pith. sign in

arxiv: 2411.12220 · v3 · submitted 2024-11-19 · 💻 cs.LG · cs.AI· cs.CR

DeTrigger: A Gradient-Centric Approach to Backdoor Attack Mitigation in Federated Learning

Kichang Lee , Yujin Shin , Jonghyuk Yun , Songkuk Kim , Jun Han , JeongGil Ko This is my paper

Pith reviewed 2026-05-23 17:54 UTC · model grok-4.3

classification 💻 cs.LG cs.AIcs.CR
keywords federated learningbackdoor attackgradient analysistemperature scalingmodel pruningattack mitigationmodel poisoningdistributed training
0
0 comments X

The pith

DeTrigger mitigates backdoor attacks in federated learning by using gradient analysis with temperature scaling to prune malicious model activations up to 98.9% effectively.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents DeTrigger as a method to protect federated learning systems from backdoor attacks, where adversaries insert triggers to manipulate predictions. It focuses on analyzing gradients during training and applying temperature scaling to separate harmful signals from normal ones. This separation allows targeted pruning of weights associated with backdoors. The approach is shown to be much faster than existing techniques while keeping the main model's performance intact on various datasets. Readers might care because federated learning is increasingly used for collaborative training without sharing private data, making it vulnerable to such hidden attacks.

Core claim

DeTrigger is a scalable backdoor-robust federated learning framework that leverages gradient analysis with temperature scaling to detect and isolate backdoor triggers. This enables precise model weight pruning of backdoor activations without sacrificing benign model knowledge. Evaluations on four datasets show up to 251 times faster detection and up to 98.9 percent mitigation of backdoor attacks with minimal impact on global model accuracy.

What carries the argument

Gradient analysis with temperature scaling to detect and isolate backdoor triggers for precise weight pruning.

If this is right

  • Federated learning models can be protected against backdoor attacks with high success rates.
  • Detection of triggers happens up to 251 times faster than traditional methods.
  • The mitigation has minimal effect on the accuracy of the global model.
  • The framework scales to different datasets used in mobile and embedded systems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The method might generalize to other types of model poisoning beyond backdoors.
  • It could reduce the need for heavy computational resources in defense mechanisms for distributed training.
  • Application in real-world federated setups with heterogeneous devices could be tested by measuring trigger isolation accuracy.
  • Connections to adversarial robustness techniques in centralized settings may offer further improvements.

Load-bearing premise

Gradient analysis combined with temperature scaling can reliably distinguish and isolate backdoor activations from benign training signals without introducing significant false positives or degrading model utility across varied attack types and datasets.

What would settle it

Running DeTrigger on a previously untested dataset with a novel backdoor attack pattern and observing either detection speeds not exceeding traditional methods or mitigation rates below 80% would challenge the central claims.

Figures

Figures reproduced from arXiv: 2411.12220 by JeongGil Ko, Jonghyuk Yun, Jun Han, Kichang Lee, Songkuk Kim, Yujin Shin.

Figure 1
Figure 1. Figure 1: (a) Illustration of backdoor attack in federated learning scenario for local training, server-side global aggregation, and [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: (a) Illustration of adversarial and backdoor attacks represented with class decision boundaries. (b) Normal and [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Overall workflow of DeTrigger. DeTrigger leverages insights from adversarial attack methodologies to effectively identify the trigger and prune the backdoor knowledge. The server first distributes the global model to selected clients for the local model training. Malicious clients may introduce backdoor triggers into their datasets. To mitigate this, DeTrigger analyzes gradients to detect potential backdoo… view at source ↗
Figure 4
Figure 4. Figure 4: Illustration of gradient preprocessing and trigger extraction operations in [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: (a) Conceptual illustration of the impact of temperature scaling on normal data feature space and backdoor feature [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Minimum total variation 𝑇𝑉 of the processed input layer gradients across different clients. Note the lower 𝑇𝑉 trend for backdoor-affected gradients. the 𝑇𝑉 . Note that, the threshold for determining this is adaptive to input data dimensions and resolution, enabling the server to set appropriate thresholds by computing gradients based on centrally available information. Transferability-based Verification. N… view at source ↗
Figure 7
Figure 7. Figure 7: (a) Data distribution used in the preliminary motivational study. (b) Model accuracy for different data labels with [PITH_FULL_IMAGE:figures/full_fig_p011_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Overall global model accuracy v.s. backdoor attack accuracy across different baselines. [PITH_FULL_IMAGE:figures/full_fig_p013_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Elapsed time per federated training round with respect to different defense schemes normalized to the performance [PITH_FULL_IMAGE:figures/full_fig_p014_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: L1-norm of ground truth and inferred trigger along with the accuracy drop for the backdoor and global model with [PITH_FULL_IMAGE:figures/full_fig_p014_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Visualization of representation space before and after weight pruning is applied on backdoor and benign models. [PITH_FULL_IMAGE:figures/full_fig_p015_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: (a) L1-norm with respect to input size for different dataset/model configurations. (b) Sample triggers extracted for [PITH_FULL_IMAGE:figures/full_fig_p015_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: Extracted sample triggers with varying color, location, and shape of the backdoor trigger. [PITH_FULL_IMAGE:figures/full_fig_p016_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: L1-norm with varying color, location, and shape of the backdoor trigger. [PITH_FULL_IMAGE:figures/full_fig_p017_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: Accuracy drop for the backdoor task and main task for different colors, locations, and shapes of the backdoor trigger. [PITH_FULL_IMAGE:figures/full_fig_p017_15.png] view at source ↗
Figure 16
Figure 16. Figure 16: Normalized latency for different backdoor detection schemes with varying number of clients. [PITH_FULL_IMAGE:figures/full_fig_p018_16.png] view at source ↗
read the original abstract

Federated Learning (FL) enables collaborative model training across distributed devices while preserving local data privacy, making it ideal for mobile and embedded systems. However, the decentralized nature of FL also opens vulnerabilities to model poisoning attacks, particularly backdoor attacks, where adversaries implant trigger patterns to manipulate model predictions. In this paper, we propose DeTrigger, a scalable and efficient backdoor-robust federated learning framework that leverages insights from adversarial attack methodologies. By employing gradient analysis with temperature scaling, DeTrigger detects and isolates backdoor triggers, allowing for precise model weight pruning of backdoor activations without sacrificing benign model knowledge. Extensive evaluations across four widely used datasets demonstrate that DeTrigger achieves up to 251x faster detection than traditional methods and mitigates backdoor attacks by up to 98.9%, with minimal impact on global model accuracy. Our findings establish DeTrigger as a robust and scalable solution to protect federated learning environments against sophisticated backdoor threats.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper proposes DeTrigger, a federated learning defense that applies gradient analysis combined with temperature scaling to detect backdoor triggers, isolate them, and prune the corresponding activations from model weights. It reports empirical results across four datasets claiming up to 251x faster detection than baselines and up to 98.9% backdoor mitigation while preserving global model accuracy.

Significance. If the empirical claims hold under reproducible conditions and across varied attack types, the work could provide a practical, low-overhead defense for FL systems. The gradient-centric approach draws from adversarial methods in a potentially useful way, but the absence of methodological details, experimental controls, and error analysis in the manuscript prevents assessment of whether the performance numbers are robust or generalizable.

major comments (1)
  1. [Abstract] Abstract: The central performance claims (251x speedup, 98.9% mitigation) are stated without any accompanying methodological details, experimental setup, attack variants, baseline descriptions, or statistical analysis. This prevents verification that the results support the claims and makes the soundness of the empirical evaluation impossible to assess from the provided text.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their review and the opportunity to clarify the presentation of our work. The primary concern raised is addressed point-by-point below. We maintain that the abstract serves its conventional purpose as a high-level summary while the full manuscript supplies the requested details.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The central performance claims (251x speedup, 98.9% mitigation) are stated without any accompanying methodological details, experimental setup, attack variants, baseline descriptions, or statistical analysis. This prevents verification that the results support the claims and makes the soundness of the empirical evaluation impossible to assess from the provided text.

    Authors: Abstracts are deliberately concise and do not include full methodological, experimental, or statistical details, as these would violate length conventions and duplicate content already present in the body. The manuscript provides: (i) gradient-centric detection and temperature scaling in Section 3, (ii) experimental setup, four datasets, attack variants, and baselines in Section 4, and (iii) quantitative results with comparisons in Section 5. The abstract therefore summarizes rather than substantiates; readers are expected to consult the full text for verification. If the referee prefers, we can append one sentence to the abstract noting the evaluation scope. revision: partial

Circularity Check

0 steps flagged

No significant circularity; empirical evaluation only

full rationale

The paper presents DeTrigger as a practical framework relying on gradient analysis combined with temperature scaling to detect and prune backdoor activations in federated learning. All performance claims (251x speedup, 98.9% mitigation) are stated as direct outcomes of experimental evaluations across four datasets rather than any closed-form derivation, fitted parameter renamed as prediction, or self-referential definition. No equations, uniqueness theorems, or ansatzes are invoked that could reduce to the inputs by construction. The method is therefore self-contained against external benchmarks and receives the default non-circularity finding.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only abstract available; no free parameters, axioms, or invented entities are specified. The approach implicitly assumes gradient distinguishability of backdoors but provides no details on any fitted values or background assumptions.

pith-pipeline@v0.9.0 · 5712 in / 1117 out tokens · 27187 ms · 2026-05-23T17:54:14.839899+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

    cs.LG 2026-05 unverdicted novelty 7.0

    Argus detects backdoors in decentralized learning by local trigger analysis and neighbor similarity checks on consistency, with theoretical convergence guarantees and empirical reductions in attack success up to 90 points.

Reference graph

Works this paper leans on

60 extracted references · 60 canonical work pages · cited by 1 Pith paper · 8 internal anchors

  1. [1]

    Jungmo Ahn, JaeYeon Park, Sung Sik Lee, Kyu-Hyuk Lee, Heesung Do, and JeongGil Ko. 2023. SafeFac: Video-based smart safety monitoring for preventing industrial work accidents. Expert Systems with Applications 215 (2023), 119397

    work page 2023

  2. [2]

    Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. 2020. How to backdoor federated learning. In International conference on artificial intelligence and statistics . PMLR, 2938–2948

    work page 2020

  3. [3]

    Daniel J Beutel, Taner Topal, Akhil Mathur, Xinchi Qiu, Javier Fernandez-Marques, Yan Gao, Lorenzo Sani, Kwing Hei Li, Titouan Parcollet, Pedro Porto Buarque de Gusmão, et al . 2020. Flower: A friendly federated learning research framework. arXiv preprint arXiv:2007.14390 (2020)

    work page internal anchor Pith review Pith/arXiv arXiv 2020

  4. [4]

    Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. Advances in neural information processing systems 30 (2017)

    work page 2017

  5. [5]

    Xiaoyu Cao, Minghong Fang, Jia Liu, and Neil Zhenqiang Gong. 2020. Fltrust: Byzantine-robust federated learning via trust bootstrapping. arXiv preprint arXiv:2012.13995 (2020)

    work page arXiv 2020

  6. [6]

    Xiaoyu Cao and Neil Zhenqiang Gong. 2022. Mpaf: Model poisoning attacks to federated learning based on fake clients. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition . 3396–3404

    work page 2022

  7. [7]

    Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp). Ieee, 39–57

    work page 2017

  8. [8]

    Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 (2017)

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  9. [9]

    Adam Coates, Andrew Ng, and Honglak Lee. 2011. An analysis of single-layer networks in unsupervised feature learning. In Proceedings of the fourteenth international conference on artificial intelligence and statistics . JMLR Workshop and Conference Proceedings, 215–223

    work page 2011

  10. [10]

    Li Deng. 2012. The mnist database of handwritten digit images for machine learning research. IEEE Signal Processing Magazine 29, 6 (2012), 141–142

    work page 2012

  11. [11]

    Yongheng Deng, Sheng Yue, Tuowei Wang, Guanbo Wang, Ju Ren, and Yaoxue Zhang. 2023. FedINC: An Exemplar-Free Continual Federated Learning Framework with Small Labeled Data. In Proceedings of the 21st ACM Conference on Embedded Networked Sensor Systems. 56–69

    work page 2023

  12. [12]

    Yao Deng, Xi Zheng, Tianyi Zhang, Chen Chen, Guannan Lou, and Miryung Kim. 2020. An analysis of adversarial attacks and defenses on autonomous driving models. In 2020 IEEE international conference on pervasive computing and communications (PerCom) . IEEE, 1–10

    work page 2020

  13. [13]

    Fatima Elhattab, Sara Bouchenak, Rania Talbi, and Vlad Nitu. 2023. Robust federated learning for ubiquitous computing through mitigation of edge-case backdoor attacks. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 6, 4 (2023), 1–27

    work page 2023

  14. [14]

    Minghong Fang, Xiaoyu Cao, Jinyuan Jia, and Neil Gong. 2020. Local model poisoning attacks to {Byzantine-Robust} federated learning. In 29th USENIX security symposium (USENIX Security 20) . 1605–1622

    work page 2020

  15. [15]

    Yinghua Gao, Dongxian Wu, Jingfeng Zhang, Guanhao Gan, Shu-Tao Xia, Gang Niu, and Masashi Sugiyama. 2023. On the effectiveness of adversarial training against backdoor attacks. IEEE Transactions on Neural Networks and Learning Systems (2023)

    work page 2023

  16. [16]

    Xueluan Gong, Yanjiao Chen, Qian Wang, and Weihan Kong. 2022. Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions. IEEE Wireless Communications 30, 2 (2022), 114–121

    work page 2022

  17. [17]

    Ian J Goodfellow. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  18. [18]

    Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  19. [19]

    Wenbo Guo, Lun Wang, Xinyu Xing, Min Du, and Dawn Song. 2019. Tabor: A highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763 (2019). 19

    work page arXiv 2019

  20. [20]

    Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition . 770–778

    work page 2016

  21. [21]

    Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. 2015. Distilling the knowledge in a neural network. arXiv preprint arXiv:1503.02531 (2015)

    work page internal anchor Pith review Pith/arXiv arXiv 2015

  22. [22]

    Sebastian Houben, Johannes Stallkamp, Jan Salmen, Marc Schlipsing, and Christian Igel. 2013. Detection of Traffic Signs in Real-World Images: The German Traffic Sign Detection Benchmark. In International Joint Conference on Neural Networks

    work page 2013

  23. [23]

    Tzu-Ming Harry Hsu, Hang Qi, and Matthew Brown. 2019. Measuring the effects of non-identical data distribution for federated visual classification. arXiv preprint arXiv:1909.06335 (2019)

    work page internal anchor Pith review Pith/arXiv arXiv 2019

  24. [24]

    Kaidi Jin, Tianwei Zhang, Chao Shen, Yufei Chen, Ming Fan, Chenhao Lin, and Ting Liu. 2022. Can we mitigate backdoor attack using adversarial detection methods? IEEE Transactions on Dependable and Secure Computing 20, 4 (2022), 2867–2881

    work page 2022

  25. [25]

    Diederik P Kingma and Jimmy Ba. 2014. Adam: A method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)

    work page internal anchor Pith review Pith/arXiv arXiv 2014

  26. [26]

    Alex Krizhevsky, Geoffrey Hinton, et al. 2009. Learning multiple layers of features from tiny images. (2009)

    work page 2009

  27. [27]

    Kichang Lee, Songkuk Kim, and JeongGil Ko. 2024. FLex&Chill: Improving Local Federated Learning Training with Logit Chilling. arXiv preprint arXiv:2401.09986 (2024)

    work page arXiv 2024

  28. [28]

    Kichang Lee, Jonghyuk Yun, Jaeho Jin, Jun Han, and JeongGil Ko. 2025. Mind your indices! Index hijacking attacks on collaborative unpooling autoencoder systems. Internet of Things 29 (2025), 101462

    work page 2025

  29. [29]

    Ang Li, Jingwei Sun, Xiao Zeng, Mi Zhang, Hai Li, and Yiran Chen. 2021. Fedmask: Joint computation and communication-efficient personalized federated learning via heterogeneous masking. In Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems. 42–55

    work page 2021

  30. [30]

    Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, and Siwei Lyu. 2021. Invisible backdoor attack with sample-specific triggers. In Proceedings of the IEEE/CVF international conference on computer vision . 16463–16472

    work page 2021

  31. [31]

    Yijing Li, Xiaofeng Tao, Xuefei Zhang, Junjie Liu, and Jin Xu. 2021. Privacy-preserved federated learning for autonomous driving. IEEE Transactions on Intelligent Transportation Systems 23, 7 (2021), 8423–8434

    work page 2021

  32. [32]

    Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, and Shu-Tao Xia. 2021. Backdoor attack in the physical world. arXiv preprint arXiv:2104.02361 (2021)

    work page arXiv 2021

  33. [33]

    Bingyan Liu, Yifeng Cai, Ziqi Zhang, Yuanchun Li, Leye Wang, Ding Li, Yao Guo, and Xiangqun Chen. 2021. Distfl: Distribution-aware federated learning for mobile scenarios. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 5, 4 (2021), 1–26

    work page 2021

  34. [34]

    Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Artificial intelligence and statistics. PMLR, 1273–1282

    work page 2017

  35. [35]

    Xiaomin Ouyang, Zhiyuan Xie, Heming Fu, Sitong Cheng, Li Pan, Neiwen Ling, Guoliang Xing, Jiayu Zhou, and Jianwei Huang. 2023. Harmony: Heterogeneous multi-modal federated learning through disentangled model training. In Proceedings of the 21st Annual International Conference on Mobile Systems, Applications and Services . 530–543

    work page 2023

  36. [36]

    Xiaomin Ouyang, Zhiyuan Xie, Jiayu Zhou, Guoliang Xing, and Jianwei Huang. 2022. Clusterfl: A clustering-based federated learning system for human activity recognition. ACM Transactions on Sensor Networks 19, 1 (2022), 1–32

    work page 2022

  37. [37]

    Jaeyeon Park, Hyeon Cho, Rajesh Krishna Balan, and JeongGil Ko. 2020. HeartQuake: Accurate Low-Cost Non-Invasive ECG Monitoring Using Bed-Mounted Geophones. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 4, 3, Article 93 (sep 2020), 28 pages

    work page 2020

  38. [38]

    JaeYeon Park and JeongGil Ko. 2024. FedHM: Practical federated learning for heterogeneous model deployments. ICT Express 10, 2 (2024), 387–392

    work page 2024

  39. [39]

    JaeYeon Park, Kichang Lee, Sungmin Lee, Mi Zhang, and JeongGil Ko. 2023. AttFL: A Personalized Federated Learning Framework for Time-series Mobile and Embedded Sensor Data Processing. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 7, 3 (2023), 1–31

    work page 2023

  40. [40]

    Krishna Pillutla, Sham M Kakade, and Zaid Harchaoui. 2022. Robust aggregation for federated learning. IEEE Transactions on Signal Processing 70 (2022), 1142–1154

    work page 2022

  41. [41]

    Shiva Raj Pokhrel and Jinho Choi. 2020. A decentralized federated learning approach for connected autonomous vehicles. In 2020 IEEE Wireless Communications and Networking Conference Workshops (WCNCW) . IEEE, 1–6

    work page 2020

  42. [42]

    Ho-Kyeong Ra, Jungmo Ahn, Hee Jung Yoon, Dukyong Yoon, Sang Hyuk Son, and JeongGil Ko. 2017. I am a" smart" watch, smart enough to know the accuracy of my own heart rate sensor. In Proceedings of the 18th International Workshop on Mobile Computing Systems and Applications. 49–54

    work page 2017

  43. [43]

    Leming Shen, Qiang Yang, Kaiyan Cui, Yuanqing Zheng, Xiao-Yong Wei, Jianwei Liu, and Jinsong Han. 2024. FedConv: A Learning-on- Model Paradigm for Heterogeneous Federated Clients. In Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services. 398–411

    work page 2024

  44. [44]

    Yujin Shin, Kichang Lee, Sungmin Lee, You Rim Choi, Hyung-Sin Kim, and JeongGil Ko. 2024. Effective Heterogeneous Federated Learning via Efficient Hypernetwork-based Weight Generation. InProceedings of the 22nd ACM Conference on Embedded Networked Sensor Systems. 112–125. 20

    work page 2024

  45. [45]

    Yanghao Su, Jie Zhang, Ting Xu, Tianwei Zhang, Weiming Zhang, and Nenghai Yu. 2024. Model X-ray: Detect Backdoored Models via Decision Boundary. arXiv preprint arXiv:2402.17465 (2024)

    work page arXiv 2024

  46. [46]

    Qi Sun, Arjun Ashok Rao, Xufeng Yao, Bei Yu, and Shiyan Hu. 2020. Counteracting adversarial attacks in autonomous driving. In Proceedings of the 39th International Conference on Computer-Aided Design . 1–7

    work page 2020

  47. [47]

    Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, and H Brendan McMahan. 2019. Can you really backdoor federated learning? arXiv preprint arXiv:1911.07963 (2019)

    work page arXiv 2019

  48. [48]

    Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199 (2013)

    work page internal anchor Pith review Pith/arXiv arXiv 2013

  49. [49]

    Canh T Dinh, Nguyen Tran, and Josh Nguyen. 2020. Personalized federated learning with moreau envelopes. Advances in neural information processing systems 33 (2020), 21394–21405

    work page 2020

  50. [50]

    Laurens Van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. Journal of machine learning research 9, 11 (2008)

    work page 2008

  51. [51]

    Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y Zhao. 2019. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In 2019 IEEE symposium on security and privacy (SP) . IEEE, 707–723

    work page 2019

  52. [52]

    Shaokui Wei, Mingda Zhang, Hongyuan Zha, and Baoyuan Wu. 2023. Shared adversarial unlearning: Backdoor mitigation by unlearning shared adversarial examples. Advances in Neural Information Processing Systems 36 (2023), 25876–25909

    work page 2023

  53. [53]

    Cheng-Hsin Weng, Yan-Ting Lee, and Shan-Hung Brandon Wu. 2020. On the trade-off between adversarial and backdoor robustness. Advances in Neural Information Processing Systems 33 (2020), 11973–11983

    work page 2020

  54. [54]

    Emily Wenger, Josephine Passananti, Arjun Nitin Bhagoji, Yuanshun Yao, Haitao Zheng, and Ben Y Zhao. 2021. Backdoor attacks against deep learning systems in the physical world. In Proceedings of the IEEE/CVF conference on computer vision and pattern recognition . 6206–6215

    work page 2021

  55. [55]

    Chulin Xie, Keli Huang, Pin-Yu Chen, and Bo Li. 2019. Dba: Distributed backdoor attacks against federated learning. In International conference on learning representations

    work page 2019

  56. [56]

    Dezhong Yao, Wanning Pan, Michael J O’Neill, Yutong Dai, Yao Wan, Hai Jin, and Lichao Sun. 2021. Fedhm: Efficient federated learning for heterogeneous models via low-rank factorization. arXiv preprint arXiv:2111.14655 (2021)

    work page arXiv 2021

  57. [57]

    Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-robust distributed learning: Towards optimal statistical rates. In International conference on machine learning . Pmlr, 5650–5659

    work page 2018

  58. [58]

    Jonghyuk Yun, Kyoosik Lee, Kichang Lee, Bangjie Sun, Jaeho Jeon, Jeonggil Ko, Inseok Hwang, and Jun Han. 2024. PowDew: Detecting Counterfeit Powdered Food Products using a Commodity Smartphone. In Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services . 210–222

    work page 2024

  59. [59]

    Weibin Zhang, Youpeng Li, Lingling An, Bo Wan, and Xuyu Wang. 2024. SARS: A Personalized Federated Learning Framework Towards Fairness and Robustness against Backdoor Attacks. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 8, 4 (2024), 1–24

    work page 2024

  60. [60]

    Bo Zhao, Peng Sun, Tao Wang, and Keyu Jiang. 2022. Fedinv: Byzantine-robust federated learning by inversing local model updates. In Proceedings of the AAAI Conference on Artificial Intelligence , Vol. 36. 9171–9179. 21

    work page 2022