Research on a Defense Method for Label Flipping Attacks Oriented to Federated Learning

doi:10.19678/j.issn.1000-3428.0260011

Abstract

Federated learning is a distributed learning architecture that lets clients train a global model without sharing their local data, which effectively balances privacy against efficiency. Its distributed nature, however, also makes it vulnerable to data poisoning attacks: malicious clients tamper with their local training data to inject biased or erroneous updates into the global model, either to reduce model accuracy or to manipulate the model's behavior on specific inputs. The label flipping attack, a classic data poisoning method, is simple to implement and computationally cheap, since it only modifies local data labels and leaves the features untouched. It is hard to detect with conventional statistical analysis, yet it can effectively reduce the accuracy of the global model or implant a backdoor. To improve global model accuracy and overall system security in federated learning, the server usually screens and filters the model update parameters uploaded by each local client before global aggregation, identifying malicious client behavior and performing robust aggregation to resist data poisoning attacks. To address these problems, this paper proposes a Label Flipping Attack Defense Algorithm (LFADA) for federated learning, which aims to improve model accuracy and security in the face of data poisoning. LFADA is built on a log-likelihood scoring mechanism. First, it flattens the updated parameters of each client model and reduces their dimensionality to construct a sample set. Second, it models the processed sample set of updated parameters with a Gaussian Mixture Model (GMM). Third, it quantifies the probability of each client's update with a Log-Likelihood Score (LLS), which yields a "normality" score for each client.
Finally, a filtering threshold score is set at the required quantile of the scores over the current parameter set, and clients scoring below it are considered malicious. The update parameters of all malicious clients are discarded, and only the updates of clients that pass the filter are aggregated, which achieves unsupervised anomaly detection and filtering of client updates together with secure aggregation of the global model. Experiments are conducted on the MNIST, Fashion-MNIST, and CIFAR-10 datasets under label flipping attacks, using the same Convolutional Neural Network (CNN) with three convolutional blocks as the base model throughout. The model accuracy and attack success rate results show that LFADA effectively resists label flipping attacks when the proportion of malicious clients is 0.1, 0.2, 0.3, or 0.5, and that it still performs well at the high proportion of 0.5. Compared with nine mainstream algorithms, including Multi-Krum, Median, FoolsGold, and LFighter, LFADA increases model accuracy by 3.28%, 3.38%, and 2.62% on average while keeping the attack success rate low overall: it stays below 3% on MNIST and Fashion-MNIST and is significantly lower than that of most methods on CIFAR-10. LFADA's performance thus remains close to that of Federated Averaging (FedAvg) in an environment without poisoning attacks. In terms of stability, federated learning with LFADA remains stable throughout the training phase. In particular, on the more complex Fashion-MNIST and CIFAR-10 datasets it shows no large fluctuations and its overall amplitude stays controllable, which makes it clearly more stable than the other algorithms.
Time overhead experiments show that, at the same accuracy and attack success rate, LFADA incurs significantly lower time overhead than the comparison algorithms.
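
The filtering steps described in the abstract (flatten and reduce, fit a GMM, score by log-likelihood, threshold at a quantile, aggregate the survivors) can be illustrated with a minimal sketch. This is not the authors' implementation: the abstract does not name the dimensionality reduction technique, the number of mixture components, or the aggregation rule, so the use of PCA, the defaults below, the unweighted mean, and the function name lfada_filter are all assumptions made for illustration. The client updates are synthetic and are not produced by a real label flipping attack.

```python
import numpy as np
from sklearn.decomposition import PCA
from sklearn.mixture import GaussianMixture


def lfada_filter(updates, n_dims=2, n_components=1, quantile=0.3, seed=0):
    """Hypothetical sketch of log-likelihood filtering of client updates.

    updates: list of per-client updates, each a list of NumPy arrays (one per layer).
    Returns (aggregated_update, kept_indices, scores).
    """
    # Step 1a: flatten each client's layers into one row of the sample set.
    flat = np.stack(
        [np.concatenate([np.ravel(layer) for layer in u]) for u in updates]
    )

    # Step 1b: reduce dimensionality. PCA is an assumed choice.
    reduced = PCA(n_components=n_dims, random_state=seed).fit_transform(flat)

    # Step 2: model the reduced sample set with a Gaussian mixture.
    gmm = GaussianMixture(n_components=n_components, random_state=seed)
    gmm.fit(reduced)

    # Step 3: per-client log-likelihood under the fitted mixture
    # (higher means the update looks more "normal").
    scores = gmm.score_samples(reduced)

    # Step 4: clients scoring below the chosen quantile are treated as malicious.
    threshold = np.quantile(scores, quantile)
    kept = np.flatnonzero(scores >= threshold)

    # Step 5: aggregate only the surviving updates (unweighted mean, assumed).
    aggregated = flat[kept].mean(axis=0)
    return aggregated, kept, scores


# Synthetic demo: 10 clients, the first 3 send updates shifted away from the rest.
rng = np.random.default_rng(0)
n_clients, n_malicious = 10, 3
updates = []
for i in range(n_clients):
    center = -2.0 if i < n_malicious else 1.0
    weight = center + rng.normal(0.0, 0.1, size=(4, 4))  # toy layer weights
    bias = center + rng.normal(0.0, 0.1, size=4)         # toy layer bias
    updates.append([weight, bias])

aggregated, kept, scores = lfada_filter(updates, n_dims=1, quantile=0.3)
print("kept clients:", kept.tolist())
print("log-likelihood scores:", np.round(scores, 2))
```

The toy updates differ along a single direction, so the demo keeps one principal component; real model updates would likely need more dimensions and some tuning. In this sketch the quantile equals the fraction of clients removed each round, so choosing it presumes a rough estimate of the malicious proportion. The sketch defaults to a single mixture component because, with more components, a tight cluster of malicious updates may receive a component of its own and score as normal. How LFADA handles that case is not stated in the abstract.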


Zhong Han, Chen Keran. Research on a Defense Method for Label Flipping Attacks Oriented to Federated Learning[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0260011.

钟寒, 陈柯冉. 一种面向联邦学习标签翻转攻击的防御方法研究[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0260011.


URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0260011

