MARS: A Malignity-Aware Backdoor Defense in Federated Learning

We sincerely thank Reviewer 1dAU for the thoughtful review and the positive rating. We hope our responses are helpful in addressing your concerns and would be happy to discuss if anything remains unclear.

In the experiments, BackdoorIndicator is specifically selected to make comparisons and discussions. What is the reason? What is the major difference between other defenses, BackdoorIndicator, and MARS? Please provide more discussion on this.

Thank you for raising this point. We selected BackdoorIndicator as our main point of comparison for three reasons. First, it was very recently published at USENIX Security ’24 and has already garnered strong community recognition. Second, like MARS, it departs from conventional FL defenses—such as norm-constraint, out-of-distribution detection, and consistency checks—and offers a fresh insight and mechanism. Third, it achieves robust empirical performance against standard backdoor attacks, making it a natural baseline for any new defense.

However, MARS and BackdoorIndicator differ in a critical way:

Theoretical underpinnings vs. empirical observation: BackdoorIndicator is motivated by the empirical finding that deploying repeated backdoors with the same target label amplifies the trigger effect. Importantly, this observation has only been validated under unconstrained attack settings; for constrained attacks like 3DFed, the assumption may no longer hold, as demonstrated by the sharp performance drops in Table 4 of our paper. In contrast, MARS derives a formal upper bound on backdoor energy via Lipschitz and Wasserstein metrics, providing a provable foundation for its clustering defense that remains valid regardless of attack constraints.

No reliance on external data: BackdoorIndicator injects “indicator tasks” using an auxiliary OOD dataset and judges updates by the model’s accuracy on those tasks, making its effectiveness dependent on the availability and suitability of that data. MARS, by contrast, analyzes only the model parameters—specifically, neurons’ activation “energy”—and requires no external samples.

These distinctions highlight MARS’s practical advantages—strong theoretical guarantees and no need for trusted external data—which we will underscore in the revised manuscript.

In the experiments, hyperparameters $\kappa$ and $\epsilon$ are set to 5 and 0.03. In the appendix, the results indicate that these values fall within the optimal range for CIFAR-10. How can you make sure these values are still optimal for other datasets? Is there any theoretical discussion for setting these hyperparameters?

Thank you for this question. Frankly, our choices of both $\kappa$ and $\epsilon$ are guided primarily by practical intuition and empirical analysis rather than by a strict theoretical derivation:

Setting $\kappa = 5$: We drew inspiration from pruning-based defenses—originally developed to mitigate gradient-inversion attacks—which commonly remove a small fraction of parameters (e.g., 5%) as a default that balances defense strength and model utility. For example, “Revisiting Gradient Pruning: A Dual Realization for Defending against Gradient Attacks” (AAAI ’24) uses 5% pruning with strong results. In our context, selecting the top 5% of neurons by backdoor energy similarly captures the most suspicious activity while preserving computational efficiency.

Setting $\epsilon = 0.03$: We examined pairwise Wasserstein‐distance matrices of Cumulative Backdoor Energy (CBE) vectors across multiple datasets (CIFAR-10, CIFAR-100, MNIST) and attack scenarios (including 3DFed). In every case, we observed a pronounced “gap” between intra‐group distances (malicious–malicious or benign–benign) and inter‐group distances, which offers a wide margin for threshold selection.

For example, Table 4.1 reports the distances for 10 clients on CIFAR-10 under a 3DFed attack (clients 1–2 malicious, 3–10 benign). All pairwise distances among malicious clients or among benign clients remain below 0.03, while every malicious–benign distance lies around 5.95–5.98. This clear separation means that setting $\epsilon = 0.03$ places the threshold squarely in the middle of these two clusters. We observed the same pattern on CIFAR-100 and MNIST, making 0.03 a reliable, off-the-shelf default that requires no per-dataset tuning.

Table 4.1: Pairwise Wasserstein Distances (CIFAR-10, 3DFed)

While these settings are ultimately empirical, they have proven stable across diverse tasks and architectures. We view $\kappa = 5$ and $\epsilon = 0.03$ as sensible defaults for practitioners, with the understanding that one could perform a quick pre-deployment calibration—by inspecting the distance matrix on a small held-out validation set—to adjust them if a dramatically different data distribution or attack style is anticipated.

Why are the TPR and FPR results missing for FedCLP in Table 2?

Thank you for pointing this out. The reason TPR and FPR are not reported for FedCLP in Table 2 is that FedCLP treats every local update identically—pruning all client models before aggregation—rather than attempting to distinguish benign from malicious submissions. As a result, it does not produce per‐client labels and we cannot compute true‐positive or false‐positive rates. In our Appendix F (Lines 706–708) we clarify this and denote TPR/FPR as “–” for FedCLP. To avoid any confusion, we will move that explanation into the main text in the revised manuscript.

We sincerely thank Reviewer hznG for the thoughtful review and the positive rating. We hope our responses are helpful in addressing your concerns and would be happy to discuss if anything remains unclear.

To substantiate the claim that K-WMeans effectively separates clients, could the authors provide a visualization (e.g., a heatmap) of a real, pairwise Wasserstein distance matrix computed on the CBE vectors from one of the main experimental settings (e.g., CIFAR-10)? This would provide more direct and compelling evidence of client separability than a toy example and greatly strengthen the justification for the core defense mechanism.

Thank you for this valuable suggestion. Below, we provide the pairwise Wasserstein distance matrix computed over the CBE vectors of 10 clients under the CIFAR-10 + 3DFed attack (clients 1–2 are malicious; clients 3–10 are benign). As shown in Table 3.1, intra-malicious and intra-benign distances remain very small (0.02–0.03), while malicious–benign distances are very large ( 5.95–5.98), which clearly justifies K-WMeans’ ability to separate the two groups. We will include this table in the revised manuscript to provide direct and compelling evidence for the separability that underpins our core defense mechanism.

Table 3.1: Pairwise Wasserstein Distances (CIFAR-10, 3DFed)

Could the authors elaborate on the rationale for excluding fully connected layers from the BE calculation? To validate this design choice, could you provide an ablation study comparing the defense performance (both ACC and ASR) and computational cost when MARS is applied to (a) only convolutional/BN layers versus (b) all layers, including FC layers? Does this selective approach create an exploitable loophole for attackers to plant backdoors in the final layers of a network?

Thank you for the insightful comment. We acknowledge the importance of justifying the design choice of excluding fully connected (FC) layers from the Backdoor Energy (BE) computation. To this end, we conducted a thorough ablation study comparing two variants of MARS: one that computes BE using only convolutional and batch normalization (BN) layers ("partial-layers"), and another that includes all layers, including FC layers ("all-layers"). The results in Table 3.2 demonstrate that both versions achieve nearly identical defense effectiveness under 3DFed attacks on CIFAR-10 with ResNet-18: the clean accuracy (ACC) and attack success rate (ASR) are virtually unchanged (e.g., ACC ≈ 85%, ASR ≈ 9%). However, including FC layers increases computational cost by approximately 13% per communication round. This validates our decision to focus on convolutional/BN layers as a practical tradeoff between performance and efficiency.

Table 3.2 Partial-Layers vs. All-Layers Ablation

More importantly, we also evaluated whether this selective layer choice introduces a potential vulnerability—for instance, if an attacker attempts to inject a backdoor exclusively through FC layers. To simulate this, we conducted an additional experiment where malicious clients freeze all parameters except the FC layers during local training in Table 3.3. In this case, MARS (partial-layers) fails to detect the malicious updates (TPR = 0%, FPR = 100%), since it ignores the manipulated layers. However, the attack itself is unsuccessful: the ASR drops to just 9.86%, while clean accuracy also suffers. This suggests that injecting a backdoor using only the FC layers fails to achieve both stealth and effectiveness. We hypothesize that this is due to the limited expressive capacity of isolated FC-layer tuning: the convolutional layers generate nearly identical features for a clean sample and the corresponding triggered sample, making it difficult for the final layer alone to simultaneously satisfy both objectives (i.e., clean accuracy and attack success). Finally, we note that MARS (all-layers) can still detect such attacks, achieving 100% TPR even when malicious updates are limited to FC layers. Therefore, although our default implementation prioritizes efficiency by ignoring FC layers, MARS can be easily extended to handle such edge cases when needed, without compromising robustness.

Table 3.3 FC Layers Tuning Attack

We will include these ablation results and analysis in the revised manuscript to clarify both the rationale and empirical support for this design choice.

Dear Reviewer,

I hope this message finds you well. As the discusion period is nearing its end with less than three days remaining, I want to ensure we have adressed all your concems satisfactorly. If there are any additional points or feedback you'd like us to consider, please let us know. Your insights are invaluable to us, and we're eager to address any remaining issues to improve our work.

Thank you for your time and effort in reviewing our paper.

We sincerely thank Reviewer oRiw for the thoughtful review. We hope our responses are helpful in addressing your concerns and would be happy to discuss if anything remains unclear.

MARS relies on Lipschitz-based backdoor energy, which becomes unreliable in architectures like Vision Transformers due to the complex, input-dependent nature of self-attention and normalization layers.

Thank you for raising this important point. To demonstrate that MARS scales to Vision Transformer architectures, we evaluated it on a pretrained ViT model using the Hugging Face Transformers library. Specifically, we loaded

ViTForImageClassification.from_pretrained( 'google/vit-base-patch16-224-in21k',num_labels=10,ignore_mismatched_sizes=True)

and fine-tuned it on CIFAR-10. This ViT contains a very high proportion of linear layers (99.09% of its parameters), so MARS remains fully applicable. As shown in Table 2.1, MARS on ViT achieves detection performance comparable to Baseline (i.e., FedAvg in attack-free scenario), confirming its effectiveness on large-scale models. We will include this experiment (and its detailed results) in the revised manuscript.

Table 2.1 Performance on ViT

MARS assumes that all clients use structurally similar models, but in practice, heterogeneous client architectures may yield incomparable backdoor energy profiles.

Thank you for raising this important point. We would like to clarify that MARS does not require all clients to use the same network architecture. While many existing defenses—such as Multi-Krum (which computes pairwise Euclidean distances) or FoolsGold (which relies on cosine similarity)—indeed break down when models differ structurally, MARS operates on the distribution of backdoor energies rather than on raw parameter vectors. Specifically, in Eq. (5) we use the Wasserstein distance to compare each client’s CBE profile. Since the Wasserstein distance measures the distance between two distributions, it naturally accommodates vectors of differing lengths or supports. For instance, consider the toy example in the paper: assume that $L_1=[1,3,4,5]$ (originally [1,2,3,4,5] with one layer missin) and $L_2=[5,5,2]$ (originally [5,5,4,3,2] with two layers missing) are the CBEs of backdoor models, while $L_3=[1,1,1,1,1]$ (the complete model) is the CBE of a benign model. According to Eq. (5), we obtain $\mathrm{Wass}(L_1, L_2) = 1.75$, $\mathrm{Wass}(L_1, L_3) = 2.25$, $\mathrm{Wass}(L_2, L_3) = 3.00$, allowing us to cluster the more similar $L_1$ and $L_2$ together. This demonstrates that MARS can effectively distinguish backdoored from benign clients even when their architectures—and thus the dimensionality of their BE vectors—differ. We will clarify this in the revised manuscript.

The paper assumes an "FL system with only attackers is meaningless". However, a 100% attacker scenario is plausible (though rare) and falls within your threat model where attackers can constitute a majority. How does MARS ensure effectiveness in such a scenario, where all malicious models might be misclassified as benign?

Thank you for highlighting this edge case. We acknowledge that MARS, like nearly all existing defenses, cannot recover a clean global model if all clients are malicious—an FL setting in which no honest update exists to guide aggregation. We consider a 100%–attacker scenario to be fundamentally impractical, because without any benign contributions an FL system cannot produce a useful model, irrespective of defense strategy. For context, FLTrust (NDSS ’21) evaluates up to 95% attackers and BackdoorIndicator (USENIX Security ’24) up to 60%, and both require external “trusted” or out-of-distribution data to function. In contrast, MARS can tolerate over 50% malicious clients without any auxiliary dataset—an advancement we believe represents a significant step forward. We will clarify in the revision that handling a 100%–attacker case lies outside the scope of our threat model and is shared by prior work.

MARS fails against adaptive attacks with $\lambda \ge 0.05$. While MARS uses a majority-based selection, this reintroduces the benign-majority assumption that MARS aims to avoid. Given the defender's minimal knowledge of attacker proportion and λ, how can the correct strategy (MARS vs. MARS ) be reliably chosen in practice?

Thank you for this perceptive observation. As reported in Table 3 of our paper, when the adaptive attacker increases the regularization coefficient to $\lambda \ge 0.05$, MARS indeed swaps the labels of benign and malicious updates—but in that regime, the aggregated global model’s ACC plunges to just 10%. Such a collapse violates the key stealth requirement of backdoor attacks (i.e., remaining accurate on clean data while misbehaving only on triggered inputs), meaning the attack itself is no longer successful or realistic.

Moreover, empirical studies in production‐scale federated learning—most notably “Back to the drawing board: A critical evaluation of poisoning attacks on production federated learning” (IEEE S&P ’22)—show that real‐world adversaries rarely control more than 10 % of clients. Under these practical conditions, MARS*’s majority‐based cluster selection is both justified and effective. We will clarify these points in the revised manuscript to emphasize that (1) overly aggressive minimization of backdoor energy undermines the attack’s stealth and (2) in realistic threat settings where attackers form a small minority, MARS* provides robust defense.

Dear Reviewer,

I hope this message finds you well. As the discusion period is nearing its end with less than three days remaining, I want to ensure we have adressed all your concems satisfactorly. If there are any additional points or feedback you'd like us to consider, please let us know. Your insights are invaluable to us, and we're eager to address any remaining issues to improve our work.

Thank you for your time and effort in reviewing our paper.

Dear Reviewer oRiw,

We hope you’re doing well. As the rebuttal discussion period will close in under two days, we wanted to kindly follow up on our previous message. If you have any additional concerns or comments on our paper, we would be grateful to address them before the deadline. Your feedback is invaluable in helping us improve our work.

Thank you again for your time and effort.

We sincerely thank Reviewer xx46 for the thoughtful review and the positive rating. We hope our responses are helpful in addressing your concerns and would be happy to discuss if anything remains unclear.

Although briefly referenced in the appendix, the computational cost of computing Lipschitz constants and Wasserstein distances for all neurons/models needs more discussion in the main paper.

Thank you for this valuable suggestion. We have added a discussion of the computational cost of computing Lipschitz constants and Wasserstein distances to the main text:

Cost of computing the Lipschitz constant For an $m×n$ weight matrix, we approximate its Lipschitz constant via the power-iteration method. Each iteration involves one matrix–vector multiplication at cost $O(mn)$; after k iterations, the total complexity is $O(kmn)$. Cost of computing the Wasserstein distance Given two n-dimensional vectors, we first sort each in ascending order at cost O(nlogn), then compute and sum the absolute differences element-wise at cost $O(n)$. The overall complexity is therefore $O(nlogn)+O(n)=O(nlogn)$.

In the final manuscript, we will also report actual timing results from our experiments and include implementation details in the appendix, so that readers can clearly assess the efficiency of our approach. Thank you again for your insightful feedback.

Can it scale to large models like ViT or LLMs?

Thank you for raising this important point. To demonstrate that MARS scales to Vision Transformer architectures, we evaluated it on a pretrained ViT model using the Hugging Face Transformers library. Specifically, we loaded

ViTForImageClassification.from_pretrained( 'google/vit-base-patch16-224-in21k',num_labels=10,ignore_mismatched_sizes=True)

and fine-tuned it on CIFAR-10. This ViT contains a very high proportion of linear layers (99.09% of its parameters), so MARS remains fully applicable. As shown in Table 1.1, MARS on ViT achieves detection performance comparable to Baseline (i.e., FedAvg in attack-free scenario), confirming its effectiveness on large-scale models. We will include this experiment (and its detailed results) in the revised manuscript.

Table 1.1 Performance on ViT

While the paper justifies approximating BE with Lipschitz norms, the assumption that relative ordering is preserved may not always hold, especially in deep networks with normalization layers. Some discussion or empirical validation would be helpful.

Thank you for pointing this out. We believe there may be a misunderstanding: our method does not rely on preserving the relative ordering of backdoor energies. Instead, by using Wasserstein distance based clustering, MARS is inherently order‐insensitive. For example, in our toy example(line 263) we show two CBE vectors,L₁ = [1, 2, 3, 4, 5], L₂ = [5, 5, 3, 2, 2], they differ greatly element-wise yet have nearly identical Wasserstein distances and are correctly assigned to the same cluster.

Moreover, all of our main experiments on CIFAR-10 and CIFAR-100 use ResNet-18—an architecture with batch-normalization layers—and still demonstrate strong defense performance, confirming that MARS remains effective even when standard normalization may disrupt simple ordering assumptions. We will clarify this point in the revised manuscript.

The definition of “Backdoor Energy” is somewhat abstract. A diagram or intuition about what a “malignant neuron” looks like (activation-wise) might help reader understand the intuition.

Thank you for this helpful suggestion. We agree that a visual intuition can greatly aid understanding. In the revised manuscript, we will include a schematic illustration to show typical activation patterns of “malignant” versus benign neurons.

How does MARS perform if benign updates contain high-magnitude neurons due to data heterogeneity? Could this lead to false positives?

Thank you for raising this important concern. We have evaluated the impact of data heterogeneity on MARS in Appendix G (page 17). As shown in Fig. 3, when using a Dirichlet sampling parameter of $\alpha = 0.2$—which induces extreme heterogeneity across client data distributions—existing defenses suffer dramatic performance degradation. In contrast, MARS maintains a true-positive rate (TPR) of 100% and a false-positive rate (FPR) of 0% under these highly heterogeneous conditions. This result demonstrates that MARS’s Wasserstein-distance–based clustering remains robust even when benign updates contain high-magnitude neurons due to non-IID data.

Could this method generalize to detecting other stealthy behaviors (e.g., model inversion or privacy leakage)?

Thank you for this insightful question. MARS is primarily designed to detect backdoor attacks, but in our experiments we also observed strong defense against Byzantine attacks (see Appendix M, page 22), successfully mitigating both data-poisoning and model-poisoning threats. However, the current version of MARS cannot directly detect other stealthy behaviors such as model inversion or privacy leakage. These threats are typically addressed on the client side—for example, by adding Gaussian noise, applying Top-kkk sparsification, or clipping sensitive parameters before uploads—whereas MARS operates on the server side and does not modify or inspect client-side parameter updates in that manner. Extending MARS to cover privacy-related attacks is an interesting direction for future work, and we plan to explore how MARS could be adapted or combined with client-side defenses to detect or mitigate such stealthy behaviors.

How sensitive is the model performance to the percentage of top BE values (e.g., $\kappa = 5$)? Are results robust to this choice?

Thank you for this valuable question. As shown in Table 9 (page 19), when $\kappa$ varies between 1% and 10%, MARS consistently achieves a 100% true-positive rate (TPR) and 0% false-positive rate (FPR). However, when $\kappa$ is increased to 20%, the TPR slightly decreases to 94.44% and the FPR rises to 0.35%. For even larger $\kappa$, we observe further fluctuations in both TPR and FPR, never quite matching the optimal performance seen at lower values.

This behavior arises because including too many “irrelevant” backdoor energy values dilutes the Wasserstein-distance calculation and thus impairs the K-WMeans clustering. Crucially, since $\kappa$ values from 1% to 10% all yield the best possible defense metrics, we conclude that MARS’s performance is indeed robust to the choice of $\kappa$ within this range. We will clarify these findings in the revised manuscript.

Consider including runtime/efficiency information.

Thank you for the suggestion. We have empirically evaluated MARS’s runtime in Appendix J (page 20), demonstrating that it runs faster than existing defenses under the same experimental settings. Furthermore, as noted above, we will also add a dedicated discussion of the computational cost of computing Lipschitz constants and Wasserstein distances to the main paper to give readers a clear picture of our method’s efficiency.