{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,24]],"date-time":"2026-01-24T19:29:52Z","timestamp":1769282992372,"version":"3.49.0"},"reference-count":41,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2023,1,17]],"date-time":"2023-01-17T00:00:00Z","timestamp":1673913600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2020YFB1712101"],"award-info":[{"award-number":["2020YFB1712101"]}]},{"name":"National Key Research and Development Program of China","award":["U1936218"],"award-info":[{"award-number":["U1936218"]}]},{"name":"National Key Research and Development Program of China","award":["62072037"],"award-info":[{"award-number":["62072037"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["2020YFB1712101"],"award-info":[{"award-number":["2020YFB1712101"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U1936218"],"award-info":[{"award-number":["U1936218"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62072037"],"award-info":[{"award-number":["62072037"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Federated learning has a distributed collaborative training mode, widely used in IoT scenarios of edge computing intelligent services. However, federated learning is vulnerable to malicious attacks, mainly backdoor attacks. Once an edge node implements a backdoor attack, the embedded backdoor mode will rapidly expand to all relevant edge nodes, which poses a considerable challenge to security-sensitive edge computing intelligent services. In the traditional edge collaborative backdoor defense method, only the cloud server is trusted by default. However, edge computing intelligent services have limited bandwidth and unstable network connections, which make it impossible for edge devices to retrain their models or update the global model. Therefore, it is crucial to detect whether the data of edge nodes are polluted in time. This paper proposes a layered defense framework for edge-computing intelligent services. At the edge, we combine the gradient rising strategy and attention self-distillation mechanism to maximize the correlation between edge device data and edge object categories and train a clean model as much as possible. On the server side, we first implement a two-layer backdoor detection mechanism to eliminate backdoor updates and use the attention self-distillation mechanism to restore the model performance. Our results show that the two-stage defense mode is more suitable for the security protection of edge computing intelligent services. It can not only weaken the effectiveness of the backdoor at the edge end but also conduct this defense at the server end, making the model more secure. The precision of our model on the main task is almost the same as that of the clean model.<\/jats:p>","DOI":"10.3390\/s23031052","type":"journal-article","created":{"date-parts":[[2023,1,17]],"date-time":"2023-01-17T05:36:55Z","timestamp":1673933815000},"page":"1052","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Edge-Cloud Collaborative Defense against Backdoor Attacks in Federated Learning"],"prefix":"10.3390","volume":"23","author":[{"given":"Jie","family":"Yang","sequence":"first","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]},{"given":"Jun","family":"Zheng","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]},{"given":"Haochen","family":"Wang","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]},{"given":"Jiaxing","family":"Li","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2388-7447","authenticated-orcid":false,"given":"Haipeng","family":"Sun","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]},{"given":"Weifeng","family":"Han","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Shield Machine and Boring Technology State Key Laboratory of Industrial Control Technology, China Railway Tunnel Bureau Group Co., Ltd., Zhengzhou 450000, China"}]},{"given":"Nan","family":"Jiang","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Shield Machine and Boring Technology State Key Laboratory of Industrial Control Technology, China Railway Tunnel Bureau Group Co., Ltd., Zhengzhou 450000, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6404-8853","authenticated-orcid":false,"given":"Yu-An","family":"Tan","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, School of Cyberspace Science and Technology, Beijing 100083, China"}]}],"member":"1968","published-online":{"date-parts":[[2023,1,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Reus-Muns, G., Jaisinghani, D., Sankhe, K., and Chowdhury, K.R. (2020, January 7\u201311). Trust in 5G open RANs through machine learning: RF fingerprinting on the POWDER PAWR platform. Proceedings of the GLOBECOM 2020-2020 IEEE Global Communications Conference, Taipei, Taiwan.","DOI":"10.1109\/GLOBECOM42002.2020.9348261"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Gul, O.M., Kulhandjian, M., Kantarci, B., Touazi, A., Ellement, C., and D\u2019Amours, C. (2022, January 2\u20133). Fine-grained Augmentation for RF Fingerprinting under Impaired Channels. Proceedings of the 2022 IEEE 27th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Paris, France.","DOI":"10.1109\/CAMAD55695.2022.9966888"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Comert, C., Kulhandjian, M., Gul, O.M., Touazi, A., Ellement, C., Kantarci, B., and D\u2019Amours, C. (2022, January 19). Analysis of Augmentation Methods for RF Fingerprinting under Impaired Channels. Proceedings of the 2022 ACM Workshop on Wireless Security and Machine Learning (WiseML \u201922), San Antonio, TX, USA.","DOI":"10.1145\/3522783.3529518"},{"key":"ref_4","first-page":"4004","article-title":"A Survey on Security and Privacy Issues in Edge-Computing-Assisted Internet of Things","volume":"8","author":"Alwarafy","year":"2021","journal-title":"IEEE Access"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"2543","DOI":"10.1002\/int.22784","article-title":"A fine-grained and traceable multidomain secure data-sharing model for intelligent terminals in edge-cloud collaboration scenarios","volume":"37","author":"Sun","year":"2022","journal-title":"Int. J. Intell. Syst."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Maamar, Z., Baker, T., Faci, N., Ugljanin, E., Khafajiy, M.A., and Bur\u00e9gio, V. (2019, January 8\u201312). Towards a seamless coordination of cloud and fog: Illustration through the internet-of-things. Proceedings of the 34th ACM\/SIGAPP Symposium on Applied Computing, Limassol, Cyprus.","DOI":"10.1145\/3297280.3297477"},{"key":"ref_7","first-page":"5","article-title":"Edge-Cloud Polarization and Collaboration: A Comprehensive Survey for AI","volume":"3","author":"Yao","year":"2022","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Wang, J., He, D., Castiglione, A., Gupta, B.B., Karuppiah, M., and Wu, L. (2022). PCNNCEC: Efficient and Privacy-Preserving Convolutional Neural Network Inference Based on Cloud-Edge-Client Collaboration. IEEE Trans. Netw. Sci. Eng.","DOI":"10.1109\/TNSE.2022.3177755"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3339474","article-title":"Federated machine learning: Concept and applications","volume":"10","author":"Yang","year":"2019","journal-title":"ACM Trans. Intell. Syst. Technol."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"11053","DOI":"10.1109\/JIOT.2020.2994596","article-title":"Toward communication-efficient federated learning in the Internet of Things with edge computing","volume":"7","author":"Sun","year":"2020","journal-title":"IEEE Internet Things J."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"209191","DOI":"10.1109\/ACCESS.2020.3038287","article-title":"EdgeFed: Optimized federated learning based on edge computing","volume":"8","author":"Ye","year":"2020","journal-title":"IEEE Access"},{"key":"ref_12","first-page":"1","article-title":"Deep Fusion: Crafting Transferable Adversarial Examples and Improving Robustness of Industrial Artificial Intelligence of Things","volume":"37","author":"Wang","year":"2022","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_13","first-page":"9290","article-title":"Clean-label poisoning attacks on federated learning for IoT","volume":"37","author":"Yang","year":"2022","journal-title":"Expert Syst."},{"key":"ref_14","unstructured":"Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., and Shmatikov, V. (2020). How to backdoor federated learning. Int. Conf. Artif. Intell. Stat., 2938\u20132948."},{"key":"ref_15","unstructured":"Suresh, A.T., McMahan, B., Kairouz, P., and Sun, Z. (2019). Can you really backdoor federated learning?. arXiv."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Zeng, Y., Pan, M., Just, H.A., Lyu, L., Qiu, M., and Jia, R. (2022). NARCISSUS: A Practical Clean-Label Backdoor Attack with Limited Information. arXiv.","DOI":"10.1145\/3576915.3616617"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"199","DOI":"10.1049\/cje.2021.00.126","article-title":"Backdoor Attacks on Image Classification Models in Deep Neural Networks","volume":"31","author":"Zhang","year":"2022","journal-title":"Chin. J. Electron."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Andreina, S., Marson, G.A., M\u00f6llering, H., and Karame, G. (2021, January 7\u201310). Baffle: Backdoor detection via feedback-based federated learning. Proceedings of the 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), Washington, DC, USA.","DOI":"10.1109\/ICDCS51616.2021.00086"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"163","DOI":"10.1109\/MNET.011.2000265","article-title":"Stability-based analysis and defense against backdoor attacks on edge computing services","volume":"1","author":"Zhao","year":"2021","journal-title":"IEEE Netw."},{"key":"ref_20","unstructured":"Nguyen, T.D., Rieger, P., Chen, H., Yalame, H., M\u00f6llering, H., Fereidooni, H., Marchal, S., Miettinen, M., Mirhoseini, A., and Zeitouni, S. (2022, January 10\u201312). {FLAME}: Taming Backdoors in Federated Learning. Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Jebreel, N., and Domingo-Ferrer, J. (2022). FL-Defender: Combating Targeted Attacks in Federated Learning. arXiv.","DOI":"10.1016\/j.knosys.2022.110178"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Rieger, P., Nguyen, T.D., Miettinen, M., and Sadeghi, A.-R. (2022). Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection. arXiv.","DOI":"10.14722\/ndss.2022.23156"},{"key":"ref_23","unstructured":"Wang, Y., Shi, H., Min, R., Wu, R., Liang, S., Wu, Y., Liang, D., and Liu, A. (2022). Adaptive Perturbation Generation for Multiple Backdoors Detection. arXiv."},{"key":"ref_24","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","volume":"1","author":"McMahan","year":"2017","journal-title":"Artif. Intell. Stat."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"6563","DOI":"10.1109\/TCOMM.2022.3200111","article-title":"Backdoor Federated Learning-Based mmWave Beam Selection","volume":"70","author":"Zhang","year":"2022","journal-title":"IEEE Trans. Commun."},{"key":"ref_26","first-page":"1","article-title":"Backdoor learning: A survey","volume":"1","author":"Li","year":"2022","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"ref_27","unstructured":"Xie, C., Huang, K., Chen, P.-Y., and Li, B. (2019, January 6\u20139). Dba: Distributed backdoor attacks against federated learning. Proceedings of the International Conference on Learning Representations, New Orleans, LA, USA."},{"key":"ref_28","unstructured":"Fung, C., Yoon, C.J.M., and Beschastnikh, I. (2018). Mitigating sybils in federated learning poisoning. arXiv."},{"key":"ref_29","first-page":"1","article-title":"Dataset security for machine learning: Data poisoning, backdoor attacks, and defenses","volume":"1","author":"Goldblum","year":"2022","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_30","unstructured":"Mu\u00f1oz-Gonz\u00e1lez, L., Co, K.T., and Lupu, E.C. (2019). Byzantine-robust federated machine learning through adaptive model averaging. arXiv."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"3562","DOI":"10.1109\/TII.2021.3112100","article-title":"Mitigating the backdoor attack by federated filters for industrial IoT applications","volume":"18","author":"Hou","year":"2021","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_32","unstructured":"Nguyen, T.D., Rieger, P., Yalame, H., M\u00f6llering, H., Fereidooni, H., Marchal, S., Miettinen, M., Mirhoseini, A., Sadeghi, A.-R., and Schneider, T. (2021). Flguard: Secure and private federated learning. arXiv."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"6340","DOI":"10.1109\/TII.2022.3145837","article-title":"Secure Partial Aggregation Making Federated Learning More Robust for Industry 4 Applications","volume":"18","author":"Gao","year":"2022","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_34","unstructured":"Mi, Y., Guan, J., and Zhou, S. (2022). ARIBA: Towards Accurate and Robust Identification of Backdoor Attacks in Federated Learning. arXiv."},{"key":"ref_35","unstructured":"Wu, C., Zhu, S., and Mitra, P. (2022). Federated Unlearning with Knowledge Distillation. arXiv."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Zhao, C., Wen, Y., Li, S., Liu, F., and Meng, D. (2021, January 22\u201325). Federatedreverse: A detection and defense method against backdoor attacks in federated learning. Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, Virtual.","DOI":"10.1145\/3437880.3460403"},{"key":"ref_37","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume":"34","author":"Li","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"15256","DOI":"10.1109\/TITS.2021.3139001","article-title":"Efficient Semantic Segmentation via Self-Attention and Self-Distillation","volume":"23","author":"An","year":"2022","journal-title":"IEEE Trans. Intell. Transp. Syst."},{"key":"ref_39","unstructured":"Jebreel, N.M., Domingo-Ferrer, J., S\u00e1nchez, D., and Blanco-Justicia, A. (2022). Defending against the label-flipping attack in federated learning. arXiv."},{"key":"ref_40","first-page":"1","article-title":"Evil vs. evil: Using adversarial examples to against backdoor attack in federated learning","volume":"1","author":"Fung","year":"2022","journal-title":"Multimed. Syst."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"102819","DOI":"10.1016\/j.cose.2022.102819","article-title":"Defense against backdoor attack in federated learning","volume":"121","author":"Lu","year":"2022","journal-title":"Comput. Secur."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/3\/1052\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:08:08Z","timestamp":1760119688000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/23\/3\/1052"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,17]]},"references-count":41,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2023,2]]}},"alternative-id":["s23031052"],"URL":"https:\/\/doi.org\/10.3390\/s23031052","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,17]]}}}