Papers
Topics
Authors
Recent
Search
2000 character limit reached

Coward: Federated Backdoor Defense

Updated 3 July 2026
  • Coward is a proactive defense method in federated learning that uses collision-based OOD watermarking to detect and neutralize backdoor attacks.
  • It exploits a multi-backdoor collision effect by sequentially implanting distinct triggers to suppress adversarial mappings in client updates.
  • Experimental evaluations on benchmarks like CIFAR-10 demonstrate Coward’s high true-positive rates and low false-positive rates even under non-i.i.d conditions.

In federated learning, the integrity of the global model is threatened by backdoor attacks, in which adversarial clients upload poisoned model updates that induce the model to misclassify specific data containing malicious triggers. "Coward" is a practical, proactive defense method designed to robustly detect and neutralize such backdoor attacks in federated learning, particularly under realistic non-i.i.d. data distributions and adversarial adaptive strategies. Coward exploits a novel multi-backdoor collision effect, operationalized via collision-based out-of-distribution (OOD) watermarks systematically injected and evaluated during the federated training process (Li et al., 4 Aug 2025).

1. Threat Model and Prior Defense Limitations

Federated learning (FL) orchestrates learning over KK clients for TT rounds, using variants of FedAvg. In each round tt, a subset StS^t of clients receives the current global model wtw^t, locally trains, and submits updates Δwkt\Delta w_k^t. The server aggregates:

wt+1=wt+∑k∈StNk∑j∈StNjΔwktw^{t+1} = w^t + \sum_{k \in S^t} \frac{N_k}{\sum_{j \in S^t} N_j} \Delta w_k^t

Attackers, controlling a minority of clients, inject backdoors by partially poisoning their local data with a trigger tat_a, inducing the mapping x⊕ta↦ya≠ytruex \oplus t_a \mapsto y_a \ne y_{\rm true}. The defender (server) lacks access to private client data but is permitted to modify broadcasted models and perform OOD evaluations.

Limitations of passive defenses (clustering, outlier filtering: MultiKrum, Foolsgold, FLAME, etc.) are pronounced in realistic FL scenarios, as non-i.i.d. data and random participation amplify benign variability, causing high false-positive rates and sensitivity collapse ("non-i.i.d. blurring").

Existing proactive defenses (e.g., BackdoorIndicator) inject server-side OOD mappings and compare class-wise OOD prediction accuracy, but deep models exhibit extreme OOD-prediction bias, leading to benign clients breaching thresholds and unpredictable false positives.

2. Multi-Backdoor Collision Principle

The core empirical observation underlying Coward is that sequential implantation of two distinct backdoors (triggers t1t_1, TT0 with targets TT1) provokes a strong suppression of the earlier mapping by the latter—a "collision" effect far exceeding ordinary fine-tuning drift.

Formally, if TT2 is the attack success rate for TT3 after its placement, and TT4 is the ASR after subsequent backdoor-2 injection, then:

TT5

The effect is attributed to the superposition of conflicting gradient fields in the OOD feature region, resulting in rapid and robust erasure of prior backdoor mappings. This mechanism enables detection based on monitoring the fate of a global server-injected watermark under client-side updates.

3. Collision-Based OOD Watermarking Mechanism

Coward injects a global watermark—an OOD backdoor—whose persistence or erasure can be used to discriminate benign from malicious updates.

3.1 Regulated Base OOD Mapping

A deterministic mapping TT6 is established between OOD and target class spaces. The server constructs a planting set TT7 from OOD data, minimizing:

TT8

where CE is cross-entropy loss, promoting stability and controllability of OOD predictions.

3.2 Targeted Watermark Mapping

A fraction TT9 of tt0 is selected; each sample is augmented with a trigger tt1 and relabeled to a unique server-selected target tt2. The server minimizes:

tt3

Both losses are combined for a small number of OOD-only steps before each round:

tt4

Here, tt5 regularizes deviation from the current global state, and OOD-specific BatchNorm statistics are managed to isolate the operation.

4. Client-Side Dynamics and Watermark Collision

Benign clients minimize standard supervised cross-entropy over their local data:

tt6

Malicious clients extend this with a backdoor loss on their poisoned partition:

tt7

Critically, when tt8, attacker-induced gradients conflict with the server’s watermark, rapidly erasing the watermark (empirically, watermark accuracy reduces to zero). Thus, the presence/absence of the watermark in returned models serves as a reliable indicator of attack.

5. Detection Framework and Aggregation Rule

After receiving a client model tt9, the server evaluates the watermark prediction accuracy:

StS^t0

Clients with StS^t1 (recommended StS^t2=5%) are deemed benign, while those below are flagged as malicious. Only benign clients contribute to the global update:

StS^t3

This test statistic and thresholding scheme directly leverage the multi-backdoor collision mechanism.

6. Experimental Results and Comparative Evaluation

Coward has been comprehensively validated on CIFAR-10, CIFAR-100, and EMNIST, using ResNet-18, with 100 clients, and strong data heterogeneity (Dirichlet StS^t4).

Metrics include true-positive rate (TPR), false-positive rate (FPR), attack success rate (ASR), and benign accuracy (BA). Key findings are summarized below:

Scenario Coward BackdoorIndicator Best Passive Defenses
Non-IID (α=0.3) TPR ≥ 99%, FPR ≤ 9.6% TPR ≈ 93–94%, FPR ≈ 30% TPR < 10%
Advanced Attacks TPR ≈ 98–100%, FPR < 10%, ASR < 10% TPR ≈ 87–93%, FPR 30–50% TPR < 15%
Multi-Attacker (70%) TPR ≥ 100%, FPR < 12%, ASR ≈ 10–11% ASR up to 40% (>50% attackers) Fail

Ablation studies show that Coward's FPR remains below 6% even with noise or highly dissimilar OOD sets, in contrast to FPR > 50% for BackdoorIndicator. Across multiple triggers and thresholds, Coward sustains TPR > 96.5% and practical FPR < 17.3%. One iteration of watermarking already achieves TPR = 100%, FPR ≈ 12%.

7. Adaptive Strategies, Overheads, and Extensions

Coward demonstrates resilience against adaptive attackers such as the Periodic Guessing Attack, in which adversaries attempt to preserve the watermark by guessing server triggers and targets. Even with maximal adaptivity (guessing every round), the global ASR remains below 25% (versus >90% without defense), and such attempts destabilize attacker performance due to local collision contradictions.

The method incurs negligible overhead, using only five OOD optimization iterations per round. Hyperparameters are robust to broad variation: planting set size = 1000, StS^t5 = 20%, StS^t6 = 0.3, StS^t7 = 5%. Future directions include fine-grained or dynamic watermarks (class/sample-specific, per-round, or per-client), and multi-metric detection strategies that can integrate OOD base retention with collision erasure.

Coward establishes a robust, proactive, and practical line of defense against federated backdoor attacks, based on fundamental advances in characterizing and exploiting destructive interference among neural backdoors (Li et al., 4 Aug 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Coward.