CN112434758B - Clustering-based federated learning free-rider attack defense method - Google Patents


Info

Publication number
CN112434758B
CN112434758B (application CN202011499170.0A)
Authority
CN
China
Prior art keywords
pick
client
attack
probability
reconstruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011499170.0A
Other languages
Chinese (zh)
Other versions
CN112434758A (en)
Inventor
陈晋音
刘涛
张龙源
吴长安
李荣昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University of Technology ZJUT
Priority to CN202011499170.0A
Publication of CN112434758A
Application granted
Publication of CN112434758B
Legal status: Active
Anticipated expiration


Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/23Clustering techniques
    • G06F18/232Non-hierarchical techniques
    • G06F18/2321Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/22Matching criteria, e.g. proximity measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02TCLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T10/00Road transport of goods or passengers
    • Y02T10/10Internal combustion engine [ICE] based vehicles
    • Y02T10/40Engine management systems


Abstract

The invention discloses a clustering-based method for defending federated learning against free-rider attacks, comprising the steps of 1) detecting free-rider clients with a variational autoencoder, which protects the privacy of the model and improves robustness; 2) during federated learning, collecting the reconstruction probabilities output by the variational autoencoder over multiple rounds, clustering them, and screening out anomalous free-rider clients according to the similarity of the clustering results over time; and 3) receiving from each client the test result of its local sample data on the aggregated global model, and using that test result to reveal whether the client is a free-rider, thereby protecting the privacy of the model and preventing it from being leaked.

Description

Clustering-based federated learning free-rider attack defense method
Technical Field
The invention belongs to the field of security defenses for federated learning, and in particular relates to a clustering-based method for defending federated learning against free-rider attacks.
Background
Federated learning (FL) has attracted attention since it was first proposed. In federated learning, a distributed training model has two roles: clients and a central server. Clients do not upload their private data; instead they update the global model locally, and only model parameters (gradient information) are communicated between the clients and the server. A typical training iteration works as follows. First, the central server sends the latest global model to each client. Each client then updates the model locally using its local data and uploads the updated model. Finally, the central server aggregates all submitted local updates into a new global model, which performs better than a model trained on the data of any single client. Compared with the alternative of simply collecting all data from the clients and training on it, federated learning saves communication overhead by transmitting only model parameters and preserves privacy, since all data remains local.
In recent years, the privacy design of FL has exposed a subtle threat: clients that were previously passive data providers are now actively engaged in the training process. This opens up many novel forms of attack and brings new challenges to privacy and security.
In a federated learning environment, each contributing client may receive a reward, and some clients may merely pretend to contribute in order to collect that reward. Such clients are called free-riders, and the process of generating false weights and reporting them to the central server is called a free-rider attack. There are two main motivations for a free-rider to submit false updates. First, the client may not have the required data, or may be worried about data privacy, so that no local data is available for model training. Second, the client may wish to save local CPU cycles or other computing resources.
Among current free-rider attacks on federated learning, the strongest strategy is the incremental weight attack. In an incremental weight attack, a sophisticated attacker generates a false gradient update by subtracting two previously received global models and adding Gaussian noise. The free-rider may try to evade detection by choosing Gaussian noise with zero mean and a standard deviation such that the resulting gradient update matrix has a standard deviation similar to that of the other clients.
Because free-rider attacks in safety-critical fields cause great harm and lead to model leakage, they are a serious challenge for security applications of federated learning, and improving the robustness of federated learning is therefore increasingly important for its effective and safe application in safety-critical decision making.
Disclosure of Invention
In view of the above, the present invention aims to provide a clustering-based defense method against free-rider attacks in federated learning, so as to protect the private information of the clients and the global model of federated learning from being leaked.
To achieve this object, the present invention provides the following technical solution:
A clustering-based federated learning free-rider attack defense method comprises the following steps:
the server takes the updated model obtained from each client's training as the input of a variational autoencoder, computes the reconstruction probability of the variational autoencoder on the updated model, and performs a first screening of free-rider clients according to the reconstruction probability;
for each client, the server clusters the reconstruction probabilities of the updated models trained over multiple rounds, and performs a second screening of free-rider clients according to the similarity of the clustering results over time (in the time domain);
the server aggregates the updated models remaining after the second screening to obtain a global model and distributes it to the clients for the next round of training; when a client trains on the global model in the next round it uploads the test accuracy of the global model on its local sample data, and the server performs a third screening of free-rider clients according to that test accuracy.
Compared with the prior art, the clustering-based federated learning free-rider attack defense method has the following beneficial effects:
1) A variational autoencoder is used to detect free-rider clients, protecting the privacy of the model and improving robustness; 2) during federated learning, the reconstruction probabilities of the variational autoencoder are collected over multiple rounds and clustered, and anomalous free-rider clients are screened out according to the similarity of the clustering results over time; 3) the server receives from each client the test result of its local sample data on the aggregated global model, and this test result reveals whether the client is a free-rider, thereby protecting the privacy of the model and preventing it from being leaked.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously the drawings described below show only some embodiments of the present invention, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of the clustering-based federated learning free-rider attack defense method provided by an embodiment of the invention;
FIG. 2 is an algorithm schematic of the clustering-based federated learning free-rider attack defense method according to an embodiment of the invention.
Detailed Description
The present invention is described in further detail below with reference to the drawings and examples, in order to make its objects, technical solutions and advantages clearer. It should be understood that the detailed description is given by way of example only and is not intended to limit the scope of the invention.
Federated learning faces a privacy and security problem, in particular the leakage of private information through the aggregated global model: a free-rider attack deceives the central server by submitting false updates. This embodiment provides a clustering-based federated learning free-rider attack defense method for protecting the model from being leaked.
FIG. 1 is a schematic flow chart of the clustering-based federated learning free-rider attack defense method provided by an embodiment of the invention; FIG. 2 is an algorithm schematic of the same method. As shown in FIG. 1 and FIG. 2, the method provided by this embodiment includes the following steps:
Step 1: the server performs the first screening of free-rider clients according to the reconstruction probability of the variational autoencoder on the updated model.
In federated learning, the updated model parameters of each client are uploaded to the server, which acts as the central server and aggregates the uploaded updated models. Among the clients there may be free-rider clients, whose attack strategies are the random weight attack and the incremental weight attack. In a random weight attack, the free-rider constructs a gradient update matrix with the same dimensions as the received global model by sampling each value independently from a uniform distribution over the range [-R, R]. A free-rider may have prior model-training experience, so that R closely mimics the updates of the other, honest clients.
The incremental weight attack is a more sophisticated attack that generates false gradient updates by subtracting two previously received global models and adding Gaussian noise. A free-rider may attempt to avoid detection by adding Gaussian noise with zero mean and a chosen standard deviation, so that the resulting gradient update matrix has a standard deviation similar to that of the other clients. Assume that the free-rider has received the global model $M_{j-1}$ of round $j-1$ and the global model $M_j$ of round $j$; the free-rider's update is then as follows
where $\eta$ is the scaling applied to the selected weight update and $N$ is the added noise. This shows that the pseudo-gradient update $G^{f}_{i,j}$ constructed in round $j$ is essentially the average gradient update submitted by all clients in the previous round $j-1$.
To prevent the anomalous updated models uploaded by free-riders from influencing the global model, and to prevent free-riders from stealing the global model and the private information of other clients, the clients must be subjected to anomaly detection when the updated models are aggregated, and possible free-rider clients must be filtered out.
In this embodiment, the first screening of free-rider clients is performed according to the reconstruction probability of the variational autoencoder on the updated model. The server takes the updated model obtained from each client's training as the input of the variational autoencoder, computes its reconstruction probability, and screens out free-rider clients according to that probability; this is the first screening of anomalous clients.
A variational autoencoder (VAE) is a directed probabilistic graphical model (DPGM) consisting of an encoder and a decoder, both approximated by neural networks, in an architecture similar to an ordinary autoencoder. Because the marginal likelihood of the data is difficult to express in analytical form, the objective function of the VAE is a variational lower bound on that marginal likelihood. In this embodiment the likelihood of the data is used as the reconstruction probability; that is, the reconstruction probability of the variational autoencoder on the model parameters is:
where $p_\theta(x^{(i)})$ denotes the reconstruction probability of the $i$-th data point $x^{(i)}$ input to the variational autoencoder; $z$ denotes the latent variable sampled from the latent distribution obtained by encoding the data $x$ with the encoder of parameter $\theta$; $p_\theta(z)$ is the prior distribution of the latent variable $z$; $q_\phi(z|x^{(i)})$ is the approximate posterior distribution of $z$ with parameter $\phi$; $D_{KL}(\cdot)$ is the KL divergence, used to measure the similarity of two probability distributions; and $\mathcal{L}(\cdot)$ is the variational lower bound on the log-likelihood of the $i$-th data point, computed as:
where $q_\phi(z|x^{(i)})$ is the approximate posterior distribution of the latent variable $z$ for data point $x^{(i)}$, with parameter $\phi$; $p_\theta(x|z)$ is the probability distribution of the data $x$ given the latent variable $z$; the KL term is the KL divergence between the approximate posterior $q_\phi(z|x^{(i)})$ and $p_\theta(x|z)$, which forces $q_\phi(z|x^{(i)})$ to be similar to $p_\theta(x|z)$ and acts as a regularization term; and the expectation term is the expected reconstruction of the data $x$ obtained by encoding with the approximate posterior $q_\phi(z|x^{(i)})$ and decoding with $p_\theta(x|z)$;
The overall marginal likelihood is the sum of the marginal likelihoods of all data points, which can be written as:
where $N$ is the number of data points. Since the KL divergence is always non-negative, it follows that
It should be emphasized that a VAE models the parameters of a distribution, not the distribution itself. That is, the encoder outputs the parameters of $q_\phi(z|x)$, while the actual value of the latent variable $z$ is obtained by sampling $q(z; f(x,\phi))$. For this reason the encoder and decoder of a VAE are called the probabilistic encoder and decoder. $f(x,\phi)$ denotes the complex relationship between the data $x$ and the latent variable $z$ learned by the neural network. Given $z$, to obtain a reconstruction vector we first obtain the parameters of the distribution $p_\theta(x|z)$ from $g(z,\theta)$, the hidden-layer output of the network with parameter $\theta$, and then sample $x$ from $p_\theta(x; g(z,\theta))$. Therefore, when the reconstruction probability is computed with the variational autoencoder, each client's update is fed into the encoder, which reduces its dimension to the parameters of a Gaussian distribution; noise is randomly sampled from that Gaussian; and the reconstruction probability is computed from the random latent variables by deriving the parameters of the distribution of the original input variables. It is the parameters of the input variable distribution that are reconstructed, not the input variables themselves.
In one embodiment, when the first screening of free-rider clients is performed according to the reconstruction probabilities, the reconstruction probabilities corresponding to the updated models of all clients are compared, and any client whose reconstruction probability differs from the mean of all reconstruction probabilities by more than a set threshold is treated as a free-rider client and filtered out; this realizes the first screening of free-rider clients.
In another embodiment, when the first screening of free-rider clients is performed according to the reconstruction probabilities, the reconstruction probabilities corresponding to the updated models of all clients are sorted, and according to the sorted result, clients whose reconstruction probability differs from the adjacent reconstruction probability by more than a tolerance threshold are treated as free-rider clients and filtered out; this realizes the first screening of free-rider clients.
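The two first-screening rules above (deviation from the mean, and a gap between adjacent sorted values) as an added worked example; this is illustration code, not code from the patent. It assumes the server has already run its variational autoencoder over every uploaded update and that `recon_probs` maps a client id to the reconstruction (log-)probability the VAE assigned to that update. The page does not say which side of an over-tolerance gap is the free-rider side, so the example assumes honest clients are the majority and flags the smaller group; the values in `SAMPLE_RECON` are constructed, not measured.

```python
"""First screening of free-rider clients from VAE reconstruction probabilities.

Added example, not code from the patent. `recon_probs` maps a client id to the
reconstruction (log-)probability the server's VAE assigned to that client's
uploaded update; SAMPLE_RECON is constructed test data.
"""
from statistics import mean

# Constructed sample: four honest clients with similar scores and one outlier.
SAMPLE_RECON = {"c1": -12.1, "c2": -11.8, "c3": -12.4, "c4": -11.9, "c5": -30.5}


def filter_by_mean_deviation(recon_probs, threshold):
    """First embodiment: a client whose reconstruction probability differs from
    the mean of all reconstruction probabilities by more than `threshold` is
    treated as a free-rider and removed. Returns (flagged ids, surviving map)."""
    avg = mean(recon_probs.values())
    flagged = {cid for cid, rp in recon_probs.items() if abs(rp - avg) > threshold}
    kept = {cid: rp for cid, rp in recon_probs.items() if cid not in flagged}
    return flagged, kept


def filter_by_sorted_gap(recon_probs, tolerance):
    """Second embodiment: sort the reconstruction probabilities and look for
    adjacent values that differ by more than `tolerance`. Assumption of this
    example (the page does not say): honest clients are the majority, so the
    smaller group split off by the widest over-tolerance gap is flagged.
    Returns (flagged ids, surviving map)."""
    ordered = sorted(recon_probs.items(), key=lambda kv: kv[1])
    if len(ordered) < 2:
        return set(), dict(recon_probs)
    # gaps[i-1] is the distance between ordered[i-1] and ordered[i].
    gaps = [ordered[i][1] - ordered[i - 1][1] for i in range(1, len(ordered))]
    widest = max(range(len(gaps)), key=lambda i: gaps[i]) + 1
    if gaps[widest - 1] <= tolerance:
        return set(), dict(recon_probs)
    low, high = ordered[:widest], ordered[widest:]
    minority = low if len(low) <= len(high) else high
    flagged = {cid for cid, _ in minority}
    kept = {cid: rp for cid, rp in recon_probs.items() if cid not in flagged}
    return flagged, kept


if __name__ == "__main__":
    print("mean-deviation rule:", filter_by_mean_deviation(SAMPLE_RECON, threshold=5.0))
    print("sorted-gap rule:    ", filter_by_sorted_gap(SAMPLE_RECON, tolerance=2.0))
```

Both rules are parameterized by a threshold the server has to choose; on the constructed sample either rule isolates `c5`, and the sorted-gap rule returns nothing when no adjacent gap exceeds the tolerance, which is the behaviour a deployment wants once free-riders have been removed.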
Step 2: for each client, the server clusters the reconstruction probabilities of the updated models trained over multiple rounds and performs the second screening of free-rider clients according to the similarity of the clustering results over time.
After the first screening, the server performs a second, more robust screening of the remaining clients based on their historical reconstruction probabilities. The historical reconstruction probabilities are clustered and the clustering behavior is observed: because the free-rider's strategy is to add random noise, the attacker cannot know exactly how much noise is added each time, so over the sequence of rounds the attacker's updates differ noticeably from those of a normal participant and can be removed.
In this embodiment, the t-SNE algorithm is used to cluster the reconstruction probabilities of the updated models trained over multiple rounds, and the second screening of free-rider clients is performed according to the similarity of the clustering results over time.
In a specific implementation, the process of clustering each client's multi-round updated models with the t-SNE algorithm and performing the second screening of free-rider clients according to the clustering result is as follows:
first, initialize K cluster centers and require the distance between a reconstruction probability and a cluster center to follow a t-distribution:
where $z_i$ is the $i$-th reconstruction probability, $\mu_j$ is the $j$-th cluster center, $\mu_{j'}$ is the $j'$-th cluster center, $\|\cdot\|^2$ is the squared distance, $\alpha$ is the degrees of freedom of the t-distribution used for the assignment, and $q_{i,j}$ is the probability that reconstruction probability $z_i$ belongs to cluster center $\mu_j$;
In this embodiment, three considerations are taken into account: 1. strengthening predictions: the $q$ distribution gives the probability of belonging to cluster $j$, and the auxiliary distribution $p$ is derived from it so as to be sharper than $q$; 2. the higher the confidence, the greater the probability of belonging to a particular cluster; 3. the loss contribution of each centroid is normalized to prevent large clusters from distorting the hidden feature space. Accordingly, the loss contribution of each cluster center also needs to be normalized so that large clusters do not distort the reconstruction probabilities:
where the normalizing factor divides out the loss contribution of each cluster center so that large clusters do not distort the reconstruction probabilities; $N$ is the number of rounds the client has trained up to the current round, i.e. the total number of reconstruction probabilities the client has accumulated up to the current round; and $p_{i,j}$ is the auxiliary probability that reconstruction probability $z_i$ belongs to cluster center $\mu_j$;
next, the similarity $L$ between the probability $q_{i,j}$ and the auxiliary probability $p_{i,j}$ is measured by the KL divergence:
finally, the similarity $L$ of each client in two adjacent rounds is compared; if the difference between the two rounds' similarities exceeds a set threshold, the client is treated as a free-rider client and filtered out. This realizes the second screening of free-rider clients.
Step 3: the server performs the third screening of free-rider clients according to the test accuracy the client reports on the global model.
In this embodiment, the server aggregates the updated models remaining after the second screening to obtain a global model and distributes it to the clients for the next round of training; when a client trains on the global model in the next round, it uploads the test accuracy of the global model on its local sample data, and the server performs the third screening of free-rider clients according to that test accuracy.
In implementation, the server may aggregate the updated models remaining after the second screening into a global model in either of the following two ways:
Mode one: average aggregation, in which the updated model parameters of all clients are averaged to obtain the global model parameters;
Mode two: weighted aggregation, in which a weight is assigned to each client's updated model parameters and the weighted sum over all clients gives the global model parameters.
Because a free-rider has neither local sample data nor the ability to train, it cannot test the global model and has no test accuracy. The third screening is therefore based on test accuracy: if a client cannot produce a test accuracy and uploads none, it is treated as a free-rider client and filtered out. This realizes the third screening of free-rider clients.
In this embodiment, the three screenings are applied to the clients in every training round until no free-rider client has been detected for several consecutive rounds; the screening is then stopped, the remaining clients are treated as reliable, and federated learning proceeds directly for the remaining rounds.
The clustering-based federated learning free-rider attack defense method provided by this embodiment comprises the steps of 1) detecting free-rider clients with a variational autoencoder, protecting the privacy of the model and improving robustness; 2) during federated learning, collecting the reconstruction probabilities of the variational autoencoder over multiple rounds, clustering them, and screening out anomalous free-rider clients according to the similarity of the clustering results over time; 3) receiving from each client the test result of its local sample data on the aggregated global model, and using that test result to reveal whether the client is a free-rider, thereby protecting the privacy of the model and preventing it from being leaked.
The foregoing detailed description of preferred embodiments and their advantages is merely illustrative of the presently preferred embodiments of the invention; changes, additions, substitutions and equivalents of those embodiments are intended to be included within the scope of the invention.
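The aggregation modes, the third screening and the stopping rule of the preceding paragraphs as one added worked example; this is illustration code, not code from the patent. It assumes updates are flat lists of floats (one per surviving client), that a client's report for the next round carries the test accuracy it measured on the distributed global model or `None` when it uploaded nothing, and that weights for mode two are given per client and normalized to sum to one (the page does not say how weights are chosen). All sample values are constructed.

```python
"""Aggregating surviving updates, the accuracy-based third screening, and the
rule that stops screening after several quiet rounds.

Added example, not code from the patent. Updates are flat parameter lists; an
accuracy report of None means the client uploaded no test accuracy. Sample
data is constructed.
"""

# Constructed sample round: two surviving updates, then three accuracy reports,
# one of which (c3) is missing because that client has no local data to test on.
UPDATES = {"c1": [1.0, 2.0], "c2": [3.0, 4.0]}
WEIGHTS = {"c1": 1.0, "c2": 3.0}
ACCURACY_REPORTS = {"c1": 0.91, "c2": 0.88, "c3": None}


def average_aggregate(updates):
    """Mode one: plain average of every surviving client's parameters."""
    if not updates:
        raise ValueError("no updates survived screening")
    rows = list(updates.values())
    dim = len(rows[0])
    return [sum(params[k] for params in rows) / len(rows) for k in range(dim)]


def weighted_aggregate(updates, weights):
    """Mode two: weighted sum of the parameters. Assumption: the weights of the
    surviving clients are normalized so that they sum to one."""
    if not updates:
        raise ValueError("no updates survived screening")
    total = sum(weights[cid] for cid in updates)
    if total <= 0:
        raise ValueError("weights must be positive")
    dim = len(next(iter(updates.values())))
    return [
        sum(weights[cid] * params[k] for cid, params in updates.items()) / total
        for k in range(dim)
    ]


def third_screening(accuracy_reports):
    """A client that cannot test the global model uploads no accuracy; such
    clients are filtered. Returns (flagged ids, reports of the kept clients)."""
    flagged = {cid for cid, acc in accuracy_reports.items() if acc is None}
    kept = {cid: acc for cid, acc in accuracy_reports.items() if acc is not None}
    return flagged, kept


def should_stop_screening(flag_history, patience):
    """Stop the three screenings once no free-rider has been detected in the
    last `patience` consecutive rounds; flag_history holds one set of flagged
    ids per completed round."""
    if len(flag_history) < patience:
        return False
    return all(len(flagged) == 0 for flagged in flag_history[-patience:])


def run_round(updates, accuracy_reports, weights=None):
    """One server round: aggregate the surviving updates (weighted when weights
    are given), then apply the third screening to the accuracy reports."""
    if weights is None:
        global_model = average_aggregate(updates)
    else:
        global_model = weighted_aggregate(updates, weights)
    flagged, _ = third_screening(accuracy_reports)
    return global_model, flagged


if __name__ == "__main__":
    print("average:", run_round(UPDATES, ACCURACY_REPORTS))
    print("weighted:", run_round(UPDATES, ACCURACY_REPORTS, WEIGHTS))
    print("stop?", should_stop_screening([{"c3"}, set(), set(), set()], patience=3))
```

`should_stop_screening` is where a deployment decides how long to keep paying for the VAE and clustering passes; the page only says "several consecutive rounds", so `patience` is the knob that expresses that choice.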

Claims (8)

1. The federal learning and taking car attack defending method based on the clustering is characterized by comprising the following steps of:
the server takes the updated model obtained by the training of the client as the input of the variation self-encoder, calculates the reconstruction probability of the variation self-encoder on the updated model, and performs the first screening and filtering of the pick-up attack client according to the reconstruction probability;
for each client, the server clusters the reconstruction probability of the update model trained in multiple rounds, and performs second screening and filtering of the pick-up attack client according to the similarity of the clustering results in the time domain;
the server side aggregates the update models which are filtered out by the secondary screening to obtain a global model, distributes the global model to the client side for the next training, and uploads the test precision of the global model by using the local sample data when the client side trains the global model for the next time, so that the third screening and filtering of the pick-up car attack client side are realized according to the test precision; wherein, calculate the reconstruction probability of the variation from the encoder to the model parameters according to equation (1):
wherein p is θ (x (i) ) The ith data point x representing the input variation from the encoder (i) Is used as reconstruction probability, z represents hidden variables sampled in hidden variable probability distribution obtained by encoding data x by an encoder with parameter theta, and p θ (z) represents the prior probability distribution of the hidden variable z,the hidden variable z passing parameter is +.>Approximate posterior probability distribution, D, of a decoder of (2) KL (. Cndot.) represents the KL divergence, which is used to measure the similarity of two probability distributions, L (-) represents the lower variation bound of the log likelihood function of the ith data point, and its calculation formula is:
wherein,representation for data point x (i) The hidden variable z passing parameter of (2) is +.>Approximate posterior probability distribution, p, of a decoder of (c) θ (x|z) represents probability distribution of probability of data x given latent variable z,/-, for data x>Representing by approximating the posterior probability distribution +.>Coding and probability distribution p θ (x|z) decoding to reconstruct the expectations of data x.
2. The cluster-based federal learning pick-up attack defense method according to claim 1, wherein when the pick-up attack clients are screened and filtered for the first time according to the reconstruction probability, the reconstruction probability corresponding to the update model of each client is compared, and the client corresponding to the reconstruction probability that the difference between the reconstruction probability and the average value of all the reconstruction probabilities is greater than the set threshold is used as the pick-up attack client and filtered, so that the first screening and filtering of the pick-up attack client are realized.
3. The cluster-based federal learning pick-up attack defense method of claim 1, wherein when the pick-up attack clients are screened and filtered for the first time according to the reconstruction probability, the reconstruction probabilities corresponding to the update models of the clients are ordered, and clients corresponding to the reconstruction probabilities with the adjacent reconstruction probabilities different by more than a tolerance threshold are used as pick-up attack clients and filtered according to the ordering result, so that the first screening and filtering of the pick-up attack clients are realized.
4. The clustering-based federated learning free-rider attack defense method according to claim 1, wherein the t-SNE algorithm is used to cluster the reconstruction probabilities of the update models trained over multiple rounds, and free-rider attack clients are filtered out a second time according to the similarity of the clustering results in the time domain.
5. The clustering-based federated learning free-rider attack defense method according to claim 4, wherein the process of clustering the update models trained by each client over multiple rounds with the t-SNE algorithm and performing the second filtering of free-rider attack clients according to the clustering result is as follows:
first, K cluster centers are initialized, and the distance between each reconstruction probability and each cluster center is made to follow a Student's t-distribution;
where $z_i$ denotes the $i$-th reconstruction probability, $\mu_j$ the $j$-th cluster center, $\mu_{j'}$ the $j'$-th cluster center, $\|\cdot\|^2$ the squared distance, $\alpha$ the degrees of freedom of the assignment, and $q_{i,j}$ the probability that reconstruction probability $z_i$ belongs to cluster center $\mu_j$;
then, the loss contribution of each cluster center is normalized so that large clusters do not distort the reconstruction probabilities, giving the auxiliary distribution;
where the normalization term normalizes the loss contribution of each cluster center against large clusters of reconstruction probabilities, $N$ is the number of rounds trained so far, i.e. the total number of reconstruction probabilities received from each client up to the current round, and $p_{i,j}$ is the auxiliary probability that reconstruction probability $z_i$ belongs to cluster center $\mu_j$;
next, the similarity $L$ between the probability $q_{i,j}$ and the auxiliary probability $p_{i,j}$ is measured by the KL divergence;
finally, the similarity $L$ of two adjacent rounds is compared for each client, and if the difference between the two rounds' $L$ exceeds a set threshold, the client is treated as a free-rider attack client and filtered out, thereby realizing the second screening and filtering of free-rider attack clients.
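The second pass of claim 5, as an added example that is not the patent's own code. The quantities the claim defines are those of the Deep Embedded Clustering objective (Xie et al., 2016): q_{i,j} = (1 + ‖z_i − μ_j‖²/α)^{−(α+1)/2} / Σ_{j′} (1 + ‖z_i − μ_{j′}‖²/α)^{−(α+1)/2}, the auxiliary distribution p_{i,j} = (q_{i,j}²/f_j) / Σ_{j′} (q_{i,j′}²/f_{j′}) with the per-center normalization f_j = Σ_i q_{i,j}, and L = Σ_i Σ_j p_{i,j} log(p_{i,j}/q_{i,j}); that form is what is implemented below. The claim names t-SNE, which shares only the Student's t kernel with this formulation, so a practitioner should read the clustering step as DEC-style rather than as a t-SNE embedding. K = 2, α = 1, a Lloyd-iteration initialization of the centers, the drift threshold and the per-client histories are all assumptions.

```python
"""Second-pass free-rider screening by clustering each client's history of
reconstruction probabilities (added example, not the patent's own code).

Implements the DEC-style objective matching the symbols of claim 5:
  q_{i,j} = (1 + ||z_i - mu_j||^2 / alpha)^(-(alpha+1)/2) / sum_{j'} (...)
  p_{i,j} = (q_{i,j}^2 / f_j) / sum_{j'} (q_{i,j'}^2 / f_{j'}),  f_j = sum_i q_{i,j}
  L       = sum_i sum_j p_{i,j} * log(p_{i,j} / q_{i,j})          (KL(P || Q))
Assumptions: K = 2 centers, alpha = 1, centers initialised by Lloyd
iterations, and a threshold on the round-to-round drift |L_t - L_{t-1}|.
"""
import math
from typing import Dict, List, Sequence


def kmeans_centers(z: Sequence[float], k: int, iters: int = 20) -> List[float]:
    """Initialise K centers spread evenly over the value range, then refine with
    Lloyd iterations; a lone outlier therefore ends up with its own center."""
    lo, hi = min(z), max(z)
    centers = [lo + (j + 0.5) * (hi - lo) / k for j in range(k)]
    for _ in range(iters):
        members: List[List[float]] = [[] for _ in range(k)]
        for zi in z:
            nearest = min(range(k), key=lambda j: abs(zi - centers[j]))
            members[nearest].append(zi)
        updated = [sum(m) / len(m) if m else centers[j] for j, m in enumerate(members)]
        if updated == centers:
            break
        centers = updated
    return centers


def soft_assign(z: Sequence[float], centers: Sequence[float], alpha: float = 1.0) -> List[List[float]]:
    """q_{i,j}: Student's t kernel between z_i and mu_j, normalised over centers."""
    q = []
    for zi in z:
        kern = [(1.0 + (zi - mu) ** 2 / alpha) ** (-(alpha + 1) / 2) for mu in centers]
        total = sum(kern)
        q.append([x / total for x in kern])
    return q


def target_distribution(q: List[List[float]]) -> List[List[float]]:
    """p_{i,j}: sharpen q and divide by the soft cluster frequency f_j so that a
    large cluster does not dominate the loss (the claim's normalisation step)."""
    k = len(q[0])
    f = [sum(row[j] for row in q) for j in range(k)]
    p = []
    for row in q:
        w = [row[j] ** 2 / f[j] for j in range(k)]
        total = sum(w)
        p.append([x / total for x in w])
    return p


def kl_divergence(p: List[List[float]], q: List[List[float]]) -> float:
    """L = KL(P || Q) summed over all reconstruction probabilities and centers."""
    return sum(pij * math.log(pij / qij)
               for prow, qrow in zip(p, q) for pij, qij in zip(prow, qrow) if pij > 0.0)


def cluster_loss(history: Sequence[float], k: int = 2, alpha: float = 1.0) -> float:
    """Similarity L for one client's reconstruction probabilities z_1..z_N."""
    centers = kmeans_centers(history, k)
    q = soft_assign(history, centers, alpha)
    return kl_divergence(target_distribution(q), q)


def second_pass(histories: Dict[str, List[float]], threshold: float,
                k: int = 2, alpha: float = 1.0) -> List[str]:
    """Claim 5: compare L on the rounds seen so far with L one round earlier;
    a jump larger than `threshold` marks the client as a free rider."""
    flagged = []
    for client, hist in histories.items():
        if len(hist) < 3:            # need two comparable rounds with >= 2 points each
            continue
        drift = abs(cluster_loss(hist, k, alpha) - cluster_loss(hist[:-1], k, alpha))
        if drift > threshold:
            flagged.append(client)
    return sorted(flagged)


# Constructed histories: honest clients hover around 0.8; the free rider's
# copied update suddenly reconstructs badly in the latest round.
HISTORIES = {
    "honest_1": [0.80, 0.81, 0.79, 0.80, 0.82, 0.81],
    "honest_2": [0.78, 0.79, 0.80, 0.79, 0.78, 0.80],
    "free_rider": [0.80, 0.81, 0.79, 0.80, 0.82, 0.20],
}

if __name__ == "__main__":
    for name, hist in HISTORIES.items():
        print(f"{name:10s} L={cluster_loss(hist):.4f} L_prev={cluster_loss(hist[:-1]):.4f}")
    print("flagged:", second_pass(HISTORIES, threshold=0.01))
```

Two practical points follow from the formulation: L is recomputed over the whole history, so the per-client cost grows with the round count N; and a free rider whose reconstruction probability is stably poor from the first round produces no jump in L, so it is the first pass (claims 2 and 3), not this drift test, that has to catch it.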
6. The clustering-based federated learning free-rider attack defense method according to claim 1, wherein the server aggregates the update models remaining after the second filtering into a global model in either of the following two ways:
mode one: average aggregation, in which the update model parameters of all clients are averaged to obtain the global model parameters;
mode two: weighted aggregation, in which a weight is assigned to each client's update model parameters and the weighted update model parameters of all clients are summed to obtain the global model parameters.
7. The clustering-based federated learning free-rider attack defense method according to claim 1, wherein, when the third screening and filtering of free-rider attack clients is performed according to the test accuracy, a client that cannot produce a test accuracy and does not upload one is treated as a free-rider attack client and filtered out, thereby realizing the third screening and filtering of free-rider attack clients.
8. The clustering-based federated learning free-rider attack defense method according to claim 1, wherein the three filtering operations are applied to the clients in every training round until no free-rider attack client has been detected for several consecutive rounds, whereupon the filtering operations are stopped.
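A round loop that chains the filters, aggregates the survivors (claim 6), applies the missing-accuracy rule (claim 7) and stops filtering after several consecutive clean rounds (claim 8), as an added example that is not the patent's own code. Filters are passed in as a list, so the clustering filter of claim 5 slots in between the two shown without being repeated here. Assumptions: a flagged client stays excluded in later rounds, mode-two weights are normalized to sum to one, `patience` counts consecutive rounds without a detection, and the client reports are constructed.

```python
"""Round loop with aggregation, the third filter and the stop rule (claims 6,
7 and 8); added example, not the patent's own code.  Filters are pluggable so
the claim 5 clustering filter can be inserted between the two shown here.
Assumptions: flagged clients are excluded from all later rounds, mode-two
weights are normalised to sum to one, and `patience` consecutive clean rounds
switch filtering off.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass
class ClientReport:
    update: List[float]               # uploaded model parameters
    recon_prob: float                 # server-side reconstruction probability
    test_acc: Optional[float] = None  # None: client uploaded no test accuracy


Filter = Callable[[Dict[str, ClientReport]], List[str]]


def first_pass(threshold: float) -> Filter:
    """Claim 2's mean-deviation rule, kept here only so the chain has an upstream filter."""
    def run(reports: Dict[str, ClientReport]) -> List[str]:
        if not reports:
            return []
        mu = mean(r.recon_prob for r in reports.values())
        return [c for c, r in reports.items() if abs(r.recon_prob - mu) > threshold]
    return run


def third_pass(reports: Dict[str, ClientReport]) -> List[str]:
    """Claim 7: a client that produced and uploaded no test accuracy is a free rider."""
    return [c for c, r in reports.items() if r.test_acc is None]


def aggregate(updates: Dict[str, List[float]],
              weights: Optional[Dict[str, float]] = None) -> List[float]:
    """Claim 6: mode one (weights=None) averages the surviving updates; mode two
    weights each client's update (e.g. by local dataset size) before summing."""
    if not updates:
        raise ValueError("no update survived filtering; nothing to aggregate")
    if weights is None:
        weights = {c: 1.0 for c in updates}
    total = sum(weights[c] for c in updates)
    dim = len(next(iter(updates.values())))
    return [sum(weights[c] * upd[i] for c, upd in updates.items()) / total for i in range(dim)]


@dataclass
class RoundLog:
    flagged: List[str]
    filtered: bool      # whether the filter chain ran in this round


def run_training(rounds: Sequence[Dict[str, ClientReport]], filters: Sequence[Filter],
                 patience: int, weights: Optional[Dict[str, float]] = None
                 ) -> Tuple[List[float], List[RoundLog]]:
    """Claim 8: run the chain every round; after `patience` consecutive rounds
    with no detection, stop filtering.  A flagged client stays excluded."""
    banned: set = set()
    clean_streak, filtering = 0, True
    model: List[float] = []
    log: List[RoundLog] = []
    for reports in rounds:
        active = {c: r for c, r in reports.items() if c not in banned}
        flagged: List[str] = []
        if filtering:
            for f in filters:              # each filter sees only the survivors of the previous one
                hit = f(active)
                flagged.extend(hit)
                active = {c: r for c, r in active.items() if c not in hit}
            banned.update(flagged)
            clean_streak = 0 if flagged else clean_streak + 1
            log.append(RoundLog(sorted(flagged), True))
            if clean_streak >= patience:
                filtering = False
        else:
            log.append(RoundLog([], False))
        model = aggregate({c: r.update for c, r in active.items()}, weights)
    return model, log


def build_round(step: int) -> Dict[str, ClientReport]:
    """Constructed reports; honest updates scale with the round so the aggregate is easy to check."""
    s = float(step)
    return {
        "a": ClientReport([1.0 * s, 2.0 * s], 0.80, 0.90),
        "b": ClientReport([2.0 * s, 4.0 * s], 0.82, 0.91),
        "c": ClientReport([3.0 * s, 6.0 * s], 0.78, 0.89),
        "free_rider": ClientReport([99.0, 99.0], 0.30, 0.88),  # stale copy reconstructs badly
        "mute": ClientReport([1.5 * s, 3.0 * s], 0.81, None),   # never uploads a test accuracy
    }


ROUNDS = [build_round(s) for s in range(1, 5)]

if __name__ == "__main__":
    final_model, history = run_training(ROUNDS, [first_pass(0.2), third_pass], patience=2)
    for n, entry in enumerate(history, 1):
        print(f"round {n}: flagged={entry.flagged} filtered={entry.filtered}")
    print("global model:", final_model)
```

Once filtering is switched off, a client that turns into a free rider later, or one that sat out the early rounds, is no longer screened; re-arming the chain on a schedule or on a drop in global test accuracy is a reasonable extension that the claim does not specify.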
CN202011499170.0A 2020-12-17 2020-12-17 Clustering-based federal learning pick-up car attack defense method Active CN112434758B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011499170.0A CN112434758B (en) 2020-12-17 2020-12-17 Clustering-based federal learning pick-up car attack defense method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011499170.0A CN112434758B (en) 2020-12-17 2020-12-17 Clustering-based federal learning pick-up car attack defense method

Publications (2)

Publication Number Publication Date
CN112434758A CN112434758A (en) 2021-03-02
CN112434758B true CN112434758B (en) 2024-02-13

Family

ID=74696712

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011499170.0A Active CN112434758B (en) 2020-12-17 2020-12-17 Clustering-based federal learning pick-up car attack defense method

Country Status (1)

Country Link
CN (1) CN112434758B (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113205115B (en) * 2021-04-12 2022-03-04 Wuhan University Method and system for resisting neural network backdoor attacks based on image feature analysis
CN113360896B (en) * 2021-06-03 2022-09-20 Harbin Institute of Technology Free rider attack detection method under a horizontal federated learning architecture
CN113360897A (en) * 2021-06-03 2021-09-07 Harbin Institute of Technology Free rider attack method under a horizontal federated learning architecture
CN113297575B (en) * 2021-06-11 2022-05-17 Zhejiang University of Technology Multi-channel graph vertical federated model defense method based on an autoencoder
CN113411329B (en) * 2021-06-17 2022-06-28 Zhejiang University of Technology Federated learning backdoor attack defense method based on DAGMM
CN113344220B (en) * 2021-06-18 2022-11-11 Shandong University User screening method, system and equipment based on local model gradients in federated learning, and storage medium
CN113688387B (en) * 2021-07-30 2023-08-22 East China Normal University Method for defending against federated learning poisoning attacks based on dual detection by server and client
CN113780344B (en) * 2021-08-05 2023-08-22 Sun Yat-sen University Hierarchical clustering-based federated learning method and system
CN113902131B (en) * 2021-12-06 2022-03-08 Institute of Automation, Chinese Academy of Sciences Updating method for node models resisting discrimination propagation in federated learning
CN114548428B (en) * 2022-04-18 2022-08-16 Hangzhou Hikvision Digital Technology Co., Ltd. Intelligent attack detection method and device for federated learning models based on instance reconstruction
CN115618969B (en) * 2022-12-19 2023-04-07 Hunan University of Technology and Business Data selection method based on clustering and ring topology
CN115905648B (en) * 2023-01-06 2023-05-23 北京锘崴信息科技有限公司 Gaussian mixture model-based user group and financial user group analysis method and device
CN116248249B (en) * 2023-04-23 2023-12-08 Southeast University Group confusion attack method based on gaps in federated learning
CN116434950B (en) * 2023-06-05 2023-08-29 Shandong Jianzhu University Diagnosis system for autism spectrum disorder based on data clustering and ensemble learning
CN116383771B (en) * 2023-06-06 2023-10-27 Yunnan Power Grid Co., Ltd. Information Center Network anomaly intrusion detection method and system based on a variational autoencoder model

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008696A (en) * 2019-03-29 2019-07-12 Wuhan University User data reconstruction attack method for deep federated learning
CN111460443A (en) * 2020-05-28 2020-07-28 Nanjing University Security defense method against data manipulation attacks in federated learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
联邦学习安全与隐私保护研究综述 (A survey of security and privacy protection in federated learning); 周俊, 方国英, 吴楠; Journal of Xihua University (Natural Science Edition), Issue 4; full text *

Also Published As

Publication number Publication date
CN112434758A (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN112434758B (en) Clustering-based federal learning pick-up car attack defense method
CN111914256B (en) Defense method for machine learning training data under toxic attack
US20230308465A1 (en) System and method for dnn-based cyber-security using federated learning-based generative adversarial network
CN112257063B (en) Cooperative game theory-based detection method for backdoor attacks in federal learning
US20190294786A1 (en) Intelligent Security Risk Assessment
CN111641634B (en) Honey net based active defense system and method for industrial control network
CN112365005B (en) Federal learning poisoning detection method based on neuron distribution characteristics
CN111726350B (en) Internal threat detection method based on VAE and BPNN
CN112039903A (en) Network security situation assessment method based on deep self-coding neural network model
CN110162958B (en) Method, apparatus and recording medium for calculating comprehensive credit score of device
CN117056951B (en) Data security management method for digital platform
Xu et al. Agic: Approximate gradient inversion attack on federated learning
Al-Maslamani et al. Secure federated learning for iot using drl-based trust mechanism
CN117336071A (en) Internet of things equipment safety protection method and device based on distributed AI
CN115758387A (en) Information security risk assessment method
Gan et al. Exploitation analysis of byzantine attack for cooperative spectrum sensing
Li et al. Research on intrusion detection based on neural network optimized by genetic algorithm
CN113962712A (en) Method for predicting fraud gangs and related equipment
Alruwaythi et al. User behavior trust modeling in cloud security
Liu et al. Improved detection of user malicious behavior through log mining based on IHMM
Eillot et al. A predictive model for cloud computing security in banking sector using Levenberg Marquardt back propagation with cuckoo search
Karthik et al. Residual based temporal attention convolutional neural network for detection of distributed denial of service attacks in software defined network integrated vehicular adhoc network
CN116056087B (en) Network attack detection method, device and equipment
Chen et al. An Investigation of Recent Backdoor Attacks and Defenses in Federated Learning
Bansal et al. Securing fingerprint images using a hybrid technique

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant