{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T18:39:04Z","timestamp":1776883144172,"version":"3.51.2"},"reference-count":53,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2024,11,8]],"date-time":"2024-11-08T00:00:00Z","timestamp":1731024000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&amp;D Program of China","doi-asserted-by":"publisher","award":["2022YFB3305800"],"award-info":[{"award-number":["2022YFB3305800"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012166","name":"National Key R&amp;D Program of China","doi-asserted-by":"publisher","award":["H&C-MPC-2023-02-05"],"award-info":[{"award-number":["H&C-MPC-2023-02-05"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"name":"State Key Laboratory of Massive Personalized Customization System and Technology","award":["2022YFB3305800"],"award-info":[{"award-number":["2022YFB3305800"]}]},{"name":"State Key Laboratory of Massive Personalized Customization System and Technology","award":["H&C-MPC-2023-02-05"],"award-info":[{"award-number":["H&C-MPC-2023-02-05"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Federated Learning (FL), as a distributed machine learning framework, can effectively learn symmetric and asymmetric patterns from large-scale participants. However, FL is susceptible to malicious backdoor attacks through attackers injecting triggers into the backdoored model, resulting in backdoor samples being misclassified as target classes. Due to the stealthy nature of backdoor attacks in FL, it is difficult for users to discover the symmetric and asymmetric backdoor properties. Currently, backdoor defense methods in FL cause model performance degradation while reducing backdoors. In addition, some methods will assume the existence of clean samples, which does not match the realistic scenarios. To address such issues, we propose FLSAD, an effective backdoor defense method in FL via self-attention distillation. FLSAD can recover the triggers using an entropy maximization estimator. Based on the recovered triggers, we leverage the self-attention distillation to eliminate the backdoor. Compared with the baseline backdoor defense methods, FLSAD can reduce the success rates of different state-of-the-art backdoor attacks to 2% on four real-world datasets through extensive evaluation.<\/jats:p>","DOI":"10.3390\/sym16111497","type":"journal-article","created":{"date-parts":[[2024,11,8]],"date-time":"2024-11-08T06:05:41Z","timestamp":1731045941000},"page":"1497","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["FLSAD: Defending Backdoor Attacks in Federated Learning via Self-Attention Distillation"],"prefix":"10.3390","volume":"16","author":[{"given":"Lucheng","family":"Chen","sequence":"first","affiliation":[{"name":"State Key Laboratory of Massive Personalized Customization System and Technology, COSMOPlat IoT Technology Co., Ltd., Qingdao 266101, China"},{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiaoshuang","family":"Liu","sequence":"additional","affiliation":[{"name":"Qingdao Penghai Software Co., Ltd., Qingdao 266071, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ailing","family":"Wang","sequence":"additional","affiliation":[{"name":"Qingdao Penghai Software Co., Ltd., Qingdao 266071, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Weiwei","family":"Zhai","sequence":"additional","affiliation":[{"name":"Qingdao Penghai Software Co., Ltd., Qingdao 266071, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiang","family":"Cheng","sequence":"additional","affiliation":[{"name":"School of Information Engineering, Yangzhou University, Yangzhou 225127, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2024,11,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"106775","DOI":"10.1016\/j.knosys.2021.106775","article-title":"A survey on federated learning","volume":"216","author":"Zhang","year":"2021","journal-title":"Knowl.-Based Syst."},{"key":"ref_2","first-page":"1","article-title":"Fate: An industrial grade platform for collaborative learning with data protection","volume":"22","author":"Liu","year":"2021","journal-title":"J. Mach. Learn. Res."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"106854","DOI":"10.1016\/j.cie.2020.106854","article-title":"A review of applications in federated learning","volume":"149","author":"Li","year":"2020","journal-title":"Comput. Ind. Eng."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Zhong, H., Liao, C., Squicciarini, A.C., Zhu, S., and Miller, D. (2020, January 16). Backdoor embedding in convolutional neural network models via invisible perturbation. Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA.","DOI":"10.1145\/3374664.3375751"},{"key":"ref_5","unstructured":"Chen, X., Liu, C., Li, B., Lu, K., and Song, D. (2017). Targeted backdoor attacks on deep learning systems using data poisoning. arXiv."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Ji, Y., Zhang, X., Ji, S., Luo, X., and Wang, T. (2018, January 15). Model-reuse attacks on deep learning systems. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, Toronto, ON, Canada.","DOI":"10.1145\/3243734.3243757"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Liu, Y., Ma, S., Aafer, Y., Lee, W.C., Zhai, J., Wang, W., and Zhang, X. (2018, January 18\u201321). Trojaning attack on neural networks. Proceedings of the 25th Annual Network And Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2018.23291"},{"key":"ref_8","unstructured":"Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., and Shmatikov, V. (2020, January 2). How to backdoor federated learning. Proceedings of the International Conference on Artificial Intelligence and Statistics, PMLR, Virtual Event USA."},{"key":"ref_9","unstructured":"Xie, C., Huang, K., Chen, P.Y., and Li, B. (2019, January 6\u20139). DBA: Distributed backdoor attacks against federated learning. Proceedings of the International Conference on Learning Representations, New Orleans, LA, USA."},{"key":"ref_10","unstructured":"Fang, M., Cao, X., Jia, J., and Gong, N. (2020, January 12\u201314). Local model poisoning attacks to {Byzantine-Robust} federated learning. Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), Boston, MA, USA."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Lyu, X., Han, Y., Wang, W., Liu, J., Wang, B., Liu, J., and Zhang, X. (2023, January 7\u20138). Poisoning with cerberus: Stealthy and colluded backdoor attack against federated learning. Proceedings of the AAAI Conference on Artificial Intelligence, Washington, DC, USA.","DOI":"10.1609\/aaai.v37i7.26083"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Li, H., Ye, Q., Hu, H., Li, J., Wang, L., Fang, C., and Shi, J. (2023, January 21\u201325). 3dfed: Adaptive and extensible framework for covert backdoor attack in federated learning. Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP46215.2023.10179401"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Lin, J., Xu, L., Liu, Y., and Zhang, X. (2020, January 2). Composite backdoor attack for deep neural network by mixing existing benign features. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event USA.","DOI":"10.1145\/3372297.3423362"},{"key":"ref_14","unstructured":"Sun, Z., Kairouz, P., Suresh, A.T., and McMahan, H.B. (2019). Can you really backdoor federated learning?. arXiv."},{"key":"ref_15","first-page":"16070","article-title":"Attack of the tails: Yes, you really can backdoor federated learning","volume":"33","author":"Wang","year":"2020","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_16","unstructured":"Fung, C., Yoon, C.J., and Beschastnikh, I. (2020, January 14\u201318). The limitations of federated learning in sybil settings. Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), San Sebastian, Spain."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Zhao, C., Wen, Y., Li, S., Liu, F., and Meng, D. (2021, January 24). Federatedreverse: A detection and defense method against backdoor attacks in federated learning. Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security, Belgium, Brussel.","DOI":"10.1145\/3437880.3460403"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Andreina, S., Marson, G.A., M\u00f6llering, H., and Karame, G. (2021, January 7\u201310). Baffle: Backdoor detection via feedback-based federated learning. Proceedings of the 2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), Washington, DC, USA.","DOI":"10.1109\/ICDCS51616.2021.00086"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"102819","DOI":"10.1016\/j.cose.2022.102819","article-title":"Defense against backdoor attack in federated learning","volume":"121","author":"Lu","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Ozdayi, M.S., Kantarcioglu, M., and Gel, Y.R. (2021, January 2\u20139). Defending against backdoors in federated learning with robust learning rate. Proceedings of the AAAI Conference on Artificial Intelligence, Vancouver, BC, Canada.","DOI":"10.1609\/aaai.v35i10.17118"},{"key":"ref_21","unstructured":"Xie, C., Chen, M., Chen, P.Y., and Li, B. (2021, January 18\u201324). Crfl: Certifiably robust federated learning against backdoor attacks. Proceedings of the International Conference on Machine Learning, PMLR, Vienna, Austria."},{"key":"ref_22","unstructured":"Awan, S., Luo, B., and Li, F. (2021). Contra: Defending against poisoning attacks in federated learning. Proceedings of the Computer Security\u2013ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, 4\u20138 October 2021, Springer. Proceedings, Part I 26."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Bonawitz, K., Ivanov, V., Kreuter, B., Marcedone, A., McMahan, H.B., Patel, S., Ramage, D., Segal, A., and Seth, K. (November, January 30). Practical secure aggregation for privacy-preserving machine learning. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA.","DOI":"10.1145\/3133956.3133982"},{"key":"ref_24","unstructured":"Kairouz, P., Liu, Z., and Steinke, T. (2021, January 18\u201324). The distributed discrete gaussian mechanism for federated learning with secure aggregation. Proceedings of the International Conference on Machine Learning, PMLR, Vienna Austria."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Fereidooni, H., Marchal, S., Miettinen, M., Mirhoseini, A., M\u00f6llering, H., Nguyen, T.D., Rieger, P., Sadeghi, A.R., Schneider, T., and Yalame, H. (2021, January 27). SAFELearn: Secure aggregation for private federated learning. Proceedings of the 2021 IEEE Security and Privacy Workshops (SPW), Virtual Event.","DOI":"10.1109\/SPW53761.2021.00017"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Zeng, Y., Park, W., Mao, Z.M., and Jia, R. (2021, January 19\u201325). Rethinking the backdoor attacks\u2019 triggers: A frequency perspective. Proceedings of the IEEE\/CVF international Conference on Computer Vision, Virtual Event.","DOI":"10.1109\/ICCV48922.2021.01616"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Liu, K., Dolan-Gavitt, B., and Garg, S. (2018). Fine-pruning: Defending against backdooring attacks on deep neural networks. Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses, Springer.","DOI":"10.1007\/978-3-030-00470-5_13"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., and Zhao, B.Y. (2019, January 19\u201323). Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP.2019.00031"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Yoshida, K., and Fujino, T. (2020, January 9). Disabling backdoor and identifying poison data by using knowledge distillation in backdoor attacks on deep neural networks. Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, New York, NY, USA.","DOI":"10.1145\/3411508.3421375"},{"key":"ref_30","unstructured":"Li, Y., Lyu, X., Koren, N., Lyu, L., Li, B., and Ma, X. (2021, January 3\u20137). Neural attention distillation: Erasing backdoor triggers from deep neural networks. Proceedings of the 9th International Conference on Learning Representations (ICLR), Virtual Event."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Ezzeldin, Y.H., Yan, S., He, C., Ferrara, E., and Avestimehr, A.S. (2023, January 7\u201314). Fairfed: Enabling group fairness in federated learning. Proceedings of the AAAI Conference on Artificial Intelligence, Washington, DC, USA.","DOI":"10.1609\/aaai.v37i6.25911"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Zhang, J., Hua, Y., Wang, H., Song, T., Xue, Z., Ma, R., and Guan, H. (2023, January 7\u201314). Fedala: Adaptive local aggregation for personalized federated learning. Proceedings of the AAAI Conference on Artificial Intelligence, Washington, DC, USA.","DOI":"10.1609\/aaai.v37i9.26330"},{"key":"ref_33","unstructured":"Wu, X., Huang, F., Hu, Z., and Huang, H. (2023, January 7\u201314). Faster adaptive federated learning. Proceedings of the AAAI Conference on Artificial Intelligence, Washington, DC, USA."},{"key":"ref_34","unstructured":"Bhagoji, A.N., Chakraborty, S., Mittal, P., and Calo, S. (2019, January 9\u201315). Analyzing federated learning through an adversarial lens. Proceedings of the International Conference on Machine Learning, PMLR, Long Beach, CA, USA."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Cao, D., Chang, S., Lin, Z., Liu, G., and Sun, D. (2019, January 4\u20136). Understanding distributed poisoning attack in federated learning. Proceedings of the 2019 IEEE 25th International Conference on Parallel and Distributed Systems (ICPADS), Tianjin, China.","DOI":"10.1109\/ICPADS47876.2019.00042"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"3310","DOI":"10.1109\/JIOT.2020.3023126","article-title":"PoisonGAN: Generative poisoning attacks against federated learning in edge computing systems","volume":"8","author":"Zhang","year":"2020","journal-title":"IEEE Internet Things J."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Zhao, Z., Chen, X., Xuan, Y., Dong, Y., Wang, D., and Liang, K. (2022, January 19\u201320). Defeat: Deep hidden feature backdoor attacks by imperceptible perturbation and latent representation constraints. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, New Orleans, LA, USA.","DOI":"10.1109\/CVPR52688.2022.01478"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Zhong, N., Qian, Z., and Zhang, X. (2022, January 23\u201329). Imperceptible Backdoor Attack: From Input Space to Feature Representation. Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence, Vienna, Austria.","DOI":"10.24963\/ijcai.2022\/242"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Xia, P., Li, Z., Zhang, W., and Li, B. (2022). Data-efficient backdoor attacks. arXiv.","DOI":"10.24963\/ijcai.2022\/554"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Rong, D., He, Q., and Chen, J. (2022, January 23\u201329). Poisoning Deep Learning Based Recommender Model in Federated Learning Scenarios. Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence (IJCAI 2022), Vienna, Austria.","DOI":"10.24963\/ijcai.2022\/306"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Liu, Y., Fan, M., Chen, C., Liu, X., Ma, Z., Wang, L., and Ma, J. (2022, January 12). Backdoor defense with machine unlearning. Proceedings of the IEEE INFOCOM 2022-IEEE Conference on Computer Communications, Virtual Event.","DOI":"10.1109\/INFOCOM48880.2022.9796974"},{"key":"ref_42","first-page":"14900","article-title":"Anti-backdoor learning: Training clean models on poisoned data","volume":"34","author":"Li","year":"2021","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Weber, M., Xu, X., Karla\u0161, B., Zhang, C., and Li, B. (2023, January 21). Rab: Provable robustness against backdoor attacks. Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP46215.2023.10179451"},{"key":"ref_44","unstructured":"Nguyen, T.D., Rieger, P., De Viti, R., Chen, H., Brandenburg, B.B., Yalame, H., M\u00f6llering, H., Fereidooni, H., Marchal, S., and Miettinen, M. (2022, January 18). {FLAME}: Taming backdoors in federated learning. Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA."},{"key":"ref_45","unstructured":"Hinton, G., Vinyals, O., and Dean, J. (2015). Distilling the knowledge in a neural network. arXiv."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Mirzadeh, S.I., Farajtabar, M., Li, A., Levine, N., Matsukawa, A., and Ghasemzadeh, H. (2020, January 7). Improved knowledge distillation via teacher assistant. Proceedings of the AAAI Conference on Artificial Intelligence, New York, NY, USA.","DOI":"10.1609\/aaai.v34i04.5963"},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Park, W., Kim, D., Lu, Y., and Cho, M. (2019, January 15\u201320). Relational knowledge distillation. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition, Long Beach, CA, USA.","DOI":"10.1109\/CVPR.2019.00409"},{"key":"ref_48","unstructured":"Zagoruyko, S., and Komodakis, N. (2016). Paying more attention to attention: Improving the performance of convolutional neural networks via attention transfer. arXiv."},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Song, X., Feng, F., Han, X., Yang, X., Liu, W., and Nie, L. (2018, January 8\u201312). Neural compatibility modeling with attentive knowledge distillation. Proceedings of the 41st International ACM SIGIR Conference on Research & Development in Information Retrieval, Ann Arbor, MI, USA.","DOI":"10.1145\/3209978.3209996"},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Hou, Y., Ma, Z., Liu, C., and Loy, C.C. (2019, January 15\u201320). Learning lightweight lane detection cnns by self attention distillation. Proceedings of the IEEE\/CVF International Conference on Computer Vision, Long Beach, CA, USA.","DOI":"10.1109\/ICCV.2019.00110"},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Zheng, X., Dong, Q., and Fu, A. (2022, January 12). WMDefense: Using watermark to defense Byzantine attacks in federated learning. Proceedings of the IEEE INFOCOM 2022-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Virtual Event.","DOI":"10.1109\/INFOCOMWKSHPS54753.2022.9798217"},{"key":"ref_52","first-page":"8011","article-title":"Spectral signatures in backdoor attacks","volume":"31","author":"Tran","year":"2018","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_53","first-page":"2088","article-title":"Invisible backdoor attacks on deep neural networks via steganography and regularization","volume":"18","author":"Li","year":"2020","journal-title":"IEEE Trans. Dependable Secur. Comput."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/16\/11\/1497\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T16:28:44Z","timestamp":1760113724000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/16\/11\/1497"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,8]]},"references-count":53,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2024,11]]}},"alternative-id":["sym16111497"],"URL":"https:\/\/doi.org\/10.3390\/sym16111497","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,11,8]]}}}