基于模型敏感参数扰动的联邦学习中毒攻击

doi:10.19678/j.issn.1000-3428.0252512

摘要/Abstract

摘要： 联邦学习框架下，各参与方通过共享模型参数而非原始数据来协同训练全局模型，这种分布式训练方式在保护数据隐私的同时，也带来了新的安全挑战。由于分布式的本地训练难以监督，联邦学习系统更容易遭受模型中毒攻击。大多数现有的模型中毒攻击方法是对模型所有参数进行操作，通过统计相似性检查，可较容易检测到模型的显著改变。为了进一步分析该类攻击方法可能存在的隐秘方式，研究了一种针对联邦学习敏感参数扰动的模型中毒攻击方法（FedMSP）。该方法通过分析模型参数的梯度变化，精准识别出对模型性能具有显著影响的敏感参数，并对这些敏感参数施加扰动，以提高本地中毒模型的抗检测性，降低整体模型性能。此外，还提出了一种基于距离和方向不变性的攻击机制。该机制通过保持攻击向量的距离和方向不变，使攻击者能够有效规避现有的防御机制，显著提升模型中毒攻击的成功率。实验结果表明，针对Fashion-MNIST和CIFAR-100数据集构建联邦预测模型，当无防御条件时，该攻击方法将模型的测试准确率由原来的99.48%和61.37%分别降低至14.43%、8.27%；加入防御机制后，模型准确率回升至15.75%、10.87%，但仍显著低于正常水平。此外，FedMSP在多种安全聚合算法中展现出最优或接近最优的攻击效果，充分证明了其降低模型性能和减缓收敛速度的能力，为联邦学习的安全性研究提供了新的视角和挑战。

Abstract: Under the federated learning framework, participants collaborate to train global models by sharing model parameters instead of raw data, and this distributed training approach brings new security challenges while protecting data privacy. Because distributed local training is difficult to supervise, federated learning systems are more vulnerable to model poisoning attacks. Most existing model poisoning attack methods operate on all parameters of the model, and significant changes to the model can be detected more easily through statistical similarity checking. In order to further analyze the possible stealthy ways of this type of attack methods, a model poisoning attack method (FedMSP) for federated learning sensitive parameter perturbation is investigated. This method accurately identifies the sensitive parameters that have a significant impact on the model performance by analyzing the gradient change of the model parameters and applies perturbations to these sensitive parameters to improve the anti-detectability of locally-poisoned models and reduce the overall model performance. In addition, an attack mechanism based on distance and direction invariance is proposed. By keeping the distance and direction of the attack vectors invariant, this mechanism enables the attacker to effectively circumvent the existing defense mechanisms and significantly improves the success rate of the model poisoning attack. The experimental results show that, constructing the federal prediction model for Fashion-MNIST and CIFAR-100 datasets, when there is no defense condition, the attack method reduces the test accuracy of the model from the original 99.48% and 61.37% to 14.43% and 8.27%, respectively; after adding the defense mechanism, the accuracy of the model is rebounded to 15.75%, 10.87%, but still significantly lower than the normal level. In addition, FedMSP demonstrates optimal or near-optimal attack effects in multiple security aggregation algorithms, which fully proves its ability to reduce model performance and slow down convergence speed, and provides new perspectives and challenges for the security research of federated learning.

陈自良, 钟原, 李平. 基于模型敏感参数扰动的联邦学习中毒攻击[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252512.

CHEN Ziliang, ZHONG Yuan, LI Ping. Federated Learning Poisoning Attacks Based on Model Sensitive Parameter Perturbations[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252512.

参考文献

[1]Y LeCun, Y Bengio, G Hinton. Deep learning[J], Nature, 2015, 521:436–444.
[2]H Brendan McMahan, Eider Moore, Daniel Ramage, et al. Communication-Efficient Learning of Deep Networks from Decentralized Data[C]// Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. Fort Lauderdale: PMLR, 2017: 1273-1282.
[3]Peter Kairouz, H Brendan McMahan, Brendan Avent, et al. Advances and Open Problems in Federated Learning[J]. Foundations and Trends® in Machine Learning, 2021, 14(1): 1-210.
[4]X Yin, Y Zhu, and J Hu. A comprehensive survey of privacy-preserving federated learning: A taxonomy, review, and future directions[J]. ACM Comput. Surveys, 2021, 54(6):1–36.
[5]H Aghakhani, D Meng, Y-X Wang, et al. Bullseye polytope: A scalable clean-label poisoning attack with improved transferability[C]//2021 IEEE European Symposium on Security and Privacy. Piscataway: IEEE, 2021: 159-178.
[6]P Blanchard, E M El Mhamdi, R Guerraoui, et al. Machine learning with adversaries: Byzantine tolerant gradient descent [C]//Advances in Neural Information Processing Systems. Red Hook: Curran Associates Inc, 2017: 118-128.
[7]Yin D, Chen Y, Ramchandran K, Bartlett P L. Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates[C]//Proceedings of the 35th International Conference on Machine Learning. Long Beach: PMLR, 2018: 5636-5645.
[8]El Mhamdi E, Guerraoui R, Rouault S. The Hidden Vulnerability of Distributed Learning in Byzantium[C]//Proceedings of the 35th International Conference on Machine Learning. Long Beach: PMLR, 2018: 3518-3527.
[9]Sichang He, Beilong Tang, Boyan Zhang, et al. Fedkit: Enabling Cross-Platform Federated Learning for Android and iOS[C]//IEEE INFOCOM 2024 - IEEE Conference on Computer Communications Workshops. Vancouver: IEEE, 2024:1-2.
[10] Liu, Linfeng, Xi, et al. Mobile Charging Station Placements in Internet of Electric Vehicles: A Federated Learning Approach[J]. IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, 2022, 23(12): 24561-24577.
[11]C Zhou, A Fu, S Yu, et al. Privacy-preserving federated learning in fog computing[J]. IEEE Internet of Things Journal, 2020, 7(11): 10782-10793.
[12]Praveer Dubey1, Mohit KumarCA2. Integrating Explainable AI with Federated Learning for Next-Generation IoT: A comprehensive review and prospective insights[J]. Computer Science Review, 2025, 56: 100697.
[13]宋华伟,李升起,万方杰,等. 非独立同分布场景下的联邦学习优化方法[J]. 计算机工程,2024,50(3): 166-172. SONG H W, LI S Q, WAN F J, et al. Federated Learning Optimization Method in Non-IID Scenarios[J]. Computer Engineering, 2024,50(3): 166-172.
[14]Lan Liu, Yi Wang, Gaoyang Liu, et al. Membership Inference Attacks Against Machine Learning Models via Prediction Sensitivity[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(3): 2341-2347.
[15]张晓均,李兴鹏,唐伟,等. 云-边融合的可验证隐私保护跨域联邦学习方案[J]. 计算机工程,2024,50(3): 148-155. ZHANG X J, LI X P, TANG W, et al. Cloud-Edge Fusion Verifiable Privacy-Preserving Cross-Domain Federated Learning Scheme[J]. Computer Engineering, 2024, 50(3): 148-155.
[16]吴若岚,陈玉玲,豆慧,等. 抗攻击的联邦学习隐私保护算法[J]. 计算机工程,2025,51(2): 179-187. WU R L, CHEN Y L, D H, et al. [J]. Computer Engineering, 2025, 51(2): 179-187.
[17]Li Minghui, Wan Wei, Lu Jianrong, et al. Shielding federated learning: Mitigating byzantine attacks with less constraints [C]//Proc of the 18th IEEE Int Conf on Mobility, Sensing and Networking. Piscataway, NJ: IEEE,2022:178-185
[18]Ansam Khraisat, Ammar Alazab, Moutaz Alazab, et al. Securing federated learning: a defense strategy against targeted data poisoning attack[J]. Discover Internet of Things, 2025, 5(1): 1-17.
[19]Jianping Wu, Jiahe Jin, Chunming Wu. Challenges and Countermeasures of Federated Learning Data Poisoning Attack Situation Prediction[J]. Mathematics,2024, 12(6): 901.
[20]Zhang, Jiale, Chen,et al. PoisonGAN: Generative Poisoning Attacks Against Federated Learning in Edge Computing Systems[J]. IEEE INTERNET OF THINGS JOURNAL, 2021, 8(5): 3310-3322.v [21]E Bagdasaryan, A Veit, Y Hua, D Estrin, V Shmatikov. How to backdoor federated learning [C]// Proceedings of the 23rd International Conference on Artificial Intelligence and Statistics (AISTATS). Virtual:PMLR, 2020: 2938-2948.
[22]Zaixi Zhang, Xiaoyu Cao, Jinyuan Jia, et al. FLDetector: Defending Federated Learning Against Model Poisoning Attacks via Detecting Malicious Clients [C]// Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. Washington: ACM, 2022: 2545–2555.
[23]Moran Baruch, Gilad Baruch, Yoav Goldberg. A Little Is Enough: Circumventing Defenses For Distributed Learning[J]. Statistics, 2019, 32:5396–5410.
[24]Virat Shejwalkar, Amir Houmansadr. Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning [C]// NSF Public Access. Amherst: University of Massachusetts Amherst, 2021:1–17.
[25]Manh Cuong Dao, Phi Le NguyenCA, Huy Hieu Pham, et al. Noisy data-based attack: A new type of untargeted attack in Federated Learning and its countermeasures[J]. Future Generation Computer Systems, 2025, 173: 107900.
[26]Sonakshi Garg, Hugo Jönsson, Gustav Kalander, et al. Poisoning Attacks on Federated Learning for Autonomous Driving[J]. Scandinavian Conference on AI, 2024,1-14.
[27]Xu J, Huang S L, Song L, et al. Byzantine-robust federated learning through collaborative malicious gradient filtering[C]//2022 IEEE 42nd International Conference on Distributed Computing Systems. London:IEEE, 2022: 1223-1235.
[28]Jiao Liu, Xinghua Li, Ximeng Liu, et al. DefendFL: A Privacy-Preserving Federated Learning Scheme Against Poisoning Attacks[J]. IEEE Transactions on Neural Networks and Learning Systems, 2025, 36(5): 9098-9111.

选择文件类型/文献管理软件名称

选择包含的内容