1. School of Computer Science, Peking University, Beijing 100871
2. College of Computer and Data Science / College of Software, Fuzhou University, Fuzhou 350108, Fujian

Yu Shengxing (born 1995), male, from Fuzhou, Fujian; PhD candidate at Peking University; main research interests: machine learning, privacy protection, blockchain, verifiable computation.
Chen Zekai (born 1998), male, from Shantou, Guangdong; master's student at Fuzhou University; main research interests: secure multi-party computation, federated learning.
Chen Zhong (born 1963), male, from Xuzhou, Jiangsu; PhD; professor and doctoral supervisor at Peking University; main research interests: network and information security, blockchain.
Liu Ximeng (born 1988), male, from Xi'an, Shaanxi; PhD; professor and doctoral supervisor at Fuzhou University; main research interests: cloud security, applied cryptography, big data security.
Online publication date: 2023-05
Print publication date: 2023-05-25
Cite as: Shengxing YU, Zekai CHEN, Zhong CHEN, et al. DAGUARD: distributed backdoor attack defense scheme under federated learning [J]. Journal on Communications (通信学报), 2023, 44(5): 110-122. DOI: 10.11959/j.issn.1000-436x.2023086.
Abstract: To address distributed backdoor attacks under federated learning, a distributed backdoor attack defense scheme under federated learning (DAGUARD) was proposed, based on the assumption that among the clients the server selects for global aggregation, no more than half are malicious. A local update strategy based on the ternary gradient optimization algorithm (TernGrad) was designed to counter backdoor attacks that rely on local gradient adjustment as well as inference attacks; an adaptive density clustering defense scheme (AdaptDBSCAN) was designed to counter backdoor attacks with large angular deflection; an adaptive clipping scheme was designed to limit backdoor enhancement attacks that amplify gradients; and an adaptive noise scheme was designed to weaken distributed backdoor attacks. Experimental results show that, in the federated learning scenario, the proposed scheme achieves better defense performance and defense stability than existing defense strategies.
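The four server-side stages the abstract names, as an added illustrative example in Python (not the authors' code): clients ternarize their updates TernGrad-style, the server clusters them by cosine distance with DBSCAN, whose radius and core-point threshold are derived from the "at most half malicious" assumption, clips the accepted updates to their median norm, and adds Gaussian noise before averaging. The concrete rules for eps, the clip bound and the noise scale are my assumptions rather than the paper's, and the six client updates are constructed.

```python
import numpy as np
def ternarize(g):
    """TernGrad-style ternary update: -s, 0 or +s per coordinate, s = max|g| (deterministic rounding)."""
    s = np.max(np.abs(g))
    return s * np.round(g / s) if s > 0 else np.zeros_like(g)

def dbscan(D, eps, min_pts):
    """Minimal DBSCAN on a precomputed distance matrix; label -1 means noise."""
    labels, cid = -np.ones(len(D), dtype=int), 0
    for i in range(len(D)):
        if labels[i] != -1 or (D[i] <= eps).sum() < min_pts:
            continue  # already clustered, or not a core point
        labels[i], queue = cid, list(np.where(D[i] <= eps)[0])
        while queue:
            j = queue.pop()
            if labels[j] != -1:
                continue
            labels[j] = cid
            if (D[j] <= eps).sum() >= min_pts:  # j is core: keep expanding
                queue.extend(np.where(D[j] <= eps)[0])
        cid += 1
    return labels

def daguard_aggregate(updates, noise_mult=0.1, seed=0):
    """One server round: ternarize -> adaptive DBSCAN -> adaptive clip -> noise (assumed rules)."""
    T = np.array([ternarize(u) for u in updates])
    N = T / np.linalg.norm(T, axis=1, keepdims=True)
    D = np.clip(1.0 - N @ N.T, 0.0, 2.0)  # pairwise cosine distance
    min_pts = len(T) // 2 + 1  # a core point needs a majority of clients nearby
    eps = 1.5 * np.sort(D, axis=1)[:, min_pts - 1].min()  # tightest-majority radius (assumption)
    labels = dbscan(D, eps, min_pts)
    if not (labels >= 0).any():
        raise ValueError("no majority cluster found")
    accepted = np.where(labels == np.bincount(labels[labels >= 0]).argmax())[0]
    norms = np.linalg.norm(T[accepted], axis=1)
    bound = np.median(norms)  # adaptive clip bound: median norm of accepted updates (assumption)
    clipped = T[accepted] * np.minimum(1.0, bound / norms)[:, None]
    noise = np.random.default_rng(seed).normal(0.0, noise_mult * bound / len(accepted), T.shape[1])
    return clipped.mean(axis=0) + noise, accepted

def demo():
    """Constructed round: 4 benign clients, 2 pushing an amplified, orthogonal backdoor direction."""
    base = np.array([1, 1, 1, 1, -1, -1, -1, -1], dtype=float)
    backdoor = np.array([-1, 1, -1, 1, 1, -1, 1, -1], dtype=float)
    updates = [0.10 * base, 0.12 * base, 0.09 * base,
               0.10 * np.array([1, 1, 1, 0.4, -1, -1, -1, -1]), 2.0 * backdoor, 2.5 * backdoor]
    cos = lambda a, b: float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))
    agg, accepted = daguard_aggregate(updates)
    return {"accepted": accepted.tolist(), "fedavg_backdoor_cos": cos(np.mean(updates, axis=0), backdoor),
            "daguard_backdoor_cos": cos(agg, backdoor), "daguard_task_cos": cos(agg, base)}
```

Plain FedAvg of the same six updates is almost collinear with the backdoor direction, while the filtered, clipped and noised aggregate stays aligned with the benign task direction.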