计算机科学

计算机科学 ›› 2023, Vol. 50 ›› Issue (11): 356-363.doi: 10.11896/jsjkx.221200005

• 信息安全 • 上一篇    下一篇

基于随机断层与梯度剪裁的横向联邦学习后门防御研究

许文韬, 王斌君   

  1. 中国人民公安大学信息网络安全学院 北京 100038
  • 收稿日期:2022-12-01 修回日期:2023-03-13 出版日期:2023-11-15 发布日期:2023-11-06
  • 通讯作者: 王斌君(wangbinjun@ppsuc.edu.cn)
  • 作者简介:(1625592944@qq.com)
  • 基金资助:
    国家社会科学基金重点项目(20AZD114)

Backdoor Defense of Horizontal Federated Learning Based on Random Cutting and GradientClipping

XU Wentao, WANG Binjun   

  1. College of Information and Cyber Security,People's Public Security University of China,Beijing 100038,China
  • Received:2022-12-01 Revised:2023-03-13 Online:2023-11-15 Published:2023-11-06
  • About author:XU Wentao,born in 1999,postgra-duate.His main research interests include federated learning and backdoor attack.WANG Binjun,born in 1962,Ph.D,professor,Ph.D supervisor,is a member of China Computer Federation.His main research interests include network security and law enforcement.
  • Supported by:
    Key Program of National Social Science Foundation(20AZD114).

PDF (PC)

1539

摘要: 联邦学习解决了用户隐私与数据共享相悖之大数据困局,体现了“数据可用不可见”的理念。然而,联邦模型在训练过程中存在后门攻击的风险。攻击者通过本地训练一个包含后门任务的攻击模型,并将模型参数放大一定比例,从而实现将后门植入联邦模型中。针对横向联邦学习模型所面临的后门威胁,从博弈的视角,提出一种基于随机断层与梯度剪裁相结合的后门防御策略和技术方案:中心服务器在收到参与方提交的梯度信息后,随机确定每个参与方的神经网络层,然后将各参与方的梯度贡献分层聚合,并使用梯度阈值对梯度参数进行裁剪。梯度剪裁和随机断层可削弱个别参与方异常数据的影响力,使联邦模型在学习后门特征时陷入平缓期,长时间无法学习到后门特征,同时不影响正常任务的学习。如果中心服务器在平缓期内结束联邦学习,即可实现对后门攻击的防御。实验结果表明,该方法可以有效地防御联邦学习中潜在的后门威胁,同时保证了模型的准确性。因此,该方法可以应用于横向联邦学习场景中,为联邦学习的安全保驾护航。

关键词: 横向联邦学习, 后门攻击, 随机断层, 梯度剪裁

Abstract: Federated learning is a methodology that solves the contradiction of big data between user privacy and data sharing,and realize the concept of “data is invisible but available”.However,the federated model is at risk of backdoor attacks in the training process.The attacker trains a attack model containing a backdoor task locally,and amplifies the model parameters by a certain proportion to implant the backdoor into the federated model.Facing the backdoor threat in the training process of the horizontal federated learning,from the perspective of the game theory,this paper proposes a backdoor defense strategy and technical proposal based on the combination of random cutting and gradient clipping.After receiving the gradient from the participants,the central server randomly chooses the neural network layer from each participant,and aggregates the gradient contributions of each participant layer by layer.Then,the central sever clips gradient parameters according to gradient threshold.Gradient clipping and random cutting can weaken the influence generated by abnormal data from minority participants.It falls into platform state when the federated model learning backdoor features,so that it keeps failing on learning backdoor features without affecting the lear-ning process of target tasks.If the central server completes the federated learning during platform state,it can defend against backdoor attacks.Experimental results show that the proposed method can effectively defend against potential backdoor threats in fe-derated learning.At the same time,the accuracy of the model is ensured.Therefore,it can be applied in horizontal federated lear-ning scenarios,providing security protection for federated learning.

Key words: Horizontal federated learning, Backdoor attack, Random cutting, Gradient clipping

中图分类号: 

  • TP391
[1]MCMAHAN B,MOORE E,RAMAGE D,et al.Communication-efficient learning of deep networks from decentralized data[C]//Artificial Intelligence and Statistics.Florida:PMLR,2017:1273-1282.
[2]XU J,GLICKSBERG B S,SU C,et al.Federated learning for healthcare informatics[J].Journal of Healthcare Informatics Research,2021,5(1):1-19.
[3]LIN B Y,HE C,ZENG Z,et al.Fednlp:Benchmarking federated learning methods for natural language processing tasks[C]//Findings of the Association for Computational Linguistics:NAACL 2022.Stroudsburg:ACL,2022:157-175.
[4]BYRD D,POLYCHRONIADOU A.Differentially private secure multi-party computation for federated learning in financial applications[C]//Proceedings of the First ACM International Conference on AI in Finance.New York:ACM,2020:1-9.
[5]KAIROUZ P,MCMAHAN H B,AVENT B,et al.Advancesand open problems in federated learning[J].Foundations and Trends in Machine Learning,2021,14(1/2):1-210.
[6]TOLPEGIN V,TRUEX S,GURSOY M E,et al.Data poisoning attacks against federated learning systems[C]//European Symposium on Research in Computer Security.New York:Springer,2020:480-501.
[7]WANG H,SREENIVASAN K,RAJPUT S,et al.Attack of the tails:Yes,you really can backdoor federated learning[J].Advances in Neural Information Processing Systems,2020,33:16070-16084.
[8]GONG X,CHEN Y,HUANG H,et al.Coordinated Backdoor Attacks against Federated Learning with Model-Dependent Triggers[J].IEEE Network,2022,36(1):84-90.
[9]BONAWITZ K,IVANOV V,KREUTER B,et al.Practical secure aggregation for privacy-preserving machine learning[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.New York:ACM,2017:1175-1191.
[10]SUN Z,KAIROUZ P,SURESH A T,et al.Can you really backdoor federated learning?[J].arXiv:1911.07963,2019.
[11]GAO J,ZHANG B,GUO X,et al.Secure Partial Aggregation:Making Federated Learning More Robust for Industry 4.0 Applications[J].IEEE Transactions on Industrial Informatics,2022,18(9):6340-6348.
[12]LI S H,ZHENG H B,CHEN J Y,et al.Neural Path Poisoning Attack Method for Federated Learning[J].Journal of Chinese Computer Systems,2023,44(7):1578-1585.
[13]BAGDASARYAN E,VEIT A,HUA Y,et al.How to backdoor federated learning[C]//International Conference on Artificial Intelligence and Statistics.New York:PMLR,2020:2938-2948.
[14]LIU Y,MA S,AAFER Y,et al.Trojaning attack on neural networks[C]//25th Annual Network and Distributed System Security Symposium.California:The Internet Society,2018:1-11.
[15]ZHANG J,HE T,SRA S,et al.Why gradient clipping accele-rates training:A theoretical justification for adaptivity[J].ar-Xiv:1905.11881,2019.
[16]CALDAS S,DUDDU S M K,WU P,et al.Leaf:A benchmark for federated settings[J].arXiv:1812.01097,2018.
[17]LI Q,DIAO Y,CHEN Q,et al.Federated learning on non-iid data silos:An experimental study[C]//2022 IEEE 38th International Conference on Data Engineering(ICDE).New York:IEEE,2022:965-978.
[18]ZHU L,HAN S.Deep leakage from gradients[C]//Advances in Neural Information Processing Systems 32:Annual Conference on Neural Information Processing Systems.New York:Curran Associates Inc,2019:14747-14756.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发