Get Rid of Your Trail: Remotely Erasing Backdoors in Federated Learning

Abstract

Federated learning (FL) enables collaborative learning across multiple participants without exposing sensitive personal data. However, the distributed nature of FL and unvetted participants’ data makes it vulnerable to backdoor attacks . In these attacks, adversaries selectively inject malicious functionality into the centralized model during training, leading to intentional misclassifications for specific adversary-chosen inputs. While previous research has demonstrated successful injections of persistent backdoors in FL, the persistence also poses a challenge, as their existence in the centralized model can prompt the central aggregation server to take preventive measures for penalizing the adversaries. Therefore, this article proposes a method that enables adversaries to effectively remove backdoors from the centralized model upon achieving their objectives or upon suspicion of possible detection. The proposed approach extends the concept of machine unlearning and presents strategies to preserve the performance of the centralized model and simultaneously prevent over-unlearning of information unrelated to backdoor patterns, making adversaries stealthy while removing backdoors. To the best of our knowledge, this is the first work exploring machine unlearning in FL to remove backdoors to the benefit of adversaries. Exhaustive evaluation considering various image classification scenarios demonstrates the efficacy of the proposed method for efficient backdoor removal from the centralized model, injected by state-of-the-art attacks across multiple configurations.