抗攻击的联邦学习隐私保护算法

doi:10.19678/j.issn.1000-3428.0068705

摘要/Abstract

摘要：

联邦学习作为新兴的分布式学习框架, 允许多个客户端在不共享原始数据的情况下共同进行全局模型的训练, 从而有效保护了数据隐私。然而, 传统联邦学习仍然存在潜在的安全隐患, 容易受到中毒攻击和推理攻击的威胁。因此, 为了提高联邦学习的安全性和模型性能, 需要准确地识别恶意客户端的行为, 同时采用梯度加噪的方法来避免攻击者通过监控梯度信息来获取客户端的数据。结合恶意客户端检测机制和本地差分隐私技术提出了一种鲁棒的联邦学习框架。该算法首先利用梯度相似性来判断和识别潜在的恶意客户端, 减小对模型训练任务产生的不良影响; 其次, 根据不同查询的敏感性以及用户的个体隐私需求, 设计一种基于动态隐私预算的本地差分隐私算法, 旨在平衡隐私保护和数据质量之间的权衡。在MNIST、CIFAR-10和MR文本分类数据集上的实验结果表明, 与3种基准算法相比, 该算法在准确性方面针对sP类客户端平均提高了3百分点, 实现了联邦学习中更高的安全性水平, 显著提升了模型性能。

关键词: 联邦学习, 中毒攻击, 推理攻击, 本地差分隐私, 隐私保护

Abstract:

Federated learning is an emerging distributed learning framework that facilitates the collective engagement of multiple clients in global model training without sharing raw data, thereby effectively safeguarding data privacy. However, traditional federated learning still harbors latent security vulnerabilities that are susceptible to poisoning and inference attacks. Therefore, enhancing the security and model performance of federated learning has become imperative for precisely identifying malicious client behavior by employing gradient noise as a countermeasure to prevent attackers from gaining access to client data through gradient monitoring. This study proposes a robust federated learning framework that combines mechanisms for malicious client detection with Local Differential Privacy (LDP) techniques. The algorithm initially employs gradient similarity to identify and classify potentially malicious clients, thereby minimizing their adverse impact on model training tasks. Subsequently, a dynamic privacy budget based on LDP is designed, to accommodate the sensitivity of different queries and individual privacy requirements, with the objective of achieving a balance between privacy preservation and data quality. Experimental results on the MNIST, CIFAR-10, and Movie Reviews (MR) text classification datasets demonstrate that compared to the three baseline algorithms, this algorithm results in an average 3 percentage points increase in accuracy for sP-type clients, thereby achieving a higher security level with significantly enhanced model performance within the federated learning framework.

Key words: federated learning, poisoning attack, inference attack, Local Differential Privacy (LDP), privacy protection

吴若岚, 陈玉玲, 豆慧, 张洋文, 龙钟. 抗攻击的联邦学习隐私保护算法[J]. 计算机工程, 2025, 51(2): 179-187.

WU Ruolan, CHEN Yuling, DOU Hui, ZHANG Yangwen, LONG Zhong. Privacy Preserving Algorithm Using Federated Learning Against Attacks[J]. Computer Engineering, 2025, 51(2): 179-187.

https://www.ecice06.com/CN/Y2025/V51/I2/179

图/表 11

图1 联邦学习框架

Fig.1 Framework of federated learning

图2 基于本地差分隐私的联邦学习框架

Fig.2 Framework of federated learning based on local differential privacy

图3 在MNIST数据集上10个gP和20% sP的准确度

Fig.3 Accuracy of 10 gP and 20% sP on the MNIST dataset

图4 在CIFAR-10数据集上10个gP和20% sP的准确度

Fig.4 Accuracy of 10 gP and 20% sP on the CIFAR-10 dataset

图5 在MNIST数据集上10个gP和110% sP的准确度

Fig.5 Accuracy of 10 gP and 110% sP on the MNIST dataset

图6 在CIFAR-10数据集上10个gP和110% sP的准确度

Fig.6 Accuracy of 10 gP and 110% sP on the CIFAR-10 dataset

图7 本文模型在不同数量的搭便车攻击下的准确度

Fig.7 Accuracy of this model under different numbers of hitchhiking attacks

图8 在3个数据集上使用不同隐私预算的准确度

Fig.8 Accuracy using different privacy budgets on the three datasets

参考文献 30

1	MAO Y Y , YOU C S , ZHANG J , et al. A survey on mobile edge computing: the communication perspective. IEEE Communications Surveys & Tutorials, 2017, 19 (4): 2322- 2358. URL
2	ZHAO B W , LIU X M , CHEN W N , et al. CrowdFL: privacy-preserving mobile crowdsensing system via federated learning. IEEE Transactions on Mobile Computing, 2023, 22 (8): 4607- 4619. doi: 10.1109/TMC.2022.3157603
3	YANG Q , LIU Y , CHEN T J , et al. Federated machine learning. ACM Transactions on Intelligent Systems and Technology, 2019, 10 (2): 1- 19. doi: 10.1145/3298981
4	KAIROUZ P , MCMAHAN H B , AVENT B , et al. Advances and open problems in federated learning. Foundations and Trends^© in Machine Learning, 2021, 14 (1-2): 1- 210. URL
5	YU S, CUI L. Poisoning attacks and counterattacks in federated learning[M]//Digital Privacy and Security. Singapore: Springer Nature Singapore, 2022: 37-54.
6	MOTHUKURI V , PARIZI R M , POURIYEH S , et al. A survey on security and privacy of federated learning. Future Generation Computer Systems, 2021, 115, 619- 640. doi: 10.1016/j.future.2020.10.007
7	LYU L , YU H , MA X J , et al. Privacy and robustness in federated learning: attacks and defenses. IEEE Transactions on Neural Networks and Learning Systems, 2022, 35 (7): 8726- 8746. URL
8	SHOKRI R, STRONATI M, SONG C Z, et al. Membership inference attacks against machine learning models[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). Washington D. C., USA: IEEE Press, 2017: 3-18.10.1109/SP.2017.41
9	SUN Y C , CHEN Y L , WU P , et al. DRL: dynamic rebalance learning for adversarial robustness of UAV with long-tailed distribution. Computer Communications, 2023, 205, 14- 23. doi: 10.1016/j.comcom.2023.04.002
10	HUANG Y , CHEN Y L , WANG X W , et al. Promoting adversarial transfer ability via dual-sampling variance aggregation and feature heterogeneity attacks. Electronics, 2023, 12 (3): 767. doi: 10.3390/electronics12030767
11	MAHAWAGA ARACHCHIGE P C , BERTOK P , KHALIL I , et al. Local differential privacy for deep learning. IEEE Internet of Things Journal, 2020, 7 (7): 5827- 5842. doi: 10.1109/JIOT.2019.2952146
12	CORMODE G, JHA S, KULKARNI T, et al. Privacy at scale: local differential privacy in practice[C]//Proceedings of the 2018 International Conference on Management of Data. New York, USA: ACM Press, 2018: 1655-1658.10.1145/3183713.3197390
13	BHAGOJI A N, CHAKRABORTY S, MITTAL P, et al. Analyzing federated learning through an adversarial lens[EB/OL]. [2023-10-25]. https://arxiv.org/pdf/1811.12470.10.48550/arXiv.1811.12470
14	FANG M H, CAO X Y, JIA J Y, et al. Local model poisoning attacks to byzantine-robust federated learning[C]//Proceedings of the 29th USENIX Conference on Security Symposium. New York, USA: ACM Press, 2020: 1623-1640.
15	ZHANG Z X, CAO X Y, JIA J Y, et al. FLDetector: defending federated learning against model poisoning attacks via detecting malicious clients[EB/OL]. [2023-10-25]: https://arxiv.org/abs/2207.09209v4.
16	XU X Y, LYU L J. A reputation mechanism is all you need: collaborative fairness and adversarial robustness in federated learning[EB/OL]. [2023-10-25]. https://arxiv.org/abs/2011.10464v2.10.48550/arXiv.2011.10464
17	BERNAU D, ROBL J, GRASSAL P W, et al. Comparing local and central differential privacy using membership inference attacks[C]//Proceedings of IFIP Annual Conference on Data and Applications Security and Privacy. Berlin, Germany: Springer, 2021: 22-42.10.1007/978-3-030-81242-3_2
18	KHALIQ A A , ANJUM A , AJMAL A B , et al. A secure and privacy preserved parking recommender system using elliptic curve cryptography and local differential privacy. IEEE Access, 2022, 10, 56410- 56426. doi: 10.1109/ACCESS.2022.3175829
19	GURSOY M E , TAMERSOY A , TRUEX S , et al. Secure and utility-aware data collection with condensed local differential privacy. IEEE Transactions on Dependable and Secure Computing, 2021, 18 (5): 2365- 2378. URL
20	温依霖, 赵乃良, 曾艳, 等. 基于本地模型质量的客户端选择方法. 计算机工程, 2023, 49 (6): 131- 143. doi: 10.19678/j.issn.1000-3428.0065658
	WEN Y Y , ZHAO N L , ZENG Y , et al. Client selection method based on local model quality. Computer Engineering, 2023, 49 (6): 131- 143. doi: 10.19678/j.issn.1000-3428.0065658
21	CAO X Y, FANG M H, LIU J, et al. FLTrust: Byzantine-robust federated learning via trust bootstrapping[EB/OL]. [2023-10-25]. https://arxiv.org/abs/2012.13995v3.10.14722/NDSS.2021.24434
22	FUNG C, YOON C J M, BESCHASTNIKH I. The limitations of federated learning in sybil settings[C]//Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses. [S. l. ]: AAAI Press, 2020: 301-316.
23	LECUN Y, CORTES C. The MNIST database of handwritten digits[EB/OL]. [2023-10-25]. http://yann.lecun.com/exdb/mnist/, 1998.
24	KRIZHEVSKY A , HINTON G . Learning multiple layers of features from tiny images. Handbook of Systemic Autoimmune Diseases, 2009, 6, 65- 72. URL
25	PANG B, LEE L. Seeing stars: exploiting class relationships for sentiment categorization with respect to rating scales[C]//Proceedings of the 43rd Annual Meeting on Association for Computational Linguistics. Morristown, USA: Association for Computational Linguistics, 2005: 35-41.10.3115/1219840.1219855
26	MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data[EB/OL]. [2023-10-25]. https://arxiv.org/pdf/1602.05629.10.48550/arXiv.1602.05629
27	WU R L , CHEN Y L , TAN C Y , et al. MDIFL: robust federated learning based on malicious detection and incentives. Applied Sciences, 2023, 13 (5): 2793. doi: 10.3390/app13052793
28	YANG Q , LIU Y , CHENG Y , et al. Federated learning. Morgan & Claypool, 2019, 12, 55- 61.
29	BIGGIO B , NELSON B , LASKOV P . Support vector machines under adversarial label noise. Journal of Machine Learning Research, 2011, 20 (3): 97- 105.
30	BERNSTEIN J, ZHAO J W, AZIZZADENESHELI K, et al. SignSGD with majority vote is communication efficient and fault tolerant[EB/OL]. [2023-10-25]. https://arxiv.org/abs/1810.05291v3.

[1]	吴小红, 李佩, 顾永跟, 陶杰. 基于EMD最优匹配的分层联邦学习算法[J]. 计算机工程, 2025, 51(2): 170-178.
[2]	陈先意, 丁思哲, 王康, 闫雷鸣, 付章杰. 一种支持安全联邦学习的主动保护模型水印框架[J]. 计算机工程, 2025, 51(1): 138-147.
[3]	王圆圆, 王世谦, 王涵, 郭正宾, 胡显承. 基于纵向联邦学习的能源排放跨界智能分析[J]. 计算机工程, 2025, 51(1): 164-173.
[4]	潘恩元, 钟原, 李平. 联邦异质性数据下半监督颈椎MRI分割模型[J]. 计算机工程, 2024, 50(9): 367-376.
[5]	李红娇, 王宝金, 王朝晖, 胡仁豪. 基于模型相似度与本地损失的双重客户端选择算法[J]. 计算机工程, 2024, 50(8): 153-164.
[6]	郑清安, 董建成, 陈亮, 阮英清, 李锦松, 许林彬. 分布式可信数据管理与隐私保护技术研究[J]. 计算机工程, 2024, 50(7): 174-186.
[7]	顾永跟, 高凌轩, 吴小红, 陶杰. 非独立同分布下联邦半监督学习的数据分享研究[J]. 计算机工程, 2024, 50(6): 188-196.
[8]	熊世强, 何道敬, 王振东, 杜润萌. 联邦学习及其安全与隐私保护研究综述[J]. 计算机工程, 2024, 50(5): 1-15.
[9]	顾永跟, 李国笑, 吴小红, 陶杰, 张艳琼. 预算约束下多任务联邦学习激励机制[J]. 计算机工程, 2024, 50(5): 149-157.
[10]	王栋, 王合建, 玄佳兴, 郑尚卓, 陈炳聪. 面向电力调度指令的区块链隐私可追踪存证方案[J]. 计算机工程, 2024, 50(5): 158-166.
[11]	卢晓天, 朴春慧, 杨兴雨, 白英杰. 基于贝叶斯网络的差分隐私高维数据发布技术研究[J]. 计算机工程, 2024, 50(5): 167-181.
[12]	张晓均, 李兴鹏, 唐伟, 郝云溥, 薛婧婷. 云-边融合的可验证隐私保护跨域联邦学习方案[J]. 计算机工程, 2024, 50(3): 148-155.
[13]	宋华伟, 李升起, 万方杰, 卫玉萍. 非独立同分布场景下的联邦学习优化方法[J]. 计算机工程, 2024, 50(3): 166-172.
[14]	刘少杰, 文斌, 王泽旭. 基于联邦学习的多技术融合数据交易方法[J]. 计算机工程, 2024, 50(3): 182-190.
[15]	叶晓东, 赵迎迎, 孙永奇, 赵思聪, 刘真. 基于非定长编码和滑动窗口的隐私保护记录链接方法[J]. 计算机工程, 2024, 50(2): 154-164.

选择文件类型/文献管理软件名称

选择包含的内容