Journal on Communications ›› 2023, Vol. 44 ›› Issue (5): 110-122. doi: 10.11959/j.issn.1000-436x.2023086

DAGUARD: distributed backdoor attack defense scheme under federated learning

Shengxing YU1, Zekai CHEN2, Zhong CHEN1, Ximeng LIU2

Revised: 2023-04-12
Online: 2023-05-25
Published: 2023-05-01

About the first author: Shengxing YU (born 1995), male, from Fuzhou, Fujian; Ph.D. candidate at Peking University; research interests include machine learning, privacy preservation, blockchain and verifiable computation.

Abstract:
To counter distributed backdoor attacks and related threats in federated learning, a distributed backdoor defense scheme for federated learning, DAGUARD, is proposed under the assumption that fewer than half of the clients the server selects for global aggregation are malicious. The scheme combines four components: a ternary-gradient local update strategy (TernGrad) against backdoor attacks that make fine-grained local adjustments to the gradient and against inference attacks; an adaptive density-based clustering defense (AdaptDBSCAN) against backdoor attacks whose updates deviate from the benign ones by a large angle; an adaptive clipping scheme that bounds backdoor boosting attacks that amplify the gradient; and an adaptive noise-addition scheme that weakens distributed backdoor attacks. Experimental results show that, in federated learning scenarios, the proposed scheme achieves better defense performance and defense stability than existing defense strategies.
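The abstract names the four stages of the defense but does not show how they fit together in one aggregation round. The following is an added example written for this page; it is not the authors' DAGUARD implementation. It sketches the pipeline in pure Python: clients ternarize their update in the TernGrad style, the server clusters the received updates by cosine distance with DBSCAN, keeps the largest cluster, clips every surviving update to the median norm of that cluster, adds Gaussian noise scaled to the clipping bound, and averages. The constructed input round has six benign clients, one attacker whose update points in a clearly different direction (expected to be discarded by clustering) and one attacker that scales the benign direction up twentyfold (expected to survive clustering but be neutralised by clipping). The choice of the mean pairwise distance as the DBSCAN eps, `min_pts = n // 2 + 1` as the encoding of the fewer-than-half-malicious assumption, the median norm as the clipping bound and `noise_scale` as the noise multiplier are all stand-ins for the paper's adaptive rules, not taken from it.

```python
# Added example (not the authors' code): a simplified DAGUARD-style round.
# The adaptive rules below (eps, min_pts, clipping bound, noise level) are
# ASSUMPTIONS standing in for the paper's own choices.
import math
import random
from statistics import median

def ternarize(grad, rng=None):
    """Client side, TernGrad-style: coordinate i becomes s*sign(g_i) with
    probability |g_i|/s (s = max|g_i|), else 0; server sees only {-s,0,+s}."""
    if rng is None:
        rng = random.Random()
    s = max(abs(g) for g in grad)
    if s == 0.0:
        return [0.0] * len(grad)
    return [s * math.copysign(1.0, g) if rng.random() < abs(g) / s else 0.0
            for g in grad]

def l2norm(v):
    return math.sqrt(sum(x * x for x in v))

def cosine_distance(u, v):
    """1 - cos(u, v): direction only, so a scaled-up copy has distance 0."""
    nu, nv = l2norm(u), l2norm(v)
    if nu == 0.0 or nv == 0.0:
        return 1.0
    return 1.0 - sum(a * b for a, b in zip(u, v)) / (nu * nv)

def dbscan(dist, eps, min_pts):
    """Plain DBSCAN over a precomputed distance matrix; label -1 is noise."""
    n = len(dist)
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        neigh = [j for j in range(n) if dist[i][j] <= eps]
        if len(neigh) < min_pts:
            labels[i] = -1
            continue
        labels[i] = cluster
        stack = [j for j in neigh if j != i]
        while stack:
            j = stack.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nj = [k for k in range(n) if dist[j][k] <= eps]
            if len(nj) >= min_pts:  # j is a core point too: keep expanding
                stack.extend(k for k in nj if labels[k] is None)
        cluster += 1
    return labels

def daguard_aggregate(updates, rng, noise_scale=0.0):
    """Server side: cluster by direction, clip by norm, add noise, average.
    Returns (aggregate, accepted client indices, clipping bound)."""
    n = len(updates)
    dist = [[cosine_distance(u, v) for v in updates] for u in updates]
    pairs = [dist[i][j] for i in range(n) for j in range(i + 1, n)]
    eps = sum(pairs) / len(pairs)  # ASSUMPTION: mean pairwise distance as eps
    min_pts = n // 2 + 1           # benign majority: a real cluster has > n/2
    labels = dbscan(dist, eps, min_pts)
    members = [lab for lab in labels if lab >= 0]
    if not members:
        raise ValueError("no dense cluster of updates; refusing to aggregate")
    main = max(set(members), key=members.count)
    accepted = [i for i, lab in enumerate(labels) if lab == main]
    norms = [l2norm(updates[i]) for i in accepted]
    bound = median(norms)          # ASSUMPTION: clip bound = median norm
    clipped = [[x * (min(1.0, bound / nrm) if nrm > 0.0 else 1.0) for x in updates[i]]
               for i, nrm in zip(accepted, norms)]
    dim = len(updates[0])
    agg = [sum(c[k] for c in clipped) / len(clipped) for k in range(dim)]
    sigma = noise_scale * bound    # ASSUMPTION: noise proportional to bound
    if sigma > 0.0:
        agg = [a + rng.gauss(0.0, sigma) for a in agg]
    return agg, accepted, bound

# Constructed round (not from the paper): six benign clients near
# BENIGN_DIRECTION, one attacker pushing a different direction, one attacker
# boosting the benign direction twentyfold to dominate a plain average.
BENIGN_DIRECTION = [1.0, -1.0, 0.5, -0.5, 0.25, -0.25]
CLIENT_UPDATES = [
    [1.0, -1.0, 0.5, -0.5, 0.25, -0.25],
    [1.1, -1.0, 0.5, -0.5, 0.25, -0.25],
    [1.0, -0.9, 0.5, -0.5, 0.25, -0.25],
    [1.0, -1.0, 0.6, -0.5, 0.25, -0.25],
    [1.0, -1.0, 0.5, -0.4, 0.25, -0.25],
    [1.0, -1.0, 0.5, -0.5, 0.35, -0.25],
    [-1.0, 1.0, 0.5, -0.5, 0.25, -0.25],   # angular attacker (index 6)
    [20.0, -20.0, 10.0, -10.0, 5.0, -5.0],  # boosting attacker (index 7)
]

def run_round(noise_scale=0.0, seed=0):
    """One server round over CLIENT_UPDATES with a seeded RNG for the noise."""
    return daguard_aggregate(CLIENT_UPDATES, random.Random(seed), noise_scale)
```

Running `run_round()` accepts clients 0 to 5 and 7, rejects the angular attacker at index 6, and returns a clipping bound equal to the median norm of the accepted updates, so the boosted update at index 7 enters the average with the same weight as a benign one. The constructed updates are passed to the server un-ternarized so that the outcome can be checked by hand; in the pipeline the abstract describes, each client would send `ternarize(update, rng)` instead, and the server would never see the fine-grained coordinates. The mean-distance eps is the weakest point of this sketch: with no attacker present it collapses to the benign spread, and a real deployment needs the paper's adaptive rule or an explicit floor.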
Cite this article: Shengxing YU, Zekai CHEN, Zhong CHEN, Ximeng LIU. DAGUARD: distributed backdoor attack defense scheme under federated learning[J]. Journal on Communications, 2023, 44(5): 110-122.
Table 3. ABA of each scheme on MNIST and FASHION under different PDR and NIR (lower ABA means the backdoor is less effective)

| Defense scheme | PDR | MNIST, NIR=0.25 | MNIST, NIR=0.50 | MNIST, NIR=0.75 | FASHION, NIR=0.25 | FASHION, NIR=0.50 | FASHION, NIR=0.75 |
|---|---|---|---|---|---|---|---|
| FedAvg | 0.15625 | 95.23% | 94.71% | 94.65% | 96.92% | 91.05% | 91.06% |
| FedAvg | 0.31250 | 98.18% | 94.30% | 94.28% | 93.24% | 97.02% | 97.02% |
| FedAvg | 0.46875 | 97.46% | 98.46% | 98.36% | 97.88% | 98.62% | 98.62% |
| Median | 0.15625 | 2.58% | 2.19% | 2.17% | 47.23% | 43.51% | 43.52% |
| Median | 0.31250 | 12.92% | 2.81% | 2.71% | 66.17% | 62.75% | 62.74% |
| Median | 0.46875 | 15.42% | 9.32% | 9.29% | 56.50% | 61.21% | 61.19% |
| FLAME | 0.15625 | 11.16% | 0.98% | 0.97% | 9.54% | 7.81% | 7.80% |
| FLAME | 0.31250 | 1.59% | 0.83% | 0.82% | 9.38% | 27.24% | 27.22% |
| FLAME | 0.46875 | 1.74% | 0.86% | 0.85% | 11.89% | 7.25% | 7.23% |
| DAGUARD | 0.15625 | 1.27% | 0.75% | 0.73% | 9.38% | 6.37% | 6.35% |
| DAGUARD | 0.31250 | 0.85% | 0.99% | 0.98% | 9.04% | 6.31% | 6.29% |
| DAGUARD | 0.46875 | 0.84% | 0.78% | 0.80% | 6.60% | 6.90% | 6.85% |
References:
[1] | MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[C]// Artificial intelligence and statistics. New York:PMLR, 2017: 1273-1282. |
[2] | LIU Y , FAN T , CHEN T J ,et al. FATE:an industrial grade platform for collaborative learning with data protection[J]. The Journal of Machine Learning Research, 2021,22(1): 10320-10325. |
[3] | KURUPATHI S R , MAASS W . Survey on federated learning towards privacy preserving AI[C]// Proceedings of Computer Science & Information Technology (CS & IT). Chennai:AIRCC Publishing Corporation, 2020: 235-253. |
[4] | BOGDANOVA A , NAKAI A , OKADA Y ,et al. Federated learning system without model sharing through integration of dimensional reduced data representations[J]. arXiv Preprint,arXiv:2011.06803, 2020. |
[5] | BIGGIO B , NELSON B , LASKOV P . Poisoning attacks against support vector machines[J]. arXiv Preprint,arXiv:1206.6389, 2012. |
[6] | NELSON B , BARRENO M , CHI F J ,et al. Exploiting machine learning to subvert your spam filter[C]// Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats. Berkeley:USENIX Association, 2008: 1-9. |
[7] | FANG M H , CAO X Y , JIA J Y ,et al. Local model poisoning attacks to Byzantine-robust federated learning[C]// Proceedings of the 29th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2020: 1623-1640. |
[8] | BHAGOJI A N , CHAKRABORTY S , MITTAL P ,et al. Analyzing federated learning through an adversarial lens[C]// International Conference on Machine Learning. New York:PMLR, 2019: 634-643. |
[9] | XIE C , HUANG K , CHEN P Y ,et al. DBA:distributed backdoor attacks against federated learning[C]// Proceedings of the 8th International Conference on Learning Representations. [S.l.]:OpenReview, 2020: 1-19. |
[10] | BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[C]// International Conference on Artificial Intelligence and Statistics. New York:PMLR, 2020: 2938-2948. |
[11] | YIN D , CHEN Y , RAMCHANDRAN K ,et al. Byzantine-robust distributed learning:towards optimal statistical rates[C]// International Conference on Machine Learning. New York:PMLR, 2018: 5650-5659. |
[12] | BLANCHARD P , EL-MHAMDI E M , GUERRAOUI R ,et al. Machine learning with adversaries:Byzantine tolerant gradient descent[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 118-128. |
[13] | NGUYEN T D , RIEGER P , MIETTINEN M ,et al. Poisoning attacks on federated learning-based IoT intrusion detection system[C]// Proceedings of 2020 Workshop on Decentralized IoT Systems and Security. Reston:Internet Society, 2020: 1-7. |
[14] | SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 3-18. |
[15] | GANJU K R , WANG Q , YANG W ,et al. Property inference attacks on fully connected neural networks using permutation invariant representations[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 619-633. |
[16] | PYRGELIS A , TRONCOSO C , CRISTOFARO E D . Knock knock,who’s there? membership inference on aggregate location data[J]. arXiv Preprint,arXiv:1708.06145, 2017. |
[17] | CHEN Y D , SU L L , XU J M . Distributed statistical machine learning in adversarial settings:Byzantine gradient descent[C]// Proceedings of the 2018 ACM International Conference on Measurement and Modeling of Computer Systems. New York:ACM Press, 2018:96. |
[18] | XU J , HUANG S , SONG L ,et al. SignGuard:Byzantine-robust federated learning through collaborative malicious gradient filtering[J]. arXiv Preprint,arXiv:2109.05872, 2021. |
[19] | SHEN S Q , TOPLE S , SAXENA P . Auror:defending against poisoning attacks in collaborative deep learning systems[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York:ACM Press, 2016: 508-519. |
[20] | NGUYEN T D , RIEGER P , CHEN H ,et al. FLAME:taming backdoors in federated learning[C]// Proceedings of the 31st USENIX Security Symposium. Berkeley:USENIX Association, 2022: 1415-1432. |
[21] | WEN W , XU C , YAN F ,et al. TernGrad:ternary gradients to reduce communication in distributed deep learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 1508-1518. |
[22] | ESTER M , KRIEGEL H P , SANDER J ,et al. A density-based algorithm for discovering clusters in large spatial databases with noise[C]// Proceedings of the Second International Conference on Knowledge Discovery and Data Mining. Palo Alto:AAAI Press, 1996: 226-231. |
[23] | CAMPELLO R J G B , MOULAVI D , SANDER J . Density-based clustering based on hierarchical density estimates[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. Berlin:Springer, 2013: 160-172. |
[24] | HAN J , PEI J , TONG H . Data mining:concepts and techniques[M]. San Francisco: Morgan Kaufmann, 2022. |
[25] | MURTAGH F , CONTRERAS P . Algorithms for hierarchical clustering:an overview[J]. Wiley Interdisciplinary Reviews:Data Mining and Knowledge Discovery, 2012,2(1): 86-97. |
[26] | KRISHNA K , NARASIMHA M M . Genetic K-means algorithm[J]. IEEE Transactions on Systems,Man,and Cybernetics,Part B (Cybernetics), 1999,29(3): 433-439. |
[27] | AMINI A , WAH T Y , SAYBANI M R ,et al. A study of density-grid based clustering algorithms on data streams[C]// Proceedings of 2011 Eighth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). Piscataway:IEEE Press, 2011: 1652-1656. |
[28] | DWORK C . Differential privacy:a survey of results[C]// International Conference on Theory and Applications of Models of Computation. Berlin:Springer, 2008: 1-19. |
[29] | HUANG Z H , HU R , GUO Y X ,et al. DP-ADMM:ADMM-based distributed learning with differential privacy[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 1002-1012. |
[30] | DWORK C , ROTH A . The algorithmic foundations of differential privacy[J]. Foundations and Trends in Theoretical Computer Science, 2013,9(3/4): 211-407. |
[31] | BONAWITZ K , IVANOV V , KREUTER B ,et al. Practical secure aggregation for privacy-preserving machine learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 1175-1191. |
[32] | ANDERSON A G , BERG C P . The high-dimensional geometry of binary neural networks[J]. arXiv Preprint,arXiv:1705.07199, 2017. |
[33] | SUN Z , KAIROUZ P , SURESH A T ,et al. Can you really backdoor federated learning?[J]. arXiv Preprint,arXiv:1911.07963, 2019. |
[34] | DU M , JIA R , SONG D . Robust anomaly detection and backdoor attack detection via differential privacy[J]. arXiv Preprint,arXiv:1911.07116, 2019. |
[35] | LECUN Y , BOTTOU L , BENGIO Y ,et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998,86(11): 2278-2324. |
[36] | XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv Preprint,arXiv:1708.07747, 2017. |