
Coward: Collision-based OOD Watermarking for Practical Proactive Federated Backdoor Detection

arXiv – CS AI | Wenjie Li, Siying Gu, Yiming Li, Shuxin Li, Zhili Chen, Tianwei Zhang, Shu-Tao Xia

🤖 AI Summary

Researchers introduce Coward, a novel proactive backdoor detection method for federated learning that uses collision-based watermarking to identify poisoned model updates from malicious clients. The approach addresses critical limitations in existing detection methods by leveraging multi-backdoor collision effects and regulated OOD data injection, achieving state-of-the-art performance with fewer false positives.

Analysis

Federated learning faces a fundamental security challenge: malicious participants can poison the global model through coordinated backdoor attacks while maintaining plausible deniability across distributed networks. Traditional defenses fall into two camps, each with critical weaknesses. Passive detection methods struggle in real-world federated environments, where non-IID (not independent and identically distributed) data and variable client participation create noise that obscures attack signatures. Proactive methods that actively intervene during training have achieved better detection but introduce their own vulnerability: out-of-distribution (OOD) bias from detection mechanisms can trigger false alarms, effectively weaponizing the defense itself.

Coward's innovation centers on discovering that consecutively planted backdoors suppress earlier ones—a collision effect that inverts the detection paradigm. Rather than looking for backdoor presence, the method injects a carefully designed watermark that would be disrupted by actual backdoor attacks. This approach fundamentally sidesteps OOD bias by using it strategically rather than fighting against it. The dual-mapping learning mechanism on OOD data creates a low-disruptive training intervention that minimizes model performance degradation while maintaining detection sensitivity.

For the federated learning ecosystem, this represents meaningful progress toward practical security at scale. Current production federated systems often prioritize availability over security due to detection reliability concerns. Coward's demonstrated reduction in misjudgments could enable more aggressive security postures without unacceptable false positive rates. The research validates that sophisticated attack-defense dynamics require architectural innovation rather than incremental refinement of existing paradigms.

Key Takeaways
  • Multi-backdoor collision effects enable inverted detection paradigms that naturally counteract OOD prediction bias
  • Coward achieves state-of-the-art backdoor detection while reducing false positives compared to existing proactive methods
  • The approach uses low-disruptive training interventions through regulated dual-mapping learning on OOD data
  • Practical federated learning deployments can now balance security requirements with model training efficiency
  • Detection mechanism design must account for adversarial interactions between multiple backdoors rather than isolated attack models