CN112749392A - Method and system for detecting abnormal nodes in federated learning - Google Patents


Info

Publication number
CN112749392A
Authority
CN
China
Prior art keywords
model
user
server
local
aggregation
Prior art date
Legal status
Granted
Application number
CN202110020440.3A
Other languages
Chinese (zh)
Other versions
CN112749392B (en)
Inventor
郭晶晶
李海洋
刘玖樽
熊良成
田思怡
马建峰
高华敏
Current Assignee
Xidian University
Original Assignee
Xidian University
Application filed by Xidian University
Priority to CN202110020440.3A
Publication of CN112749392A
Application granted
Publication of CN112749392B
Current legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning
    • G06N20/20: Ensemble learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and a system for detecting abnormal nodes in federated learning are provided. The detection method comprises the following steps: system initialization, comprising user registration, system parameter generation and key agreement; masked local model generation; malicious user detection, in which the server aggregates local models to generate a confusion aggregation model, each user verifies the confusion aggregation model to produce a verification result, and the server detects malicious users from the users' verification results; and model update, in which the server aggregates the masked local models uploaded by non-malicious users to obtain the global model of the current iteration round and sends it to the users, and each user updates its local model according to the received global model. The detection system consists of an aggregation server, a trust authority and a plurality of users. The invention improves the credibility and accuracy of the global model while preserving the privacy of each user, achieving safe and reliable federated learning.

Description

Method and system for detecting abnormal nodes in federated learning
Technical Field
The invention belongs to the field of cyberspace security, and particularly relates to a method and a system for detecting abnormal nodes in federated learning.
Background
Federated Learning is a machine learning method proposed in recent years in which a plurality of users collaboratively train a model on their own data, coordinated by a server. First, each user trains a model on its local data; it then uploads the resulting local model to the server; the server then aggregates the received local models with some aggregation rule to obtain a global model shared by all users. This machine learning paradigm keeps each user's training data from being shared with other users or the central server, protecting the users' data privacy, so federated learning has attracted great attention and developed rapidly in academia and industry in recent years.
Most existing federated learning algorithms assume that all nodes participating in federated learning are honest and trustworthy, but in practice this assumption rarely holds. Researchers have shown that users' private information can be obtained by analyzing the local models they upload, and have designed privacy-preserving aggregation rules that prevent the server from directly observing any user's local model, effectively protecting the users' data and model privacy. At the same time, this gives malicious users (also called Byzantine nodes) more opportunity to upload abnormal local models (intentionally or unintentionally): a malicious user can submit arbitrarily generated parameters to the server as its local model, which affects the whole federated learning process and leaves the central server with an inaccurate global model. Detecting the erroneous models uploaded by malicious users and preventing them from influencing the global model is therefore an important prerequisite for federated learning to be widely applied.
Disclosure of Invention
In a privacy-preserving federated learning system a malicious user can send an arbitrary local model, causing the aggregation server to generate an inaccurate global model. To address this problem, the invention provides a method and a system for detecting abnormal nodes in federated learning, which ensure the credibility and accuracy of the training result by eliminating the influence of malicious models uploaded by such nodes on the whole learning process.
To achieve this purpose, the invention adopts the following technical scheme:
A method for detecting abnormal nodes in federated learning comprises the following steps:
step one, system initialization, including user registration, system parameter generation and key agreement;
step two, generating a masked local model;
step three, malicious user detection, in which the server aggregates local models to generate a confusion aggregation model, the users verify the confusion aggregation model to generate verification results, and the server detects malicious users according to the users' verification results;
step four, the server aggregates the masked local models uploaded by non-malicious users to obtain the global model of the current iteration round and sends the global model to the users, and each user updates its local model according to the received global model.
As a preferred embodiment of the present invention, step one specifically includes:
(1.1) user u_i registers with the federated learning system by first sending the data [d_i, MAC, nonce] to the trust authority TA, where d_i is the local data volume of user u_i, MAC is the MAC address of user u_i, and nonce is a generated random number;
(1.2) according to the received data, the server generates an identity for user u_i and sends it to user u_i and the aggregation server AS; it then generates the system parameters pp = [G, p, g, H] using the KA.param algorithm and distributes the parameters [G, p, g, H] to all users;
(1.3) user u_i generates its public and private keys using the KA.gen(pp) algorithm
Figure BDA0002888330020000021
and sends the public key to the aggregation server AS, which distributes all the public keys it receives to the users in the system;
(1.4) user u_i uses KA to generate the shared key between itself and each other user u_j.
As a preferred embodiment of the present invention, step two specifically includes:
(2.1) user u_i uses
Figure BDA0002888330020000023
and
Figure BDA0002888330020000024
respectively as seeds for the random number generator PRG and generates two sets of mask vectors m_{i,j} and mm_{i,j} according to equations (1), (2); the length of each vector is the same as the length of the user's local model parameters;
Figure BDA0002888330020000022
Figure BDA0002888330020000031
(2.2) user u_i trains a model on its local data to obtain a local model
Figure BDA0002888330020000032
(2.3) user u_i generates a masked local model using formulas (5) and (6);
Figure BDA0002888330020000033
Figure BDA0002888330020000034
(2.4) user u_i generates a masked local model list using formula (7) and sends the list to the aggregation server AS;
ULM_i = [MLM_{i,1} || … || MLM_{i,i-1} || MLM_{i,i+1} || … || MLM_{i,n} || MLM_i]    (7).
As a preferred embodiment of the present invention, step three specifically includes:
(3.1) the server generates a masked local model matrix MMA from the ULM_i uploaded by all users;
Figure BDA0002888330020000035
(3.2) the server generates an aggregation model list agg_model from the masked local model matrix MMA;
(3.3) the server generates random models for model confusion, forming a list random_list in which the number of random models is a multiple of the length of agg_model; the server randomly mixes agg_model and random_list to obtain the confusion aggregation model list garble_agg_model; it stores the position within garble_agg_model of each model from agg_model in an ordered set o_position, and finally sends garble_agg_model to all users;
(3.4) after receiving garble_agg_model, user u_i verifies each model in garble_agg_model on its local data, records the accuracy of each model, records the positions in garble_agg_model of the L most accurate models in an ordered set s_position, and sends s_position to the server as its verification result;
(3.5) after receiving the s_position sent by user u_i, the server calculates:
inter_position = o_position ∩ s_position;
if the length of inter_position is greater than th, user u_i is considered not to be a malicious user; otherwise, user u_i is considered a malicious user, and its local model is likewise a malicious model.
As a preferred embodiment of the present invention, step four specifically includes:
(4.1) the server updates the global model according to the malicious user detection result; first, the server gathers all the trusted users into a trusted user set bs = {u_i}; a model uploaded by a malicious user is not adopted, and the server feeds a randomly generated global model back to that user;
for the trusted participants, the trusted aggregation models are weighted-averaged, using as the weight the ratio of the average data volume of each pair of participants to the sum of the data volumes of all trusted participants, and the resulting global model is distributed to the trusted participants; the specific algorithm is shown in formula (9), and the server distributes the updated global model GM_k of the current round to all trusted users;
Figure BDA0002888330020000041
(4.2) after receiving the global model, the user compares the accuracy of the global model with that of its local model, and selects the more accurate model as its updated local model;
(4.3) repeating step two to step four until a convergence condition is reached.
The invention also provides a system for detecting abnormal nodes in federated learning, which consists of an aggregation server, a trust authority and a plurality of users. The trust authority initializes the system, including user registration, system parameter generation and key agreement. The aggregation server receives the masked local models uploaded by the users and aggregates them through aggregation rules to obtain a global model for the users; during this process it also performs malicious user detection, so that erroneous models sent by malicious users do not negatively affect the global model. Each user trains a model on its local data to obtain a local model; it also generates a mask according to the agreed mask generation rule, forms a masked local model with the generated mask, and uploads the masked local model to the aggregation server.
Preferably, the aggregation server and the trust authority are honest and trustworthy and do not collude with other entities in the system, and none of the users in the system can collude with other entities; at least two trusted users exist in the system; malicious users in the system have no local training data, and a malicious user generates an arbitrary local model, adds the mask, and uploads the resulting malicious masked local model to the aggregation server; a user may be online or offline during training.
Compared with the prior art, the invention has the following beneficial effects: it can detect malicious nodes in a privacy-preserving federated learning system, and it ensures the credibility and accuracy of the system's training result by eliminating the influence of the malicious local models uploaded by malicious nodes on the whole learning process. The masked local model uploaded by each user can be checked for anomalies even though the server cannot obtain any user's real local model, so the privacy of each user is preserved, the reliability and accuracy of the global model are improved, and safe and reliable federated learning is achieved.
Drawings
FIG. 1 is a block diagram of the federated learning system architecture of the present invention;
FIG. 2 is a flow chart of a detection method for abnormal nodes in federated learning according to the present invention;
FIG. 3 is a diagram of the classification accuracy of the present invention on the MNIST data set for different numbers of users and different proportions of malicious users;
FIG. 4 is a computational overhead graph of the malicious user detection process for different numbers of users;
FIG. 5 is a communication overhead diagram of the malicious user detection process at the server side and the user side for different numbers of users.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Referring to FIG. 1, the system for detecting abnormal nodes in federated learning is composed of an Aggregation Server (AS), a Trust Authority (TA) and a plurality of Users.
The tasks of the system entities are as follows:
TA: mainly responsible for initializing the system, including generating the parameters the system requires, user registration, key distribution and the like.
AS: mainly receives the masked local models uploaded by the users and aggregates them through some aggregation rule to obtain a global model for the users; during this process it also performs malicious user detection, so that erroneous models sent by malicious users do not negatively affect the global model.
Users: mainly responsible for training a model on their own local data to obtain a local model. To protect privacy, participants cannot share their data with one another; a malicious user may have no local data to train on and may generate a malicious local model arbitrarily. Each user also generates a mask according to the agreed mask generation rule, forms a masked local model with the generated mask, and uploads the masked local model to the aggregation server. In this process, the local model uploaded by a malicious user (e.g., m in FIG. 1) is an abnormal model, which may reduce the accuracy of the aggregated global model or even produce an erroneous global model, so that the global model makes errors when executing a prediction task and causes losses.
Referring to FIG. 2, the method for detecting abnormal nodes in federated learning mainly includes the following steps:
Step one: system initialization.
This mainly comprises user registration, system parameter generation and key agreement.
Step two: masked local model generation.
This mainly comprises mask generation, local model training and masked local model generation.
Step three: malicious user detection.
The server aggregates local models to generate a confusion aggregation model, the users verify the confusion aggregation model to generate verification results, and finally the server detects malicious users according to the users' verification results.
Step four: model update.
The server aggregates the masked local models uploaded by non-malicious users to obtain the global model of the current iteration round and sends it to the users. Each user updates its local model according to the received global model.
A privacy-preserving federated learning system based on secure multi-party computation can implement the following operations:
(1) Key generation
Key generation involves two algorithms, KA.param and KA.gen.
The algorithm KA.param(k) → pp uses the security parameter k to generate the system parameters pp = (G', g, q, H), where G' is a group of order q, g is its generator, and H is a hash function.
Figure BDA0002888330020000061
The algorithm KA.gen uses the parameters generated by KA.param to generate a public/private key pair for each user. Specifically, user u first selects a random number x from Z_q as its private key
Figure BDA00028883300200000716
and then computes g^x as its public key
Figure BDA0002888330020000071
(2) Key agreement
Figure BDA0002888330020000072
Users u and v compute
Figure BDA0002888330020000073
to obtain the shared secret s_{u,v} between them. The algorithm is commutative, i.e.
Figure BDA0002888330020000074
(3) Mask generation
The privacy protection scheme of the invention adds a mask to the local model. The mask is generated as follows:
Assume that all users in the system are ordered, denoted u_1, u_2, …, u_n ∈ U, and that user u_i is denoted x_{u_i}. Any pair of users (u_i, u_j) obtains a common mask vector after negotiation
Figure BDA0002888330020000075
If u_i uploads
Figure BDA0002888330020000076
and u_j uploads
Figure BDA0002888330020000077
to the server, then the mask
Figure BDA0002888330020000078
cancels out when the models uploaded by u_i and u_j are added, so that the server can obtain the aggregate of u_i and u_j as a global model without revealing the real local models of u_i and u_j.
The mask is generated according to formulas (1) to (2):
Figure BDA0002888330020000079
Figure BDA00028883300200000710
In formula (1),
Figure BDA00028883300200000711
is a random number generator that takes the shared key of u_i and u_j,
Figure BDA00028883300200000712
as its seed.
As can be seen from equation (2)
Figure BDA00028883300200000713
After obtaining the mask, user u_i can generate its masked local vector according to equation (3)
Figure BDA00028883300200000714
and upload it to the server.
Figure BDA00028883300200000715
(4) Secure model aggregation
After the server receives the masked local models uploaded by all users, it performs model aggregation using formula (4) to obtain the global model update of the current iteration round.
z = ∑_{u∈U} y_u    (4)
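The key agreement, mask generation and secure aggregation operations (1) to (4) above, as an added example that is not part of the patent text. Assumptions: the group parameters are toy-sized, SHA-256 stands in for H and the PRG, models are fixed-point integers mod 2^32, and the mask is added when i < j and subtracted when i > j (the page's formulas (1) to (3) did not survive extraction, so this sign rule is the usual pairwise-masking convention, not the patent's own notation).

```python
import hashlib
import secrets

# Toy-sized group (assumption, far too small for real use): p = 2q + 1 with
# p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4
R = 2 ** 32       # models live in Z_R so that pairwise masks cancel exactly
SCALE = 2 ** 16   # fixed-point scale for float weights (assumption)


def ka_gen():
    """KA.gen: random private key x from Z_q and public key g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def ka_agree(sk_u, pk_v):
    """Shared secret s_{u,v} = pk_v^{sk_u} mod p, hashed into a PRG seed."""
    s = pow(pk_v, sk_u, P)
    return hashlib.sha256(s.to_bytes(2, "big")).digest()


def prg(seed, length):
    """Expand a seed into `length` integers mod R (SHA-256 in counter mode)."""
    return [int.from_bytes(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()[:4], "big")
            for c in range(length)]


def encode(weights):
    return [round(w * SCALE) % R for w in weights]


def decode(vec):
    # Map Z_R back to the signed range before rescaling.
    return [((v + R // 2) % R - R // 2) / SCALE for v in vec]


def mask_model(i, weights, sk_i, pks):
    """y_i = x_i + sum_{j>i} m_{i,j} - sum_{j<i} m_{i,j}  (mod R)."""
    y = encode(weights)
    for j, pk_j in enumerate(pks):
        if j == i:
            continue
        m = prg(ka_agree(sk_i, pk_j), len(y))
        sign = 1 if i < j else -1
        y = [(a + sign * b) % R for a, b in zip(y, m)]
    return y


def aggregate(masked):
    """Formula (4): z = sum over users of y_u; every pairwise mask cancels."""
    return [sum(col) % R for col in zip(*masked)]


def demo():
    # Constructed sample local models for four users.
    models = [[0.25, -1.5, 3.0], [1.0, 0.5, -2.0], [-0.75, 2.0, 0.125], [0.5, 0.5, 0.5]]
    keys = [ka_gen() for _ in models]
    sks = [k[0] for k in keys]
    pks = [k[1] for k in keys]
    masked = [mask_model(i, w, sks[i], pks) for i, w in enumerate(models)]
    return models, masked, decode(aggregate(masked))


if __name__ == "__main__":
    print(demo()[2])
```

The server only ever handles the entries of `masked`; with a group this small, two pairwise secrets can coincide, which is one reason real deployments need full-size parameters.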
For the system framework shown in FIG. 1, the present invention makes the following assumptions:
1. Assume that there are n users in total in the system, represented by the set {u_1, u_2, …, u_n}. The TA and AS are honest and reliable and do not collude with other entities in the system. Likewise, none of the users in the system can collude with other entities.
2. There are at least two trusted users in the system.
3. Malicious users in the system have no local training data; a malicious user generates an arbitrary (possibly carefully designed) local model, adds the mask, and uploads the resulting malicious masked local model to the server.
4. The scheme provided by the invention does not consider the problem of users dropping offline during training, but the scheme remains effective when users do drop offline.
The meaning of the parameters involved in the invention is shown in the following table:
Figure BDA0002888330020000081
The method for detecting abnormal nodes in federated learning provided by the embodiment of the invention specifically comprises the following steps:
(1) Step one: system initialization.
(1.1) user u_i registers with the federated learning system by first sending the data [d_i, MAC, nonce] to the TA, where d_i is the local data volume of user u_i, MAC is the MAC address of u_i, and nonce is a generated random number;
(1.2) according to the received data, the server generates an ID for user u_i and sends it to u_i and the AS; it then generates the system parameters pp = [G, p, g, H] using KA and distributes the parameters [G, p, g, H] to all users.
(1.3) user u_i generates its public and private keys using KA.gen(pp)
Figure BDA0002888330020000091
and sends the public key to the AS, which distributes all the public keys it receives to the users in the system.
(1.4) user u_i uses KA to generate the shared key between itself and each other user u_j.
(2) Step two: masked local model generation.
(2.1) user u_i uses
Figure BDA0002888330020000092
and
Figure BDA0002888330020000093
respectively as seeds for the random number generator PRG and generates two sets of mask vectors m_{i,j} and mm_{i,j} according to equations (1), (2); the length of each vector is the same as the length of the user's local model parameters.
(2.2) user u_i trains a model on its local data to obtain a local model
Figure BDA0002888330020000094
(2.3) user u_i generates the masked local model using equations (5), (6).
Figure BDA0002888330020000095
Figure BDA0002888330020000096
(2.4) user u_i generates a masked local model list using equation (7) and sends it to the AS.
ULM_i = [MLM_{i,1} || … || MLM_{i,i-1} || MLM_{i,i+1} || … || MLM_{i,n} || MLM_i]    (7)
(3) Step three: malicious user detection. This mainly comprises server-side model aggregation, confusion aggregation model generation, malicious user verification and user-side model verification.
(3.1) first, the server generates a masked local model matrix MMA from the ULM_i uploaded by all users.
Figure BDA0002888330020000097
(3.2) the server generates an aggregation model list agg_model from MMA according to algorithm 1.
Figure BDA0002888330020000101
(3.3) the server generates random models for model confusion, forming a random model list random_list, where the number of random models in the list should be a multiple of the length of agg_model.
The server randomly mixes agg_model and random_list to obtain the confusion aggregation model list garble_agg_model. The position within garble_agg_model of each model from agg_model is stored in the ordered set o_position, and finally garble_agg_model is sent to all users.
(3.4) after receiving garble_agg_model, user u_i verifies each model in garble_agg_model on its local data, records the accuracy of each model, records the positions in garble_agg_model of the L most accurate models in the ordered set s_position, and sends s_position to the server as its verification result.
(3.5) after receiving the s_position sent by user u_i, the server calculates:
inter_position = o_position ∩ s_position
If the length of inter_position is greater than th, user u_i is considered not to be a malicious user; otherwise, user u_i is considered a malicious user, and its local model is likewise a malicious model.
(4) Step four: model update.
(4.1) the server updates the global model according to the malicious user detection result. First, the server gathers all the trusted users into a trusted user set bs = {u_i}. A model uploaded by a malicious user is not adopted, and the server feeds a randomly generated global model back to that user. For the trusted participants, the trusted aggregation models are weighted-averaged, using as the weight the ratio of the average data volume of each pair of participants to the sum of the data volumes of all trusted participants, and the resulting global model is distributed to the trusted participants; the specific algorithm is shown in formula (9). The server distributes the updated global model GM_k of the current round to all trusted users.
Figure BDA0002888330020000111
(4.2) after receiving the global model, the user compares the accuracy of the global model with that of its local model, and selects the more accurate model as its updated local model;
(4.3) repeating steps (2.1) - (4.3) until a convergence condition is reached.
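The garble-and-verify check of steps (3.3) to (3.5), as an added example that is not part of the patent text. Assumptions: models are weight vectors of a linear classifier, the "aggregates" and the user data are constructed samples, th is read as a fraction of the L real models (the experiments use th = 0.5), and a user without local data returns uniformly guessed positions; all function names are hypothetical.

```python
import math
import random


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def accuracy(model, data):
    """Fraction of (x, label) samples a linear classifier labels correctly."""
    return sum((dot(model, x) > 0) == label for x, label in data) / len(data)


def garble(agg_model, multiple, rng):
    """Step 3.3: hide the aggregates among multiple*len(agg_model) random models."""
    dim = len(agg_model[0])
    random_list = [[rng.uniform(-1, 1) for _ in range(dim)]
                   for _ in range(multiple * len(agg_model))]
    tagged = [(m, True) for m in agg_model] + [(m, False) for m in random_list]
    rng.shuffle(tagged)
    garble_agg_model = [m for m, _ in tagged]
    o_position = {pos for pos, (_, real) in enumerate(tagged) if real}
    return garble_agg_model, o_position


def verify(garble_agg_model, local_data, L, rng):
    """Step 3.4: positions of the L most accurate models on the user's data.
    A user with no local data (the page's malicious user) can only guess."""
    positions = range(len(garble_agg_model))
    if not local_data:
        return set(rng.sample(positions, L))
    ranked = sorted(positions, reverse=True,
                    key=lambda p: accuracy(garble_agg_model[p], local_data))
    return set(ranked[:L])


def is_trusted(o_position, s_position, th):
    """Step 3.5, with th taken as a fraction of the real models (assumption)."""
    inter_position = o_position & s_position
    return len(inter_position) / len(o_position) > th


def false_accept_probability(L, n_random, th):
    """Chance that L uniformly guessed positions still pass step 3.5."""
    total = math.comb(L + n_random, L)
    return sum(math.comb(L, k) * math.comb(n_random, L - k)
               for k in range(L + 1) if k / L > th) / total


def simulate(seed=7, L=4, multiple=2, th=0.5, trials=2000):
    rng = random.Random(seed)
    w_true = [1.0 if d % 2 == 0 else -1.0 for d in range(10)]

    def sample(n):  # constructed, linearly separable user data
        xs = [[rng.uniform(-1, 1) for _ in w_true] for _ in range(n)]
        return [(x, dot(w_true, x) > 0) for x in xs]

    # Constructed stand-ins for real aggregates: the true weights plus noise.
    agg_model = [[w + rng.uniform(-0.1, 0.1) for w in w_true] for _ in range(L)]
    garbled, o_position = garble(agg_model, multiple, rng)  # list length 3L
    honest_ok = is_trusted(o_position, verify(garbled, sample(200), L, rng), th)
    guess_rate = sum(is_trusted(o_position, verify(garbled, [], L, rng), th)
                     for _ in range(trials)) / trials
    return honest_ok, guess_rate


if __name__ == "__main__":
    print(simulate(), false_accept_probability(4, 8, 0.5))
```

`false_accept_probability` gives the detector's false-accept rate for a data-less user under these assumptions; it shrinks as L or the number of random models grows, which is the tuning knob behind garble_model_length.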
The effectiveness of the invention is verified through experiments.
The experimental environment comprises a DELL T7920 workstation, an Intel 4210R CPU, a 160G memory and a Ubuntu 18.04 operating system. The programming environment was Python 3.6.5, TensorFlow 1.12.0, Keras 2.2.4, mpi4 py.0.3. All experiments used the MNIST dataset. Each user performs logistic regression model training using the data it owns.
FIG. 3 shows the classification accuracy of the detection method on the MNIST data set for different numbers of users and different proportions of malicious users, with th = 0.5 and garble_model_length = 3L. As can be seen from the figure, as the number of training rounds increases, the difference between the accuracy of the system with malicious users and the accuracy of the system without malicious users becomes smaller. When the number of users in the system differs but the proportion of malicious users is the same, the model accuracy is almost the same. This shows that the invention can effectively detect malicious users in systems with user populations of different sizes.
FIG. 4 shows the computation overhead of the malicious user detection process for different numbers of users, with th = 0.5, m = 0.4 and garble_model_length = 3L. It can be seen that, at both the server side and the user side, the proportion of the whole system's computation overhead spent on malicious user detection does not change with the number of users, and the proportion is less than 10%.
FIG. 5 shows the computation overhead of the malicious user detection process for different numbers of users, with th = 0.5, m = 0.4 and garble_model_length = 3L. It can be seen that, at the server side, the computation overhead of malicious user detection remains stable for different numbers of users, and at the user side, the computation overhead of malicious user detection increases linearly with the number of users. At both the server side and the user side, the proportion of the whole system's computation overhead spent on malicious user detection is less than 10%.
The above embodiments are only preferred embodiments of the present invention and are not intended to limit its technical solution. Those skilled in the art should understand that the technical solution can be varied by simple modifications and replacements without departing from the spirit and principle of the present invention, and that such modifications and replacements also fall within the protection scope covered by the claims.

Claims (7)

1. A method for detecting abnormal nodes in federated learning, characterized by comprising the following steps:
step one, system initialization, including user registration, system parameter generation and key agreement;
step two, generating a masked local model;
step three, malicious user detection, in which the server aggregates local models to generate a confusion aggregation model, the users verify the confusion aggregation model to generate verification results, and the server detects malicious users according to the users' verification results;
step four, the server aggregates the masked local models uploaded by non-malicious users to obtain the global model of the current iteration round and sends the global model to the users, and each user updates its local model according to the received global model.
2. The method for detecting abnormal nodes in federated learning according to claim 1, wherein step one specifically comprises:
(1.1) user u_i registers with the federated learning system by first sending the data [d_i, MAC, nonce] to the trust authority TA, where d_i is the local data volume of user u_i, MAC is the MAC address of user u_i, and nonce is a generated random number;
(1.2) according to the received data, the server generates an identity for user u_i and sends it to user u_i and the aggregation server AS; it then generates the system parameters pp = [G, p, g, H] using the KA.param algorithm and distributes the parameters [G, p, g, H] to all users;
(1.3) user u_i generates its public and private keys using the KA.gen(pp) algorithm
Figure FDA0002888330010000011
and sends the public key to the aggregation server AS, which distributes all the public keys it receives to the users in the system;
(1.4) user u_i uses KA to generate the shared key between itself and each other user u_j.
3. The method for detecting abnormal nodes in federated learning according to claim 1, wherein step two specifically comprises:
(2.1) user u_i uses
Figure FDA0002888330010000012
and
Figure FDA0002888330010000013
respectively as seeds for the random number generator PRG and generates two sets of mask vectors m_{i,j} and mm_{i,j} according to equations (1) and (2), each vector having the same length as the user's local model parameters;
Figure FDA0002888330010000014
Figure FDA0002888330010000015
(2.2) user u_i trains a model on its local data to obtain a local model
Figure FDA0002888330010000016
(2.3) user u_i generates masked local models using equations (5) and (6);
Figure FDA0002888330010000021
Figure FDA0002888330010000022
(2.4) user u_i generates a masked local model list using equation (7) and sends the list to the aggregation server AS;
ULM_i = [MLM_{i,1} || … || MLM_{i,i-1} || MLM_{i,i+1} || … || MLM_{i,n} || MLM_i] (7).
4. The method for detecting abnormal nodes in federated learning according to claim 1, wherein step three specifically comprises:
(3.1) the server generates a masked local model matrix MMA from the ULM_i uploaded by all users;
Figure FDA0002888330010000023
(3.2) the server generates an aggregation model list agg_model from the masked local model matrix MMA;
(3.3) the server generates random models for model obfuscation to form random_list, where the number of random models in the list is a multiple of the length of agg_model; the server randomly mixes agg_model and random_list to obtain the obfuscated aggregation model list garble_agg_model; it stores the position in garble_agg_model of each model from agg_model in the ordered set o_position, and finally sends garble_agg_model to all users;
(3.4) after receiving garble_agg_model, user u_i verifies each model in garble_agg_model using its local data and records the accuracy of each model, records the positions in garble_agg_model of the L models with the highest accuracy in the ordered set s_position, and sends s_position to the server as its model verification result;
(3.5) after receiving the s_position sent by user u_i, the server calculates:
inter_position = o_position ∩ s_position;
if the length of inter_position is greater than the threshold th, user u_i is considered not to be a malicious user; otherwise, user u_i is considered a malicious user and its local model is also considered a malicious model.
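The detection round of steps (3.3) to (3.5), as an added Python example that is not part of the patent text. Models are toy linear classifiers; the function names garble, accuracy, verify, is_malicious and demo, the constructed data, and the parameter values (multiple, L, th) are assumptions for illustration.

```python
import random

def garble(agg_model, multiple, dim, rng):
    """Server, (3.3): hide agg_model among multiple*len(agg_model) random models."""
    random_list = [[rng.uniform(-1, 1) for _ in range(dim)]
                   for _ in range(multiple * len(agg_model))]
    tagged = [(m, True) for m in agg_model] + [(m, False) for m in random_list]
    rng.shuffle(tagged)
    garble_agg_model = [m for m, _ in tagged]
    o_position = {i for i, (_, is_agg) in enumerate(tagged) if is_agg}
    return garble_agg_model, o_position

def accuracy(model, data):
    """Fraction of local samples a toy linear classifier labels correctly."""
    hits = sum((sum(w * x for w, x in zip(model, xs)) > 0) == label
               for xs, label in data)
    return hits / len(data)

def verify(garble_agg_model, local_data, L):
    """User, (3.4): positions of the L most accurate models."""
    ranked = sorted(range(len(garble_agg_model)), reverse=True,
                    key=lambda i: accuracy(garble_agg_model[i], local_data))
    return set(ranked[:L])

def is_malicious(o_position, s_position, th):
    """Server, (3.5): trusted only if len(o_position ∩ s_position) > th."""
    inter_position = o_position & s_position
    return len(inter_position) <= th

def demo(seed=7, dim=8, n_agg=6, multiple=9, L=6, th=4):
    rng = random.Random(seed)
    truth = [1.0 if i % 2 == 0 else -1.0 for i in range(dim)]  # constructed task
    # Constructed stand-ins for real aggregates: the true weights plus small noise.
    agg_model = [[w + rng.uniform(-0.05, 0.05) for w in truth] for _ in range(n_agg)]
    mixed, o_position = garble(agg_model, multiple, dim, rng)
    # Honest user: holds labelled local data and ranks every model on it.
    data = []
    for _ in range(200):
        xs = [rng.uniform(-1, 1) for _ in range(dim)]
        data.append((xs, sum(w * x for w, x in zip(truth, xs)) > 0))
    honest = verify(mixed, data, L)
    # A user with no local data (the malicious user of claim 7) can only guess.
    guess = set(rng.sample(range(len(mixed)), L))
    return is_malicious(o_position, honest, th), is_malicious(o_position, guess, th)

if __name__ == "__main__":
    print(demo())
```

The larger the multiple of random models and the closer th is to L, the less likely a user without data passes by guessing positions, at the cost of more verification work for every honest user.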
5. The method for detecting abnormal nodes in federated learning according to claim 1, wherein step four specifically comprises:
(4.1) the server updates the global model according to the malicious user detection result; the server first groups all trusted users u_i into a trusted user set bs; for malicious users, the uploaded model is not adopted and the server feeds back a randomly generated global model;
for trusted participants, the server computes a weighted average of the trusted aggregation models, using as the weight the ratio of the average data volume of each pair of participants to the sum of the data volumes of all trusted participants, and distributes the global model to the trusted participants; the specific algorithm is given by equation (9); after the update, the server distributes the global model GM_k of the current round to all trusted users;
Figure FDA0002888330010000031
(4.2) after receiving the global model, the user compares the accuracy of the global model with that of its local model and selects the more accurate of the two as its updated local model;
(4.3) steps two to four are repeated until a convergence condition is reached.
6. A system for detecting abnormal nodes in federated learning, characterized in that: the system comprises an aggregation server, a trust authority and a plurality of users; the trust authority is used for system initialization, including user registration, system parameter generation and key agreement; the aggregation server receives the masked local models uploaded by the users and aggregates them according to aggregation rules to obtain a global model for the users, and also performs malicious user detection during this process to avoid the negative influence on the global model of erroneous models sent by malicious users; each user can train a model on its own local data to obtain a local model, and can also generate masks according to the agreed mask generation rule, form a masked local model using the generated masks, and upload the masked local model to the aggregation server.
7. The system for detecting abnormal nodes in federated learning according to claim 6, wherein:
the aggregation server and the trust authority are honest and trusted, and neither colludes with any other entity in the system; no user in the system colludes with any other entity; at least two trusted users exist in the system; malicious users in the system have no local training data, and a malicious user generates an arbitrary local model, adds masks to it, and uploads the resulting malicious masked local model to the aggregation server; a user's state during training is either online or offline.
CN202110020440.3A 2021-01-07 2021-01-07 Method and system for detecting abnormal nodes in federated learning Active CN112749392B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020440.3A CN112749392B (en) 2021-01-07 2021-01-07 Method and system for detecting abnormal nodes in federated learning

Publications (2)

Publication Number Publication Date
CN112749392A true CN112749392A (en) 2021-05-04
CN112749392B CN112749392B (en) 2022-10-04

Family

ID=75650248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110020440.3A Active CN112749392B (en) 2021-01-07 2021-01-07 Method and system for detecting abnormal nodes in federated learning

Country Status (1)

Country Link
CN (1) CN112749392B (en)

Also Published As

Publication number Publication date
CN112749392B (en) 2022-10-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant