MARS: A Malignity-Aware Backdoor Defense in Federated Learning

We sincerely thank the Reviewer xuCv for the valuable feedbacks, and we hope our responses are helpful to address your concerns. We are more than happy to discuss if there is still something unclear.

Authors should consider to specify the adversarial settings concerning different malicious learning rates and the number of training rounds.

Our experiments follow the setup used in 3DFed, with the malicious learning rate set to 0.1 and the malicious training rounds set to 15, ensuring that 3DFed achieves its maximum attack effectiveness. However, in response to the reviewer’s concerns, we have also varied the malicious learning rate and malicious training rounds following the settings in BackdoorIndicator. As shown in the two tables below, MARS consistently provides robust protection across all configurations.

Tab. 4-1 Performance under different malicious learning rate

Tab. 4-2 Performance under different malicious training round

Authors should consider other backdoor training methods, like Neurotoxin and Chameleon, which are proved to be more stealthy against various backdoor detection mechanism in the BackdoorIndicator paper.

Since both the BackdoorIndicator and Chameleon papers consistently demonstrate that Chameleon outperforms Neurotoxin in attack effectiveness, here we only include the evaluation under Chameleon attack. However, we will discuss both attacks in the related work section. As shown in the table below, MARS effectively defends against Chameleon, achieving performance levels nearly equivalent to FedAvg in a non-adversarial scenario. This fully demonstrates the generalizability of our BE/CBE method, which can effectively handle a variety of backdoor attacks.

Tab. 4-3 Performace under Chameleon

Authors should also move the discussion part on the non-IID degree to the main paper, as it is a important aspect for advanced backdoor defense mechanisms.

Thank you for your suggestions. We will make every effort to move the discussion on the non-IID degree to the main paper.

Dear Reviewer xuCv,

We hope our rebuttal has answered your questions and clarified the concerns. Please kindly let us know if there are additional questions we should address, before the interactive rebuttal system is closed.

Thank you and happy weekend.

1. I dont think MultiKrum is an advanced defense mechanism. Instead, it is quite naive as it only rules out updates that are larger than others in L2 norm. And of course, when the FL is about to converge, benign updates have small norms, while adversaries could only craft poisoned updates with large norms as they have to learn a new task. In such cases, MultiKrum can definitely have good performance. However, one can easily evade the detection of MultiKrum by crafting backdoors that are statistically close (lets say in L2 norm) to benign ones. And, authors may need to know that one of the hardest parts of a successful backdoor defense mechanism is about how to identify backdoor updates among statistically close benign updates.
2. When designing a backdoor attack method, adversaries could surely choose when to inject backdoor updates (either in the early stages or late stages). And injecting backdoors in near-convergence stages is also easier for defense mechanisms to detect. But when considering a defense mechanism, you need to assume backdoor injection could happen anytime during the training process.
3. How can you obtain a pre-trained model for CIFAR10, CIFAR100 datasets? What are the datasets on which the pre-trained model is pre-trained? If you could manage to have a so-called near convergence pre-trained model, then why do you even need Federated Learning?
4. Authors mention LLM to address the reasonability of pre-trained models. It is unconvincing because all experiments are conducted on CV tasks, not even discriminative language models.
5. Conducting experiments for only 30 rounds is too short. Backdoorindicator evaluates the defense performance for 250 rounds.

These will be my final comments, and I have updated my ratings accordingly.

We sincerely thank the Reviewer SEZk for the appreciation of our paper in terms of Soundness (3: good), Presentation (4: excellent), and Contribution (3: good), as well as the positive rating (6). We also greatly appreciate the valuable suggestions provided by the reviewer, and we hope our responses are helpful to address your concerns. We are more than happy to discuss if there is still something unclear.

Could the authors provide specific details on how they compute or estimate these constants for different layer types (e.g., convolutional, fully-connected) in their experiments?

Assume that a certain subnetwork $f$ (for convenience, we omit the layer index $l$) is linear, i.e., $f(x) = W x + b$. According to the definition of the Lipschitz constant, $\|\|f\|\|_{\text{Lip}} = \underset{\Delta x \neq 0}{max} \frac{\|\|f(x + \Delta x) - f(x) \|\|_2}{\|\|\Delta x\|\|_2} = \underset{\Delta x \neq 0}{max} \frac{\|\|W \cdot \Delta x\|\|_2}{\|\|\Delta x\|\|_2}$. The rightmost part of this equation is precisely the spectral norm of the matrix $W$, which can be computed using Singular Value Decomposition (SVD). Specifically, we decompose matrix $W$ into the product of three matrices: one orthogonal matrix, one diagonal matrix, and another orthogonal matrix.

The largest element in the diagonal matrix is the spectral norm of $W$, i.e., $\|\|f\|\|_{\text{Lip}}$. In PyTorch, the Lipschitz constant can be easily computed using torch.svd(weight)[1].max(). For fully-connected layers, we can directly apply the above method. For convolutional layers, we approximate them as linear, and then reshape the weight tensor into a matrix form. The spectral norm of the reshaped matrix is used as an approximation to the original spectral norm. For batch normalization (BN) layers (assuming the BN transformation is $y = \frac{x - \mu}{\sigma} \cdot \gamma + \beta$), we use $\|\frac{\gamma}{\sigma}\|$ to estimate the Lipschitz constant, as it reflects the maximum possible scaling of the input variation after passing through the BN layer, which aligns with the core purpose of the Lipschitz constant. Additionally, to enhance the reproducibility of MARS, we will open-source the code as soon as the paper is accepted.

How to make sure the selected clients are not all malicious? If fail to guarantee, then does the clustering method still work? Please discuss potential limitations or failure modes if this assumption does not hold, or analyze the impact on the defense mechanism if this assumption is violated.

As pointed out in “Back to the Drawing Board: A Critical Evaluation of Poisoning Attacks on Production Federated Learning” (IEEE S&P 2022), the attacker ratio is typically low in real-world scenarios, so we have not considered cases where all selected clients are malicious. In our experiments, to control the attacker ratio precisely, we followed the CerP setup by randomly selecting a set proportion of clients from both benign and malicious groups. For example, with a 60% attacker ratio, we randomly select 12 attackers and 8 benign clients, ensuring that not all selected clients are malicious. If we were to consider such a scenario, adaptive client selection could be a promising approach. Specifically, selecting clients based on their historical performance could significantly reduce the probability of malicious clients participating in FL rounds.

It is evident that MARS outperforms other defenses against attacks, especially the 3DFed attack. Yet, for the other two attacks, there are defenses that work similarly to MARS (metric-wise). Why is this the case? The authors should provide more insights.

Good consideration! Some defenses, such as Multi-Krum, RFLBAT, and FLAME, do indeed perform similarly to MARS against MRA and CerP attacks. This is because, in MRA, no constraints are applied when training the backdoor models. Furthermore, to ensure that a small number of attackers dominate, MRA applies a scaling factor of 5 to all local updates. Consequently, the backdoor models become out-of-distribution (OOD) relative to the benign ones, enabling these OOD detection-based defenses to effectively identify them. Although CerP introduces constraints on the magnitude and direction of backdoor updates, it may struggle to find the optimal balance. This can result in either insufficient or overly strict constraints, causing the backdoor updates to deviate significantly from the overall model distribution and thus become outliers detectable by these defenses. In contrast to these two attacks, the innovation of 3DFed lies in its indicator mechanism, which detects whether the backdoor models from the previous round have been accepted by the central server, enabling it to dynamically adjust its poisoning strategy. This dynamic adaptation makes all existing defenses ineffective against 3DFed.

Dear Reviewer SEZk,

We hope our rebuttal has answered your questions and clarified the concerns. Please kindly let us know if there are additional questions we should address, before the interactive rebuttal system is closed.

Thank you and happy weekend.

The experiments assume an attacker rate of 20%, a condition that might not reflect realistic scenarios. How does MARS perform with varying attacker ratios and data poisoning rates?

The 20% attacker rate is just the default setting. In fact, Table 5 in the original paper already evaluates MARS's performance as the attacker rate varies from 0% to 95%. The impact of data poisoning rate on MARS is shown in the table below. It can be seen that MARS performs well across various levels of data poisoning rates.

Tab. 2-4 Performance with varying data poisoning rates

Does MARS require a high proportion of malicious clients to be effective, or can it detect backdoored models with a small number of attackers?

No. MARS directly perceives the degree of malignity in local models, independent of the proportion of attackers. As shown in Table 5 of our paper, MARS consistently maintains a high CAD as the attacker proportion varies from 0% to 95%.

How many rounds do attackers participate in, and what is the data poisoning rate?

We follow the experimental setup of 3DFed, allowing attackers to participate in all FL rounds and setting the data poisoning rate to 50%.

Can FLIP be used as a benchmark for comparison with MARS in terms of defense performance?

For the following reasons, we chose not to include FLIP as an additional benchmark; however, we will incorporate a discussion of FLIP in the related work section. First, our paper already evaluates nine SOTA defenses, including the latest approach, BackdoorIndicator, published at Usenix Security 2024, which sufficiently demonstrates the superiority of MARS. Second, FLIP requires trigger inversion to be performed on benign clients. However, in practical applications, it is difficult to identify benign clients in advance. Furthermore, executing defenses on the client side exposes the defense strategy to attackers, allowing them to dynamically adjust their attacks to circumvent FLIP. Third, as shown in the original FLIP paper and in Snowball (Resisting Backdoor Attacks in Federated Learning via Bidirectional Elections and Individual Perspective, AAAI 2024), FLIP results in a 5%-10% decrease in model accuracy, which is unacceptable in real-world industrial scenarios where high accuracy is critical. In contrast, MARS has almost no impact on model performance.

In some cases, the backdoor energy of benign models may be higher than that of malicious models. How does MARS handle this scenario?

Among all the existing attacks we evaluated, the backdoor energy of benign models is always lower than that of malicious models. However, we did find a scenario that matches the reviewer’s description, where attackers launch an adaptive attack (please refer to “Resilience to adaptive attack” in our paper) by adding a regularization term to reduce the backdoor energy of each neuron, which causes the original version of MARS to mistakenly classify backdoored models as benign. Nevertheless, there is still a significant difference in the CBE distribution between benign and malicious models. We only need to slightly relax the assumption by allowing the attacker proportion to be no more than 50% (in fact, according to DarkFed, the proportion of attackers in real-world scenarios is unlikely to exceed 50%) and then select the larger cluster for aggregation. This modified version is represented as MARS* in Table 3 in our paper. As shown, MARS* effectively handles this scenario.

Under what circumstances does Wasserstein distance-based clustering fail to detect backdoored models, and how might MARS be improved to address these cases?

Clustering failure depends on whether the CBE can accurately capture the malicious features in the model. For example, in the adaptive attack scenario mentioned earlier, the CBE of the backdoored model can even be lower than that of the benign model, leading to the failure of Wasserstein distance-based clustering. We can slightly relax the assumption by allowing the attacker proportion to be no more than 50% and then select the larger cluster for aggregation.

Which version of ImageNet is used in the paper? Is it Tiny ImageNet (200 classes) or the full ImageNet (1000 classes)?

Full ImageNet (1000 classes).

We sincerely thank the Reviewer fHPw for the appreciation of our paper in terms of Soundness (3: good), Presentation (4: excellent), and Contribution (3: good). We also greatly appreciate the valuable suggestions provided by the reviewer, and we hope our responses are helpful to address your concerns. We are more than happy to discuss if there is still something unclear.

A comparison with optimized backdoor attacks, such as A3FL and IBA, is missing.

According to our understand, the "optimized backdoor attacks" mentioned here refer to the optimization of triggers. In fact, CerP, which we evaluated, falls into this category. However, considering the reviewer’s concerns, we are willing to add an additional baseline. Due to the poor quality of the IBA open-source code and the authors' lack of responsiveness to GitHub issues, we were unable to successfully run IBA despite several attempts. Furthermore, we found that none of the 21 citations of IBA have successfully reproduced the method and compared it to existing works. In contrast, the open-source code on A3FL is more robust, and several papers have successfully reproduced it (e.g., "Infighting in the Dark: Multi-Labels Backdoor Attack in Federated Learning"). Therefore, we chose A3FL as the fifth baseline, independent of the MRA, CerP, 3DFed, and Adaptive Attack methods already evaluated in our paper. As shown in the table below, MARS performs well against A3FL.

Tab. 2-1 Performance under A3FL

How applicable might MARS be to FL settings involving text or tabular data?

Good consideration! We have added an evaluation of MARS on the IMDB dataset, using LSTM as the model structure. As shown in the table below, MARS is also applicable to text data, achieving performance comparable to FedAvg in the non-adversarial scenario.

Tab. 2-2 Performance on IMDB dataset

Concern about the computational overhead of MARS.

The aggregation time required by MARS (including BE computation, CBE formation, Wasserstein-based clustering, and the final aggregation to obtain the new global model) is shorter than that of most existing defenses. The table below presents results on the CIFAR-10 dataset with a ResNet-18 model, a total of 100 clients, 20 of whom are attackers, with 20 clients randomly sampled per round. We recorded the average runtime per round for each defense method. As shown, MARS, FedAvg, and FLAME complete aggregation within 7 seconds, while the other six defenses require longer aggregation time, with DeepSight taking as much as 101.69 seconds. The rapid runtime of MARS is achieved through several key tricks. First, we extract the top-$\kappa$% of BE values to form CBE, which significantly reduces the time needed for subsequent Wasserstein-based clustering. Second, we estimate BE values only for convolutional and bn layers, ignoring the fully connected layers that are the most time-consuming. Third, inspired by the work "Rethinking Lipschitzness for Data-free Backdoor Defense" (under review at ICLR 2025), we optimize the computation of the Lipschitz constant using dot product properties. Tab. 2-3 Average runtime per round

Dear Reviewer fHPw,

We hope our rebuttal has answered your questions and clarified the concerns. Please kindly let us know if there are additional questions we should address, before the interactive rebuttal system is closed.

Thank you and happy weekend.

We sincerely thank the Reviewer sSLz for the valuable feedbacks, and we hope our responses are helpful to address your concerns. We are more than happy to discuss if there is still something unclear.

Concerns about the computational and communication overheads of MARS.

MARS does not require clients to upload anything other than model parameters, resulting in no additional communication overhead compared to existing defenses such as FedAvg. In terms of computational overhead, the aggregation time required by MARS (including BE computation, CBE formation, Wasserstein-based clustering, and the final aggregation to obtain the new global model) is shorter than that of most existing defenses. The table below presents results on the CIFAR-10 dataset with a ResNet-18 model, a total of 100 clients, 20 of whom are attackers, with 20 clients randomly sampled per round. We recorded the average runtime per round for each defense method. As shown, MARS, FedAvg, and FLAME complete aggregation within 7 seconds, while the other six defenses require longer aggregation time, with DeepSight taking as much as 101.69 seconds. The rapid runtime of MARS is achieved through several key tricks. First, we extract the top-$\kappa$% of BE values to form CBE, which significantly reduces the time needed for subsequent Wasserstein-based clustering. Second, we estimate BE values only for convolutional and bn layers, ignoring the fully connected layers that are the most time-consuming. Third, inspired by the work "Rethinking Lipschitzness for Data-free Backdoor Defense" (under review at ICLR 2025), we optimize the computation of the Lipschitz constant using dot product properties.

Tab. 1-1 Average runtime per round

The success of BE calculation relies on model parameters, which may vary across neural network architectures, affecting generalizability.

Our experiments cover various model architectures: CNN for MNIST, ResNet-18 for CIFAR-10 and CIFAR-100, and ReXNet for ImageNet. Additionally, following reviewer fHPw's suggestion, we included experiments with an LSTM on the IMDB dataset. MARS performs excellently across all model structures, demonstrating its strong generalizability.

In real-world scenarios, attackers may vary their strategies across rounds, models, and clients, making the BE metric less reliable for identifying such dynamic attacks.

Our evaluated 3DFed to some extent aligns with this scenario. 3DFed uses an indicator mechanism to detect whether the backdoor models from the previous round was accepted, and then dynamically adjusts the training strategy for the current round. However, in light of the reviewer’s concerns, we further introduced a new attack method, named Dyn-Attack. Specifically, each attacker randomly selects one of four strategies: 3DFed, CerP, MRA, or no attack. As shown in the table below, MARS performs comparably to FedAvg in the non-adversarial scenario.

Tab. 1-2 Performance on Dyn-Attack

The paper assumes all clients use the same model architecture, allowing consistent BE and CBE calculations.

At no point in our paper do we claim that MARS requires all clients to use the same model architecture. Although many existing defenses indeed rely on this assumption—such as Multi-Krum, which requires calculating the Euclidean distance between each pair of local models, and FoolsGold, which calculates cosine similarity between pairs of local models—these defenses cannot function if the models differ structurally. In contrast, MARS can effectively handle heterogeneous model architectures. This is because, when clustering CBE values, MARS employs the Wasserstein distance as a metric, as shown in Eq. (5) in our paper. The Wasserstein distance measures the distance between two distributions, so even if heterogeneous model architectures lead to differences in CBE dimensionality, MARS can still perform clustering to distinguish benign models from backdoor models.

For instance, consider the toy example in the paper: assume that $L1=[1,3,4,6]$ (originally $L1=[1,3,4,5,6]$, with the last hidden layer removed due to model heterogeneity) and $L2=[5,5,2]$ (originally $L2=[5,5,4,3,2]$, with the last two hidden layers removed) are the CBEs of backdoor models, while $L3=[1,1,1,1,1]$ (the complete model) is the CBE of a benign model. According to Eq. (5), we obtain $wass(L1, L2)=1.17$, $wass(L1, L3)=2.50$, and $wass(L2, L3)=3.00$, allowing us to cluster the more similar $L1$ and $L2$ together.

Sensitivity analysis about $\kappa$ and $\epsilon$.

Our original submission already includes these experiments, which were placed in Appendix A.6 (SENSITIVITY TO HYPERPARAMETERS) due to space constraints.

While the paper demonstrates effectiveness on standard datasets, I expect to see evaluations on larger, more complex datasets like ImageNet to assess scalability.

Our original submission already evaluated the scalability of MARS on ImageNet (full ImageNet with 1,000 classes). Please refer to Appendix A.7 (PERFORMANCE ON IMAGENET) for details.

How does MARS handle scalability in large federated networks (e.g., with thousands of clients)?

MARS's accurate estimation of backdoor energy enables it to exhibit exceptional backdoor detection capabilities, providing effective protection even in scenarios with thousands of clients. We consider a setup with 1,000 clients, 200 of whom are attackers, and the central server randomly selects 100 clients per round. As shown in the table below, MARS is still able to defend against SOTA backdoor attacks.

Tab. 1-3 Performance in 1000 clients scenario

Could the BE/CBE method be extended to detect other attack types, such as data poisoning or Byzantine attacks?

Although our paper primarily focuses on backdoor defense in FL, we believe the BE/CBE method also holds potential for resisting Byzantine attacks. Byzantine defense is essentially an anomaly detection problem in high-dimensional data. One common defense approach is to extract key information from local models to obtain low-dimensional representations, which facilitate the subsequent calculation of anomaly scores or clustering. The process of calculating BE/CBE is essentially about extracting representations from local models that can distinguish benign models from malicious ones. Therefore, we intuitively believe that BE/CBE is not limited to backdoor defense scenarios and, with further improvements, could potentially be applied to Byzantine defense. We leave it as our future work.

Dear Reviewer sSLz,

We hope our rebuttal has answered your questions and clarified the concerns. Please kindly let us know if there are additional questions we should address, before the interactive rebuttal system is closed.

Thank you and happy weekend.