SCRUB-FL: Sanitizing and Cleansing Representations via Unlearning of Backdoors
Reviewed by Pith2026-06-26 10:19 UTCgrok-4.3pith:BEKP7RCDopen to challenge →
The pith
SCRUB-FL removes backdoors from converged federated models by having clients train local WGAN-GP generators on suspicious samples and then unlearning on server-synthesized data.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
SCRUB-FL shows that backdoor behaviors in a converged global FL model can be erased by redistributing predictions on synthesized suspicious samples generated from aggregated client WGAN-GP models, reducing attack success to as low as 3.88% while retaining over 91% normal task accuracy across multiple attacks and up to 40% malicious clients.
What carries the argument
Client-side identification of suspicious samples followed by local WGAN-GP training, with server-side aggregation of generators to synthesize unlearning samples that erase trigger-target mappings.
If this is right
- Backdoor attack success rate drops to 3.88% on CIFAR-10 and GTSRB under three attack types.
- Normal task accuracy stays above 91% after sanitization.
- The method outperforms prior defenses without requiring trigger patterns or large clean datasets at the server.
- It operates after model convergence when poisoned clients are unknown.
Where Pith is reading between the lines
- The approach could support repeated sanitization rounds if new backdoors appear later.
- Synthesizing unlearning data from aggregated generators may generalize to other decentralized settings where raw data cannot be shared.
- The reliance on spectral and clustering detection at clients suggests similar local filtering could help other post-training defenses.
Load-bearing premise
WGAN-GP models trained locally on client suspicious samples capture trigger-related distributions well enough for the server to synthesize samples that allow unlearning to remove the backdoor without major clean accuracy loss.
What would settle it
A test showing that unlearning on the synthesized samples leaves backdoor success rate above 10% or drops clean accuracy below 85% on CIFAR-10 would falsify the central effectiveness claim.
Figures
read the original abstract
Federated Learning (FL) enables collaborative model training without sharing raw data, making it a promising paradigm for privacy-sensitive applications. However, its decentralized nature makes it inherently vulnerable to backdoor attacks, where malicious clients embed hidden triggers into local training data to manipulate model predictions. Existing defenses mainly operate during before and during aggregation cannot fully eliminate backdoor behaviors that persist in the converged global model. Moreover, the effectiveness of post-training sanitization is often limited by the server's lack of knowledge of trigger patterns or poisoned clients after convergence, resulting in residual backdoor behaviors or accuracy degradation due to neuron entanglement. To address this limitation, we propose SCRUB-FL (Sanitizing and Cleansing Representations via Unlearning of Backdoors), a two-phase solution for post-training backdoor removal in FL. During training, clients identify suspicious samples using spectral analysis and activation clustering, then train lightweight Wasserstein Generative Adversarial Network with Gradient Penalty (WGAN-GP) models to capture trigger-related distributions. The generator parameters are aggregated server-side to construct a global representation of suspicious patterns without exposing raw data. After convergence, the server synthesizes trigger-approximating samples and applies machine unlearning to erase the trigger-target association by redistributing predictions toward a uniform distribution. Experimental evaluations on CIFAR-10 and GTSRB across three attack types and up to 40% malicious participation demonstrate that SCRUB-FL reduces the backdoor attack success rate to as low as 3.88% while maintaining over 91% normal task accuracy, outperforming state-of-the-art defenses without requiring prior trigger knowledge or a large clean proxy dataset at the server.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes SCRUB-FL, a two-phase post-training defense against backdoor attacks in federated learning. Clients detect suspicious samples via spectral analysis and activation clustering, train local WGAN-GP generators on them, and transmit only the generator parameters; the server aggregates these to synthesize trigger-approximating samples and performs machine unlearning by redistributing predictions toward a uniform distribution. Experiments on CIFAR-10 and GTSRB with up to 40% malicious clients and three attack types report backdoor attack success rates as low as 3.88% while retaining over 91% clean accuracy, outperforming prior defenses without requiring trigger knowledge or a large clean proxy dataset at the server.
Significance. If the synthesis and unlearning steps function as described, the work would offer a practical advance in post-aggregation backdoor sanitization for FL by preserving privacy through generator-parameter sharing rather than raw data or clean proxies. The federated WGAN-GP construction is a technically interesting mechanism for capturing suspicious distributions without central data access.
major comments (2)
- [Experimental Evaluations] Experimental Evaluations: the headline metrics (ASR 3.88%, accuracy >91%) are presented without the number of independent runs, standard deviations, statistical significance tests, or precise hyperparameter and baseline configurations used for SOTA comparisons; these omissions directly affect the ability to evaluate whether the claimed outperformance is robust.
- [Client-side suspicious sample identification and server-side synthesis] Client-side suspicious sample identification and server-side synthesis: the central unlearning step assumes that spectral analysis plus activation clustering isolates trigger-related samples sufficiently for local WGAN-GP training and that federated aggregation of the resulting generators produces outputs close to the true trigger distribution; no ablation on clustering failure modes, mixing of clean samples, or sensitivity of the aggregated generator is reported, leaving the load-bearing assumption untested.
minor comments (1)
- [Abstract] Abstract: the description of the two-phase workflow is compressed; expanding the sentence on client detection and server aggregation would improve immediate clarity.
Simulated Author's Rebuttal
Thank you for the constructive feedback on our manuscript. We address each major comment point by point below and commit to revisions where the evaluation can be strengthened.
read point-by-point responses
-
Referee: [Experimental Evaluations] Experimental Evaluations: the headline metrics (ASR 3.88%, accuracy >91%) are presented without the number of independent runs, standard deviations, statistical significance tests, or precise hyperparameter and baseline configurations used for SOTA comparisons; these omissions directly affect the ability to evaluate whether the claimed outperformance is robust.
Authors: We agree that additional statistical reporting is required for robust evaluation. In the revised manuscript we will report all headline metrics as means and standard deviations over five independent runs, include paired t-tests against each baseline, and add an appendix table with the precise hyperparameter values and training configurations used for every compared method to enable direct reproduction. revision: yes
-
Referee: [Client-side suspicious sample identification and server-side synthesis] Client-side suspicious sample identification and server-side synthesis: the central unlearning step assumes that spectral analysis plus activation clustering isolates trigger-related samples sufficiently for local WGAN-GP training and that federated aggregation of the resulting generators produces outputs close to the true trigger distribution; no ablation on clustering failure modes, mixing of clean samples, or sensitivity of the aggregated generator is reported, leaving the load-bearing assumption untested.
Authors: The observation is accurate; the current manuscript does not contain explicit ablations on these points. We will add a dedicated ablation subsection that quantifies (i) the effect of varying fractions of clean samples mixed into the suspicious set, (ii) sensitivity of downstream ASR to clustering threshold and number of clusters, and (iii) the distribution distance between samples generated by the aggregated generator versus per-client generators, thereby directly testing the load-bearing assumptions. revision: yes
Circularity Check
No significant circularity; empirical defense validated on benchmarks
full rationale
The paper describes an empirical two-phase defense (client-side spectral analysis + WGAN-GP training, server-side aggregation and unlearning) whose central performance claims (ASR reduced to 3.88%, >91% clean accuracy on CIFAR-10/GTSRB) rest on experimental results across attack types and malicious participation rates. No load-bearing derivation, fitted parameter renamed as prediction, or self-citation chain is present in the provided text; the method is self-contained against external benchmarks without reducing to its own inputs by construction.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Communication-efficient learning of deep networks from decentralized data,
B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics. PMLR, 2017, pp. 1273– 1282
2017
-
[2]
A survey of security threats in federated learning,
Y . Feng, Y . Guo, Y . Hou, Y . Wu, M. Lao, T. Yu, and G. Liu, “A survey of security threats in federated learning,”Complex & Intelligent Systems, vol. 11, no. 2, p. 165, 2025
2025
-
[3]
MITRE ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems,
MITRE Corporation, “MITRE ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems,” https://atlas.mitre.org, 2023, tech- nique AML.T0018: Backdoor ML Model
2023
-
[4]
Fltrust: Byzantine- robust federated learning via trust bootstrapping,
X. Cao, M. Fang, J. Liu, and N. Z. Gong, “Fltrust: Byzantine- robust federated learning via trust bootstrapping,”arXiv preprint arXiv:2012.13995, 2020
-
[5]
{FLAME}: Taming backdoors in federated learning,
T. D. Nguyen, P. Rieger, H. Chen, H. Yalame, H. M ¨ollering, H. Fer- eidooni, S. Marchal, M. Miettinen, A. Mirhoseini, S. Zeitouniet al., “{FLAME}: Taming backdoors in federated learning,” in31st USENIX security symposium (USENIX Security 22), 2022, pp. 1415–1432
2022
-
[6]
Resisting poisoning attacks in federated learning via dual-domain distance and trust assessment,
Z. Wang, Z. Zhang, Z. Li, Y . Wu, Y . Liu, M. Li, X. Li, Y . Liu, J. An, W. Lianget al., “Resisting poisoning attacks in federated learning via dual-domain distance and trust assessment,”IEEE Transactions on Information Forensics and Security, 2025
2025
-
[7]
Robust knowl- edge distillation in federated learning: Counteracting backdoor attacks,
E. Alharbi, L. S. Marcolino, Q. Ni, and A. Gouglidis, “Robust knowl- edge distillation in federated learning: Counteracting backdoor attacks,” in2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML). IEEE, 2025, pp. 189–202
2025
-
[8]
Defending against backdoor attacks in federated learning by using differential privacy and ood data attributes,
Q. Tan, Y . Li, and B.-S. Shin, “Defending against backdoor attacks in federated learning by using differential privacy and ood data attributes,” Computer Modeling in Engineering & Sciences, vol. 143, no. 2, pp. 2417–2428, 2025
2025
-
[9]
Defending the edge: Representative-attention defense against backdoor attacks in federated learning,
C. P. Obioma, Y . Sun, and M. A. Mustafa, “Defending the edge: Representative-attention defense against backdoor attacks in federated learning,”arXiv preprint arXiv:2505.10297, 2025
-
[10]
Securing federated learning against backdoor threats with foundation model integration,
X. Bi and X. Li, “Securing federated learning against backdoor threats with foundation model integration,” in2025 IEEE International Con- ference on Information Reuse and Integration and Data Science (IRI). IEEE, 2025, pp. 184–189
2025
-
[11]
Flpu- rifier: Backdoor defense in federated learning via decoupled contrastive training,
J. Zhang, C. Zhu, X. Sun, C. Ge, B. Chen, W. Susilo, and S. Yu, “Flpu- rifier: Backdoor defense in federated learning via decoupled contrastive training,”IEEE Transactions on Information Forensics and Security, vol. 19, pp. 4752–4766, 2024
2024
-
[12]
Unlearning backdoor attacks in federated learning,
C. Wu, S. Zhu, P. Mitra, and W. Wang, “Unlearning backdoor attacks in federated learning,” in2024 IEEE Conference on Communications and Network Security (CNS). IEEE, 2024, pp. 1–9
2024
-
[13]
Fedcleanse: Cleanse the backdoor attacks in federated learning system,
S. Huang, Y . Li, C. Chen, L. Shi, W. Cai, and Y . Gao, “Fedcleanse: Cleanse the backdoor attacks in federated learning system,”Knowledge- Based Systems, p. 114494, 2025
2025
-
[14]
Shift: Enhancing federated learning robustness through client-side backdoor detection,
K. Wang, L. Wang, Z. Liu, Y . Luo, K. Zhang, and W. Li, “Shift: Enhancing federated learning robustness through client-side backdoor detection,”Information Fusion, p. 104144, 2026
2026
-
[15]
Adfl: Defending backdoor attacks in federated learning via adversarial distillation,
C. Zhu, J. Zhang, X. Sun, B. Chen, and W. Meng, “Adfl: Defending backdoor attacks in federated learning via adversarial distillation,” Computers & Security, vol. 132, p. 103366, 2023
2023
-
[16]
Mitigating distributed backdoor attack in federated learning through mode connec- tivity,
K. Walter, M. Mohammady, S. Nepal, and S. S. Kanhere, “Mitigating distributed backdoor attack in federated learning through mode connec- tivity,” inProceedings of the 19th ACM Asia Conference on Computer and Communications Security, 2024, pp. 1287–1298
2024
-
[17]
Generative adversarial nets,
I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y . Bengio, “Generative adversarial nets,” Advances in neural information processing systems, vol. 27, 2014
2014
-
[18]
Improved training of wasserstein gans,
I. Gulrajani, F. Ahmed, M. Arjovsky, V . Dumoulin, and A. C. Courville, “Improved training of wasserstein gans,”Advances in neural information processing systems, vol. 30, 2017
2017
-
[19]
Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering
B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, T. Lee, I. Molloy, and B. Srivastava, “Detecting backdoor attacks on deep neural networks by activation clustering,”arXiv preprint arXiv:1811.03728, 2018
work page internal anchor Pith review Pith/arXiv arXiv 2018
-
[20]
Mudguard: Taming malicious majorities in federated learning using privacy-preserving byzantine-robust clustering,
R. Wang, X. Wang, H. Chen, J. Decouchant, S. Picek, N. Laoutaris, and K. Liang, “Mudguard: Taming malicious majorities in federated learning using privacy-preserving byzantine-robust clustering,”Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 8, no. 3, pp. 1–41, 2024
2024
-
[21]
Learning multiple layers of features from tiny images,
A. Krizhevsky, G. Hintonet al., “Learning multiple layers of features from tiny images,” 2009
2009
-
[22]
The german traffic sign recognition benchmark: a multi-class classification competition,
J. Stallkamp, M. Schlipsing, J. Salmen, and C. Igel, “The german traffic sign recognition benchmark: a multi-class classification competition,” in The 2011 international joint conference on neural networks. IEEE, 2011, pp. 1453–1460
2011
-
[23]
Fine-pruning: Defending against backdooring attacks on deep neural networks,
K. Liu, B. Dolan-Gavitt, and S. Garg, “Fine-pruning: Defending against backdooring attacks on deep neural networks,” inInternational sympo- sium on research in attacks, intrusions, and defenses. Springer, 2018, pp. 273–294
2018
-
[24]
Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,
B. Wang, Y . Yao, S. Shan, H. Li, B. Viswanath, H. Zheng, and B. Y . Zhao, “Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,” in2019 IEEE symposium on security and privacy (SP). IEEE, 2019, pp. 707–723
2019
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.