SPMC: Self-Purifying Federated Backdoor Defense via Margin Contribution

Dear Reviewer 7qEv：

Thank you for your thoughtful review and for raising key concerns regarding our work. We hope the following responses will address your concerns and update the score.

Question

Q1: Lack of substantiation and theoretical claims. (Claims And Evidence&Theoretical Claims)

A1: We sincerely apologize for the confusion. Inspired by the Shapley value, we define a client's contribution to its marginal coalition as the marginal contribution. Specifically, for client $k$, its contribution to the marginal coalition is denoted as $\phi_k(k;\ \Gamma;\ D;\ N)=\mathbb{E}_{\Gamma\sim D^N}[\Gamma(N\setminus{k})-\Gamma({k})]$，where $D^N$ represents the collection of all clients' datasets, and $\Gamma(N\setminus{k})-\Gamma({k})$ captures the model parameter difference between the marginal coalition and client k. Next, we introduce the theorem to demonstrate the role of marginal contribution in identifying malicious clients. Theorem: Let parameter aggregation function $\Gamma$ be B-Lipschitz with respect to $Z$. Suppose $D_k$ and $D_p$ are two data distribution over $Z$. Then, for client $k,p\in N$,

$$\phi_k(k;\ \Gamma;\ D_k;\ N)-\phi_p(p;\ \Gamma;\ D_p;\ N)\le2NB·W(D_k,D_p),$$

where $W$ denotes the distributional difference between two data distributions. This theorem measures the marginal contribution changes under two different data distributions. Due to the significantly different distribution of malicious clients, the marginal contributions of malicious clients become easier to distinguish. We will add this theorem's derivation in final version. Thank you for the valuable comment.

Q2: Extended experiments on a new dataset. (Methods And Evaluation Criteria)

A2: We agree with you and have incorporated this suggestion throughout our paper. We extended our experiments on the CIFAR-100 dataset using ResNet-18. As shown in Table 1, even in more complex task scenarios, both DnC and SPMC maintain their defensive effectiveness. However, DnC struggles to match SPMC’s backdoor defense due to the limited information captured by its sub-dimensions. Moreover, the increased model complexity and task difficulty hinder convergence of the local gradient learning rate, significantly impacting RLR's main task performance.

Table 1: Comparison with the SOTA backdoor robust solutions on CIFAR-100 dataset using ResNet-18. The malicious proportion is γ=0.3 and the local data poisoned portion is set as 0.3.

Q3: Lack of comparison to recent backdoor attack method under PFL. (Essential References Not Discussed&Other Comments Or Suggestions&Other Strengths And Weaknesses)

A3: Thank you for your suggestion. We would like to clarify that the attack method used in our approach is BadNet, not DBA. BadNet aims to poison the model by injecting whole static triggers into the local dataset. In contrast, DBA constructs a global trigger by combining local triggers across multiple clients.

To verify that SPMC can maintain the robustness of federated systems in the stronger attack, we followed your suggestion and introduced an attack method, Bad-PFL [1]. This method leverages natural data features as triggers, achieving both effectiveness and stealth in PFL method (i.e., FedProx [2]). As shown in Table 2, BadPFL achieves better attack performance compared to BadNet in PFL.

Table 2: Comparison with BadNet and Bad-PFL under PFL. The experiment is based on CIFAR-10 with malicious ratio of 0.3 and SimpleCNN.

Table 3 presents the resistance of two defense methods and one no-defense method (Equal) against the BadPFL attack in the context of personalized federated learning.

Table 3: Comparison with the SOTA backdoor defense with Bad-PFL attack under the PFL. The experiment is based on CIFAR-10 dataset with malicious ratio of 0.3 and SimpleCNN.

As shown in Table 3, although BadPFL achieves robust attack performance in personalized federated learning settings, it can still be effectively detected by defense methods such as DnC and SPMC. Moreover, SPMC demonstrates better defense effectiveness compared to DnC. Overall, even in the face of advanced attack strategies and PFL method, SPMC is able to maintain the security of the federated system to a considerable extent.

[1] Bad-pfl: Exploring backdoor attacks against personalized federated learning.In Proc. of ICLR, 2025.

[2] Federated optimization in heterogeneous networks. In MLSys, 2020a.

Dear Reviewer 7GF4：

We sincerely thank you for the valuable comments and suggestions. We hope our responses below address your concerns and provide a clearer understanding of our approach and results.

Question

Q1: Theoretical description for shapley value. (Theoretical Claims)

A1: Inspired by the concept of the Shapley value, we define a client’s contribution to its marginal coalition as its marginal contribution. For client $k\in\ N$, the marginal contribution is denoted as $\phi_k(k;\ \Gamma;\ D;\ N)=\mathbb{E}_{\Gamma\sim D^N}[\Gamma(N\setminus{k})-\Gamma({k})]$，where $D^N$ represents the collection of all clients' datasets, and $\Gamma(N\setminus{k})-\Gamma({k})$ captures the model parameter difference between the marginal coalition and local client. We introduce the theorem to demonstrate the role of marginal contribution in identifying malicious clients.

Theorem: Let parameter aggregation function $\Gamma$ be B-Lipschitz with respect to Z. Suppose $D_k$ and $D_p$ are two data distribution over $Z$. Then, for client $k,p\in N$,

$$\phi_k(k;\ \Gamma;\ D_k;\ N)-\phi_p(p;\ \Gamma;\ D_p;\ N)\le2NB·W(D_k,D_p),$$

where $W$ denotes the distributional difference between two data distributions. This theorem measures the marginal contribution changes under two different data distributions. Due to the significant different distribution of malicious clients, the marginal contributions of malicious clients become easier to distinguish.

Q2: Evaluation on large-scale datasets and complex backbone. (Experimental Designs Or Analyses&Other Strengths And Weaknesses)

A2: Based on your suggestion, we have extended our experiments on the CIFAR-100 dataset using ResNet-18 as the backbone. As shown in Table 1, even in more complex models and task scenarios, both DnC and SPMC are able to maintain their defensive effectiveness. However, DnC struggles to achieve a stronger backdoor performance compared to SPMC because of the poor sub-dimensions' information. In addition, due to the increased model complexity and the difficulty of classification tasks, the gradient learning rate on local clients fails to converge, which significantly undermines the RLR's performance of the main task.

Table 1: Comparison with the state-of-the-art backdoor robust solutions on CIFAR-100 dataset using ResNet-18 as the backbone. The malicious proportion is γ=0.3 and the local data poisoned portion is set as 0.3.

Weakness

W1: Explanation for the self-purification part of local updates.

A3: Thank you for the constructive comments. We believe it is important to emphasize the importance of the self-purification. Malicious clients may inject trigger patterns $\tau$ to alter original labels and distort gradient directions, deviating from those of benign clients. To counter this, SPMC introduces a self-purification update mechanism that adjusts local gradients using Equation (9), aligning them with the marginal federation model's knowledge while preserving useful benign local information; As shown in Table 1 of our paper, the self-purification component of local updates effectively preserves benign information and achieves strong defense performance.

W2: What kinds of triggers did the authors use in the experiments?

A4: We use a trigger pattern located at the top-left corner of the image with a size of 2 × 6. The poisoned label is set to class 2. Thank you for your feedback and we will emphasize this point in the final version.

W3: The criteria for selecting Coalitions and the communication cost for the choice of Coalitions.

A5: We thank the reviewer for pointing out this issue. We have added the detailed clarification in our revised manuscript. In fact, each client is associated with a corresponding marginal coalition. For example, for client i, its marginal coalition $S_k$ consists of all online clients excluding client $i$. Therefore, we do not need to spend significant computational resources to select the marginal coalition. As shown in the table 3, SPMC does not introduce significant computational cost on either the server or client side. We will update the detailed discussion in the final version.

Table 3: Computation cost comparison. $n$ refers to the number of online client, $|w|$ represents the scale of network, $|w|_{sub}$ represents the scale of sub-network and $E$ indicates the iteration times of using SVD.

Dear Reviewer VbBm：

Thank you very much for your valuable suggestions—they have provided us with clear direction for further exploring the details of our method. We hope the following responses will address your concerns.

Question

Q1: Lack of support from other experiments. (Experimental Designs Or Analyses)

A1: We will expand to more complex experimental settings and incorporate a wider range of attack types in the final version. Thank you for your suggestion.

Weakness

W1: Evaluation on complex datasets.

A2: We agree with you and have incorporated this suggestion throughout our paper. We have extended our experiments on the CIFAR-100 dataset using ResNet-18 as the backbone. As shown in Table 1, even in more complex models and task scenarios, both DnC and SPMC are able to maintain their defensive effectiveness. However, DnC struggles to achieve a stronger backdoor performance compared to SPMC because of the poor sub-dimensions' information. In addition, due to the increased model complexity and the difficulty of classification tasks, the gradient learning rate on local clients fails to converge, which significantly undermines the RLR's performance of the main task.

Table 1: Comparison with the state-of-the-art backdoor robust solutions on CIFAR-100 dataset using ResNet-18 as the backbone. The malicious proportion is γ=0.3, and the local data poisoned portion is set as 0.3.

W2: Discussion the scenario with attack ratio set to 0.5.

A3: You have raised an interesting concern. We can compare the performance of SPMC under high attack ratio (i.e, γ=0.5) and low attack ratio (i.e, γ=0.3). As shown in Table 2, when the proportion of malicious clients increases to 0.5, it becomes more challenging to identify and mitigate the backdoor attack, as the probability that malicious clients have marginal contributions similar to those of the marginal coalition significantly increases. However, we believe that high attack ratio would be outside the scope of our paper. In real-world deployments of federated learning systems, the proportion of attackers is typically low [1]. Therefore, we focus on attack ratios of 0.2 and 0.3, which are more consistent with commonly observed threat models in practice. In this work, SPMC demonstrates reliable defense performance across multiple task settings, indicating its effectiveness in maintaining the robustness of real-world federated systems.

Table 2: Comparison with different malicious proportion γ on CIFAR-10 dataset with ResNet-18.

W3: Explanation the concept of "margin contribution".

A4: Our method is inspired by the Shapley Value, using marginal contribution to measure each client’s impact on the overall federation in federated learning. In the SPMC approach, we estimate a client’s marginal contribution by simplifying the calculation of its influence on the coalition formed by the remaining clients. The server then reallocates aggregation weights based on these contributions, increasing the influence of benign clients while reducing that of malicious ones. On the client side, marginal contribution is used to guide local gradient adjustments, ensuring the update direction aligns with global knowledge and preventing interference from malicious data. This approach effectively identifies and mitigates the impact of attackers, enhancing the security and robustness of the federated learning system. We will add the detailed explanation this in our final version. Thank you for the comment.

W4: The color contrast in the article is not strong enough.

A5: We will make the necessary adjustments in the corresponding sections. Thank you for your feedback.

[1] Back to the drawing board: A critical evaluation of poisoning attacks on federated learning. arXiv abs/2108.10241.

Dear Reviewer hJgY：

Thank you for your valuable feedback and for your time reviewing our work. We hope our responses below help clarify the issues and update the score.

Weaknesses

W1: Missing an explanation why the combination of LGAlign and MCAgg leads to better performance.

A1: For our method, LGAlign represents the local update process. Specifically, it ensures that the update gradients of local clients remain aligned with the general knowledge of the edge federation, thereby preventing attackers from fitting malicious outcomes. As for MCAgg, it represents the server aggregation process. It encourages the positive influence of clients that contribute significantly to the edge federation, while suppressing the malicious impact of those with relatively small marginal contributions. The combination of LGAlign and MCAgg not only prevents local malicious gradients from steering the global update, but also promotes the influence of benign clients through inter-client interactions on the server side. We have rewritten this part to be more in line with your comments. We hope that the edited section clarifies the reason for the combination of LGAlign and MCAgg.

W2: The reason for choosing cosine similarity to measure Γ (N{n}) − Γ ({n}).

A2: Thank you for your helpful feedback. We have included a new table to further illustrate the effectiveness of cosine similarity. We used cosine similarity, Euclidean distance, and Wasserstein distance as evaluation metrics to measure Γ (N{n}) − Γ ({n}). As shown in Table 1, cosine similarity proves to be the most suitable metric. In SPMC, cosine similarity is chosen primarily because it effectively measures the directional difference between two vectors, rather than their magnitude (as in Euclidean distance) or the divergence between probability distributions (as in Wasserstein distance). In the model parameter space, this allows for the evaluation of directional consistency among client updates, which is particularly important for identifying malicious attackers. Malicious clients often train their local models on poisoned datasets, resulting in update directions that deviate significantly from those of benign clients. We will supplement this experiment along with the corresponding explanation in the final version. Thank you for your feedback again.

Table 1: Comparison with evaluation metrics on CIFAR-10 dataset with malicious proportion γ=0.3. We use the trade-off V to evaluate the performance of different evaluation metrics.

W3: Explanation of hyperparameter λ in non-proxy distillation.

A3: We thank the reviewer for pointing out this issue. Specifically, Equation (9) in the paper is as follows:

$$G_{locgrad} = \begin{cases} G_d, & \text{if } G_d \cdot G_g \geq 0, \\\\ G_d - \lambda \cdot \frac{G_d \cdot G_g}{\|G_g\|^2} G_g, & \text{otherwise}. \end{cases}$$

where $G_g$ represents the general knowledge between client and its marginal coalition, $G_d$ represents the local knowledge and $G_{locgrad}$ denotes the final local updated gradient. Next, we analyze the role of hyperparameter λ when $G_d \cdot G_g < 0$. When λ=1, the formula becomes $G_{locgrad} = G_d -\frac{G_d \cdot G_g}{\|G_g\|^2} G_g$. At this point, $G_{\text{locgrad}}$ is orthogonal to $G_g$, as shown by the following derivation:

$$\begin{aligned} G_{locgrad} \cdot G_g &= (G_d - \frac{G_d \cdot G_g}{\|G_g\|_2} G_g) \cdot G_g \\\\ &= G_d \cdot G_g - \frac{G_d \cdot G_g}{\|G_g\|_2} \|G_g\|_2^2 \\\\ &= G_d \cdot G_g - G_d \cdot G_g \\\\ &= 0. \end{aligned}$$

When λ>1, we have $G_{locgrad} \cdot Gg>0$. This means the angle between$G_{locgrad}$ and $G_g$ is less than 90°, indicating that their directions are more closely aligned. In this case, the update gradient leans more toward general knowledge, potentially at the cost of missing important local knowledge. As for λ<1, we have $G_{locgrad} \cdot Gg<0$. This means the angle between$G_{locgrad}$ and $G_g$ is more than 90°, indicating that a less noticeable adjustment toward general knowledge, causing the update gradient to stay closer to local malicious knowledge for attacker. The reviewer might have overlooked "Figure 3. Comparison of different λ" in our original manuscript. To further clarify, we present a comparison of different λ values again in Table 2. We sincerely appreciate your constructive suggestion, and we will include the corresponding derivation and explanation in the revised version.

Table 2: Comparison with different lambda on CIFAR-10 dataset with malicious proportion γ={0.2, 0.3}. We use the trade-off V to evaluate the performance of different lambda.