FedBAP: Federated Backdoor Defense
- The paper introduces FedBAP, which mitigates backdoor attacks by generating trigger-matched perturbations and reducing the model’s reliance on backdoor triggers.
- It optimizes mask and pattern generation alongside benign adversarial perturbation training to ensure robust backdoor suppression while preserving clean accuracy.
- Empirical results on CIFAR-10, CIFAR-100, and Fashion-MNIST demonstrate significant reduction in attack success rates and competitive accuracy compared to existing defenses.
Searching arXiv for FedBAP and closely related federated backdoor defense papers. arXiv search query: "FedBAP federated backdoor defense benign adversarial perturbation" FedBAP is a federated learning backdoor defense that mitigates backdoor attacks by reducing a model’s reliance on backdoor triggers rather than by directly detecting or removing poisoned clients or suspicious updates. It was introduced as “FedBAP: Backdoor Defense via Benign Adversarial Perturbation in Federated Learning” and is organized around three coupled mechanisms: perturbed trigger generation, benign adversarial perturbation training, and adaptive perturbation scaling (Yan et al., 26 Jul 2025).
1. Threat model and design premise
FedBAP addresses the standard federated learning setting in which malicious clients poison local training so that the global model predicts a target label whenever a trigger is present. The defense is motivated by the observation that the server typically cannot inspect raw data or fully audit local training, so backdoors can persist while clean accuracy remains high. The paper states that most existing defenses in federated learning have limited effectiveness because they neglect the model’s over-reliance on backdoor triggers, particularly as the proportion of malicious clients increases (Yan et al., 26 Jul 2025).
The method is explicitly framed against two difficulties. First, many defenses do not reliably identify backdoor features: they rely on anomaly detection, gradient statistics, clustering, or heuristic pruning, while backdoor features are stealthy and adaptive attacks can bypass such criteria. Second, they often trade off defense strength and clean accuracy, especially under non-IID data, where benign client heterogeneity already makes updates highly variable. FedBAP therefore treats the core failure mode as shortcut learning of the form trigger target label and attempts to weaken that shortcut during training rather than to isolate malicious behavior.
This positioning is important for interpreting FedBAP’s scope. It is not primarily an update-filtering method such as Krum, MultiKrum, FLTrust, RLR, FLAME, or FLIP; nor is it formulated as explicit trigger recovery followed by sample cleansing. Its central claim is that a model can be made less exploitable by learning to classify correctly even in the presence of trigger-like perturbations.
2. Trigger-matched perturbation construction
FedBAP begins by constructing a perturbation trigger designed to match the attacker’s trigger in location and size. The trigger is parameterized by a mask and a pattern , and the embedding operator is defined as
Here, specifies the spatial region to modify, while specifies the trigger content (Yan et al., 26 Jul 2025).
The paper motivates this construction through a notion of backdoor distance. For a source class to target class , the trigger difficulty is
and for a backdoor target class , the backdoor distance is
0
For a successful backdoor, the paper states that
1
The intended implication is that an effective backdoor target can be activated with a comparatively small modified region, so FedBAP attempts to learn a compact mask that probes the same decision pathway as the attacker’s trigger.
Mask generation is formulated as the joint optimization of mask and pattern:
2
The first term encourages the trigger to push predictions toward the target class, and the second penalizes large masks. Algorithmically, each client initializes candidate masks and patterns for all target classes, optimizes them on local data, and retains the best mask if it achieves backdoor accuracy above a threshold 3 and has the smallest mask norm seen so far. The server then averages the best masks across clients and binarizes the result with threshold 4.
FedBAP further refines the perturbation via PatternGen. The paper argues that perturbation patterns should maximize their effect in penultimate layer representation (PLR) space, using the bound
5
where 6 are PLRs, 7 are output probability vectors, and 8 is the final-layer weight matrix. PatternGen therefore minimizes cosine similarity between the PLR after applying the trigger and the PLR of the clean input:
9
The effect is to make the triggered representation as different as possible from the clean one, thereby increasing perturbation influence on model behavior (Yan et al., 26 Jul 2025).
3. Benign adversarial perturbation training and adaptive scaling
After trigger construction, FedBAP uses the learned mask and pattern to generate benign adversarial perturbations. These perturbations are not intended to induce misclassification; instead, they are applied to clean samples while enforcing the correct label, so that the model learns that trigger-like features are not predictive of the attacker’s target. The local BAPGen objective is
0
followed by the update
1
The algorithm returns both the updated local model and the average benign adversarial perturbation loss 2 (Yan et al., 26 Jul 2025).
The full workflow is phase-structured around a defense start round 3. The global model 4 and a scaling factor are initialized first. At round 5, MaskGen is run to obtain the shared mask 6, and PatternGen is run to obtain the perturbation pattern 7. For each subsequent round 8, each selected client runs BAPGen using 9, performs normal local training, and uploads both its model update and benign perturbation loss. The server averages the reported losses, updates the perturbation scale by AdaptiveScaling, and aggregates client updates with FedAvg-style averaging (Yan et al., 26 Jul 2025).
Adaptive scaling is the third core mechanism. The paper treats fixed perturbation strength as unstable: if it is too weak, backdoor suppression fades, while if it is too strong, clean accuracy drops. The update depends on a loss ratio 0, a smoothing factor 1, and a step size 2. The loss ratio is
3
and the smoothing factor is a moving average over recent 4 values:
5
The scale update is
6
Empirically, the paper reports that 7 may be insufficient under strong attacks, 8 gives the best tradeoff in the A3FL experiment, and 9 begins to degrade accuracy noticeably (Yan et al., 26 Jul 2025).
4. Experimental protocol and empirical results
FedBAP is evaluated on CIFAR-10, CIFAR-100, and Fashion-MNIST. The principal models are ResNet-18 and VGG-19 on CIFAR-10, and ResNet-18 on CIFAR-100 and Fashion-MNIST. The federated setup uses 100 clients, 10% malicious clients by default, 10% of clients selected each round, non-IID partition with concentration parameter 0 by default, 200 communication rounds, 2 local epochs per round, defense start at round 100, trigger size 1, learning rate 2, and batch size 3. The appendix further reports MaskGen with 100 epochs and learning rate 4, PatternGen with 100 epochs and learning rate 5, BAPGen with 10 epochs and learning rate 6, together with 7 and window size 8 (Yan et al., 26 Jul 2025).
The evaluated attacks are BadNets, LP, and A3FL, with CerP added in the Fashion-MNIST experiments. The comparison baselines are FedAvg, Krum, MultiKrum, FLTrust, RLR, FLAME, and FLIP, with RoseAgg, Snowball, and BackdoorIndicator added for Fashion-MNIST. Evaluation uses three metrics: ABSR, defined as Average Backdoor Success Rate over the last 20 rounds; BBSR, defined as Best Backdoor Success Rate in the last 20 rounds; and ACC, the clean accuracy (Yan et al., 26 Jul 2025).
The abstract reports that FedBAP reduces attack success rates by 0.22%–5.34%, 0.48%–6.34%, and 97.22%–97.6% under three types of backdoor attacks, respectively, and emphasizes particularly strong performance against novel backdoor attacks (Yan et al., 26 Jul 2025). In the non-IID CIFAR-10 and CIFAR-100 results, the reported FedBAP figures include: on CIFAR-10 with ResNet-18 under BadNets, ABSR = 1.55% and ACC = 89.98%; on CIFAR-10 with VGG-19 under BadNets, ABSR = 2.26% and ACC = 87.24%; on CIFAR-10 with VGG-19 under LP, ABSR = 2.84% and ACC = 78.40%; on CIFAR-100 with ResNet-18 under BadNets, ABSR = 0.58% and ACC = 63.12%; and on CIFAR-100 with ResNet-18 under A3FL, ABSR = 2.55% and ACC = 63.05% (Yan et al., 26 Jul 2025).
The Fashion-MNIST experiments report clean accuracies of 90.79% under BadNets, 90.83% under A3FL, and 90.15% under CerP. Across the non-IID settings summarized in the paper, FedBAP generally achieves the lowest ABSR, often the lowest BBSR, and the highest ACC or among the highest ACC values. The IID experiments show the same general trend, and the paper notes that some baselines that are competitive in IID conditions degrade significantly in non-IID settings, whereas FedBAP remains relatively stable (Yan et al., 26 Jul 2025).
5. Ablation, robustness, and operational constraints
The ablation study on CIFAR-10 under BadNets is used to isolate the contributions of Pattern Generation, Benign Adversarial Perturbation, and Adaptive Scaling. The full FedBAP configuration reports BBSR = 2.51, ABSR = 1.55, and ACC = 89.98. By contrast, the variant without Pattern Generation reports BBSR = 98.97, ABSR = 97.28, and ACC = 89.5. The paper also states that removing Adaptive Scaling or other components degrades performance relative to the full method, supporting the conclusion that trigger generation, perturbation training, and scaling control are all functionally necessary (Yan et al., 26 Jul 2025).
Robustness is further examined under stronger attack conditions. When the malicious client proportion is increased from 9 to 0, most defenses degrade sharply, but FedBAP is reported to remain robust: ABSR stays below 3% for BadNets and below 6% for LP and A3FL, while preserving higher ACC than competitors. As data heterogeneity increases, baseline defenses usually deteriorate in both attack suppression and clean accuracy, whereas FedBAP is reported to maintain low attack success with only minor clean-accuracy drop. The method is also highlighted as strong against LP, A3FL, and CerP, which are treated in the paper as more adaptive or stealthy than classical BadNets-style attacks (Yan et al., 26 Jul 2025).
The paper also implies a set of practical constraints. FedBAP requires a defense start round 1 and careful tuning of 2. Perturbation generation introduces additional computation on clients and server. The mechanism is designed and evaluated mainly for synchronous federated learning, and the authors identify asynchronous federated learning and personalized federated learning as future directions. The method can improve clean accuracy due to robust training effects, but the paper also notes the standard scale-selection tradeoff: if 3 is too small, backdoor suppression can weaken, and if it is too large, clean accuracy may drop (Yan et al., 26 Jul 2025).
6. Terminological scope and relation to adjacent literature
The acronym “FedBAP” can be confused with several unrelated federated-learning or distributed-systems topics. In the federated bandit literature, “Federated Multi-Armed Bandits Under Byzantine Attacks” studies federated bandits with Byzantine clients and proposes Fed-MoM-UCB; that paper explicitly states that FedBAP is not a method name used there (Saday et al., 2022). In personalized federated healthcare, FedAP denotes an adaptive batch-normalization-based personalization method rather than a security defense (Lu et al., 2021). In distributed consensus, federated Byzantine agreement systems concern quorum slices, quorum intersection, and intactness analysis, which are consensus-theoretic objects rather than federated backdoor defenses (Gaul et al., 2019).
Within its own line of work, FedBAP is best understood as a trigger-dependence defense. Its distinctive property is not robust aggregation in the usual sense, but the attempt to reshape the representation learned by the global model so that trigger-like features cease to function as a reliable shortcut. The paper’s final one-sentence characterization is exact on this point: FedBAP creates trigger-matched perturbations, uses them for benign adversarial training to break the model’s trigger dependence, and adaptively scales perturbation strength so that backdoors are suppressed while clean accuracy is preserved (Yan et al., 26 Jul 2025).