Journal on Communications (通信学报) ›› 2023, Vol. 44 ›› Issue (5): 110-122. doi: 10.11959/j.issn.1000-436x.2023086

• Academic paper •

DAGUARD: distributed backdoor attack defense scheme under federated learning

Shengxing YU1, Zekai CHEN2, Zhong CHEN1, Ximeng LIU2

  1. 1 School of Computer Science, Peking University, Beijing 100871, China
    2 College of Computer and Data Science/College of Software, Fuzhou University, Fuzhou 350108, China
  • Revised: 2023-04-12 Online: 2023-05-25 Published: 2023-05-01
  • About the authors: Shengxing YU (1995- ), male, born in Fuzhou, Fujian, is a Ph.D. candidate at Peking University. His main research interests include machine learning, privacy protection, blockchain and verifiable computation.
    Zekai CHEN (1998- ), male, born in Shantou, Guangdong, is a master's student at Fuzhou University. His main research interests include secure multi-party computation and federated learning.
    Zhong CHEN (1963- ), male, born in Xuzhou, Jiangsu, Ph.D., is a professor and doctoral supervisor at Peking University. His main research interests include network and information security and blockchain.
    Ximeng LIU (1988- ), male, born in Xi'an, Shaanxi, Ph.D., is a professor and doctoral supervisor at Fuzhou University. His main research interests include cloud security, applied cryptography and big data security.
  • Supported by:
    The National Natural Science Foundation of China (62072109); The National Natural Science Foundation of China (62102422)

Abstract:

To address problems such as distributed backdoor attacks under federated learning, a distributed backdoor attack defense scheme (DAGUARD) was proposed, based on the assumption that malicious clients make up no more than half of the clients the server selects for global aggregation. A local update strategy based on the ternary gradient optimization algorithm (TernGrad) was designed to counter inference attacks and backdoor attacks that locally adjust gradients; an adaptive density clustering defense scheme (AdaptDBSCAN) was designed to counter backdoor attacks with large angular deviation; an adaptive clipping scheme was designed to limit backdoor enhancement attacks that amplify gradients; and an adaptive noise-adding scheme was designed to weaken distributed backdoor attacks. The experimental results show that, in the federated learning scenario, the proposed scheme has better defense performance and defense stability than existing defense strategies.

Key words: federated learning, distributed backdoor attack, clustering, differential privacy
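
The three server-side steps the abstract names (density clustering on update direction, norm clipping, noise addition), as an added sketch that is not the paper's code. The fixed `eps`, the median-norm clipping bound, the noise scale and all function names are assumptions standing in for DAGUARD's adaptive rules, which this page does not give; the TernGrad client step is omitted.

```python
import math
import random
import statistics

# Constructed sample: five benign updates, one boosted (scaled-up) update,
# and one update pointing in a very different direction.
SAMPLE_UPDATES = [
    [1.0, 1.0, 0.1], [0.9, 1.1, 0.0], [1.1, 0.9, -0.1],
    [1.0, 1.2, 0.05], [0.8, 1.0, 0.1],
    [10.0, 10.0, 1.0],   # index 5: benign direction, amplified norm
    [-1.0, -1.0, 3.0],   # index 6: large angular deviation
]

def l2(u):
    return math.sqrt(sum(a * a for a in u))

def cosine_distance(u, v):
    nu, nv = l2(u), l2(v)
    if nu == 0.0 or nv == 0.0:
        return 1.0  # a zero update is treated as unrelated to everything
    return 1.0 - sum(a * b for a, b in zip(u, v)) / (nu * nv)

def density_filter(updates, eps):
    """DBSCAN-style majority cluster: core points need more than n/2 neighbours."""
    n = len(updates)
    near = [{j for j in range(n) if cosine_distance(updates[i], updates[j]) <= eps}
            for i in range(n)]
    core = {i for i in range(n) if len(near[i]) >= n // 2 + 1}
    return [i for i in range(n) if near[i] & core]  # core points and their border points

def aggregate(updates, eps=0.5, noise_scale=0.0, rng=None):
    """Return (kept indices, clipping bound, aggregated update)."""
    rng = rng or random.Random(0)
    kept = density_filter(updates, eps)
    if not kept:
        raise ValueError("no majority cluster found; skip this round")
    # Assumed clipping rule: bound every kept update by the median kept norm.
    bound = statistics.median(l2(updates[i]) for i in kept)
    clipped = []
    for i in kept:
        norm = l2(updates[i])
        scale = min(1.0, bound / norm) if norm > 0 else 1.0
        clipped.append([a * scale for a in updates[i]])
    mean = [sum(col) / len(clipped) for col in zip(*clipped)]
    # Assumed noise rule: Gaussian noise proportional to the clipping bound.
    return kept, bound, [m + rng.gauss(0.0, noise_scale * bound) for m in mean]

if __name__ == "__main__":
    print(aggregate(SAMPLE_UPDATES, noise_scale=0.01))
```

On the sample, the update with large angular deviation is dropped by the density filter, while the amplified update passes the direction check and is then scaled down to the median norm before averaging.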
