Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

Anne-Marie Kermarrec; Antoine Boutet; Davide Frey; Dimitri Ler\'ev\'erend; Fran\c{c}ois Ta\"iani; Martijn de Vos; Maxime Jacovella; Rachid Guerraoui; Romaric Gaudel; Sayan Biswas

arxiv: 2605.19969 · v2 · pith:GXH7MQ73new · submitted 2026-05-19 · 💻 cs.LG

Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

Sayan Biswas , Antoine Boutet , Davide Frey , Romaric Gaudel , Rachid Guerraoui , Maxime Jacovella , Anne-Marie Kermarrec , Dimitri Ler\'ev\'erend

show 2 more authors

Fran\c{c}ois Ta\"iani Martijn de Vos

This is my paper

Pith reviewed 2026-05-20 07:30 UTC · model grok-4.3

classification 💻 cs.LG

keywords backdoor detectiondecentralized learningdistributed machine learningmodel poisoningtrigger consistencyneighborhood analysisstructural similarity

0 comments

The pith

Decentralized learning nodes detect backdoor attacks by sharing potential triggers among neighbors and filtering those with consistent patterns.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Decentralized learning lets nodes train a shared model together without any central server, but this direct collaboration opens the door to backdoor attacks that leave normal behavior intact while adding secret malicious responses to chosen triggers. The paper describes Argus, a defense in which each node inspects incoming model updates for candidate triggers and passes those candidates to its immediate neighbors. A structural similarity metric then separates real backdoors, which produce matching patterns across nodes, from false alarms that vary because of each node's private data. Updates that fail the test are dropped and nodes that keep sending them are eventually removed from the group. The method includes proofs that this filtering step keeps the overall training convergence rate close to the rate achieved by undefended decentralized learning.

Core claim

Argus is a backdoor detection framework native to decentralized learning in which nodes locally identify candidate triggers, exchange them with neighbors, and apply a structural similarity metric to retain only those triggers that appear consistently, thereby rejecting malicious updates with high probability while preserving convergence guarantees comparable to standard decentralized learning.

What carries the argument

The structural similarity metric applied to triggers shared among neighboring nodes, which separates consistent true backdoor patterns from inconsistent false positives induced by data heterogeneity.

If this is right

The defense requires neither a central coordinator nor advance knowledge of the trigger.
Attack success rates fall by up to 90 percentage points while model utility remains within 5 points of an omniscient oracle.
The defense grows more effective as data heterogeneity across nodes increases.
Persistent malicious nodes are eventually evicted after repeated rejections.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Neighborhood consistency checks could be applied to detect other poisoning attacks in peer-to-peer training systems.
The approach may require adjustments when node participation changes rapidly or when neighbor sets are small.
Testing against adaptive attackers who try to mimic data heterogeneity would clarify remaining limits.

Load-bearing premise

False positive triggers from data heterogeneity exhibit inconsistencies across participants while true backdoor triggers produce consistent patterns that the similarity metric can reliably separate.

What would settle it

An experiment that injects a backdoor whose trigger is deliberately made to look different to different nodes and then measures whether the similarity scores for the true trigger fall below the detection threshold.

Figures

Figures reproduced from arXiv: 2605.19969 by Anne-Marie Kermarrec, Antoine Boutet, Davide Frey, Dimitri Ler\'ev\'erend, Fran\c{c}ois Ta\"iani, Martijn de Vos, Maxime Jacovella, Rachid Guerraoui, Romaric Gaudel, Sayan Biswas.

**Figure 1.** Figure 1: The average Attack Success Rate (ASR) of the backdoor attack in a 16-node network with one attacker, using the CIFAR-10 dataset in a NIID setting. This is done without compromising the model’s accuracy on normal, clean inputs [7]. In DL, such backdoor triggers are continuously injected and spread across the network through seemingly legitimate model updates [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗

**Figure 2.** Figure 2: The workflow of ARGUS during a single round in DL as executed by an honest node. 2 Background and problem formulation We now introduce the standard DL algorithm and backdoors, and then elaborate on the shortcomings of existing approaches that defend against backdoor attacks in collaborative ML algorithms. Decentralized learning. A set of n nodes collaboratively trains a model fθ to minimize the global risk… view at source ↗

**Figure 3.** Figure 3: Example True Positive (TP) and FP reverse-engineered triggers from CIFAR-10 when the real backdoor trigger is a bottomright 3 × 3 pixel square. since detecting nodes are tracing the same implanted trigger. This is formulated in the insight below: Insight 1 (Structural similarity of recovered triggers). Let τˆa and τˆb be triggers reverse-engineered by two honest nodes given the same update. (TP) If the up… view at source ↗

**Figure 4.** Figure 4: Empirical FP vs. TP trigger similarities on CIFAR-10 (α = 0.5, m = 2 attacker nodes, n = 16 nodes) and calibrated threshold ξ = 0.42. only the image dimensions (H, W), the clipping size k, the SSIM window size w and the model architecture, with no access to the trigger or training data. Motivated by Insight 1, we model FP triggers as independent samples from a Gaussian random field with correlation σ on th… view at source ↗

**Figure 5.** Figure 5: Local detection alone is unsatisfactory. The CA (left, ↑ is better), rejection rate (middle, ↓ is better) and ASR (right, ↓ is better) for CIFAR-10 with m = 2 attackers out of n = 16 nodes, and for varying heterogeneity levels. We consider different baseline settings and report std over 3 seeds. (while showing minimal loss on the easier FEMNIST task). On the attack side, ARGUS reduces ASR to below 7% on CI… view at source ↗

**Figure 6.** Figure 6: The per-neighbor trust state machine maintained by each (honest) node. [PITH_FULL_IMAGE:figures/full_fig_p017_6.png] view at source ↗

**Figure 7.** Figure 7: Empirical FP vs. TP similarities (additional settings). We consider IID (left) and α = 0.25 (right) heterogeneity levels, using the CIFAR-10 dataset [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗

**Figure 8.** Figure 8: Backdoor propagation and persistence in DL. Experiments on CIFAR-10 with a 3- regular network of 16 nodes (α = 0.5) and m = 1 attacker node. Left: Average ASR of honest nodes with varying malicious updates rejection rates, and when rejecting no malicious updates. The solid line indicates the average ASR across all honest nodes whereas the dashed line considers the ASR of nodes that are directly connected t… view at source ↗

**Figure 9.** Figure 9: Various trigger types. We vary their shape, position and size. Actual triggers are colored in gray to be more inconspicuous. nodes can somehow identify and reject 50% or 75% of the malicious updates, the backdoor still propagates and is effective, with the average ASR for all nodes reaching 55% and 34% on average, respectively. Thus, [PITH_FULL_IMAGE:figures/full_fig_p022_9.png] view at source ↗

**Figure 10.** Figure 10: Evolution of the function ψpfp for different values of pfp. We represent the behavior on the eigenvalues (µ2, µn) for a given 3-regular graph with 16 nodes. Thus, we get: max k≥2 ψpfp (µk) = max ψpfp (µ2) , ψpfp (µn) [PITH_FULL_IMAGE:figures/full_fig_p029_10.png] view at source ↗

read the original abstract

Decentralized learning (DL) is an emerging machine learning paradigm where nodes collaboratively train models without a central server. However, the collaborative nature of DL makes it vulnerable to backdoor attacks, where a model is taught to behave normally on standard inputs while executing hidden, malicious actions when encountering data with specific triggers. Backdoor attacks in DL remain understudied and existing defenses often overlook DL constraints. We introduce Argus, a novel backdoor detection framework native to DL that requires neither a central coordinator nor prior knowledge of the trigger. In Argus, honest nodes locally analyze received model updates to identify potential backdoor triggers. Nodes then collectively share their triggers with their neighbors and use a structural similarity metric to separate true backdoors from false alarms induced by data heterogeneity. A key insight is that false positive triggers exhibit inconsistencies across participants while true positive ones show consistent patterns. Model updates that fail this collaborative test are rejected, and persistently malicious senders are eventually evicted. We provide the first theoretical convergence guarantees for a DL-specific backdoor detection mechanism, showing that filtering out suspicious model updates with high probability preserves a convergence rate comparable to standard DL. We implement and evaluate Argus on three standard datasets and against three state-of-the-art baselines. Across settings, Argus reduces attack success rates by up to 90 points compared to no defense, while preserving model utility within 5 percentage points of an omniscient oracle. Furthermore, the effectiveness of Argus compared to baselines improves as data heterogeneity increases.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Argus gives decentralized learning its first native backdoor detector that skips central servers and trigger knowledge, backed by convergence guarantees and experiments that improve with heterogeneity.

read the letter

Colleague, Argus claims to be the first backdoor detection system designed from the ground up for decentralized learning. It avoids any central point and does not require knowing the trigger pattern ahead of time. Instead, each node checks updates it receives, shares possible triggers with its direct neighbors, and applies a structural similarity measure to decide which ones are likely real attacks because they look the same everywhere. The work stands out for delivering theoretical convergence results under this filtering process. It shows that rejecting suspicious updates with high probability keeps the overall training converging at a rate similar to the undefended case. The experiments back this up across three datasets and against three baselines, with attack success falling sharply and model accuracy staying close to what an ideal defender would achieve. Notably, the gap to baselines widens as data becomes more heterogeneous, which runs counter to the usual story in this area. The main question is whether the similarity metric can reliably separate the cases when data distributions vary strongly. The approach assumes that genuine backdoors produce consistent trigger patterns across nodes while false alarms do not. If local data changes how the trigger activates in the model update, a real attack could appear inconsistent and get missed. The paper states that performance improves with heterogeneity, so the analysis must limit how much the trigger representation can differ. Checking the precise invariance properties of the metric and the conditions in the proof would clarify if this holds. This paper is aimed at the decentralized and federated learning community focused on robustness. It brings together a practical mechanism with formal guarantees, so it merits a serious referee who can verify the proof details and experimental controls. I would send it to peer review.

Referee Report

1 major / 1 minor

Summary. The paper introduces Argus, a backdoor detection framework for decentralized learning. Nodes locally analyze received model updates for potential triggers, share candidate triggers with neighbors, and apply a structural similarity metric to retain only consistent (true positive) triggers while discarding inconsistent ones induced by data heterogeneity. Malicious updates are rejected and persistent attackers evicted. The work supplies the first theoretical convergence guarantees for a DL-native backdoor filter, showing that high-probability rejection of suspicious updates preserves a convergence rate comparable to undefended DL. Empirical evaluation on three datasets against three baselines reports attack-success-rate reductions of up to 90 points with utility loss bounded within 5 points of an omniscient oracle, with relative gains increasing under higher heterogeneity.

Significance. If the theoretical guarantees hold under the stated assumptions and the empirical controls are sound, the contribution is substantial: it supplies the first provably convergent defense that is native to the decentralized setting and requires neither a central coordinator nor trigger knowledge. The counter-intuitive claim that detection improves with heterogeneity, if rigorously supported, would be a notable insight for heterogeneous DL deployments.

major comments (1)

[Theoretical guarantees] Theoretical guarantees section: the high-probability filtering premise used to establish convergence rests on the claim that the structural similarity metric reliably separates consistent true-positive triggers from inconsistent false positives. The manuscript must supply explicit conditions or invariance properties on how data heterogeneity affects trigger encoding in local updates; without such bounds the premise can fail when heterogeneity alters trigger representations, producing false negatives that invalidate the stated convergence rate.

minor comments (1)

[Abstract] Abstract: the three datasets and three baselines are not named; explicit identification would aid readers.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive and detailed review of our manuscript. We address the major comment on the theoretical guarantees below and have revised the manuscript to incorporate additional formal conditions.

read point-by-point responses

Referee: [Theoretical guarantees] Theoretical guarantees section: the high-probability filtering premise used to establish convergence rests on the claim that the structural similarity metric reliably separates consistent true-positive triggers from inconsistent false positives. The manuscript must supply explicit conditions or invariance properties on how data heterogeneity affects trigger encoding in local updates; without such bounds the premise can fail when heterogeneity alters trigger representations, producing false negatives that invalidate the stated convergence rate.

Authors: We agree that the original presentation of the high-probability filtering argument would benefit from explicit conditions linking data heterogeneity to trigger encoding. In the revised manuscript we have added Assumption 3.2, which bounds the total variation distance between any pair of local data distributions by a constant H. Under this assumption we prove (new Lemma 3.4) that the structural similarity metric applied to candidate triggers is invariant to heterogeneity-induced shifts for true-positive triggers while remaining sensitive to inconsistency for false positives. The lemma yields an explicit lower bound of 1 - exp(-k) on the probability of correct separation, where k denotes the number of neighbors. This bound is then substituted into the existing convergence theorem, producing a convergence rate identical to the undefended case up to an additive term linear in H. The full proof appears in the new Appendix C. We believe these additions directly resolve the concern while preserving the paper's core claims. revision: yes

Circularity Check

0 steps flagged

Derivation is self-contained with no circular reductions

full rationale

The paper introduces Argus as a novel framework for backdoor detection in decentralized learning. It relies on local analysis of model updates and a structural similarity metric to distinguish true backdoors (consistent patterns) from false positives (inconsistencies due to heterogeneity). Theoretical convergence guarantees are provided, claimed as the first for DL-specific mechanisms. The abstract and description do not show any step where a prediction or result is equivalent to its inputs by construction, nor load-bearing self-citations that reduce the central claim. The method is presented as independent, with effectiveness improving under heterogeneity, suggesting the core logic is not circular.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Detection logic rests on the domain assumption that real backdoors produce cross-node consistency while heterogeneity-induced false positives do not; no new physical entities or free parameters are explicitly introduced in the abstract.

axioms (1)

domain assumption True backdoor triggers produce consistent patterns across honest nodes despite data heterogeneity.
This consistency assumption is the basis for using structural similarity to filter updates and is invoked in the description of the collaborative test.

pith-pipeline@v0.9.0 · 5847 in / 1243 out tokens · 57108 ms · 2026-05-20T07:30:16.752688+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/AbsoluteFloorClosure.lean absolute_floor_iff_bare_distinguishability echoes

?

echoes
ECHOES: this paper passage has the same mathematical shape or conceptual pattern as the Recognition theorem, but is not a direct formal dependency.

Nodes then collectively share their triggers with their neighbors and use a structural similarity metric to separate true backdoors from false alarms induced by data heterogeneity. A key insight is that false positive triggers exhibit inconsistencies across participants while true positive ones show consistent patterns.

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.