DAGUARD：联邦学习下的分布式后门攻击防御方案

doi:10.11959/j.issn.1000-436x.2023086

Abstract

Abstract:

In order to solve the problems of distributed backdoor attack under federated learning, a distributed backdoor attack defense scheme (DAGUARD) under federated learning was proposed based on the assumption that the server selected no more than half of malicious clients for global aggregation.The partial update strategy of the triple gradient optimization algorithm (TernGrad) was designed to solve the backdoor attack and inference attack, an adaptive density clustering defense scheme was designed to solve the backdoor attacks with relatively large angle deflection, the adaptive clipping scheme was designed to limit the enhancement backdoor attack that amplify the gradients and the adaptive noise-enhancing scheme was designed to weaken distributed backdoor attacks.The experimental results show that in the federated learning scenario, the proposed scheme has better defense performance and defense stability than existing defense strategies.

Key words: federated learning, distributed backdoor attack, cluster, differential privacy

CLC Number:

TN92

Shengxing YU, Zekai CHEN, Zhong CHEN, Ximeng LIU. DAGUARD: distributed backdoor attack defense scheme under federated learning[J]. Journal on Communications, 2023, 44(5): 110-122.

Figures/Tables 9

References 36

[1]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[C]// Artificial intelligence and statistics. New York:PMLR, 2017: 1273-1282.
[2]	LIU Y , FAN T , CHEN T J ,et al. FATE:an industrial grade platform for collaborative learning with data protection[J]. The Journal of Machine Learning Research, 2021,22(1): 10320-10325.
[3]	KURUPATHI S R , MAASS W . Survey on federated learning towards privacy preserving AI[C]// Proceedings of Computer Science ＆ Information Technology (CS ＆ IT). Chennai:AIRCC Publishing Corporation, 2020: 235-253.
[4]	BOGDANOVA A , NAKAI A , OKADA Y ,et al. Federated learning system without model sharing through integration of dimensional reduced data representations[J]. arXiv Preprint,arXiv:2011.06803, 2020.
[5]	BIGGIO B , NELSON B , LASKOV P . Poisoning attacks against support vector machines[J]. arXiv Preprint,arXiv:1206.6389, 2012.
[6]	NELSON B , BARRENO M , CHI F J ,et al. Exploiting machine learning to subvert your spam filter[C]// Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats. Berkeley:USENIX Association, 2008: 1-9.
[7]	FANG M H , CAO X Y , JIA J Y ,et al. Local model poisoning attacks to Byzantine-robust federated learning[C]// Proceedings of the 29th USENIX Conference on Security Symposium. Berkeley:USENIX Association, 2020: 1623-1640.
[8]	BHAGOJI A N , CHAKRABORTY S , MITTAL P ,et al. Analyzing federated learning through an adversarial lens[C]// International Conference on Machine Learning. New York:PMLR, 2019: 634-643.
[9]	XIE C , HUANG K , CHEN P Y ,et al. DBA:distributed backdoor attacks against federated learning[C]// Proceedings of the 8th International Conference on Learning Representations. [S.l.]:OpenReview, 2020: 1-19.
[10]	BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[C]// International Conference on Artificial Intelligence and Statistics. New York:PMLR, 2020: 2938-2948.
[11]	YIN D , CHEN Y , RAMCHANDRAN K ,et al. Byzantine-robust distributed learning:towards optimal statistical rates[C]// International Conference on Machine Learning. New York:PMLR, 2018: 5650-5659.
[12]	BLANCHARD P , EL-MHAMDI E M , GUERRAOUI R ,et al. Machine learning with adversaries:Byzantine tolerant gradient descent[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 118-128.
[13]	NGUYEN T D , RIEGER P , MIETTINEN M ,et al. Poisoning attacks on federated learning-based IoT intrusion detection system[C]// Proceedings of 2020 Workshop on Decentralized IoT Systems and Security. Reston:Internet Society, 2020: 1-7.
[14]	SHOKRI R , STRONATI M , SONG C Z ,et al. Membership inference attacks against machine learning models[C]// Proceedings of 2017 IEEE Symposium on Security and Privacy (SP). Piscataway:IEEE Press, 2017: 3-18.
[15]	GANJU K R , WANG Q , YANG W ,et al. Property inference attacks on fully connected neural networks using permutation invariant representations[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 619-633.
[16]	PYRGELIS A , TRONCOSO C , CRISTOFARO E D . Knock knock,who’s there? membership inference on aggregate location data[J]. arXiv Preprint,arXiv:1708.06145, 2017.
[17]	CHEN Y D , SU L L , XU J M . Distributed statistical machine learning in adversarial settings:Byzantine gradient descent[C]// Proceedings of the 2018 ACM International Conference on Measurement and Modeling of Computer Systems. New York:ACM Press, 2018:96.
[18]	XU J , HUANG S , SONG L ,et al. SignGuard:Byzantine-robust federated learning through collaborative malicious gradient filtering[J]. arXiv Preprint,arXiv:2109.05872, 2021.
[19]	SHEN S Q , TOPLE S , SAXENA P . Auror:defending against poisoning attacks in collaborative deep learning systems[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York:ACM Press, 2016: 508-519.
[20]	NGUYEN T D , RIEGER P , CHEN H ,et al. FLAME:taming backdoors in federated learning[C]// Proceedings of the 31st USENIX Security Symposium. Berkeley:USENIX Association, 2022: 1415-1432.
[21]	WEN W , XU C , YAN F ,et al. TernGrad:ternary gradients to reduce communication in distributed deep learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. New York:ACM Press, 2017: 1508-1518.
[22]	ESTER M , KRIEGEL H P , SANDER J ,et al. A density-based algorithm for discovering clusters in large spatial databases with noise[C]// Proceedings of the Second International Conference on Knowledge Discovery and Data Mining. Palo Alto:AAAI Press, 1996: 226-231.
[23]	CAMPELLO R J G B , MOULAVI D , SANDER J . Density-based clustering based on hierarchical density estimates[C]// Pacific-Asia Conference on Knowledge Discovery and Data Mining. Berlin:Springer, 2013: 160-172.
[24]	HAN J , PEI J , TONG H . Data mining:concepts and techniques[M]. San Francisco: Margan Kaufmann, 2022.
[25]	MURTAGH F , CONTRERAS P . Algorithms for hierarchical clustering:an overview[J]. Wiley Interdisciplinary Reviews:Data Mining and Knowledge Discovery, 2012,2(1): 86-97.
[26]	KRISHNA K , NARASIMHA M M . Genetic K-means algorithm[J]. IEEE Transactions on Systems,Man,and Cybernetics,Part B (Cybernetics), 1999,29(3): 433-439.
[27]	AMINI A , WAH T Y , SAYBANI M R ,et al. A study of density-grid based clustering algorithms on data streams[C]// Proceedings of 2011 Eighth International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). Piscataway:IEEE Press, 2011: 1652-1656.
[28]	DWORK C . Differential privacy:a survey of results[C]// International Conference on Theory and Applications of Models of Computation. Berlin:Springer, 2008: 1-19.
[29]	HUANG Z H , HU R , GUO Y X ,et al. DP-ADMM:ADMM-based distributed learning with differential privacy[J]. IEEE Transactions on Information Forensics and Security, 2020,15: 1002-1012.
[30]	DWORK C , ROTH A . The algorithmic foundations of differential privacy[J]. Foundations and Trends in Theoretical Computer Science, 2013,9(3/4): 211-407.
[31]	BONAWITZ K , IVANOV V , KREUTER B ,et al. Practical secure aggregation for privacy-preserving machine learning[C]// Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 1175-1191.
[32]	ANDERSON A G , BERG C P . The high-dimensional geometry of binary neural networks[J]. arXiv Preprint,arXiv:1705.07199, 2017.
[33]	SUN Z , KAIROUZ P , SURESH A T ,et al. Can you really backdoor federated learning?[J]. arXiv Preprint,arXiv:1911.07963, 2019.
[34]	DU M , JIA R , SONG D . Robust anomaly detection and backdoor attack detection via differential privacy[J]. arXiv Preprint,arXiv:1911.07116, 2019.
[35]	LECUN Y , BOTTOU L , BENGIO Y ,et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998,86(11): 2278-2324.
[36]	XIAO H , RASUL K , VOLLGRAF R . Fashion-MNIST:a novel image dataset for benchmarking machine learning algorithms[J]. arXiv Preprint,arXiv:1708.07747, 2017.

Metrics

Recommended 0

No Suggested Reading articles found!

防御方案	NIR（PDR=0.312 50）			PDR（NIR=0.25）
防御方案	0.25	0.50	0.75	0.156 25	0.312 50	0.468 75
FedAvg	100%	100%	100%	100%	100%	100%
Median	64.15%	6.18%	10.80%	6.23%	64.15%	56.72%
FLAME	1.58%	1.31%	1.98%	45.52%	1.58%	1.56%
DAGUARD	1.17%	1.08%	1.02%	0.95%	1.90%	1.79%

防御方案	NIR（PDR=0.312 50）			PDR（NIR=0.25）
防御方案	0.25	0.50	0.75	0.156 25	0.312 50	0.468 75
FedAvg	100%	100%	100%	100%	100%	100%
Median	99.96%	99.92%	100%	99.94%	99.96%	99.96%
FLAME	30.15%	17.75%	54.15%	24.16%	30.15%	26.26%
DAGUARD	11.4%	10.92%	17.44%	17.61%	11.40%	13.55%

防御方案	PDR		MNIST			FASHION
防御方案	PDR	NIR=0.25	NIR=0.50	NIR=0.75	NIR=0.25	NIR=0.50	NIR=0.75
FedAvg	0.156 25	95.23%	94.71%	94.65%	96.92%	91.05%	91.06%
	0.312 50	98.18%	94.30%	94.28%	93.24%	97.02%	97.02%
	0.468 75	97.46%	98.46%	98.36%	97.88%	98.62%	98.62%
Median	0.156 25	2.58%	2.19%	2.17%	47.23%	43.51%	43.52%
	0.312 50	12.92%	2.81%	2.71%	66.17%	62.75%	62.74%
	0.468 75	15.42%	9.32%	9.29%	56.50%	61.21%	61.19%
FLAME	0.156 25	11.16%	0.98%	0.97%	9.54%	7.81%	7.80%
	0.312 50	1.59%	0.83%	0.82%	9.38%	27.24%	27.22%
	0.468 75	1.74%	0.86%	0.85%	11.89%	7.25%	7.23%
DAGUARD	0.156 25	1.27%	0.75%	0.73%	9.38%	6.37%	6.35%
	0.312 50	0.85%	0.99%	0.98%	9.04%	6.31%	6.29%
	0.468 75	0.84%	0.78%	0.80%	6.60%	6.90%	6.85%

DAGUARD: distributed backdoor attack defense scheme under federated learning

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 36

Related Articles 15

Metrics

Recommended 0

[1]	Ling MA, Qiliang FAN, Ting XU, Guanchen GUO, Shenglin ZHANG, Yongqian SUN, Yuzhi ZHANG. Scheduling framework based on reinforcement learning in online-offline colocated cloud environment [J]. Journal on Communications, 2023, 44(6): 90-102.
[2]	Xindi MA, Qinghua LI, Qi JIANG, Zhuo MA, Sheng GAO, Youliang TIAN, Jianfeng MA. Byzantine-robust federated learning over Non-IID data [J]. Journal on Communications, 2023, 44(6): 138-153.
[3]	Kaiju LI, Qiang XU, Hao WANG. Communication-efficient federated learning method via redundant data elimination [J]. Journal on Communications, 2023, 44(5): 79-93.
[4]	Hui JIANG, Tianliu HE, Min LIU, Sheng SUN, Yuwei WANG. High-performance federated continual learning algorithm for heterogeneous streaming data [J]. Journal on Communications, 2023, 44(5): 123-136.
[5]	Youliang TIAN, Shihong WU, Ta LI, Lindong WANG, Hua ZHOU. Federated learning optimization algorithm based on incentive mechanism [J]. Journal on Communications, 2023, 44(5): 169-180.
[6]	Jiale ZHANG, Chengcheng ZHU, Xiaobing SUN, Bing CHEN. Membership inference attack and defense method in federated learning based on GAN [J]. Journal on Communications, 2023, 44(5): 193-205.
[7]	Tao FENG, Liqiu CHEN, Junli FANG, Jianming SHI. Blockchain data sharing scheme based on localized difference privacy and attribute-based searchable encryption [J]. Journal on Communications, 2023, 44(5): 224-233.
[8]	Yu DONG, Youpeng ZHANG. Conflict evidence combination method based on clustering weighting [J]. Journal on Communications, 2023, 44(3): 157-163.
[9]	Shufen ZHANG, Yanling DONG, Jingcheng XU, Haoshi WANG. AdaBoost algorithm based on target perturbation [J]. Journal on Communications, 2023, 44(2): 198-209.
[10]	Shengxing YU, Zhong CHEN. Efficient secure federated learning aggregation framework based on homomorphic encryption [J]. Journal on Communications, 2023, 44(1): 14-28.
[11]	Lingtao TANG, Di WANG, Shengyun LIU. Data augmentation scheme for federated learning with non-IID data [J]. Journal on Communications, 2023, 44(1): 164-176.
[12]	Chengsheng YUAN, Qiang GUO, Zhangjie FU. Copyright protection algorithm based on differential privacy deep fake fingerprint detection model [J]. Journal on Communications, 2022, 43(9): 181-193.
[13]	Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features [J]. Journal on Communications, 2022, 43(9): 224-239.
[14]	Hanyi WANG, Xiaoguang LI, Wenqing BI, Yahong CHEN, Fenghua LI, Ben NIU. Multi-level local differential privacy algorithm recommendation framework [J]. Journal on Communications, 2022, 43(8): 52-64.
[15]	Shaoshuai FAN, Jianbo WU, Hui TIAN. Federated learning resource management for energy-constrained industrial IoT devices [J]. Journal on Communications, 2022, 43(8): 65-77.