Netinfo Security (信息网络安全), 2024, Vol. 24, Issue (10): 1578-1585. doi: 10.3969/j.issn.1671-1122.2024.10.012


Defense Strategies against Poisoning Attacks in Semi-Asynchronous Federated Learning

WU Lizhao1,2, WANG Xiaoding1,3, XU Tian4, QUE Youxiong3, LIN Hui1,2

  1. College of Computer and Cyber Security, Fujian Normal University, Fuzhou 350117, China
  2. Engineering Research Center of Cyber Security and Education Information, Fujian Province University, Fuzhou 350117, China
  3. Institute of Tropical Bioscience and Biotechnology, Chinese Academy of Tropical Agricultural Sciences, Haikou 571101, China
  4. Changdu City Economic and Information Technology Bureau, Changdu 854000, China
  • Received: 2024-04-09 Online: 2024-10-10 Published: 2024-09-27
  • Corresponding author: LIN Hui, linhui@fjnu.edu.cn
  • About the authors: WU Lizhao (born 1999), male, from Fujian, master's student; main research interests: federated learning and information security | WANG Xiaoding (born 1982), male, from Fujian, associate professor, Ph.D., CCF member; main research interests: network optimization and wireless network communication | XU Tian (born 1979), male, from Shanghai, senior engineer; main research interests: industrial big data, network and data security | QUE Youxiong (born 1980), male, from Fujian, research fellow, Ph.D.; main research interest: smart agriculture | LIN Hui (born 1977), male, from Fujian, professor, Ph.D., CCF member; main research interests: machine learning, mobile edge computing, and wireless network information security
  • Funding:
    Joint Fund for Cross-Strait of the National Natural Science Foundation of China (U1905211); Key University-Industry-Research Project of Fujian Province (2024H6008)

Abstract:

Due to its distributed nature, federated learning (FL) is vulnerable to model poisoning attacks, in which malicious clients compromise the accuracy of the global model by sending tampered model updates. Among the various branches of FL, semi-asynchronous FL, with its lower real-time requirements, is particularly susceptible to such attacks. Currently, the primary means of detecting malicious clients is to analyze the statistical characteristics of client updates, yet this approach is inadequate for semi-asynchronous FL: the noise introduced by delays in stale updates leaves existing detection algorithms unable to distinguish benign clients' stale updates from attackers' malicious updates. To address malicious client detection in semi-asynchronous FL, this paper proposes SAFLD, a detection method based on predicting model updates. Using the model's historical updates, SAFLD predicts clients' stale updates and evaluates a maliciousness score; clients with higher scores in detection are flagged as malicious and removed. Experiments on two benchmark datasets show that, compared with existing detection algorithms, SAFLD more accurately detects a variety of state-of-the-art model poisoning attacks in semi-asynchronous FL.

Key words: semi-asynchronous federated learning, poisoning attack, L-BFGS, malicious client detection

CLC Number: