DAGUARD：联邦学习下的分布式后门攻击防御方案

doi:10.11959/j.issn.1000-436x.2023086

摘要/Abstract

摘要：

为了解决联邦学习下的分布式后门攻击等问题，基于服务器挑选最多不超过半数恶意客户端进行全局聚合的假设，提出了一种联邦学习下的分布式后门防御方案（DAGUARD）。设计了三元组梯度优化算法局部更新策略（TernGrad）以解决梯度局部调整的后门攻击和推理攻击、自适应密度聚类防御方案（AdaptDBSCAN）以解决角度偏较大的后门攻击、自适应裁剪方案以限制放大梯度的后门增强攻击和自适应加噪方案以削弱分布式后门攻击。实验结果表明，在联邦学习场景下，所提方案相比现有的防御策略具有更好的防御性能和防御稳定性。

关键词: 联邦学习, 分布式后门攻击, 聚类, 差分隐私

Abstract:

In order to solve the problems of distributed backdoor attack under federated learning, a distributed backdoor attack defense scheme (DAGUARD) under federated learning was proposed based on the assumption that the server selected no more than half of malicious clients for global aggregation.The partial update strategy of the triple gradient optimization algorithm (TernGrad) was designed to solve the backdoor attack and inference attack, an adaptive density clustering defense scheme was designed to solve the backdoor attacks with relatively large angle deflection, the adaptive clipping scheme was designed to limit the enhancement backdoor attack that amplify the gradients and the adaptive noise-enhancing scheme was designed to weaken distributed backdoor attacks.The experimental results show that in the federated learning scenario, the proposed scheme has better defense performance and defense stability than existing defense strategies.

Key words: federated learning, distributed backdoor attack, cluster, differential privacy

中图分类号:

TN92

余晟兴, 陈泽凯, 陈钟, 刘西蒙. DAGUARD：联邦学习下的分布式后门攻击防御方案[J]. 通信学报, 2023, 44(5): 110-122.

Shengxing YU, Zekai CHEN, Zhong CHEN, Ximeng LIU. DAGUARD: distributed backdoor attack defense scheme under federated learning[J]. Journal on Communications, 2023, 44(5): 110-122.

图/表 9

图1

图2

图3

图4

表1

表2

图5

图6

表3

参考文献 36

[1]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[C]// Artificial intelligence and statistics. New York:PMLR, 2017: 1273-1282.
[2]	LIU Y , FAN T , CHEN T J ,et al. FATE:an industrial grade platform for collaborative learning with data protection[J]. The Journal of Machine Learning Research, 2021,22(1): 10320-10325.
[3]	KURUPATHI S R , MAASS W . Survey on federated learning towards privacy preserving AI[C]// Proceedings of Computer Science ＆ Information Technology (CS ＆ IT). Chennai:AIRCC Publishing Corporation, 2020: 235-253.
[4]	BOGDANOVA A , NAKAI A , OKADA Y ,et al. Federated learning system without model sharing through integration of dimensional reduced data representations[J]. arXiv Preprint,arXiv:2011.06803, 2020.
[5]	BIGGIO B , NELSON B , LASKOV P . Poisoning attacks against support vector machines[J]. arXiv Preprint,arXiv:1206.6389, 2012.
[6]	NELSON B , BARRENO M , CHI F J ,et al. Exploiting machine learning to subvert your spam filter[C]// Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats. Berkeley:USENIX Association, 2008: 1-9.
[7]	FANG M H , CAO X Y , JIA J Y ,et al. Local model poisoning attacks to Byzantine-robust federated learning[C]// Proceedings of the 29th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2020: 1623-1640.
[8]	BHAGOJI A N , CHAKRABORTY S , MITTAL P ,et al. Analyzing federated learning through an adversarial lens[C]// International Conference on Machine Learning. New York:PMLR, 2019: 634-643.
[9]	XIE C , HUANG K , CHEN P Y ,et al. DBA:distributed backdoor attacks against federated learning[C]// Proceedings of the 8th International Conference on Learning Representations. [S.l.]:OpenReview, 2020: 1-19.
[10]	BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[C]// International Conference on Artificial Intelligence and Statistics. New York:PMLR, 2020: 2938-2948.
[11]	YIN D , CHEN Y , RAMCHANDRAN K ,et al. Byzantine-robust distributed learning:towards optimal statistical rates[C]// International Conference on Machine Learning. New York:PMLR, 2018: 5650-5659.
[12]	BLANCHARD P , EL-MHAMDI E M , GUERRAOUI R ,et al. Machine learning with adversaries:Byzantine tolerant gradient descent[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 118-128.
[13]	NGUYEN T D , RIEGER P , MIETTINEN M ,et al. Poisoning attacks on federated learning-based IoT intrusion detection system[C]// Proceedings of 2020 Workshop on Decentralized IoT Systems and Security. Reston:Internet Society, 2020: 1-7.
[14]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 3-18.
[15]	GANJU K R , WANG Q , YANG W ,et al. Property inference attacks on fully connected neural networks using permutation invariant representations[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 619-633.
[16]	PYRGELIS A , TRONCOSO C , CRISTOFARO E D . Knock knock,who’s there? membership inference on aggregate location data[J]. arXiv Preprint,arXiv:1708.06145, 2017.
[17]	CHEN Y D , SU L L , XU J M . Distributed statistical machine learning in adversarial settings:Byzantine gradient descent[C]// Proceedings of the 2018 ACM International Conference on Measurement and Modeling of Computer Systems. New York:ACM Press, 2018:96.
[18]	XU J , HUANG S , SONG L ,et al. SignGuard:Byzantine-robust federated learning through collaborative malicious gradient filtering[J]. arXiv Preprint,arXiv:2109.05872, 2021.
[19]	SHEN S Q , TOPLE S , SAXENA P . Auror:defending against poisoning attacks in collaborative deep learning systems[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York:ACM Press, 2016: 508-519.
[20]	NGUYEN T D , RIEGER P , CHEN H ,et al. FLAME:taming backdoors in federated learning[C]// Proceedings of the 31st USENIX Security Symposium. Berkeley:USENIX Association, 2022: 1415-1432.
[21]	WEN W , XU C , YAN F ,et al. TernGrad:ternary gradients to reduce communication in distributed deep learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 1508-1518.
[22]	ESTER M , KRIEGEL H P , SANDER J ,et al. A density-based algorithm for discovering clusters in large spatial databases with noise[C]// Proceedings of the Second International Conference on Knowledge Discovery and Data Mining. Palo Alto:AAAI Press, 1996: 226-231.
[23]	CAMPELLO R J G B , MOULAVI D , SANDER J . Density-based clustering based on hierarchical density estimates[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. Berlin:Springer, 2013: 160-172.
[24]	HAN J , PEI J , TONG H . Data mining:concepts and techniques[M]. San Francisco: Margan Kaufmann, 2022.
[25]	MURTAGH F , CONTRERAS P . Algorithms for hierarchical clustering:an overview[J]. Wiley Interdisciplinary Reviews:Data Mining and Knowledge Discovery, 2012,2(1): 86-97.
[26]	KRISHNA K , NARASIMHA M M . Genetic K-means algorithm[J]. IEEE Transactions on Systems,Man,and Cybernetics,Part B (Cybernetics), 1999,29(3): 433-439.
[27]	AMINI A , WAH T Y , SAYBANI M R ,et al. A study of density-grid based clustering algorithms on data streams[C]// Proceedings of 2011 Eighth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). Piscataway:IEEE Press, 2011: 1652-1656.
[28]	DWORK C . Differential privacy:a survey of results[C]// International Conference on Theory and Applications of Models of Computation. Berlin:Springer, 2008: 1-19.
[29]	HUANG Z H , HU R , GUO Y X ,et al. DP-ADMM:ADMM-based distributed learning with differential privacy[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 1002-1012.
[30]	DWORK C , ROTH A . The algorithmic foundations of differential privacy[J]. Foundations and Trends in Theoretical Computer Science, 2013,9(3/4): 211-407.
[31]	BONAWITZ K , IVANOV V , KREUTER B ,et al. Practical secure aggregation for privacy-preserving machine learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 1175-1191.
[32]	ANDERSON A G , BERG C P . The high-dimensional geometry of binary neural networks[J]. arXiv Preprint,arXiv:1705.07199, 2017.
[33]	SUN Z , KAIROUZ P , SURESH A T ,et al. Can you really backdoor federated learning?[J]. arXiv Preprint,arXiv:1911.07963, 2019.
[34]	DU M , JIA R , SONG D . Robust anomaly detection and backdoor attack detection via differential privacy[J]. arXiv Preprint,arXiv:1911.07116, 2019.
[35]	LECUN Y , BOTTOU L , BENGIO Y ,et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998,86(11): 2278-2324.
[36]	XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv Preprint,arXiv:1708.07747, 2017.

防御方案	NIR（PDR=0.312 50）			PDR（NIR=0.25）
防御方案	0.25	0.50	0.75	0.156 25	0.312 50	0.468 75
FedAvg	100%	100%	100%	100%	100%	100%
Median	64.15%	6.18%	10.80%	6.23%	64.15%	56.72%
FLAME	1.58%	1.31%	1.98%	45.52%	1.58%	1.56%
DAGUARD	1.17%	1.08%	1.02%	0.95%	1.90%	1.79%

防御方案	NIR（PDR=0.312 50）			PDR（NIR=0.25）
防御方案	0.25	0.50	0.75	0.156 25	0.312 50	0.468 75
FedAvg	100%	100%	100%	100%	100%	100%
Median	99.96%	99.92%	100%	99.94%	99.96%	99.96%
FLAME	30.15%	17.75%	54.15%	24.16%	30.15%	26.26%
DAGUARD	11.4%	10.92%	17.44%	17.61%	11.40%	13.55%

防御方案	PDR		MNIST			FASHION
防御方案	PDR	NIR=0.25	NIR=0.50	NIR=0.75	NIR=0.25	NIR=0.50	NIR=0.75
FedAvg	0.156 25	95.23%	94.71%	94.65%	96.92%	91.05%	91.06%
	0.312 50	98.18%	94.30%	94.28%	93.24%	97.02%	97.02%
	0.468 75	97.46%	98.46%	98.36%	97.88%	98.62%	98.62%
Median	0.156 25	2.58%	2.19%	2.17%	47.23%	43.51%	43.52%
	0.312 50	12.92%	2.81%	2.71%	66.17%	62.75%	62.74%
	0.468 75	15.42%	9.32%	9.29%	56.50%	61.21%	61.19%
FLAME	0.156 25	11.16%	0.98%	0.97%	9.54%	7.81%	7.80%
	0.312 50	1.59%	0.83%	0.82%	9.38%	27.24%	27.22%
	0.468 75	1.74%	0.86%	0.85%	11.89%	7.25%	7.23%
DAGUARD	0.156 25	1.27%	0.75%	0.73%	9.38%	6.37%	6.35%
	0.312 50	0.85%	0.99%	0.98%	9.04%	6.31%	6.29%
	0.468 75	0.84%	0.78%	0.80%	6.60%	6.90%	6.85%