CN113806768A - Lightweight federated learning privacy protection method based on decentralized security aggregation - Google Patents

Publication number
CN113806768A
Authority
CN
China
Prior art keywords
user
model
global
aggregation
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110966055.8A
Other languages
Chinese (zh)
Inventor
沈蒙
顾艾婧
张�杰
王婧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT filed Critical Beijing Institute of Technology BIT
Priority to CN202110966055.8A priority Critical patent/CN113806768A/en
Publication of CN113806768A publication Critical patent/CN113806768A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42Anonymization, e.g. involving pseudonyms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Artificial Intelligence (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a lightweight federated learning privacy protection method based on decentralized secure aggregation, and belongs to the technical field of data privacy protection. On the user side, a secure decentralized aggregation platform is built from edge nodes and a consortium blockchain, and the aggregation process is carried out cooperatively on this platform. Each user segments its local model and sends the segments separately to each connected edge node. Each user also generates a global random number, segments it, and shares the segments with the edge nodes connected to that user. All edge nodes then perform secure decentralized aggregation: each user receives the global model perturbed by its own self-defined global random number, the edge nodes participating in the aggregation cannot learn the global model, and each user can remove the added perturbation to obtain the original global model. The method achieves privacy protection without encryption operations, and is superior to the prior art in computational efficiency, model accuracy, and privacy protection against membership inference attacks.

Description

Lightweight federated learning privacy protection method based on decentralized security aggregation
Technical Field
The invention relates to a lightweight federated learning privacy protection method based on decentralized secure aggregation. It aims to achieve lightweight training on the user side and to reduce the privacy disclosure threat posed by a traditional central aggregator by using decentralized secure aggregation, and belongs to the technical field of data privacy protection.
Background
In recent years, Federated Learning (FL) has been widely used as a new distributed learning framework.
Federated learning allows multiple participants to collaboratively train a unified machine learning model using their local data while preserving privacy. In each round of training, the participants each obtain a local model from their own data sets; a central aggregator then aggregates the local models, constructs a global model, and sends the global model to the participants for the next round of training. Although users' local training data is not disclosed during federated learning, the frequent parameter sharing between training participants and aggregators can be exploited by malicious participants, resulting in leakage of private data.
In recent years, attacks against federated learning have emerged one after another, among which membership inference attacks are a typical kind. A membership inference attack aims to train an attack model that deduces whether a data record exists in a training data set. These attacks are roughly classified into local attacks and global attacks according to the prior knowledge obtained by the attacker. By observing changes in local model updates, a malicious participant can launch a local attack on another participant. A global attack is usually launched by a malicious aggregator, which isolates a participant and sends it a carefully constructed global model. Since the victim trains its local model from the carefully constructed global model, the attacker can infer more private information from the local model updates. Membership inference attacks therefore pose a serious threat to the privacy of the data sets of federated learning participants.
The prior art generally implements federated learning privacy protection in the following ways:
(1) The privacy of the global model is protected by adding Differential Privacy (DP) noise to the global model.
The purpose of differential privacy is to hide each client's contribution during training, which can ensure that the privacy of the global model is not known to the participants.
However, this method cannot protect local privacy: the aggregator can still obtain all local models, which allows the aggregator to mount membership inference attacks on local privacy, and model accuracy is also compromised.
(2) Homomorphic Encryption (HE) technology is used to protect gradients on honest-but-curious cloud servers.
However, the encryption and decryption operations in each round of training incur significant computation and communication costs. The cost of applying it in a large-scale environment is high and may affect the efficiency of the machine learning model.
(3) The privacy of the local model is protected by using secret sharing techniques and adding random perturbations.
The homomorphic hash function is integrated with a pseudorandom technology as an infrastructure of a verifiable method, allowing participants to verify the correctness of cloud server execution at an acceptable cost.
However, the participants are less burdened with secret sharing computations and frequent communication costs and the global model still faces the risk of privacy leakage.
In view of the foregoing, privacy protection for federated learning still faces a number of challenges.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a lightweight federated learning privacy protection method based on decentralized secure aggregation to solve the technical problem of federated learning privacy protection.
The innovation of the invention is as follows: on the user side, a secure decentralized aggregation platform is built from edge nodes and a consortium blockchain, and the aggregation process is carried out cooperatively on this platform. Each user is connected to N edge nodes and performs model segmentation locally.
To protect the privacy of the local model while preserving accuracy, the invention designs a secure parameter segmentation and recovery algorithm based on random perturbation: each user segments its local model (i.e. its parameters) and sends the segments separately to each connected edge node. Under the Byzantine assumption, neither a single edge node nor a group of cooperating edge nodes can recover the local model. Meanwhile, to protect the privacy of the global model, each user generates a global random number, which is segmented and shared separately with the edge nodes connected to that user. All edge nodes then perform secure decentralized aggregation, and each user receives the global model with its own global random number perturbation added.
Therefore, the edge nodes participating in aggregation cannot learn the global model, while each user can remove the added perturbation to obtain the original global model. The method achieves privacy protection without time-consuming encryption operations, which keeps the training process on the user side lightweight.
In the method, each user is a data holder and is responsible for updating the local model in the federated learning process. Each user randomly connects to N edge nodes, and the number of edge nodes is not less than the total number of Byzantine nodes. The edge nodes provide users with secure decentralized local model aggregation and play two roles: local model aggregators and blockchain consensus nodes. The edge nodes form a secure aggregation service platform established at the edge of the user network; the service provider supplies storage, computation and network resources, is responsible for the local models, and performs partial model aggregation.
First, each user segments its model parameters, generates a carefully constructed global random number, and segments the global random number with the parameter segmentation algorithm.
The user then sends the segmented model parameters and global random number to its connected edge nodes.
Next, the edge nodes perform local model aggregation and upload the result to the blockchain. The blockchain ledger serves as a data sharing platform, and global model aggregation is completed by a global model aggregation contract, yielding a global model covered by global random numbers. While the smart contract runs, each edge node queries the data of other edge nodes from the shared blockchain ledger. Meanwhile, an access control security policy ensures that no entity other than the edge nodes and the users can obtain data uploaded to the ledger.
Finally, the edge node sends the global model to the corresponding user, and the user completely removes the global random number to obtain the final global model. User-side lightweight training is realized based on the global model, thereby reducing the threat of privacy disclosure.
Advantageous effects
Compared with the prior art, the method of the invention has the following advantages:
On the user side, a secure decentralized aggregation platform is built from edge nodes and a consortium blockchain, and the aggregation process is carried out cooperatively on this platform to protect the privacy of the global and local models.
(1) The method is suitable for federated learning privacy protection in a decentralized platform environment.
(2) The invention allows privacy-preserving training to be performed in a lightweight manner without loss of model accuracy. A secure decentralized aggregation platform replaces the centralized aggregator, so that data privacy leakage can be avoided.
(3) The invention designs a secure parameter segmentation and recovery algorithm based on the one-time pad, which protects the local and global models, reduces the computational overhead on the user side, and ensures high availability of the models without losing precision.
(4) The invention carries out a rigorous security analysis and proves the security of the proposal.
A large number of experiments show that the method is superior to the prior art in computational efficiency, model accuracy, and privacy protection against membership inference attacks.
Drawings
FIG. 1 is the collaboration model upon which the method of the present invention relies;
FIG. 2 is the interaction protocol process of the method of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It should be noted that the practice of the present invention is not limited to the following examples, and any modification or variation of the present invention may be made without departing from the scope of the present invention.
A lightweight federated learning privacy protection method based on decentralized secure aggregation. On the user side, a secure decentralized aggregation platform is built from edge nodes and a consortium blockchain, and the aggregation process is carried out cooperatively on this platform.
Specifically, the method comprises the following steps:
Step 1: each user in federated learning connects to N edge nodes. Each user segments its model parameters and generates a global random number. The global random number is segmented by the parameter segmentation algorithm, and the segments are sent separately to each connected edge node.
Specifically, the method comprises the following steps:
Step 1.1: the edge nodes establish a consortium blockchain, reach consensus, and establish a secure decentralized aggregation platform.
Step 1.2: each user generates a global random number to mask the global model during each subsequent training round.
In federated learning training, the selected users train local models on their respective local data sets, and the local model of user $u_i$ is then calculated:
Figure BDA0003223981210000041
The method comprises the following steps:
Step 1.2.1: initialize the global model $w_0$, the number of training rounds $T$, and the learning rate $\lambda$;
Step 1.2.2: for each round of training, select users $U_s$ from the user set $U$ to participate in training;
Step 1.2.3: for each user in $U_s$, perform local model training using formula 1;
Figure BDA0003223981210000042
where $w_{t-1}$ represents the parameters of the training model in the previous round, $\eta$ represents the learning rate,
Figure BDA0003223981210000043
represents the gradient, $L$ the loss function, $w$ the model parameters, and $b$ the model parameters.
Step 1.3: use the parameter segmentation algorithm to segment the local model parameters
Figure BDA0003223981210000044
and the global random number of user $u_i$
Figure BDA0003223981210000051
The segments are sent separately to each connected edge node and uploaded to the decentralized secure aggregation smart contract.
In the parameter segmentation algorithm, let $v$ be the parameter, $n$ the number of segments to be generated, seed the random number seed, and PRG the random number generator. The algorithm comprises the following steps:
Step 1.3.1: generate a set of pseudo-random numbers using PRG(seed), obtaining $\{r_1, r_2, \dots, r_n\}$, which denotes $n$ pseudo-random numbers.
Step 1.3.2: segment the parameter $v$:
$v_i = v + r_i - r_{i+1},\ i \in \{1, 2, \dots, n+1\}$; let $v_n = v + r_n - r_0$,
where $v_i, v_n$ represent model parameters and $r_i, r_{i+1}$ represent pseudo-random numbers.
Step 1.3.3: return the set of $v_i$, $i \in \{1, 2, \dots, n+1\}$.
Step 2: the aggregating party performs decentralized secure aggregation, comprising the following steps:
Step 2.1: edge node $Edg_j$ aggregates all segmented local models using the global random numbers of the users selected in the next round of training:
Figure BDA0003223981210000052
Step 2.2: upload the aggregated local models
Figure BDA0003223981210000053
to the blockchain ledger. The blockchain ledger serves as a data sharing platform, and global model aggregation is carried out by a global model aggregation contract.
Step 2.3: after all edge nodes have returned the full set of data
Figure BDA0003223981210000054
the edge nodes compute and return the global model covered by the global random number,
Figure BDA0003223981210000055
This global model is covered by the global random number of user $u_i$,
Figure BDA0003223981210000056
Step 3: the user removes the global random number covering the global model to obtain the global model.
After user $u_i$ obtains
Figure BDA0003223981210000057
it removes the self-defined global random number that it added,
Figure BDA0003223981210000058
by computing
Figure BDA0003223981210000059
Figure BDA00032239812100000510
thereby obtaining the global model $g_t$.
Step 4: user-side lightweight training is realized based on the global model, thereby reducing the threat of privacy disclosure.
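The segmentation, decentralized aggregation and unmasking of steps 1 to 3, written out as an added example that is not the patent's own code. It assumes fixed-point encoding into a prime field, a SHAKE-256 based PRG, segments numbered 1..n with the last one wrapping round to $r_1$ (the index ranges printed above are ambiguous), and recovery by dividing the segment sum by n; the aggregation formulas survive only as figures, so the edge and contract functions are one reading of the text.

```python
import hashlib

P = 2**61 - 1   # prime modulus for segment arithmetic (assumption, not from the page)
SCALE = 10**6   # fixed-point scale for float parameters (assumption)

def prg(seed, count):
    """PRG(seed): expand a seed into `count` field elements with SHAKE-256."""
    stream = hashlib.shake_256(seed).digest(16 * count)
    return [int.from_bytes(stream[16 * k:16 * k + 16], "big") % P for k in range(count)]

def encode(x):
    return round(x * SCALE) % P

def decode(a):
    return (a - P if a > P // 2 else a) / SCALE

def segment(vec, n, seed):
    """Step 1.3: v_i = v + r_i - r_{i+1}, applied to every coordinate.
    Assumption: the last segment wraps to r_1 so the masks cancel in the sum."""
    if n < 2:
        raise ValueError("with one segment the mask cancels and the segment equals v")
    d = len(vec)
    r = prg(seed, n * d)
    return [[(vec[k] + r[i * d + k] - r[((i + 1) % n) * d + k]) % P for k in range(d)]
            for i in range(n)]

def recover(segments):
    """All n segments sum to n*v because the masks telescope; divide by n in the field."""
    n, d = len(segments), len(segments[0])
    inv_n = pow(n, -1, P)
    return [sum(s[k] for s in segments) * inv_n % P for k in range(d)]

def user_prepare(weights, n_edges, seed):
    """Step 1: segment the local model and a fresh global random number g_i."""
    g = prg(b"global|" + seed, len(weights))
    return {"g": g,
            "w_seg": segment([encode(x) for x in weights], n_edges, b"w|" + seed),
            "g_seg": segment(g, n_edges, b"g|" + seed)}

def edge_aggregate(j, users):
    """Step 2.1: edge j adds up segment j of every local model, then adds segment j
    of each user's global random number: one masked partial aggregate per user."""
    d = len(users[0]["g"])
    partial = [sum(u["w_seg"][j][k] for u in users) % P for k in range(d)]
    return [[(partial[k] + u["g_seg"][j][k]) % P for k in range(d)] for u in users]

def contract_aggregate(ledger, i):
    """Steps 2.2-2.3: combine the partials of all edges for user i.
    The result is (sum of local models) + g_i, so it is still masked."""
    return recover([edge_rows[i] for edge_rows in ledger])

def user_unmask(masked, g, n_users):
    """Step 3: remove g_i, decode, and average over the participating users."""
    return [decode((m - gk) % P) / n_users for m, gk in zip(masked, g)]

def run_round(local_models, n_edges, seeds):
    users = [user_prepare(w, n_edges, s) for w, s in zip(local_models, seeds)]
    ledger = [edge_aggregate(j, users) for j in range(n_edges)]
    masked = [contract_aggregate(ledger, i) for i in range(len(users))]
    models = [user_unmask(masked[i], u["g"], len(users)) for i, u in enumerate(users)]
    return users, ledger, masked, models

# Constructed sample input: three users, two parameters each, three edge nodes.
# A deployment would draw each seed from secrets.token_bytes(32), fresh per round.
MODELS = [[0.5, -1.25], [1.5, 0.25], [-0.5, 2.0]]
SEEDS = [b"constructed-seed-user-%d" % i for i in range(3)]

if __name__ == "__main__":
    _, _, masked, models = run_round(MODELS, 3, SEEDS)
    print("masked global model returned to user 0:", masked[0])
    print("global model after user 0 removes its mask:", models[0])
```

Because one seed determines every mask a user applies, an edge node that learned the seed could strip the masks from its segment, so seeds stay on the user side and are never reused across rounds.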
Example 1
In this embodiment, a collaboration model for the lightweight privacy-preserving federated learning method based on decentralized secure aggregation is established, as shown in FIG. 1.
FIG. 1 depicts the following decentralized secure aggregation scenario: each user holds a local data set and updates the local model in the FL process. Each user is randomly connected to several edge nodes; the user segments the model parameters, generates a carefully constructed global random number, and segments the global random number with the parameter segmentation algorithm. The segmented parameters and global random number are sent to the connected nodes. The edge nodes provide secure decentralized local model aggregation for users: they receive the segmented local models and perform partial model aggregation. The partially aggregated models are uploaded to the blockchain ledger for global aggregation, yielding a global model covered by a global random number. The blockchain ledger serves as a data sharing platform that helps complete model aggregation. A global model aggregation contract runs on the blockchain. While the smart contract runs, each edge node can query the data of other edge nodes from the shared blockchain ledger, complete global aggregation, and send each user the global model covered by that user's self-defined random number. The user can finally remove the random number to obtain the final model.
Based on the model in FIG. 1, the method of the present invention is implemented with the following steps:
Step A: the number of users is set to 100, 1000 and 10000, representing small, medium and large user scales respectively, and the proportion of users selected to participate in training is 5%, 10% and 15%.
Training and testing were performed on a CNN according to steps 1 to 3 using the MNIST data set (http://yann.lecun.com/exdb/mnist/), with MNIST set to IID by default. The model accuracy $R$ is calculated by equation 2, where $t_p$ is the number of correctly classified positive instances and $f_n$ is the number of misclassified positive instances.
$R = t_p / (f_n + t_p)$ (2)
Example model accuracies obtained from training at different user scale scenarios are shown in table 1.
TABLE 1 accuracy results for different user scales
Figure BDA0003223981210000061
As can be seen from FIG. 2, the training loss drops faster at both small and medium user scales, from which it is concluded that the training loss is almost independent of the percentage of users selected. At the large user scale, however, the greater the proportion of users selected, the faster the training loss decreases. This is because at large scale more users are engaged in training and each user has fewer data instances. The highest accuracy of the trained model at the different user scales has almost no relation to the percentage of users selected. At all three user scales, the method can train a high-accuracy model.
Step B: calculate the user-side training time and the aggregator-side (edge node side) time.
Step C: calculate the blockchain communication time, namely the delay of calling the smart contract to share and query data, and the communication time between the users and the edge nodes.
Example training time overhead in different user size scenarios is shown in table 2.
TABLE 2 training time overhead
Figure BDA0003223981210000071
As can be seen from table 2, the percentage of users selected has no effect on the training time on either the user side or the aggregator side. This is because an increase in the number of selected users only increases the computational overhead of random number generation, which is a lightweight operation. At all three user scales the time cost is very small, which shows that training on the user side is lightweight; this is because this part of the operation involves no encryption or decryption. The larger the user scale, the less training time is consumed on the user side, because more users means fewer data instances. In all cases, the time cost on the aggregator side is very small, because the edge nodes only perform addition operations and do not need any additional heavy computation.
Example communication time overhead per round of training blockchains is shown in table 3.
TABLE 3 Block chain communication time overhead for each round of training
Figure BDA0003223981210000072
Figure BDA0003223981210000081
As can be seen from table 3, this overhead increases as the number of blockchains increases, which is caused by the characteristics of the blockchain. However, since the local aggregation process of each blockchain node runs independently and in parallel, there is no significant change in time. Similarly, as the number of users increases, the users operate independently of one another, so the communication time overhead does not vary significantly.
Example 2
This embodiment compares the results of the method in various scenarios and shows that the privacy protection method has high training accuracy and efficiency. The method is compared with existing methods, all of which are intended to protect data privacy during federated learning. Federated learning has no privacy protection measures. HEDL protects the privacy of the local model with HE encryption in distributed deep learning. DPFed keeps the common global model private from users by adding DP noise to the global model. PSA and VerifyNet protect the privacy of local models by covering them with random perturbations. Comparison experiments between these existing methods and this method yield the accuracy and time overhead of the trained models, as shown in tables 4 and 5.
TABLE 4 comparison of the accuracy of different methods at different user scales
Figure BDA0003223981210000082
TABLE 5 comparison of the calculation time overhead for different methods at different user scales
Figure BDA0003223981210000083
Figure BDA0003223981210000091
As can be seen from table 4, the method is superior to DPFed in model accuracy: no noise mechanism is added to the global model, so the model is not damaged. At the same time, the method has the same level of accuracy as HEDL, VerifyNet and PSA. These methods show no significant loss in accuracy compared with traditional federated learning.
The results of the communication time comparison with the prior art methods are given in table 5. The method has a clear advantage because time-consuming operations such as encryption and decryption are not needed. The two methods that adopt secret sharing, VerifyNet and PSA, have higher user-side computation time overhead than this method. Because the client in HEDL needs many homomorphic operations, this method outperforms HEDL. The server-side time cost is also comparable to that of the other methods. The overall time cost of this method increases slightly as the number of clients grows, while that of HEFed, VerifyNet and PSA increases.
Example 3
This embodiment compares the results of the method in various scenarios and shows that the privacy protection method is resistant to membership inference attacks. The membership inference attack is applied to five different methods: federated learning, HEDL, DPFed, VerifyNet and PSA. The CIFAR-10 dataset (https://www.cs.toronto.edu/~kriz/cifar.html) is used for the membership inference attack, and the attack comparison results are shown in table 6.
TABLE 6 comparison of the resistance of different methods to membership inference attacks
Figure BDA0003223981210000092
As can be seen from table 6, conventional FL, VerifyNet and PSA cannot defend against membership inference attacks, because the central server can still expose the global model. In HEDL, the server can only obtain the encrypted local models and global model, so the attack accuracy is very low. In this method the attack accuracy stays at a low level, which means that the attack model is merely guessing at the global model, because an attacker can only obtain dummy model parameters made of random numbers. Other attacks, such as attribute inference attacks, are also carried out with knowledge of the local model or the global model; on this basis, like the membership inference attack, they cannot achieve high attack accuracy.
While the embodiments of the present invention have been described in connection with the drawings and examples, it will be apparent to those skilled in the art that various modifications can be made without departing from the principles of this patent, and it is intended to cover all modifications that are within the scope of this patent.

Claims (5)

1. A lightweight federated learning privacy protection method based on decentralized security aggregation, characterized in that each user is a data holder and is responsible for updating a local model in the federated learning process; each user is randomly connected with N edge nodes, and the number of edge nodes is not less than the total number of Byzantine nodes;
the edge nodes provide secure decentralized local model aggregation for the users and play two roles: local model aggregator and blockchain consensus node; an edge node is a secure aggregation service platform established at the edge of the user network, for which a service provider supplies storage, computing and network resources; it is responsible for local models and performs partial model aggregation;
firstly, each user segments model parameters to generate a well-constructed global random number, and segments the global random number through a parameter segmentation algorithm;
then, the user sends the segmented model parameters and the global random number to the edge nodes connected with the user;
then, the edge nodes carry out local model aggregation and upload the result to the blockchain;
the blockchain ledger is used as a data sharing platform, global model aggregation is completed by a global model aggregation contract, and a global model covered by global random numbers is obtained; while the smart contract runs, each edge node queries the data of the other edge nodes from the shared blockchain ledger; meanwhile, an access control security policy is adopted, so that no entity other than the edge nodes and the users can acquire data uploaded to the ledger;
finally, the edge node sends the global model to the corresponding user, and the user completely removes the global random number to obtain the final global model;
user-side lightweight training is thereby realized on the basis of the global model, reducing the threat of privacy disclosure.
2. The lightweight federated learning privacy protection method based on decentralized security aggregation according to claim 1, wherein the method by which each user segments the model parameters to generate the global random number is as follows:
in federated learning training, the selected users train local models on their respective local data sets, and the local model of user $u_i$ is then calculated:
Figure FDA0003223981200000011
The method comprises the following steps:
first, the global model $w_0$, the number of training rounds $T$ and the learning rate $\lambda$ are initialized;
then, for each round of training, users $U_s$ are selected from the user set $U$ to participate in training;
then, for each user $U_s$, local model training is carried out through formula 1:
Figure FDA0003223981200000012
wherein $w_{t-1}$ represents the parameters of the training model in the previous round, $\eta$ represents the learning rate,
Figure FDA0003223981200000013
represents the gradient, L the loss function, w the model parameters, b the model parameters.
3. The lightweight federated learning privacy protection method based on decentralized security aggregation according to claim 1, wherein the method of partitioning the global random number by parameter segmentation and sending the parts to each connected edge node is as follows:
using the parameter segmentation algorithm, the local model parameters
Figure FDA0003223981200000021
and the global random number of user $u_i$
Figure FDA0003223981200000022
are partitioned; the partitioned data are sent to the respective connected edge nodes and uploaded to a smart contract for decentralized security aggregation;
in the parameter segmentation algorithm, let $v$ be the parameter, $n$ the number of segments to be generated by segmentation, seed the random number seed, and PRG the random number generator; the algorithm comprises the following steps:
first, a set of pseudo-random numbers is generated using PRG(seed), giving $\{r_1, r_2, \dots, r_n\}$, which represents $n$ pseudo-random numbers;
then, the parameter $v$ is segmented:
$v_i = v + r_i - r_{i+1}$, $i \in \{1, 2, \dots, n+1\}$, and let $v_n = v + r_n - r_0$;
wherein $v_i$, $v_n$ represent model parameters, and $r_i$, $r_{i+1}$ represent pseudo-random numbers;
finally, the set of $v_i$, $i \in \{1, 2, \dots, n+1\}$, is returned.
4. The lightweight federated learning privacy protection method based on decentralized security aggregation according to claim 1, wherein the method by which an aggregator performs decentralized security aggregation is as follows:
first, an edge node $Edg_j$ aggregates all partitioned local models using the global random numbers of the users selected in the next round of training
Figure FDA0003223981200000023
The aggregated local model
Figure FDA0003223981200000024
is then uploaded to the blockchain ledger; the blockchain ledger is used as a data sharing platform, and global model aggregation is carried out by a global model aggregation contract;
after all edge node data have been returned to the full set
Figure FDA0003223981200000025
the edge nodes compute and return the global model covered by the global random number
Figure FDA0003223981200000026
The global model is covered by the global random number of user $u_i$
Figure FDA0003223981200000027
5. The lightweight federated learning privacy protection method based on decentralized security aggregation according to claim 1, wherein after user $u_i$ obtains the global model
Figure FDA0003223981200000028
the user-defined random number that was added
Figure FDA0003223981200000029
is removed through
Figure FDA00032239812000000210
thereby obtaining the global model $g_t$;
Figure FDA00032239812000000211
represents the global random number of user $u_i$.
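The parameter segmentation of claim 3 and the edge-node and contract summation of claims 1 and 4 can be traced with the following added example, which is not code from the patent. It assumes SHAKE-256 as the PRG, a fixed-point integer encoding of parameters, and a mask index that wraps around (the claim leaves the boundary indices open); all function names are hypothetical, and the users' global random number cover of claim 5 is not modelled.

```python
import hashlib

SCALE = 10**6      # assumption: fixed-point scale for float parameters
MASK_BYTES = 16    # assumption: 128-bit masks

def prg(seed, n):
    """PRG(seed) -> n pseudo-random integers (SHAKE-256 is an assumption)."""
    stream = hashlib.shake_256(seed).digest(n * MASK_BYTES)
    return [int.from_bytes(stream[i * MASK_BYTES:(i + 1) * MASK_BYTES], "big")
            for i in range(n)]

def split(v, n, seed):
    """Shares v_i = v + r_i - r_{i+1}; the index wraps (assumed) so masks cancel."""
    if n < 2:
        raise ValueError("with one edge node the mask cancels and the share is v")
    enc = round(v * SCALE)
    r = prg(seed, n)
    return [enc + r[i] - r[(i + 1) % n] for i in range(n)]

def edge_partials(user_shares):
    """Edge node j adds up the j-th share received from every user."""
    return [sum(column) for column in zip(*user_shares)]

def global_sum(partials):
    """Contract step: summing all edge partials cancels every mask, leaving
    n * sum(v); dividing by n gives the sum of the users' parameters."""
    n = len(partials)
    total = sum(partials)
    if total % n:
        raise ValueError("sum of partials is not a multiple of n")
    return total // n / SCALE

if __name__ == "__main__":
    # Constructed sample: three users, one scalar parameter each, four edge nodes.
    users = {b"seed-u1": 0.25, b"seed-u2": -1.5, b"seed-u3": 0.123456}
    shares = [split(v, 4, seed) for seed, v in users.items()]
    partials = edge_partials(shares)
    print("edge node 0 sees:", partials[0])       # large masked integer
    print("aggregate:", global_sum(partials))     # sum of the three parameters
```

A single edge node, or any strict subset of them, holds a value that still carries an uncancelled mask difference; only the sum over all n partials is mask-free.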
CN202110966055.8A 2021-08-23 2021-08-23 Lightweight federated learning privacy protection method based on decentralized security aggregation Pending CN113806768A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110966055.8A CN113806768A (en) 2021-08-23 2021-08-23 Lightweight federated learning privacy protection method based on decentralized security aggregation

Publications (1)

Publication Number Publication Date
CN113806768A true CN113806768A (en) 2021-12-17

Family

ID=78893847

Country Status (1)

Country Link
CN (1) CN113806768A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination