Feddsg: backdoor defense via semantic filter and geometric constraint in federated learning
摘要
Backdoor attacks pose a serious threat to Internet-of-Things (IoT) federated learning. In IoT deployments, pronounced non-independent and identically distributed (non-IID) data heterogeneity causes benign client updates to exhibit substantial variability across devices. Meanwhile, the physical exposure of IoT devices increases the risk of large-scale compromise and elevated malicious participation. Such variability allows poisoned updates to blend into natural fluctuations, rendering many robust aggregation and detection-based defenses unreliable. We propose FedDSG, a server-side defense that combines a semantic bias filter and a geometric direction constraint to counter backdoor manipulation. FedDSG first extracts a novel scale-invariant semantic cue from the last-layer bias of client updates to identify abnormal target-class reinforcement, staying effective even when benign bias patterns differ substantially across clients. The remaining updates are then constrained using a reference derived from a small trusted anchor set, limiting adversarial drift. This sequential design links semantic cues with geometric structure, where the former removes clearly suspicious updates and the latter stabilizes the residual ones, preventing misdetection-induced drift amplification while avoiding distortion of benign updates. The method does not alter client behavior or communication and adds minimal server-side overhead. Extensive experiments on MNIST, Fashion-MNIST, CIFAR-10, and SVHN under non-IID distributions with high malicious participation demonstrate the robustness of FedDSG. It reduces the attack success rate to 0.003, 0.006, 0.007, and 0.091, respectively, with only marginal accuracy loss and consistently achieves the highest Overall Performance Score (OPS), reflecting a superior trade-off between robustness and accuracy. Code and data availability information is provided in the Availability of data and materials section.