Parameter Disparities Dissection for Backdoor Defense in Heterogeneous Federated Learning

Response to Reviewer AqVq

Dear Reviewer AqVq:

We thank the reviewer for the appreciation and valuable comments. We are pleased you found our paper well-organized and our literature review comprehensive. Your recognition of our novel approach and its effectiveness in various scenarios is encouraging. We aim to address your concerns in detail below.

Weakness

W1: In page 6, the authors discuss the clustering methods in the cooperative cluster module and compare them with K-Means and DBSCAN. But it is unclear how these methods are achieved, e.g., how the authors choose the hyper-parameters.

A1: In our study, we compare both K-Means and DBSCAN. For K-Means, it iteratively assigns points to a fixed number of groups and focuses on partitioning the observed samples into k clusters. Each instance belongs to the cluster with the nearest cluster center, thereby minimizing within-cluster variances. We set the cluster center scale to 2 for the benign and malicious groups. As for DBSCAN, it is a density-based clustering algorithm that identifies densely packed areas of data points and distinguishes them from sparser, noise-labeled regions. DBSCAN operates with two primary hyperparameters: eps, the maximum distance between two points for one to be considered in the neighborhood of the other, and min_samples, the minimum number of points required to form a dense region. For our experiments, we selected eps = 0.05 and min_samples = 1. We will add the introduction and hyperparameter details in the manuscript!

W2: For Figure1, whether this Client parameter importance degree similarity would be affected in the large client scale.

A2: The similarity in client parameter importance degree is calculated based on client distribution behaviors, ie., benign and malicious intents, and thus remains unaffected by the scale of client participation. We further validate this through experiments conducted on the Cifar-10 dataset ($\beta=0.5$) involving 15 clients, which includes eleven normal participants and four backdoor attackers, as shown in the following table. The results demonstrate a distinct difference in the client parameter importance between benign and malicious clients.

Table: The similarity matrix for client parameter importance reveals significant parameter importance differences between benign and malicious groups. Experiments were conducted on the CIFAR-10 dataset ($\beta=0.5$) with four backdoor and eleven benign clients. We measured the parameter importance based on the Fisher Information.

Response to Reviewer 7qoM

Dear Reviewer 7qoM:

Thank you for your thoughtful review. We appreciate your recognition of our innovative use of Fisher Information in our method, the dual approach of client selection and parameter aggregation, and its robustness across various scenarios. We aim to address your concerns in our detailed responses below, hoping to provide clarity and demonstrate the effectiveness of our proposed approach.

Weakness

W1: Long-term Stability: The long-term stability of the FDCR method over multiple communication rounds is not fully evaluated. It is important to assess whether the method remains effective as the federated learning process continues over many iterations.

A1: We acknowledge the importance of evaluating the long-term stability of our method over multiple communication rounds. To address this, we have conducted extensive experiments to assess the effectiveness of our method over an extended number of iterations, i.e., 100 epochs. Our results, as shown in the following table, demonstrate that the FDCR method maintains robust backdoor defense capabilities across different datasets and varying degrees of data heterogeneity. We will update the experimental results in the final version!

Table: Comparison with the state-of-the-art backdoor robust solutions: in Cifar-10, Fashion-MNIST, and USPS scenarios with skew ratio $\beta=0.5$ and malicious proportion $\Upsilon=20\%$. A and R mean federated benign performance and backdoor failure rate. V measures the heterogeneity and robustness trade-off.

W2: Clustering Description: Although authors provide a full comparision for different clustering methods. But the selected cluster method (Finch) is not thoroughly introduced. This could make readers feel confused. The authors should provide a clear descprition of how to use the Finch in your method.

A2: The selected clustering method, Finch, considers the nearest neighbor of each sample as sufficient support for grouping and implicitly selects characteristic prototypes, as prototypes from different domains are less likely to be first neighbors. In our work, we use the Euclidean metric to evaluate the distance between any two client gradient update discrepancies and view the weight with the minimum distance as its “neighbor”, sorting it into the same set. After clustering, we regard the group with the maximum mean weight as the malicious clients and then eliminate their aggregation weights for backdoor defense in heterogeneous federated learning. In our final version, we will provide a comprehensive description of the selected cluster method.

Response to Reviewer oCkz

Dear Reviewer oCkz:

Thank you for affirming our work and raising insightful questions. We are pleased you found our method novel and effective, leveraging Fisher Information to quantify parameter importance and reweight client updates. We appreciate your acknowledgment of its practical applicability and faster, more stable convergence rates.

Weakness

W1: More details about Data Heterogeneity can be provided in Section 4.1.

Thank you for your advice. Regarding data heterogeneity, we focus on generating non-independent and identically distributed (non-IID) distributions among clients. In our work, we draw $p_c \sim Dir_c (\beta)$ from the Dirichlet distribution and allocate a $p_{c,k}$ proportion of the instances of class $c$ to participant $k$, where $Dir(\beta)$ is a concentration parameter controlling the similarity among clients. With this partitioning strategy, increased data heterogeneity results in each party having relatively fewer data samples in some classes. Thus, the smaller the $\beta$ value, the more imbalanced the local distribution. We set $\beta$ to 0.5 and 0.3 for the subsequent experimental comparisons. We will update the details about data heterogeneity to make it easy to understand！

W2: More analysis on the details of the experimental results can be provided to support the conclusion.

Thanks for your suggestion! We provide a comprehensive discussion comparing existing methods with our approach. As data heterogeneity severity and the number of backdoor attackers increase, various methods naturally present a certain degree of defense degradation. Specifically, for Distance Difference Defense methods, such as Multi-Krum and DnC, measure the distance among client updates to identify backdoor attackers. These methods face a significant decrease in defense ability with challenging data heterogeneity, i.e., $\beta=0.3$. Furthermore, statistical distribution defense methods, such as Trimmed Mean and Bulyan, calculate general statistical information to depict normal client behavior, making them sensitive to large scales of malicious attackers. For instance, with a malicious ratio $\Upsilon=30\%$, these methods demonstrate fragile defensive capabilities against backdoor attackers. In contrast, our method leverages inherent network characteristics to measure parameter importance towards agnostic distribution, revealing that benign and malicious clients exhibit distinct degrees of parameter importance. Thus, our method demonstrates stable robustness towards varying data heterogeneity and different scales of backdoor attacks. We will provide a detailed experiment analysis in our final version!

Response to Reviewer M9TV

Dear Reviewer M9TV:

We sincerely appreciate your time and effort in reviewing our paper. Your positive feedback on the novelty of our approach, the clarity of our writing, and the comprehensiveness of our experiments is very encouraging. We are glad that our novel method of addressing the parameter discrepancy between benign and malicious gradients was well-received, and that our writing and experiments were clear and thorough. we hope that our responses below will address your concerns and update the score.

Weaknesses

W1: The computation cost of Fisher information matrix is unclear.

A1: Thank you for the feedback. In our work, we require different clients to calculate the parameter importance based on the local distribution via the Fisher Information [1,2]. To save the computational effort, we follow previous works and approximate the Fisher information matrix as the diagonal matrix, i.e., ${F}_w \in \mathbb{R}^{|w|}$ [3]. Thus, the computation cost complexity for the Fisher information matrix in our methodology is $\mathcal{O}(|w|)$, where $\mathcal{O}$ means complexity degree. We will add computation cost discussion to enhance readability in our revised manuscript!

[1] Fisher, R. A. On the mathematical foundations of theoretical statistics. Philosophical Transactions of the Royal Society of London. Series A, Containing Papers of a Mathematical or Physical Character, 222(594-604):309–368, 1922.

[2] Amari, S. Neural learning in structured parameter spaces-natural riemannian gradient. Advances in neural information processing systems, pp. 127–133, 1997.

[3] Kirkpatrick J, Pascanu R, Rabinowitz N, et al. Overcoming catastrophic forgetting in neural networks[J]. Proceedings of the national academy of sciences, 2017, 114(13): 3521-3526.

W2: Theoretical analysis can better validate the effectiveness of the proposed FDCR.

A2: In our work, we introduce the Fisher Discrepancy Cluster and Rescale, abbreviated as FDCR, to establish the backdoor defense in heterogeneous federated learning. The core insight is to distinguish benign and malicious behaviors based on different parameter importance degrees. We estimate the importance of each parameter using an empirical approximation of Fisher information for each client distribution. The rationale is that Fisher information is proposed to measures the information carried by an observable random variable about the unknown parameters of the distributio. Thus, the Fisher Information Matrix measures parameter importance by quantifying the sensitivity of the likelihood function to parameter changes, capturing the curvature of the likelihood surface, and reflecting the precision of parameter estimates. With respect to our method, we find that benign and malicious clients manifest as noticeable parameter importance discrepancies because they focus on fitting on distinct distribution manners and thus appear different information capabilities for the same parameter elements. Therefore, we employ the Fisher Information to distinguish between benign and malicious distributions based on distinct degrees of parameter importance.

Furthermore, we demonstrate the effectiveness of the proposed method from the communication aspect. Our method conducts backdoor defense from the server side. The server collects the updated client models and corresponding parameter importance matrices to identify client behavior and mitigate the backdoor effect during aggregation. Thus, compared to existing solutions, while our method linearly increases computation cost, it significantly enhances backdoor defense effectiveness, as shown in the following table. We will provide a computation complexity comparison in the final version. Thanks for the advice!

Table: Computation burden comparison on Cifar-10 with $\beta=0.5$ and evil ratio $\Upsilon=0.2$. $w$ refers to the network, $K$ represents client scale, and O indicates complexity degree. A and R mean federated benign performance and backdoor failure rate. V measures the heterogeneity and robustness trade-off.