{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T18:38:31Z","timestamp":1776883111903,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","funder":[{"name":"Natural Science Foundation of China","award":["62272170"],"award-info":[{"award-number":["62272170"]}]},{"name":"Digital Silk Road Shanghai International Joint Lab of Trustworthy Intelligent Software","award":["22510750100"],"award-info":[{"award-number":["22510750100"]}]},{"name":"Shanghai Trusted Industry Internet Software Collaborative Innovation Center"},{"name":"National Research Foundation, Singapore"},{"name":"Cyber Security Agency under its National Cybersecurity R&D Programme","award":["NCRP25-P04-TAICeN"],"award-info":[{"award-number":["NCRP25-P04-TAICeN"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744883","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"3147-3161","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["FilterFL: Knowledge Filtering-based Data-Free Backdoor Defense for Federated Learning"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-3607-9023","authenticated-orcid":false,"given":"Yanxin","family":"Yang","sequence":"first","affiliation":[{"name":"East China Normal University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5058-4660","authenticated-orcid":false,"given":"Ming","family":"Hu","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1288-6502","authenticated-orcid":false,"given":"Xiaofei","family":"Xie","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-3785-7281","authenticated-orcid":false,"given":"Yue","family":"Cao","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7835-3709","authenticated-orcid":false,"given":"Pengyu","family":"Zhang","sequence":"additional","affiliation":[{"name":"East China Normal University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5784-770X","authenticated-orcid":false,"given":"Yihao","family":"Huang","sequence":"additional","affiliation":[{"name":"National University of Singapore, Singapore, Singapore"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3922-0989","authenticated-orcid":false,"given":"Mingsong","family":"Chen","sequence":"additional","affiliation":[{"name":"East China Normal University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","author":"McMahan Brendan","year":"2017","unstructured":"Brendan McMahan, Eider Moore, Daniel Ramage, Seth Hampson, and Blaise Aguera y Arcas. 2017. Communication-efficient learning of deep networks from decentralized data. In Proceedings of Artificial Intelligence and Statistics (AISTATS). 1273-1282.","journal-title":"Proceedings of Artificial Intelligence and Statistics (AISTATS)."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v38i11.29146"},{"key":"e_1_3_2_1_3_1","volume-title":"Federated learning for generalization, robustness, fairness: A survey and benchmark","author":"Huang Wenke","year":"2024","unstructured":"Wenke Huang, Mang Ye, Zekun Shi, Guancheng Wan, He Li, Bo Du, and Qiang Yang. 2024. Federated learning for generalization, robustness, fairness: A survey and benchmark. IEEE Transactions on Pattern Analysis and Machine Intelligence (2024)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR46437.2021.00107"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN52387.2021.9533808"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/RTSS59052.2023.00022"},{"key":"e_1_3_2_1_7_1","first-page":"2938","article-title":"How to backdoor federated learning","author":"Bagdasaryan Eugene","year":"2020","unstructured":"Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. 2020. How to backdoor federated learning. In Proceedings of Artificial Intelligence and Statistics (AISTATS). 2938-2948.","journal-title":"Proceedings of Artificial Intelligence and Statistics (AISTATS)."},{"key":"e_1_3_2_1_8_1","first-page":"16070","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","author":"Wang Hongyi","year":"2020","unstructured":"Hongyi Wang, Kartik Sreenivasan, Shashank Rajput, Harit Vishwakarma, Saurabh Agarwal, Jy-yong Sohn, Kangwook Lee, and Dimitris Papailiopoulos. 2020. Attack of the tails: Yes, you really can backdoor federated learning. In Advances in Neural Information Processing Systems (NeurIPS). 16070-16084.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_9_1","volume-title":"Proceedings of International Conference on Learning Representations (ICLR).","author":"Xie Chulin","year":"2020","unstructured":"Chulin Xie, Keli Huang, Pin-Yu Chen, and Bo Li. 2020. Dba: Distributed backdoor attacks against federated learning. In Proceedings of International Conference on Learning Representations (ICLR)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3581783.3612415"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00031"},{"key":"e_1_3_2_1_13_1","volume-title":"Neural attention distillation: Erasing backdoor triggers from deep neural networks. arXiv:2101.05930","author":"Li Yige","year":"2021","unstructured":"Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021. Neural attention distillation: Erasing backdoor triggers from deep neural networks. arXiv:2101.05930 (2021)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3394171.3413546"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2023.3312973"},{"key":"e_1_3_2_1_16_1","first-page":"119","article-title":"Machine learning with adversaries: Byzantine tolerant gradient descent","author":"Blanchard Peva","year":"2017","unstructured":"Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. 2017. Machine learning with adversaries: Byzantine tolerant gradient descent. In Advances in Neural Information Processing Systems (NeurIPS). 119-129.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_17_1","volume-title":"Generalized byzantine-tolerant sgd. arXiv:1802.10116","author":"Xie Cong","year":"2018","unstructured":"Cong Xie, Oluwasanmi Koyejo, and Indranil Gupta. 2018. Generalized byzantine-tolerant sgd. arXiv:1802.10116 (2018)."},{"key":"e_1_3_2_1_18_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML). 5650-5659","author":"Yin Dong","year":"2018","unstructured":"Dong Yin, Yudong Chen, Ramchandran Kannan, and Peter Bartlett. 2018. Byzantine-robust distributed learning: Towards optimal statistical rates. In Proceedings of International Conference on Machine Learning (ICML). 5650-5659."},{"key":"e_1_3_2_1_19_1","volume-title":"Ananda Theertha Suresh, and H Brendan McMahan","author":"Sun Ziteng","year":"2019","unstructured":"Ziteng Sun, Peter Kairouz, Ananda Theertha Suresh, and H Brendan McMahan. 2019. Can you really backdoor federated learning? arXiv:1911.07963 (2019)."},{"key":"e_1_3_2_1_20_1","first-page":"211","volume-title":"Foundations and Trends\u00ae in Theoretical Computer Science","volume":"9","author":"Dwork Cynthia","year":"2014","unstructured":"Cynthia Dwork, Aaron Roth, et al., 2014. The algorithmic foundations of differential privacy. Foundations and Trends\u00ae in Theoretical Computer Science, Vol. 9, 3--4 (2014), 211-407."},{"key":"e_1_3_2_1_21_1","volume-title":"Proceedings of USENIX Security Symposium (USENIX Security). 1415-1432","author":"Nguyen Thien Duc","year":"2022","unstructured":"Thien Duc Nguyen, Phillip Rieger, Roberta De Viti, Huili Chen, Bj\u00f6rn B Brandenburg, Hossein Yalame, Helen M\u00f6llering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, et al., 2022. FLAME: Taming backdoors in federated learning. In Proceedings of USENIX Security Symposium (USENIX Security). 1415-1432."},{"key":"e_1_3_2_1_22_1","volume-title":"Fltrust: Byzantine-robust federated learning via trust bootstrapping. arXiv:2012.13995","author":"Cao Xiaoyu","year":"2020","unstructured":"Xiaoyu Cao, Minghong Fang, Jia Liu, and Neil Zhenqiang Gong. 2020. Fltrust: Byzantine-robust federated learning via trust bootstrapping. arXiv:2012.13995 (2020)."},{"key":"e_1_3_2_1_23_1","volume-title":"Flip: A provable defense framework for backdoor mitigation in federated learning. arXiv:2210.12873","author":"Zhang Kaiyuan","year":"2022","unstructured":"Kaiyuan Zhang, Guanhong Tao, Qiuling Xu, Siyuan Cheng, Shengwei An, Yingqi Liu, Shiwei Feng, Guangyu Shen, Pin-Yu Chen, Shiqing Ma, et al., 2022. Flip: A provable defense framework for backdoor mitigation in federated learning. arXiv:2210.12873 (2022)."},{"key":"e_1_3_2_1_24_1","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","author":"Li Yige","year":"2021","unstructured":"Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021. Anti-backdoor learning: Training clean models on poisoned data. In Advances in Neural Information Processing Systems (NeurIPS). 14900-14912.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_25_1","first-page":"16913","article-title":"Adversarial neuron pruning purifies backdoored deep models","author":"Wu Dongxian","year":"2021","unstructured":"Dongxian Wu and Yisen Wang. 2021. Adversarial neuron pruning purifies backdoored deep models. In Advances in Neural Information Processing Systems (NeurIPS). 16913-16925.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_26_1","volume-title":"Conditional generative adversarial nets. arXiv:1411.1784","author":"Mirza Mehdi","year":"2014","unstructured":"Mehdi Mirza and Simon Osindero. 2014. Conditional generative adversarial nets. arXiv:1411.1784 (2014)."},{"key":"e_1_3_2_1_27_1","volume-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv:1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv:1708.06733 (2017)."},{"key":"e_1_3_2_1_28_1","volume-title":"Targeted backdoor attacks on deep learning systems using data poisoning. arXiv:1712.05526","author":"Chen Xinyun","year":"2017","unstructured":"Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv:1712.05526 (2017)."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-58607-2_11"},{"key":"e_1_3_2_1_30_1","volume-title":"Label-consistent backdoor attacks. arXiv:1912.02771","author":"Turner Alexander","year":"2019","unstructured":"Alexander Turner, Dimitris Tsipras, and Aleksander Madry. 2019. Label-consistent backdoor attacks. arXiv:1912.02771 (2019)."},{"key":"e_1_3_2_1_31_1","first-page":"3454","article-title":"Input-aware dynamic backdoor attack","author":"Nguyen Tuan Anh","year":"2020","unstructured":"Tuan Anh Nguyen and Anh Tran. 2020. Input-aware dynamic backdoor attack. In Advances in Neural Information Processing Systems (NeurIPS). 3454-3464.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML). 26429-26446","author":"Zhang Zhengming","year":"2022","unstructured":"Zhengming Zhang, Ashwinee Panda, Linyue Song, Yaoqing Yang, Michael Mahoney, Prateek Mittal, Ramchandran Kannan, and Joseph Gonzalez. 2022. Neurotoxin: Durable backdoors in federated learning. In Proceedings of International Conference on Machine Learning (ICML). 26429-26446."},{"key":"e_1_3_2_1_33_1","unstructured":"Hangfan Zhang Jinyuan Jia Jinghui Chen Lu Lin and Dinghao Wu. 2023. A3FL: Adversarially Adaptive Backdoor Attacks to Federated Learning. In Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i10.26393"},{"key":"e_1_3_2_1_35_1","first-page":"121236","article-title":"SampDetox: Black-box Backdoor Defense via Perturbation-based Sample Detoxification","author":"Yang Yanxin","year":"2024","unstructured":"Yanxin Yang, Chentao Jia, DengKe Yan, Ming Hu, Tianlin Li, Xiaofei Xie, Xian Wei, and Mingsong Chen. 2024. SampDetox: Black-box Backdoor Defense via Perturbation-based Sample Detoxification. In Advances in Neural Information Processing Systems (NeurIPS). 121236-121264.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.12"},{"key":"e_1_3_2_1_37_1","first-page":"19165","article-title":"Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch","author":"Souri Hossein","year":"2022","unstructured":"Hossein Souri, Liam Fowl, Rama Chellappa, Micah Goldblum, and Tom Goldstein. 2022. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch. In Advances in Neural Information Processing Systems (NeurIPS). 19165-19178.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS)."},{"key":"e_1_3_2_1_38_1","first-page":"2","article-title":"Learning algorithms for classification: A comparison on handwritten digit recognition","volume":"261","author":"LeCun Yann","year":"1995","unstructured":"Yann LeCun, Lawrence D Jackel, L\u00e9on Bottou, Corinna Cortes, John S Denker, Harris Drucker, Isabelle Guyon, Urs A Muller, Eduard Sackinger, Patrice Simard, et al., 1995. Learning algorithms for classification: A comparison on handwritten digit recognition. Neural Networks: the Statistical Mechanics Perspective, Vol. 261, 276 (1995), 2.","journal-title":"Neural Networks: the Statistical Mechanics Perspective"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2012.02.016"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11263-015-0816-y"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46493-0_38"},{"key":"e_1_3_2_1_42_1","volume-title":"Very deep convolutional networks for large-scale image recognition. arXiv:1409.1556","author":"Simonyan Karen","year":"2014","unstructured":"Karen Simonyan and Andrew Zisserman. 2014. Very deep convolutional networks for large-scale image recognition. arXiv:1409.1556 (2014)."},{"key":"e_1_3_2_1_43_1","volume-title":"Measuring the effects of non-identical data distribution for federated visual classification. arXiv:1909.06335","author":"Harry Hsu Tzu-Ming","year":"2019","unstructured":"Tzu-Ming Harry Hsu, Hang Qi, and Matthew Brown. 2019. Measuring the effects of non-identical data distribution for federated visual classification. arXiv:1909.06335 (2019)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i10.17118"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539231"},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of International Conference on Machine Learning (ICML).","author":"Yueqi XIE","year":"2024","unstructured":"XIE Yueqi, Minghong Fang, and Neil Zhenqiang Gong. 2024. Fedredefense: Defending against model poisoning attacks for federated learning using model update reconstruction error. In Proceedings of International Conference on Machine Learning (ICML)."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2952146"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2020.3037194"},{"key":"e_1_3_2_1_49_1","volume-title":"Proceedings of International Conference on Distributed Computing Systems (ICDCS). 756-767","author":"Nguyen Thien Duc","year":"2019","unstructured":"Thien Duc Nguyen, Samuel Marchal, Markus Miettinen, Hossein Fereidooni, N Asokan, and Ahmad-Reza Sadeghi. 2019. D\u00cfoT: A federated self-learning anomaly detection system for IoT. In Proceedings of International Conference on Distributed Computing Systems (ICDCS). 756-767."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.41"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan","acronym":"CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744883","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:12:55Z","timestamp":1766441575000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744883"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":51,"alternative-id":["10.1145\/3719027.3744883","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744883","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}