Computer Science ›› 2024, Vol. 51 ›› Issue (11): 356-367. doi: 10.11896/jsjkx.231000158
GAO Qi1, SUN Yi1, GAI Xinmao3, WANG Youhe1, YANG Fan1,2
Abstract: Federated learning lets users jointly train a model by exchanging model parameters rather than raw data, which reduces the risk of data leakage. Research has shown, however, that a user's private information can still be inferred from the exchanged model parameters, and many privacy-preserving aggregation methods have been proposed in response. In addition, a malicious user can disrupt federated aggregation by submitting a carefully crafted poisoned model, and when models are aggregated under privacy protection such a user can mount even stealthier poisoning attacks, because the server can no longer inspect individual updates. To resist poisoning attacks while preserving privacy, this paper proposes PRFL, a privacy-preserving robust aggregation method for federated learning. PRFL not only defends effectively against poisoning attacks launched by Byzantine users, but also preserves the privacy of local models together with the accuracy and efficiency of the global model. First, a lightweight privacy-preserving aggregation method under a dual-server architecture is proposed; it aggregates models privately while preserving global-model accuracy and without introducing overhead problems. Second, a method for computing model distances over encrypted models is proposed, which allows the two servers to compute the distance between models without exposing local model parameters; a poisoned-model detection method is then built on this distance computation and the Local Outlier Factor (LOF) algorithm. Finally, the security of PRFL is analysed. Experiments on two real image datasets show that, in the absence of attack, PRFL achieves model accuracy close to that of FedAvg, and that under both independent and identically distributed (IID) and non-IID (Non-IID) data settings PRFL effectively defends against three state-of-the-art poisoning attacks and outperforms the existing Krum, Median and Trimmed mean methods.
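The pipeline the abstract describes (clients secret-share their updates to two non-colluding servers, the servers compute pairwise model distances without seeing either local model, LOF over those distances singles out poisoned updates, and only the accepted shares are summed) as an added illustrative example. This is not the authors' PRFL code: the paper's own encrypted-state distance method is not described on this page, so the example substitutes a standard two-party building block, additive secret sharing over the ring Z_{2^64} with dealer-supplied Beaver multiplication triples. The ring size, the fixed-point scale, k, the LOF threshold, the four-parameter toy model and the six constructed client updates (five honest, one Byzantine client sending a sign-flipped, 10x scaled update) are all assumptions made for the illustration.

```python
import math
import random

# Toy parameters (assumptions for this illustration, not values from the paper)
MOD = 2 ** 64         # ring Z_{2^64} used for additive secret sharing
SCALE = 2 ** 16       # fixed-point scale for model parameters
K_NEIGHBOURS = 2      # k used by LOF
LOF_THRESHOLD = 2.0   # an update scoring above this is treated as poisoned

def encode(vec):
    """Real-valued vector -> fixed-point ring elements."""
    return [int(round(x * SCALE)) % MOD for x in vec]

def decode(val, scale=SCALE):
    """Ring element -> signed real value."""
    return (val - MOD if val >= MOD // 2 else val) / scale

def share(vec, rng):
    """Additively split a ring vector into one share per server."""
    s1 = [rng.randrange(MOD) for _ in vec]
    return s1, [(x - a) % MOD for x, a in zip(vec, s1)]

def vsub(a, b):
    return [(x - y) % MOD for x, y in zip(a, b)]

def beaver_triple(rng):
    """Dealer-generated triple c = a*b, additively shared between the servers."""
    a, b = rng.randrange(MOD), rng.randrange(MOD)
    a1, b1, c1 = (rng.randrange(MOD) for _ in range(3))
    return (a1, b1, c1), ((a - a1) % MOD, (b - b1) % MOD, (a * b - c1) % MOD)

def secure_sq_norm(d1, d2, rng):
    """Servers holding shares d1, d2 of a difference vector d open ||d||^2.
    Per coordinate they exchange only the masked values e = x - a, f = x - b."""
    z1 = z2 = 0
    for x1, x2 in zip(d1, d2):
        (a1, b1, c1), (a2, b2, c2) = beaver_triple(rng)
        e = ((x1 - a1) + (x2 - a2)) % MOD   # opened by exchanging the two shares
        f = ((x1 - b1) + (x2 - b2)) % MOD
        z1 = (z1 + c1 + e * b1 + f * a1 + e * f) % MOD   # only server 1 adds e*f
        z2 = (z2 + c2 + e * b2 + f * a2) % MOD
    return (z1 + z2) % MOD   # ||d||^2 at scale SCALE**2, revealed to both servers

def private_squared_distance(u, v, seed=0):
    """Squared distance between two plaintext updates, computed only on shares."""
    rng = random.Random(seed)
    u1, u2 = share(encode(u), rng)
    v1, v2 = share(encode(v), rng)
    return decode(secure_sq_norm(vsub(u1, v1), vsub(u2, v2), rng), SCALE ** 2)

def lof_scores(dist, k):
    """Local Outlier Factor (Breunig et al.) over a symmetric distance matrix."""
    n = len(dist)
    neigh = [sorted((j for j in range(n) if j != i), key=lambda j: dist[i][j])[:k]
             for i in range(n)]
    kdist = [dist[i][neigh[i][-1]] for i in range(n)]
    reach = lambda i, j: max(kdist[j], dist[i][j])
    lrd = [k / max(sum(reach(i, j) for j in neigh[i]), 1e-12) for i in range(n)]
    return [sum(lrd[j] for j in neigh[i]) / (k * lrd[i]) for i in range(n)]

def robust_private_aggregate(updates, seed=7, k=K_NEIGHBOURS, threshold=LOF_THRESHOLD):
    """Clients secret-share updates to two servers, which compute pairwise distances
    on shares, score them with LOF and sum only the accepted shares.
    Returns (aggregate, flagged client indices, LOF scores)."""
    rng = random.Random(seed)
    shares = [share(encode(u), rng) for u in updates]
    n, dim = len(updates), len(updates[0])
    dist = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            d1, d2 = vsub(shares[i][0], shares[j][0]), vsub(shares[i][1], shares[j][1])
            sq = decode(secure_sq_norm(d1, d2, rng), SCALE ** 2)
            dist[i][j] = dist[j][i] = math.sqrt(max(sq, 0.0))
    scores = lof_scores(dist, k)
    accepted = [i for i in range(n) if scores[i] <= threshold]
    flagged = [i for i in range(n) if scores[i] > threshold]
    # Each server sums the shares of the accepted clients; the two sums are opened.
    agg1 = [sum(shares[i][0][t] for i in accepted) % MOD for t in range(dim)]
    agg2 = [sum(shares[i][1][t] for i in accepted) % MOD for t in range(dim)]
    return ([decode((x + y) % MOD) / len(accepted) for x, y in zip(agg1, agg2)],
            flagged, scores)

def demo_updates():
    """Constructed input: five honest clients near one direction plus one Byzantine
    client that sends a sign-flipped, 10x scaled update (model-scaling attack)."""
    base = [0.5, -0.2, 0.1, 0.3]
    honest = [base] + [[x + (0.05 if t == i else 0.0) for t, x in enumerate(base)]
                       for i in range(4)]
    return honest + [[-10 * x for x in base]]

if __name__ == "__main__":
    agg, flagged, scores = robust_private_aggregate(demo_updates())
    print("LOF scores:", [round(s, 2) for s in scores])
    print("flagged   :", flagged)          # expected [5]
    print("aggregate :", [round(x, 3) for x in agg])
```

Running the script flags client 5 (its LOF score is two orders of magnitude above the honest clients, which score close to 1) and returns the mean of the five honest updates. Two caveats carry over to any real deployment of this pattern: the servers learn the pairwise distances (that is what the detection stage needs, and it is what the abstract says the two servers compute), and privacy of the individual updates rests entirely on the two servers not colluding, since together the shares reconstruct every local model. In this simulation one random generator plays the clients, the dealer and both servers; in practice the triples come from a separate offline phase and each party draws its own randomness.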