Netinfo Security ›› 2022, Vol. 22 ›› Issue (1): 55-63. doi: 10.3969/j.issn.1671-1122.2022.01.007

• Technical Research •

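Privacy-preserving Strategies for Federated Learning Based on Data Attribute Modification

XU Shuo, ZHANG Rui, XIA Hui

  1. College of Computer Science and Technology, Faculty of Information Science and Engineering, Ocean University of China, Qingdao 266100
  • Received: 2021-10-08 Online: 2022-01-10 Published: 2022-02-16
  • Corresponding author: XIA Hui E-mail: xiahui@ouc.edu.cn
  • About the authors: XU Shuo (born 1998), male, from Shandong, Ph.D. candidate; main research interests: privacy protection, federated learning and artificial intelligence security | ZHANG Rui (born 1995), female, from Shandong, Ph.D. candidate; main research interests: Internet of Things security, artificial intelligence security and network defense | XIA Hui (born 1986), male, from Shandong, professor, Ph.D.; main research interests: wireless ad hoc networks, Internet of Things security, artificial intelligence security, privacy protection, edge computing and federated learning
  • Funding:
    National Natural Science Foundation of China, General Program (62172377); National Natural Science Foundation of China, General Program (61872205); Natural Science Foundation of Shandong Province, General Program (ZR2019MF018)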

Privacy-preserving Strategies for Federated Learning Based on Data Attribute Modification

XU Shuo, ZHANG Rui, XIA Hui

  1. College of Computer Science and Technology, Faculty of Information Science and Engineering, Ocean University of China, Qingdao 266100, China
  • Received: 2021-10-08 Online: 2022-01-10 Published: 2022-02-16
  • Contact: XIA Hui E-mail: xiahui@ouc.edu.cn

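Abstract:

Most defense methods for federated learning reduce its utility, have low computational efficiency, and defend against only a single type of attack. To address these problems, this paper proposes an attribute modification framework based on variational autoencoders that preprocesses data on the client in order to protect federated learning. First, to improve computational efficiency, the paper proposes a transfer-learning-based training scheme for the variational autoencoder that reduces the number of client training epochs. Second, exploiting the continuous latent variables of the variational autoencoder, it designs an attribute modification scheme based on attribute distribution constraint rules to reconstruct the client's training data. Experimental results show that the attribute modification scheme can successfully separate and control the attribute vectors of an image, and that it protects client data privacy by changing the original image into a reconstructed image with the corresponding attributes. When the modified images are used to train a federated learning classification task, the accuracy reaches 94.44%, which demonstrates the usability of the scheme. The scheme also successfully defends against non-primary-attribute privacy leakage and against backdoor attacks based on data poisoning.

Keywords: federated learning, privacy protection, variational autoencoder, transfer learning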

Abstract:

Most defense methods suffer from weak federated learning utility, low computational efficiency, and defense against only a single type of attack. To solve these problems, this paper proposes an attribute modification framework based on variational auto-encoders that protects federated learning by pre-processing the data at the client. First, to improve the computational efficiency of the algorithm and to make use of the computational and storage resources of the server, the paper proposes a transfer-learning-based training scheme for variational auto-encoders that reduces the number of client training epochs. Second, to balance practicality and privacy, and to exploit the continuous latent variables of variational auto-encoders, the paper designs an attribute modification scheme based on attribute distribution constraint rules to reconstruct the client training data. Detailed experimental results show that the attribute modification scheme can successfully separate and control the attribute vectors of an image, protecting client data privacy by changing the original image into a reconstructed image with the corresponding attributes. The usability of the scheme is demonstrated by the fact that images with three modified attributes can be used to train the federated learning classification task with an accuracy of 94.44%. The scheme also successfully defends against unintended feature leakage and backdoor attacks based on data poisoning.

Key words: federated learning, privacy protection, VAE, transfer learning

CLC number: