APR-FL: Defending Against Hidden Backdoor Attacks With Adaptive Parameter Replacement

Federated learning (FL) has become a key technology for achieving efficient and reliable edge AI decision-making in consumer electronics devices. However, its application in open network environments exposes the reliability of model decisions to serious threats from hidden backdoor attacks. Although existing defense methods (such as Weak DP and F2L) are able to resist these attacks to a certain extent, they rely on adding noise or dropping information, which directly leads to a decline in model main task performance. This article proposes a novel FL with Adaptive Parameter Replacement (APR-FL), which optimally ensures the aggregation of legitimate updates without introducing additional noise. Specifically, we design an Adaptive Parameter Replacement (APR) strategy that identifies key parameters (i.e., old parameters) exhibiting minimal changes during the local model update process and retrains the key parameters (i.e., new parameters) with a small, clean dataset. When the APR strategy replaces the old parameters with the new ones, we design a multi-task loss (MTL) function that separates the local loss into the loss of the main task and the loss of the defense backdoor task. Thereafter, the parameters generate legitimate updates and upload them to the server for aggregation. No legitimate updates are missed during the aggregation process. Therefore, APR-FL can balance both backdoor defense and model performance. Experiments on the MNIST, CIFAR-10, and Tiny-ImageNet datasets demonstrate that APR-FL consistently outperforms other methods regarding Main task Accuracy (MA) and Backdoor Accuracy (BA) by achieving an MA of 99.12% on the MNIST dataset and BA of 31.51% and 32.56% on CIFAR-10 (iid) and Tiny-ImageNet datasets, respectively.