CN113411329A - DAGMM-based federated learning backdoor attack defense method - Google Patents

DAGMM-based federated learning backdoor attack defense method

Info

Publication number
CN113411329A
CN113411329A
Authority
CN
China
Prior art keywords
model
dagmm
client
local
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110675081.5A
Other languages
Chinese (zh)
Other versions
CN113411329B (en)
Inventor
陈晋音
刘涛
张龙源
李荣昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University of Technology ZJUT filed Critical Zhejiang University of Technology ZJUT
Priority to CN202110675081.5A priority Critical patent/CN113411329B/en
Publication of CN113411329A publication Critical patent/CN113411329A/en
Application granted granted Critical
Publication of CN113411329B publication Critical patent/CN113411329B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • G06N20/20Ensemble learning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/142Network analysis or design using statistical or mathematical methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Probability & Statistics with Applications (AREA)
  • Algebra (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a DAGMM-based federated learning backdoor attack defense method, which comprises the following steps: (1) the client receives the global model, trains it, and uploads the local model and the corresponding neuron activation condition; (2) the server receives the updates and uses the DAGMM to calculate the loss of the corresponding client; (3) defense based on multiple rounds of reconstruction errors. The method effectively protects the global model from backdoor attacks.

Description

DAGMM-based federated learning backdoor attack defense method
Technical Field
The invention relates to the technical field of backdoor attack defense, in particular to a DAGMM-based federated learning backdoor attack defense method.
Background
Federated learning has been proposed to facilitate joint model training on data from multiple clients, with the training process coordinated by a central server. Throughout this process each client's data remains local; only model parameters are exchanged between the clients and the parameter server.
A typical training iteration works as follows: first, the central server sends the latest global model to each client. Each client then updates the model locally using the local data and reports the updated model to the parameter server. Finally, the server performs model aggregation on all submitted local updates to form a new global model that has better performance than models trained using data of any single client.
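For illustration only, one such training iteration can be sketched in Python as follows; the client objects and the local_train routine are hypothetical stand-ins, not part of the claimed method:

import numpy as np

def federated_round(global_model, clients, local_train, eta=1.0):
    # One training iteration: broadcast, local training, aggregation of updates.
    updates = []
    for client in clients:
        local_model = local_train(global_model.copy(), client)  # client trains locally
        updates.append(local_model - global_model)               # reported model update
    # the server averages all submitted updates with its own learning rate eta
    return global_model + eta * np.mean(updates, axis=0)

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    clients = [rng.normal(size=4) for _ in range(3)]             # stand-ins for client data
    print(federated_round(np.zeros(4), clients, lambda m, c: m + 0.1 * c))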
In contrast to the alternative of simply collecting all client data and training a model centrally, federated learning saves communication overhead by transmitting only model parameters and protects privacy because all data remains local. Federated learning has therefore attracted wide attention and is widely used for model training with data from multiple users and organizations.
However, federated learning systems are vulnerable to malicious clients. The central server has no access to the clients' data and therefore cannot verify the model updates coming from them, especially when the system adds a secure aggregation protocol to further protect client privacy. In theory, a malicious client can send arbitrary updates to the server, and without effective protection that identifies malicious updates, the learned network weights are easily corrupted.
Backdoor attacks are among the most common attacks in federated learning: an attacker can modify or spoof a classifier so that it assigns a label of the attacker's choice to samples bearing a particular characteristic. Backdoor attacks typically rely on "backdoor neurons" that are activated only when a backdoor sample is present. Research shows that the activation behavior of normal-model neurons differs greatly from that of backdoor-model neurons, and that backdoor attacks can be largely mitigated by pruning the backdoor neurons without damaging too much model performance. However, this pruning approach relies on a reliable "clean" data source, which is not guaranteed in the federated learning scenario.
The invention provides a backdoor attack defense method for horizontal federated learning based on the deep autoencoding Gaussian mixture model (DAGMM), i.e. an anomaly detection mechanism built on the DAGMM. The method performs anomaly detection on client updates based on the difference between backdoor models and normal models; it does not need access to the clients' raw data and only requires the neuron activation conditions of the local models. During federated training, the central server requires each client to provide its neuron activation conditions, puts them together with the updates into the DAGMM, and detects backdoor models so as to defend against backdoor attacks.
Disclosure of Invention
The invention aims to provide a DAGMM-based federated learning backdoor attack defense method to protect a model from backdoor attacks.
A DAGMM-based federated learning backdoor attack defense method comprises the following steps:
(1) the client receives the global model, trains and uploads the local model and the corresponding neuron activation condition;
(2) the server receives the update and calculates the loss of the corresponding client by using the DAGMM;
(3) defense based on multiple rounds of reconstruction errors.
The technical conception of the invention is as follows: backdoor input samples trigger neurons that are not normally activated by clean input samples. These so-called "backdoor neurons" are exploited by attackers to recognize the backdoor pattern and trigger the intended misbehavior, while remaining silent when the input data is clean. At the neuron level, the backdoor model therefore differs noticeably from a normal model.
Based on this observation, a deep autoencoding Gaussian mixture model (DAGMM) is combined with neuron activation information to defend against federated learning backdoor attacks. First, each client is required to upload its model's neuron activation condition together with the updated model. The updates of all clients are put into the DAGMM, the reconstruction probability of every client's update is estimated jointly, and abnormal clients are screened out. Second, the anomalies recorded by the DAGMM in each round are counted, and clients marked many times are screened out. Finally, the aggregated global model is sent to each client, while no global model is issued to clients identified as attackers.
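The overall server-side flow can be summarized by the following illustrative Python sketch; the callable dagmm_energy, the threshold and the flag bookkeeping are placeholders for the components detailed in the embodiments below, not a definitive implementation:

def defense_round(global_model, client_packages, dagmm_energy, threshold, flags):
    # One server round of the DAGMM-based defense (sketch).
    # client_packages: list of (client_id, local_model, activation_ranking)
    # dagmm_energy:    callable returning a reconstruction-energy score per update
    # flags:           dict counting how often each client has been marked anomalous
    accepted = []
    for cid, model, ranking in client_packages:
        if dagmm_energy(model, ranking) > threshold:   # large energy -> likely backdoor
            flags[cid] = flags.get(cid, 0) + 1         # mark, verify over several rounds
        accepted.append(model)
    new_global = sum(accepted) / len(accepted)         # simplified averaging step
    return new_global, flags

After enough rounds, clients whose mark count exceeds a chosen limit would be excluded from aggregation and would no longer receive the global model, as described above.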
Preferably, step (1) comprises:
(1.1) the server retrieves the global model and distributes it to each client;
(1.2) after receiving the global model, the client trains it with its local data to obtain the local model of the current round, and then ranks all neurons according to each neuron's activation;
(1.3) the model and the activation ranking are packaged and sent to the server.
Further preferably, the global model is obtained through federated learning training and, after aggregating the distributed training results from the N parties, should generalize well to the test data. The training objective of federated learning is summarized as the finite-sum optimization:

min_{w ∈ R^d} f(w) = Σ_{i=1}^{N} (a_i / a) f_i(w), with a = Σ_{i=1}^{N} a_i,

where N is the number of parties, each handling its own local model w; party i trains on a private dataset D_i = {(x_j^i, y_j^i)}_{j=1}^{a_i} with the local objective f_i : R^d → R, where a_i = |D_i| and (x_j^i, y_j^i) denotes a data sample together with its corresponding label.
Further preferably, the global model aggregates the distributed training results from the N parties so as to generalize to the test data, specifically:

in the t-th round, the central server sends the current shared model G^t to the N selected parties, where [N] represents the integer set {1, 2, ..., N}; the selected party i uses its own dataset D_i and the learning rate lr, running the optimization algorithm for E local epochs, to locally optimize the function f_i and obtain a new local model L_i^{t+1}. The client then sends the model update L_i^{t+1} − G^t to the central server, which averages all updates with its own learning rate η to generate the new global model G^{t+1}:

G^{t+1} = G^t + (η / N) Σ_{i=1}^{N} (L_i^{t+1} − G^t)
Preferably, step (2) comprises:
(2.1) for the updated local model matrix, all rows of the matrix are first concatenated to create a one-dimensional vector, which is then fed to the autoencoder of the DAGMM;
(2.2) the neuron activation ranking matrix is compressed into a one-dimensional vector, the standard deviation of this input vector is computed, and this metric is stacked to create a new vector;
(2.3) the new vector is concatenated with the low-dimensional representation learned by the autoencoder to form the output concatenated vector, which is fed to the estimation network for multivariate Gaussian estimation to obtain the reconstruction energy.
Further preferably, the overall network structure of the DAGMM comprises a compression network and an estimation network;
the compression network is a deep autoencoding network; through it, the low-dimensional representation z_c of the input x is obtained, together with the reconstruction-error feature z_r between the input x and the reconstruction x' and the standard deviation z_s computed from the neuron activation matrix, and the three are concatenated to form z. The estimation network takes z as input and produces a probability distribution through several fully connected layers.
Further preferably, the compression network calculates its low dimensional representation z as follows:
z_c = h(x; θ_e), x' = g(z_c; θ_d),
z_r = f(x, x'),
z_s = σ(x*),
z = [z_c, z_r, z_s],

where z_c is the reduced low-dimensional representation learned by the deep autoencoder, z_r comprises the features derived from the reconstruction error, z_s is the standard deviation computed from the neuron activation matrix, x* denotes the sample's neuron activation matrix, θ_e and θ_d are the parameters of the encoder and decoder of the deep autoencoder (x' being the reconstruction of x), h(·) denotes the encoding function, g(·) the decoding function, f(·) the function computing the reconstruction-error features, and σ(·) the standard deviation function; finally, the compression network feeds z to the subsequent estimation network.
Preferably, step (3) comprises:
(3.1) the central server records the reconstruction loss of each client in the first several rounds and marks abnormal clients, without taking further action;
(3.2) after enough rounds have been recorded, the number of times each client has been marked is counted, and clients marked many times are screened out;
(3.3) steps (3.1) and (3.2) are repeated and screening continues until no abnormal updates remain.
The invention has the beneficial effects that:
(1) Backdoor model detection is performed with the DAGMM, protecting the global model and improving robustness.
(2) During federated learning, the neuron activation condition is tied to the anomaly detection, improving the efficiency of backdoor attack detection.
(3) Attackers are screened out in the early stage of training, so that even if a backdoor has already been injected into the global model, the backdoor features are erased by newly learned features as training progresses and cease to exist.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a block diagram of a DAGMM-based federated learning backdoor attack defense system of the method of the present invention;
FIG. 3 is the overall network structure of the DAGMM.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1 to FIG. 3, a DAGMM-based federated learning backdoor attack defense method includes the following steps:
(1) The client receives the global model, trains it, and uploads the local model together with the corresponding neuron activation condition. The training objective of federated learning can be summarized as the finite-sum optimization:

min_{w ∈ R^d} f(w) = Σ_{i=1}^{N} (a_i / a) f_i(w), with a = Σ_{i=1}^{N} a_i,

where N is the number of parties, each handling its own local model w; party i trains on a private dataset D_i = {(x_j^i, y_j^i)}_{j=1}^{a_i} with the local objective f_i : R^d → R, where a_i = |D_i| and (x_j^i, y_j^i) denotes a data sample together with its corresponding label. The goal of federated learning is to obtain a global model that generalizes well to test data after aggregating the distributed training results from the N parties.
Specifically, in the t-th round, the central server sends the current shared model G^t to the N selected parties, where [N] represents the integer set {1, 2, ..., N}. The selected party i uses its own dataset D_i and the learning rate lr, running the optimization algorithm for E local epochs, to locally optimize the function f_i and obtain a new local model L_i^{t+1}. The client then sends the model update L_i^{t+1} − G^t to the central server, which averages all updates with its own learning rate η to generate the new global model G^{t+1}:

G^{t+1} = G^t + (η / N) Σ_{i=1}^{N} (L_i^{t+1} − G^t)
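For illustration, the aggregation rule above can be sketched in Python as follows (a toy numpy implementation; the vectors stand in for flattened model parameters):

import numpy as np

def aggregate(global_model, local_models, eta):
    # G^{t+1} = G^t + (eta / N) * sum_i (L_i^{t+1} - G^t)
    updates = [lm - global_model for lm in local_models]
    return global_model + (eta / len(local_models)) * np.sum(updates, axis=0)

if __name__ == "__main__":
    g = np.array([0.0, 0.0])
    locals_ = [np.array([1.0, 0.0]), np.array([0.0, 1.0])]
    print(aggregate(g, locals_, eta=1.0))   # -> [0.5 0.5]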
For an attacker, the backdoor attack aims to mislead the trained model into predicting the target label τ on any input that embeds the pattern (i.e., the trigger) chosen by the attacker. The goal of a backdoor attack in federated learning is to manipulate a local model so that it fits the main task and the backdoor task simultaneously: the global model behaves normally on untampered data samples while achieving a high attack success rate on backdoored samples. Attacker i, holding local data D_i, pursues the following objective in round t for the target label τ:

w_i^* = argmax_{w_i} [ Σ_{j ∈ D_i^{bd}} P( G^{t+1}( R(x_j^i, φ) ) = τ ) + Σ_{j ∈ D_i^{cln}} P( G^{t+1}( x_j^i ) = y_j^i ) ],

where x_j^i is a data sample, y_j^i is the corresponding true label of the sample, and the backdoor-triggered data D_i^{bd} and the clean data D_i^{cln} satisfy D_i^{bd} ∪ D_i^{cln} = D_i and D_i^{bd} ∩ D_i^{cln} = ∅. The function P is the corresponding training optimization function, and the function R uses a set of parameters φ to convert clean data of any class into backdoor data carrying the trigger pattern selected by the attacker. The normal model w_i is thus converted into the backdoor model w_i^* by maximizing the formula above.
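As a purely illustrative sketch of the attacker-side transformation R described above (the patch-style trigger, its parameters φ and the poisoning fraction are hypothetical, not taken from this description):

import numpy as np

def apply_trigger(x, phi):
    # R(x, phi): stamp a small pixel pattern onto a clean image sample.
    x = x.copy()
    r, c, size, value = phi            # trigger position, extent and intensity
    x[r:r + size, c:c + size] = value  # overwrite a small patch with the trigger
    return x

def poison(dataset, phi, tau, fraction=0.2, seed=0):
    # Relabel a fraction of samples to the attacker-chosen target label tau.
    rng = np.random.default_rng(seed)
    poisoned = []
    for x, y in dataset:
        if rng.random() < fraction:
            poisoned.append((apply_trigger(x, phi), tau))   # backdoored sample
        else:
            poisoned.append((x, y))                         # clean sample kept
    return poisoned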
Therefore, the algorithm steps are as follows:
(1.1) the server retrieves the global model and distributes it to each client;
(1.2) after receiving the global model, the client trains it with its local data to obtain the local model of the current round, and then ranks all neurons according to each neuron's activation (a sketch of this ranking step follows below);
(1.3) the model and the activation ranking are packaged and sent to the server.
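A minimal sketch of how a client might derive the activation ranking packaged in step (1.3); the single fully connected layer, the ReLU activation and the averaging over a local batch are assumptions made only for illustration:

import numpy as np

def activation_ranking(weight, bias, local_batch):
    # Rank the neurons of one fully connected layer by mean activation.
    pre = local_batch @ weight + bias          # (batch, n_neurons) pre-activations
    act = np.maximum(pre, 0.0)                 # assumed ReLU activation
    mean_act = act.mean(axis=0)                # average activation per neuron
    return np.argsort(-mean_act)               # neuron indices, most active first

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    W, b = rng.normal(size=(8, 16)), np.zeros(16)
    batch = rng.normal(size=(32, 8))           # stand-in for local client data
    print(activation_ranking(W, b, batch))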
(2) The server receives the update and calculates the loss of the corresponding client by using the DAGMM;
the depth self-coding Gaussian mixture model (DAGMM) is an organic combination of a neural network, EM and GMM, a low-dimensional representation and reconstruction error are generated for each input data point by using a depth automatic encoder, and the low-dimensional representation and the reconstruction error are further input into the Gaussian Mixture Model (GMM) for anomaly detection. FIG. 3 is an overall network structure of DAGMM, which is divided into two sub-structures, the left part is compressed, and is a depth self-coding network, and a low-dimensional representation Zc of an input x can be obtained through the self-coding, and meanwhile, a reconstruction error characteristic Zr between the input x and a reconstructed x' and a standard deviation Zs calculated by a neuron activation matrix are obtained, and the three are spliced to form Z; the estimation network is arranged on the right side, the neural network is also a multilayer neural network, the input is Z, the probability distribution is obtained through multilayer full connection, and the length of the probability distribution is the number of the sub-distributions in the Gaussian mixture distribution.
The compression network is a deep autoencoding network, and the low-dimensional representation it provides combines three feature sources: (1) the reduced low-dimensional representation learned by the deep autoencoder; (2) features derived from the reconstruction error; (3) the standard deviation of the neuron activation matrix contributed by the client. Given a sample x and its neuron activation matrix x*, the compression network computes the low-dimensional representation z as follows.
z_c = h(x; θ_e), x' = g(z_c; θ_d),
z_r = f(x, x'),
z_s = σ(x*),
z = [z_c, z_r, z_s],

where z_c is the reduced low-dimensional representation learned by the deep autoencoder, z_r comprises the features derived from the reconstruction error, z_s is the standard deviation computed from the neuron activation matrix, x* denotes the sample's neuron activation matrix, θ_e and θ_d are the parameters of the encoder and decoder of the deep autoencoder (x' being the reconstruction of x), h(·) denotes the encoding function, g(·) the decoding function, f(·) the function computing the reconstruction-error features, and σ(·) the standard deviation function. Finally, the compression network feeds z to the subsequent estimation network.
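By way of illustration only, the compression step can be sketched in numpy as follows, assuming a one-layer encoder/decoder and a relative-Euclidean reconstruction error; the actual network depth and the choice of f(·) are design choices not fixed by this description:

import numpy as np

def compress(x, x_act, W_e, W_d):
    # Compute z = [z_c, z_r, z_s] for one flattened model update x.
    z_c = np.tanh(W_e @ x)                      # h(x; theta_e): low-dimensional code
    x_rec = W_d @ z_c                           # g(z_c; theta_d): reconstruction x'
    z_r = np.linalg.norm(x - x_rec) / (np.linalg.norm(x) + 1e-12)  # f(x, x')
    z_s = x_act.std()                           # sigma(x*): std of activation matrix
    return np.concatenate([z_c, [z_r, z_s]])

if __name__ == "__main__":
    rng = np.random.default_rng(1)
    d, k = 64, 3
    W_e = rng.normal(size=(k, d)) / np.sqrt(d)
    W_d = rng.normal(size=(d, k)) / np.sqrt(k)
    x = rng.normal(size=d)                      # flattened local-model update
    x_act = rng.normal(size=(10, 16))           # stand-in neuron activation matrix
    print(compress(x, x_act, W_e, W_d))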
Given the low-dimensional representation z of the input samples, the estimation network performs density estimation under the GMM framework. In the training phase, with unknown mixture-component distribution φ, mixture means μ and mixture covariances Σ, the estimation network estimates the parameters of the GMM and evaluates the likelihood/energy of the samples. It does so by using a multi-layer neural network to predict the mixture membership of each sample. Given the low-dimensional representation z and an integer K as the number of mixture components, the estimation network performs membership prediction as follows.
p = MLN(z; θ_m),
γ̂ = softmax(p),

where γ̂ is a K-dimensional vector of membership predictions over the mixture components, p is the output of the multi-layer network parameterized by θ_m, and MLN denotes that multi-layer network. Given a batch of n samples and their membership predictions γ̂_1, ..., γ̂_n, the parameters of the GMM can be further estimated as follows:

φ̂_k = (1/n) Σ_{i=1}^{n} γ̂_{ik},
μ̂_k = Σ_{i=1}^{n} γ̂_{ik} z_i / Σ_{i=1}^{n} γ̂_{ik},
Σ̂_k = Σ_{i=1}^{n} γ̂_{ik} (z_i − μ̂_k)(z_i − μ̂_k)^T / Σ_{i=1}^{n} γ̂_{ik},

where γ̂_i is the membership prediction of the low-dimensional representation z_i, and φ̂_k, μ̂_k and Σ̂_k denote respectively the mixture probability, mean and covariance of the k-th component of the GMM.
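For illustration, the batch estimates above can be written compactly in numpy; this sketch treats the membership matrix gamma (n × K) and the representations z as given:

import numpy as np

def gmm_parameters(z, gamma):
    # Estimate mixture weights, means and covariances from soft memberships.
    # z:     (n, d) low-dimensional representations
    # gamma: (n, K) softmax membership predictions from the estimation network
    n_k = gamma.sum(axis=0)                              # effective count per component
    phi = n_k / len(z)                                   # mixture probabilities
    mu = (gamma.T @ z) / n_k[:, None]                    # component means
    cov = []
    for k in range(gamma.shape[1]):
        diff = z - mu[k]                                 # (n, d) centered representations
        cov.append((gamma[:, k, None] * diff).T @ diff / n_k[k])
    return phi, mu, np.stack(cov)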
With the estimated parameters, the sample energy can be further inferred as:

E(z) = −log( Σ_{k=1}^{K} φ̂_k · exp( −(1/2) (z − μ̂_k)^T Σ̂_k^{−1} (z − μ̂_k) ) / √| 2π Σ̂_k | ),

where | · | denotes the determinant of a matrix, z is the given low-dimensional representation, and φ̂_k, μ̂_k and Σ̂_k denote respectively the probability, mean and covariance of the k-th distribution in the GMM.
In anomaly detection, the value of E(z) is computed by the model. In theory, the smaller this value the better (a negative sign precedes the likelihood), so the larger E(z) is, the more likely the corresponding client is an anomalous attacker. Whether an update contributed by a client is backdoored can therefore be judged against a prior threshold obtained from the training-set data.
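A small numpy sketch of the sample energy E(z) and the threshold decision described above; the diagonal regularizer added to each covariance is an assumption for numerical stability, and the threshold is a hypothetical prior value:

import numpy as np

def sample_energy(z, phi, mu, cov, eps=1e-6):
    # E(z) = -log sum_k phi_k N(z | mu_k, cov_k); larger means more anomalous.
    d = len(z)
    total = 0.0
    for k in range(len(phi)):
        c = cov[k] + eps * np.eye(d)                     # regularized covariance
        diff = z - mu[k]
        expo = -0.5 * diff @ np.linalg.solve(c, diff)
        norm = np.sqrt(np.linalg.det(2 * np.pi * c))
        total += phi[k] * np.exp(expo) / norm
    return -np.log(total + 1e-12)

def is_backdoor(z, params, threshold):
    # Flag a client update whose energy exceeds the prior threshold.
    return sample_energy(z, *params) > threshold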
Therefore, the algorithm steps are as follows:
(2.1) for the updated local model matrix, all rows of the matrix are first concatenated to create a one-dimensional vector, which is then fed to the autoencoder (compression network) of the DAGMM;
(2.2) the neuron activation ranking matrix is then compressed into a one-dimensional vector, the standard deviation of this input vector is computed, and this metric is stacked to create a new vector;
(2.3) finally, the new vector is concatenated with the low-dimensional representation learned by the autoencoder (compression network) to form the output concatenated vector, which is fed to the estimation network for multivariate Gaussian estimation to obtain the reconstruction energy.
(3) Defense based on multiple rounds of reconstruction errors: the central server marks the clients detected as abnormal in each round and screens them out only after verification over multiple rounds (a sketch follows after the steps below). The specific process is as follows:
(3.1) in the first several rounds, the central server records the reconstruction loss of each client and marks abnormal clients, but takes no further action, because a detection result from a single round may be coincidental and must be verified over multiple rounds. Backdoor attacks also have limited persistence: even if a backdoor has already been injected into the global model, once the backdoor attacker is screened out and stops injecting it, the original backdoor features are erased by newly learned features as training proceeds, and the attack becomes invalid;
(3.2) after enough rounds have been recorded, the number of times each client has been marked is counted, and clients that have been marked many times are screened out;
(3.3) the above steps are repeated and screening continues until no abnormal updates remain.
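A minimal sketch of the multi-round screening bookkeeping (the observation window and the mark-count limit are hypothetical parameters, not fixed by this description):

from collections import Counter

def screen_clients(round_marks, window=10, max_marks=3):
    # round_marks: list (one entry per round) of sets of client ids marked anomalous.
    # Returns the ids to exclude once at least `window` rounds have been recorded.
    if len(round_marks) < window:
        return set()                         # not enough rounds yet: only record
    counts = Counter(cid for marks in round_marks[-window:] for cid in marks)
    return {cid for cid, n in counts.items() if n >= max_marks}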
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that various changes in the embodiments and/or modifications of the invention can be made, and equivalents and modifications of some features of the invention can be made without departing from the spirit and scope of the invention.

Claims (8)

1. A DAGMM-based federated learning backdoor attack defense method is characterized by comprising the following steps:
(1) the client receives the global model, trains and uploads the local model and the corresponding neuron activation condition;
(2) the server receives the update and calculates the loss of the corresponding client by using the DAGMM;
(3) defense based on multiple rounds of reconstruction errors.
2. The DAGMM-based federated learning backdoor attack defense method according to claim 1, wherein step (1) includes:
(1.1) the server retrieves the global model and distributes it to each client;
(1.2) after receiving the global model, the client trains it with its local data to obtain the local model of the current round, and then ranks all neurons according to each neuron's activation;
(1.3) the model and the activation ranking are packaged and sent to the server.
3. The DAGMM-based federated learning backdoor attack defense method according to claim 1 or 2, wherein the global model is obtained through federated learning training and, after aggregating the distributed training results from the N parties, generalizes to the test data; the training objective of federated learning is summarized as the finite-sum optimization:

min_{w ∈ R^d} f(w) = Σ_{i=1}^{N} (a_i / a) f_i(w), with a = Σ_{i=1}^{N} a_i,

where N is the number of parties, each handling its own local model w; party i trains on a private dataset D_i = {(x_j^i, y_j^i)}_{j=1}^{a_i} with the local objective f_i : R^d → R, where a_i = |D_i| and (x_j^i, y_j^i) denotes a data sample together with its corresponding label.
4. The DAGMM-based federated learning backdoor attack defense method according to claim 3, wherein the global model aggregates the distributed training results from the N parties so as to generalize to test data, specifically:
in the t-th round, the central server sends the current shared model G^t to the N selected parties, where [N] represents the integer set {1, 2, ..., N}; the selected party i uses its own dataset D_i and the learning rate lr, running the optimization algorithm for E local epochs, to locally optimize the function f_i and obtain a new local model L_i^{t+1}; the client then sends the model update L_i^{t+1} − G^t to the central server, which averages all updates with its own learning rate η to generate the new global model G^{t+1}:

G^{t+1} = G^t + (η / N) Σ_{i=1}^{N} (L_i^{t+1} − G^t)
5. The DAGMM-based federated learning backdoor attack defense method according to claim 1, wherein step (2) includes:
(2.1) for the updated local model matrix, all rows of the matrix are first concatenated to create a one-dimensional vector, which is then fed to the autoencoder of the DAGMM;
(2.2) the neuron activation ranking matrix is compressed into a one-dimensional vector, the standard deviation of this input vector is computed, and this metric is stacked to create a new vector;
(2.3) the new vector is concatenated with the low-dimensional representation learned by the autoencoder to form the output concatenated vector, which is fed to the estimation network for multivariate Gaussian estimation to obtain the reconstruction energy.
6. The DAGMM-based federated learning backdoor attack defense method according to claim 1 or 5, wherein the overall network structure of the DAGMM comprises a compression network and an estimation network;
the compression network is a deep autoencoding network; through it, the low-dimensional representation z_c of the input x is obtained, together with the reconstruction-error feature z_r between the input x and the reconstruction x' and the standard deviation z_s computed from the neuron activation matrix, and the three are concatenated to form z; the estimation network takes z as input and produces a probability distribution through several fully connected layers.
7. The DAGMM-based federated learning backdoor attack defense method according to claim 6, wherein the compression network calculates its low-dimensional representation z as follows:
z_c = h(x; θ_e), x' = g(z_c; θ_d),
z_r = f(x, x'),
z_s = σ(x*),
z = [z_c, z_r, z_s],

where z_c is the reduced low-dimensional representation learned by the deep autoencoder, z_r comprises the features derived from the reconstruction error, z_s is the standard deviation computed from the neuron activation matrix, x* denotes the sample's neuron activation matrix, θ_e and θ_d are the parameters of the encoder and decoder of the deep autoencoder (x' being the reconstruction of x), h(·) denotes the encoding function, g(·) the decoding function, f(·) the function computing the reconstruction-error features, and σ(·) the standard deviation function; finally, the compression network feeds z to the subsequent estimation network.
8. The DAGMM-based federated learning backdoor attack defense method according to claim 1, wherein step (3) includes:
(3.1) the central server records the reconstruction loss of each client in the first several rounds and marks abnormal clients, without taking further action;
(3.2) after enough rounds have been recorded, the number of times each client has been marked is counted, and clients marked many times are screened out;
(3.3) steps (3.1) and (3.2) are repeated and screening continues until no abnormal updates remain.
CN202110675081.5A 2021-06-17 2021-06-17 Federal learning backdoor attack defense method based on DAGMM Active CN113411329B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110675081.5A CN113411329B (en) 2021-06-17 2021-06-17 Federal learning backdoor attack defense method based on DAGMM

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110675081.5A CN113411329B (en) 2021-06-17 2021-06-17 Federal learning backdoor attack defense method based on DAGMM

Publications (2)

Publication Number Publication Date
CN113411329A true CN113411329A (en) 2021-09-17
CN113411329B CN113411329B (en) 2022-06-28

Family

ID=77685001

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110675081.5A Active CN113411329B (en) 2021-06-17 2021-06-17 Federal learning backdoor attack defense method based on DAGMM

Country Status (1)

Country Link
CN (1) CN113411329B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965359A (en) * 2021-09-29 2022-01-21 哈尔滨工业大学(深圳) Defense method and device for federal learning data virus attack
CN113962322A (en) * 2021-11-01 2022-01-21 浙江大学 Federal learning-based backdoor attack defense method and system and storable medium
CN114202397A (en) * 2022-02-17 2022-03-18 浙江君同智能科技有限责任公司 Longitudinal federal learning backdoor defense method based on neuron activation value clustering
CN114548428A (en) * 2022-04-18 2022-05-27 杭州海康威视数字技术股份有限公司 Intelligent attack detection method and device of federated learning model based on instance reconstruction
CN115134114A (en) * 2022-05-23 2022-09-30 清华大学 Longitudinal federated learning attack defense method based on discrete confusion self-encoder
CN115146759A (en) * 2022-03-06 2022-10-04 西安电子科技大学 Plug-and-play pre-training model backdoor removal system, method, device and medium
CN115333825A (en) * 2022-08-10 2022-11-11 浙江工业大学 Defense method aiming at gradient attack of federal learning neurons

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020229684A1 (en) * 2019-05-16 2020-11-19 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concepts for federated learning, client classification and training data similarity measurement
US20200412743A1 (en) * 2019-06-25 2020-12-31 International Business Machines Corporation Detection of an adversarial backdoor attack on a trained model at inference time
CN112231756A (en) * 2020-10-29 2021-01-15 湖南科技学院 FL-EM-GMM medical user privacy protection method and system
CN112329009A (en) * 2020-10-12 2021-02-05 南京理工大学 Defense method for noise attack in joint learning
CN112365005A (en) * 2020-12-11 2021-02-12 浙江工业大学 Neuron distribution characteristic-based federal learning poisoning detection method
CN112434758A (en) * 2020-12-17 2021-03-02 浙江工业大学 Cluster-based federal learning casual vehicle attack defense method
CN112464290A (en) * 2020-12-17 2021-03-09 浙江工业大学 Vertical federal learning defense method based on self-encoder
US20210081708A1 (en) * 2019-09-16 2021-03-18 International Business Machines Corporation Automatically Determining Whether an Activation Cluster Contains Poisonous Data

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020229684A1 (en) * 2019-05-16 2020-11-19 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Concepts for federated learning, client classification and training data similarity measurement
US20200412743A1 (en) * 2019-06-25 2020-12-31 International Business Machines Corporation Detection of an adversarial backdoor attack on a trained model at inference time
US20210081708A1 (en) * 2019-09-16 2021-03-18 International Business Machines Corporation Automatically Determining Whether an Activation Cluster Contains Poisonous Data
CN112329009A (en) * 2020-10-12 2021-02-05 南京理工大学 Defense method for noise attack in joint learning
CN112231756A (en) * 2020-10-29 2021-01-15 湖南科技学院 FL-EM-GMM medical user privacy protection method and system
CN112365005A (en) * 2020-12-11 2021-02-12 浙江工业大学 Neuron distribution characteristic-based federal learning poisoning detection method
CN112434758A (en) * 2020-12-17 2021-03-02 浙江工业大学 Cluster-based federal learning casual vehicle attack defense method
CN112464290A (en) * 2020-12-17 2021-03-09 浙江工业大学 Vertical federal learning defense method based on self-encoder

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
ANTRN: "[Translation] How to Backdoor Federated Learning", HTTPS://BLOG.CSDN.NET/QQ_38232598/ARTICLE/DETAILS/90511818, 24 May 2019 (2019-05-24)
王蓉 et al.: "Intrusion detection method based on federated learning and convolutional neural networks" (基于联邦学习和卷积神经网络的入侵检测方法), 《信息网络安全》, no. 04, 10 April 2020 (2020-04-10)
陈晋音 et al.: "Survey of poisoning attacks and defenses on deep learning models" (深度学习模型的中毒攻击与防御综述), 《信息安全学报》, no. 04, 15 July 2020 (2020-07-15)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965359A (en) * 2021-09-29 2022-01-21 哈尔滨工业大学(深圳) Defense method and device for federal learning data virus attack
CN113965359B (en) * 2021-09-29 2023-08-04 哈尔滨工业大学(深圳) Federal learning data poisoning attack-oriented defense method and device
CN113962322A (en) * 2021-11-01 2022-01-21 浙江大学 Federal learning-based backdoor attack defense method and system and storable medium
CN114202397A (en) * 2022-02-17 2022-03-18 浙江君同智能科技有限责任公司 Longitudinal federal learning backdoor defense method based on neuron activation value clustering
CN114202397B (en) * 2022-02-17 2022-05-10 浙江君同智能科技有限责任公司 Longitudinal federal learning backdoor defense method based on neuron activation value clustering
CN115146759A (en) * 2022-03-06 2022-10-04 西安电子科技大学 Plug-and-play pre-training model backdoor removal system, method, device and medium
CN114548428A (en) * 2022-04-18 2022-05-27 杭州海康威视数字技术股份有限公司 Intelligent attack detection method and device of federated learning model based on instance reconstruction
CN115134114A (en) * 2022-05-23 2022-09-30 清华大学 Longitudinal federated learning attack defense method based on discrete confusion self-encoder
CN115134114B (en) * 2022-05-23 2023-05-02 清华大学 Longitudinal federal learning attack defense method based on discrete confusion self-encoder
CN115333825A (en) * 2022-08-10 2022-11-11 浙江工业大学 Defense method aiming at gradient attack of federal learning neurons
CN115333825B (en) * 2022-08-10 2024-04-09 浙江工业大学 Defense method for federal learning neuron gradient attack

Also Published As

Publication number Publication date
CN113411329B (en) 2022-06-28

Similar Documents

Publication Publication Date Title
CN113411329B (en) Federal learning backdoor attack defense method based on DAGMM
US11481622B2 (en) Continuous learning neural network system using rolling window
Kathareios et al. Catch it if you can: Real-time network anomaly detection with low false alarm rates
DE112021002259T5 (en) NETWORK INTRUSION DETECTION THROUGH DEEP LEARNING
US20230012220A1 (en) Method for determining likely malicious behavior based on abnormal behavior pattern comparison
CN112365005B (en) Federal learning poisoning detection method based on neuron distribution characteristics
CN109951462B (en) Application software flow anomaly detection system and method based on holographic modeling
CN112560059B (en) Vertical federal model stealing defense method based on neural pathway feature extraction
CN114189347B (en) Data safety transmission method combining data granulation and gatekeeper
CN116192523A (en) Industrial control abnormal flow monitoring method and system based on neural network
Tang et al. Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis
CN113179244A (en) Federal deep network behavior feature modeling method for industrial internet boundary safety
Zhang et al. Many-objective optimization based intrusion detection for in-vehicle network security
CN114726634B (en) Knowledge graph-based hacking scene construction method and device
CN116467663A (en) Directed dynamic graph data anomaly detection method and system
CN108111539B (en) Network escape behavior detection method based on Bayesian classifier
Liu et al. Artificial Immunity-based Security Response Model for the Internet of Things.
CN114338853B (en) Block chain flow monitoring and detecting method under industrial internet
CN114912927A (en) Block chain anti-fraud analysis method and system
Chu et al. A machine learning classification model using random forest for detecting DDoS attacks
Callegari et al. Statistical approaches for network anomaly detection
CN112861913A (en) Intrusion alarm message correlation method based on graph convolution network
CN112311813B (en) Network attack identification method and device
CN112437085B (en) Network attack identification method and device
CN115758350B (en) Aggregation defense method and device for resisting poisoning attack and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant