面向半异步联邦学习的防御投毒攻击方法研究

doi:10.3969/j.issn.1671-1122.2024.10.012

信息网络安全 ›› 2024, Vol. 24 ›› Issue (10): 1578-1585.doi: 10.3969/j.issn.1671-1122.2024.10.012

面向半异步联邦学习的防御投毒攻击方法研究

吴立钊¹^,², 汪晓丁¹^,³, 徐恬⁴, 阙友雄³, 林晖¹^,²()

1.福建师范大学计算机与网络空间安全学院，福州 350117
2.网络安全与教育信息化福建省高校工程研究中心，福州 350117
3.中国热带农业科学院热带生物技术研究所，海口 571101
4.昌都市经济和信息化局，昌都 854000

收稿日期:2024-04-09 出版日期:2024-10-10 发布日期:2024-09-27
通讯作者: 林晖, linhui@fjnu.edu.cn
作者简介:吴立钊（1999—），男，福建，硕士研究生，主要研究方向为联邦学习、信息安全|汪晓丁（1982—），男，福建，副教授，博士，CCF会员，主要研究方向为网络优化与无线网络通信|徐恬（1979—），男，上海，高级工程师，主要研究方向为工业大数据、网络与数据安全|阙友雄（1980—），男，福建，研究员，博士，主要研究方向为智慧农业|林晖（1977—），男，福建，教授，博士，CCF会员，主要研究方向为机器学习、移动边缘计算、无线网络信息安全
基金资助:
国家自然科学基金海峡联合基金(U1905211);福建省高校产学研重点项目(2024H6008)

Defense Strategies against Poisoning Attacks in Semi-Asynchronous Federated Learning

WU Lizhao¹^,², WANG Xiaoding¹^,³, XU Tian⁴, QUE Youxiong³, LIN Hui¹^,²()

1. College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China
2. Engineering Research Center of Cyber Security and Education Information, Fujian Province University, Fuzhou 350117, China
3. Institute of Tropical Bioscience and Biotechnology, Chinese Academy of Tropical Agricultural Sciences, Haikou 571101, China
4. Changdu City Economic and Information Technology Bureau, Changdu 854000, China

Received:2024-04-09 Online:2024-10-10 Published:2024-09-27

摘要/Abstract

摘要：

联邦学习由于其分布式特性，容易遭受模型投毒攻击，即恶意客户端通过发送篡改的模型更新来破坏全局模型的准确性。在众多的联邦学习分支方法中，半异步联邦学习由于其对实时性要求较低，使得它在面对投毒攻击时显得尤为脆弱。目前，检测恶意客户端的主要手段是通过分析客户端更新的统计特征来进行区分。然而，这一方法并不适用于半异步联邦学习。由于陈旧更新中包含由延迟产生的噪声，导致现有的检测算法难以区分良性客户端的陈旧更新与攻击者的恶意更新。为了解决半异步联邦学习中的恶意客户端检测问题，文章提出了一种基于预测模型更新的检测方法SAFLD。该方法根据模型的历史更新来预测客户端的过时更新并评估恶意分数，在检测中分数较高的客户端将被标记为恶意更新客户端并移除。文章在两个基准数据集上进行了实验，结果表明，相比于现有的检测算法，SAFLD能够在半异步联邦学习场景中更加准确地检测出多种最先进的模型投毒攻击。

关键词: 半异步联邦学习, 投毒攻击, L-BFGS, 恶意客户端检测

Abstract:

Due to its distributed nature, federated learning(FL) is vulnerable to model poisoning attacks, where malicious clients can compromise the accuracy of the global model by sending tampered model updates. Among various FL branches, semi-asynchronous FL, with its lower real-time requirements, is particularly susceptible to such attacks. Currently, the primary means of detecting malicious clients involves analyzing the statistical characteristics of client updates, yet this approach is inadequate for semi-asynchronous FL. The noise introduced by delays in stale updates renders existing detection algorithms unable to distinguish between benign stale updates from clients and malicious updates from attackers. To address the issue of malicious client detection in semi-asynchronous FL, this paper proposed a detection method called SAFLD based on predicting model updates. By leveraging the historical updates of the model, SAFLD predicted stale updates from clients and assesses a maliciousness score, with higher-scoring clients being flagged as malicious and removed. Experimental validation on two benchmark datasets demonstrates that, compared to existing detection algorithms, SAFLD can more accurately detect various state-of-the-art model poisoning attacks in the context of semi-asynchronous FL.

Key words: semi-asynchronous federated learning, poisoning attack, L-BFGS, malicious client detection

中图分类号:

TP309

吴立钊, 汪晓丁, 徐恬, 阙友雄, 林晖. 面向半异步联邦学习的防御投毒攻击方法研究[J]. 信息网络安全, 2024, 24(10): 1578-1585.

WU Lizhao, WANG Xiaoding, XU Tian, QUE Youxiong, LIN Hui. Defense Strategies against Poisoning Attacks in Semi-Asynchronous Federated Learning[J]. Netinfo Security, 2024, 24(10): 1578-1585.

图/表 6

图1

图2

图3

图4

表1

表2

参考文献 24

[1]	MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[C]// PMLR. Artificial Intelligence and Statistics. New York: PMLR, 2017: 1273-1282.
[2]	LI Tian, SAHU A K, ZAHEER M, et al. Federated Optimization in Heterogeneous Networks[J]. Proceedings of Machine Learning and Systems, 2020(2): 429-450.
[3]	XIE Cong, KOYEJO S, GUPTA I. Asynchronous Federated Optimization[EB/OL]. [2024-03-07]. https://arxiv.org/pdf/1903.03934.
[4]	WANG Zhongyu, ZHANG Zhaoyang, WANG Jue. Asynchronous Federated Learning over Wireless Communication Networks[C]// IEEE. ICC 2021-IEEE International Conference on Communications. New York: IEEE, 2021: 1-7.
[5]	XU Chenhao, QU Youyang, XIANG Yong, et al. Asynchronous Federated Learning on Heterogeneous Devices: A Survey[EB/OL]. (2023-10-04)[2024-03-07]. https://www.sciencedirect.com/science/article/pii/S157401372300062X?via%3Dihub.
[6]	MA Qianpiao, JIA Qingmin, LIU Jianchun, et al. Client Grouping and Time-Sharing Scheduling for Asynchronous Federated Learning in Heterogeneous Edge Computing Environment[J]. Journal on Communications, 2023, 44(11): 79-93. doi: 10.11959/j.issn.1000-436x.2023196
	马千飘, 贾庆民, 刘建春, 等. 异构边缘计算环境下异步联邦学习的节点分组与分时调度策略[J]. 通信学报, 2023, 44(11): 79-93. doi: 10.11959/j.issn.1000-436x.2023196
[7]	WU Wentai, HE Ligang, LIN Weiwei, et al. SAFA: A Semi-Asynchronous Protocol for Fast Federated Learning with Low Overhead[J]. IEEE Transactions on Computers, 2021, 70(5): 655-668.
[8]	MA Qianpiao, XU Yang, XU Hongli, et al. FedSA: A Semi-Asynchronous Federated Learning Mechanism in Heterogeneous Edge Computing[J]. IEEE Journal on Selected Areas in Communications, 2021, 39(12): 3654-3672.
[9]	ZHOU Zihao, LI Yanan, REN Xuebin, et al. Towards Efficient and Stable K-Asynchronous Federated Learning with Unbounded Stale Gradients on Non-IID Data[J]. IEEE Transactions on Parallel and Distributed Systems, 2022, 33(12): 3291-3305.
[10]	WU Shan, ZHOU Yizhi, GAO Xuesong, et al. K Asynchronous Federated Learning with Cosine Similarity Based Aggregation on Non-IID Data[C]// Springer. Lecture Notes in Computer Science. Heidelberg: Springer, 2024: 434-452.
[11]	BAGDASARYAN E, VEIT A, HUA Yiqing, et al. How to Backdoor Federated Learning[C]// PMLR. International Conference on Artificial Intelligence and Statistics. New York: PMLR, 2020: 2938-2948.
[12]	BARUCH M, BARUCH G, GOLDBERG Y. A Little is Enough: Circumventing Defenses for Distributed Learning[J]. Advances in Neural Information Processing Systems, 2019, 32: 8635-8645.
[13]	BHAGOJI A, CHAKRABORTY S, MITTAL P, et al. Analyzing Federated Learning through an Adversarial Lens[C]// PMLR. International Conference on Machine Learning. New York: PMLR, 2019: 634-643.
[14]	GAO Ying, CHEN Xiaofeng, ZHANG Yiyu, et al. A Survey of Attack and Defense Techniques for Federated Learning Systems[J]. Chinese Journal of Computers, 2023, 46(9): 1781-1805.
	高莹, 陈晓峰, 张一余, 等. 联邦学习系统攻击与防御技术研究综述[J]. 计算机学报, 2023, 46(9): 1781-1805.
[15]	DUAN Xinru, CHEN Guirong, CHEN Aiwang, et al. Review of Research on Information Security in Federated Learning[J]. Computer Engineering and Applications, 2024, 60(3): 61-77. doi: 10.3778/j.issn.1002-8331.2303-0332
	段昕汝, 陈桂茸, 陈爱网, 等. 联邦学习中的信息安全问题研究综述[J]. 计算机工程与应用, 2024, 60(3): 61-77. doi: 10.3778/j.issn.1002-8331.2303-0332
[16]	YANG Li, ZHU Lingbo, YU Yueming, et al. Review of Federal Learning and Offensive-Defensive Confrontation[J]. Netinfo Security, 2023, 23(12): 69-90.
	杨丽, 朱凌波, 于越明, 等. 联邦学习与攻防对抗综述[J]. 信息网络安全, 2023, 23(12): 69-90.
[17]	ZHANG Zaixi, CAO Xiaoyu, JIA Jinyuan, et al. FLDetector: Defending Federated Learning Against Model Poisoning Attacks via Detecting Malicious Clients[C]// ACM. Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York: ACM, 2022: 2545-2555.
[18]	LI Suyi, CHENG Yong, WANG Wei, et al. Learning to Detect Malicious Clients for Robust Federated Learning[EB/OL]. [2024-03-07]. https://www.xueshufan.com/publication/3003426262.
[19]	LIU D C, NOCEDAL J. On the Limited Memory BFGS Method for Large Scale Optimization[J]. Mathematical Programming, 1989, 45(1): 503-528.
[20]	KUMAR A, INGLE Y S, PANDE A, et al. Canopy Clustering: A Review on Pre-Clustering Approach to K-Means Clustering[J]. International Journal of Innovations & Advancement in Computer Science, 2014, 3(5): 22-29.
[21]	MACQUEEN J. Some Methods for Classification and Analysis of Multivariate Observations[J]. Berkeley Symposium on Mathematical Statistics and Probability, 1967, 1(14): 281-297.
[22]	ZHANG Geng, ZHANG Chengchang, ZHANG Huayu. Improved K-Means Algorithm Based on Density Canopy[J]. Knowledge-Based Systems, 2018, 145: 289-297.
[23]	CHEN Yang, SUN Xiaoyan, JIN Yaochu. Communication-Efficient Federated Deep Learning with Layerwise Asynchronous Model Update and Temporally Weighted Aggregation[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 31(10): 4229-4238.
[24]	FANG Minghong, CAO Xiaoyu, JIA Jinyuan, et al. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning[EB/OL]. [2024-03-07]. https://www.xueshufan.com/publication/2990614164.

攻击方式	检测方式	DACC	FPR	FNR
无目标投毒攻击	SAFLD	80%	0.30	0
	FLD-Norm	20%	1.00	0
	FL-Detector	40%	1.00	0
缩放攻击	SAFLD	100%	0	0
	FLD-Norm	60%	0.50	0
	FL-Detector	40%	0.50	1.00

数据集	攻击方式	无攻击	有攻击无检测	有攻击有检测
Emnist	无目标投毒攻击	93.33%	88.81%	91.33%
Emnist	缩放攻击	93.33%	85.91%	91.73%
Cifar10	无目标投毒攻击	45.92%	37.87%	45.12%
Cifar10	缩放攻击	45.92%	39.65%	44.38%

面向半异步联邦学习的防御投毒攻击方法研究

Defense Strategies against Poisoning Attacks in Semi-Asynchronous Federated Learning

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 24

相关文章 1

编辑推荐

Metrics

本文评价