FedSurrogate: Backdoor Defense in Federated Learning via Layer Criticality and Surrogate Replacement
Authors: Fatima Z. Abacha, Sin G. Teo, Yuanxiang Wu et al.
Summary
FedSurrogate is a defense against backdoor attacks in federated learning—scenarios where malicious participants try to poison a shared model. Instead of simply removing suspected malicious updates (which causes accuracy loss when honest clients are misidentified), the system replaces confirmed malicious updates with downscaled versions from structurally similar benign clients, preserving useful gradient information while neutralizing the attack.
Main takeaways:
- Achieves below 10% false-positive rate across all datasets, compared to 31-32% for the next-best baseline, meaning it rarely misclassifies honest participants as attackers
- Uses layer-adaptive anomaly detection—it focuses on security-critical layers identified through directional divergence analysis rather than examining all parameters equally
- Keeps attack success rates below 2.1% while maintaining better main-task accuracy than existing defenses
- The bidirectional filtering stage both screens trusted clients for contamination and rescues false positives from the suspect pool
Relevance
Not directly related to my work on persona installation. This addresses distributed training security rather than how behaviors are implanted or conditionally triggered within a single model.
Threat model
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, adversarial, evaluation.
Abstract
arXiv:2605.11122v1 Announce Type: new Abstract: Federated Learning remains highly susceptible to backdoor attacks--malicious clients inject targeted behaviours into the global model. Existing defenses suffer from substantial false-positive rates under realistic non-independent and identically distributed (non-IID) data, incorrectly flagging benign clients and degrading model accuracy even when adversaries are correctly identified. We present FedSurrogate, a novel backdoor defense that addresses this limitation by combining bidirectional gradient alignment filtering with layer-adaptive anomaly detection. FedSurrogate performs selective clustering on security-critical layers identified via directional divergence analysis, concentrating the detection signal on a low-dimensional subspace. A bidirectional soft-filtering stage screens trusted clients for residual contamination while rescuing false positives from suspects, substantially reducing misclassifications under heterogeneous conditions. Rather than removing confirmed malicious updates, FedSurrogate replaces them with downscaled surrogate updates from structurally similar benign clients, preserving gradient diversity while neutralising adversarial influence. Extensive evaluations demonstrate that FedSurrogate maintains false-positive rates below 10% across all datasets and attack types, compared to 31-32% for the nearest comparably effective baseline, while achieving superior main-task accuracy and maintaining attack success rates below 2.1% across all tested datasets and attack types under challenging non-IID settings.