Strengthening Federated Learning: Surrogate Data-Guided Aggregation for Robust Backdoor Defense

Q1: Could you clarify the significance of the theoretical result?

Ans for Q1): The defined statistical robustness refers to the expected distance from each sample to the closest adversarial example. Therefore, it is always greater than 0. For robust classifiers, we want the lower bound of their statistical robustness to be as large as possible. The theoretical result proves the lower bound of models trained according to the proposed objective. For classifiers without special defenses, backdoor attacks allow adversarial examples to be found for any sample with only minor modifications, resulting in very low statistical robustness.

Q2: Can you provide results from more recent defense baselines?

Ans for Q2): Thanks for your comments. Due to time constraints, we will discuss and compare with more SOTA methods in the revised paper.

Q3: Can you explain why you construct the surrogate data by passing noise through an untrained GAN? Is there a simpler way of doing this?

Ans for Q3): In Appendix E.4, we employ two additional generated datasets to replace the original surrogate dataset produced by StyleGAN, including one generated by a simple CNN and another generated by upsampling pure Gaussian noise. The experimental results indicate that all three methods can provide powerful defense capabilities to the server, with the surrogate data generated by Style-GAN performing slightly better in most cases.

Q4: Can you please explicitly explain in the paper what happens after model filtering?

Ans for Q4): After model filtering, malicious models do not participate in subsequent aggregation. Following your valuable comments, we have added the above explaination to our revision.

Q1: What is SuDA's sensitivity to the hyperparameter $\lambda=0$ in Table 15? Were any automated methods for tuning this parameter considered?

Ans for Q1): The results in Table 15 demonstrate that SuDA is not sensitive to the align weight $\lambda$, and it can achieve good performance within a wide range of $\lambda$. In our experiments, the parameter $\lambda$ is set to a default value of 1.

Q2: How does SuDA address non-iid data distributions among clients? Are there any assumptions or strategies for handling this challenge within the defense framework?

Ans for Q2): SuDA introduces surrogate data and aligns feature distributions. On one hand, it increases the amount of training data and reduces the imbalance between labels in the training data. On the other hand, aligning the feature distributions reduces client drift. Therefore, SuDA performs well in the Non-IID setting.

Q3: What is the value of $n_k$ in the aggregation phase when clients use surrogate data?

Ans for Q3): The size of the surrogate dataset in our experiments is 2000. We also conduct ablations on the sensitivity of the size of the surrogate dataset and report results in Table 10.

Q4: Explore other distance metrics and experimental settings.

Ans for Q4): Thanks for your comments. Due to time constraints, we will discuss and compare with more settings in the revised paper.

Q1: The inclusion of surrogate data and trigger reconstruction introduces additional computational and communication overhead, which may limit scalability, particularly in resource-constrained FL setups.

Ans for Q1): In Appendix E.9, we discuss the additional overhead introduced by the proposed method and further present a more efficient SuDA-Efficient, making the additional overhead acceptable.

Q2: How well does SuDA handle backdoor attacks that dynamically change over time rather than using a fixed trigger pattern?

Ans for Q2): In the proposed SuDA, triggers are independently reconstructed in each round based on the submitted local models. As long as the model has been affected by a backdoor attack, its trigger can be reconstructed, regardless of whether the trigger dynamically changes during the process.

Q3: The defense’s effectiveness relies on hyperparameters such as the alignment parameter for feature distribution. Tuning may be complex and environment-dependent.

Ans for Q3): The results in Table 15 demonstrate that SuDA is not sensitive to the align weight $\lambda$, and it can achieve good performance within a wide range of $\lambda$. In our experiments, the parameter $\lambda$ is set to a default value of 1.

Q4: Using surrogate noise data in model training could potentially degrade the performance of benign models.

Ans for Q4): Directly introducing surrogate data that differs from the true data distribution during training can indeed potentially degrade the performance of benign models. As detailed in Section 4.3, SuDA addresses this issue by aligning feature distributions, and subsequent experiments validate the effectiveness of this method.

Q5: Could SuDA be adapted to settings with non-image data, like natural language or time-series data?

Ans for Q5): Adapting SuDA to settings with non-image data is an interesting problem, we leave it for future work due to the time limitation.

Q1: The authors should discuss and compare with more SOTA methods.

Ans for Q1): Thanks for your comments. Due to time constraints, we will discuss and compare with more SOTA methods in the revised paper.

Q2: The overview of SuDA in 4.1 referred equations that are not introduced previously, which may cause confusion.

Ans for Q2): In Section 4.1, we introduce the SuDA framework to provide readers with an overall understanding of the proposed method before delving into the details. The equations cited in Section 4.1 are also explained in detail in the subsequent sections.

Q3: Observation 4.1 is provided without any empirical results validating it.

Ans for Q3): In Figure 2, we present potential triggers for the target label (second column) and non-target labels (third column) reconstructed from poisoned data. We can observe that the potential triggers corresponding to the target label are significantly fewer than those corresponding to non-target labels, which validates our observation.

Q4: Eqn 3 cannot cover all types of triggers. For example, it cannot represent the trigger that only changes a small region in bottom right corner, as all pixels in x_posion will be changed.

Ans for Q4): Equation 3 can represent the proposed trigger type. It only requires setting the small region corresponding to the trigger in $M$ to 1, while setting the rest of the area to 0.

Q5: Why the surrogate dataset is generated by Style-GAN rather than a more simpler model. Is there a specific reason?

Ans for Q5): In Appendix E.4, we employ two additional generated datasets to replace the original surrogate dataset produced by StyleGAN, including one generated by a simple CNN and another generated by upsampling pure Gaussian noise. The experimental results indicate that all three methods can provide powerful defense capabilities to the server, with the surrogate data generated by Style-GAN performing slightly better in most cases.

Q6: Why the surrogate data share the same labels with training data? Can they have total different label set?

Ans for Q6): Surrogate data share the same labels as the training data because we want the surrogate data to represent the real data and align their feature distributions. If their label sets are different, the feature distributions cannot be effectively aligned.

Q7: What is the definition of \alpha in 5.1?

Ans for Q7): $\alpha$ is the parameter of the commonly used Non-IID partition method Latent Dirichlet Sampling.