Journal on Communications ›› 2023, Vol. 44 ›› Issue (5): 193-205. doi: 10.11959/j.issn.1000-436x.2023094
Jiale ZHANG (张佳乐)1,2, Chengcheng ZHU (朱诚诚)1,2, Xiaobing SUN (孙小兵)1,2, Bing CHEN (陈兵)3
Revised: 2023-03-06
Online: 2023-05-25
Published: 2023-05-01
About the authors:
Jiale ZHANG (张佳乐, 1994- ), male, from Bengbu, Anhui; Ph.D.; lecturer and master's supervisor at Yangzhou University. Main research interests: artificial intelligence security, federated learning, and data privacy protection.
Abstract:
Federated learning systems are highly vulnerable to membership inference attacks launched by malicious participants during the prediction phase, and existing defenses struggle to balance privacy protection against model loss. To address both problems, this paper studies membership inference attacks in federated learning and their defenses. First, two membership inference attacks based on generative adversarial networks (GAN) are proposed: a class-level attack and a user-level attack. The class-level attack aims to leak the training-data privacy of all participants, whereas the user-level attack can target one specific participant. In addition, a membership inference defense for federated learning based on adversarial examples (DefMIA) is proposed: by designing a method that adds adversarial-example noise to the global model parameters, it effectively defends against membership inference attacks while preserving the accuracy of federated learning. Experimental results show that the class-level and user-level attacks achieve more than 90% attack accuracy in federated learning, and that after DefMIA is applied their attack accuracy drops markedly, to close to random guessing (50%).
Jiale ZHANG, Chengcheng ZHU, Xiaobing SUN, Bing CHEN. Membership inference attack and defense method in federated learning based on GAN[J]. Journal on Communications, 2023, 44(5): 193-205. (Original Chinese title: 基于GAN的联邦学习成员推理攻击与防御方法)
Table 3 Experimental results of the DefMIA defense on different datasets

| Class | MNIST Before | MNIST DefMIA | F-MNIST Before | F-MNIST DefMIA | CIFAR-10 Before | CIFAR-10 DefMIA |
|---|---|---|---|---|---|---|
| 0 | 0.903 | 0.501 | 0.942 | 0.512 | 0.876 | 0.483 |
| 1 | 0.961 | 0.506 | 0.922 | 0.502 | 0.889 | 0.491 |
| 2 | 0.953 | 0.551 | 0.925 | 0.524 | 0.879 | 0.507 |
| 3 | 0.977 | 0.575 | 0.921 | 0.504 | 0.874 | 0.498 |
| 4 | 0.977 | 0.597 | 0.953 | 0.533 | 0.901 | 0.503 |
| 5 | 0.896 | 0.546 | 0.932 | 0.517 | 0.877 | 0.488 |
| 6 | 0.923 | 0.549 | 0.897 | 0.503 | 0.894 | 0.502 |
| 7 | 0.924 | 0.535 | 0.933 | 0.513 | 0.886 | 0.514 |
| 8 | 0.923 | 0.529 | 0.967 | 0.539 | 0.882 | 0.489 |
| 9 | 0.921 | 0.535 | 0.929 | 0.507 | 0.906 | 0.504 |