CN114139147A - Targeted attack defense method and device - Google Patents

Targeted attack defense method and device

Info

Publication number
CN114139147A
Authority
CN
China
Prior art keywords
difference
feature vector
parameter
suspected
attack
Legal status
Pending (as listed by Google Patents; not a legal conclusion)
Application number
CN202111466436.6A
Other languages
Chinese (zh)
Inventor
张�诚
叶红
吕博良
程佩哲
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to application CN202111466436.6A; published as CN114139147A; legal status: pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Medical Informatics (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • Computer Hardware Design (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a method and a device for defending against targeted attacks. It relates to the fields of artificial intelligence and information security and can also be used in the financial field. The method comprises: receiving and labeling the difference parameters of a data model uploaded by a data processing requester, the data model having been obtained by the data processing requester through federated machine learning; reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters, to obtain a reconstructed feature vector; and performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector together with the labeling result. With this method and device, attacks on a specific artificial intelligence model in a federated learning system can be detected, data processing requesters that may be attackers can be dealt with in time, and targeted attack defense is completed.

Description

Targeted attack defense method and device
Technical Field
The application relates to the fields of artificial intelligence and information security, can be used in the field of finance, and in particular relates to a method and a device for defending against targeted attacks by participants in a bank federated learning system.
Background
Federated learning is an emerging machine learning method. The original training data does not need to be uploaded to a central server for unified training; instead, each participant trains locally under the coordination of the central server, which addresses the privacy protection problem of the training process at its root.
At present, the banking industry is beginning to develop and deploy federated learning systems in response to privacy protection requirements. However, a federated learning framework applied in banking without defensive measures is vulnerable to targeted attacks from client participants. Once triggered, a targeted attack may have serious information security consequences. Therefore, given the sensitivity of banking data and the need for privacy protection, an attacker's targeted attacks should be detected and defended against in time, and the attacker should be removed from the federated learning system so that the machine learning model cannot be maliciously damaged.
Disclosure of Invention
To address the problems in the prior art, the application provides a targeted attack defense method and device which can detect attacks carried out on a specific artificial intelligence model in a federated learning system and deal in time with data processing requesters that may be attackers, thereby completing targeted attack defense.
To solve this technical problem, the application provides the following technical scheme:
In a first aspect, the application provides a targeted attack defense method, including:
receiving and labeling the difference parameters of a data model uploaded by a data processing requester, the data model being obtained by the data processing requester through federated machine learning;
reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters, to obtain a reconstructed feature vector;
and performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
Further, reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters to obtain a reconstructed feature vector includes:
constructing the original feature vector from the model difference parameters;
removing suspected attack difference parameters from the difference parameters according to the weights;
and raising the feature dimension of the difference parameters from which the suspected attack difference parameters have been removed, so as to reconstruct the original feature vector and obtain the reconstructed feature vector.
Further, performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result includes:
determining the difference between the reconstructed feature vector and the original feature vector;
screening out the suspected attack difference parameters if the difference exceeds a preset detection threshold;
and locating a suspected attacking requester according to the labeling result and the screened-out suspected attack difference parameters, and rejecting the suspected attacking requester.
Further, after the suspected attacking requester is located according to the labeling result and the screened-out suspected attack difference parameters, the method further includes:
querying whether the suspected attacking requester was also screened out in previous rounds of targeted attack defense;
and if so, removing the suspected attacking requester as an actual attacking requester.
In a second aspect, the application provides a targeted attack defense apparatus, including:
a difference parameter determining unit, for receiving and labeling the difference parameters of a data model uploaded by a data processing requester, the data model being obtained by the data processing requester through federated machine learning;
a feature vector determining unit, for reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters, to obtain a reconstructed feature vector;
and an attack defense unit, for performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
Further, the feature vector determining unit includes:
an original vector construction module, for constructing the original feature vector from the model difference parameters;
a suspected parameter removing module, for removing suspected attack difference parameters from the difference parameters according to the weights;
and a feature vector reconstruction module, for raising the feature dimension of the difference parameters from which the suspected attack difference parameters have been removed, so as to reconstruct the original feature vector and obtain the reconstructed feature vector.
Further, the attack defense unit includes:
a difference determination module, for determining the difference between the reconstructed feature vector and the original feature vector;
a suspected parameter screening module, for screening out the suspected attack difference parameters if the difference exceeds a preset detection threshold;
and a removing module, for locating a suspected attacking requester according to the labeling result and the screened-out suspected attack difference parameters, and removing the suspected attacking requester.
Further, the targeted attack defense apparatus further includes:
a history query unit, for querying whether the suspected attacking requester was also screened out in previous rounds of targeted attack defense;
and a rejecting unit, for rejecting the suspected attacking requester as an actual attacking requester.
In a third aspect, the application provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable by the processor, the processor implementing the steps of the targeted attack defense method when executing the program.
In a fourth aspect, the application provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the targeted attack defense method.
To address the problems in the prior art, the targeted attack defense method and device can accurately identify the data processing requester carrying out a targeted attack, prevent the targeted attack from taking effect, strengthen protection of the data privacy of normal data processing requesters, and improve the security and defensive capability of a federated learning system.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. The drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a targeted attack defense method in an embodiment of the present application;
FIG. 2 is a flowchart of obtaining a reconstructed feature vector in an embodiment of the present application;
FIG. 3 is a flowchart of targeted attack defense in an embodiment of the present application;
FIG. 4 is a second flowchart of a targeted attack defense method in an embodiment of the present application;
FIG. 5 is a first structural diagram of a targeted attack defense apparatus in an embodiment of the present application;
FIG. 6 is a structural diagram of a feature vector determining unit in an embodiment of the present application;
FIG. 7 is a structural diagram of an attack defense unit in an embodiment of the present application;
FIG. 8 is a second structural diagram of a targeted attack defense apparatus in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of an electronic device in an embodiment of the present application;
FIG. 10 is a schematic diagram of an application scenario in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the present application.
The targeted attack defense method and device provided by the present application can be used in the financial field and in any field other than the financial field.
Application scenarios of the method described herein include, but are not limited to, financial risk defense. Specifically, a financial risk defense model such as a customer credit assessment model or a money laundering risk assessment model may be constructed using the federated learning system, and financial risk defense is then performed with the constructed model; see FIG. 10.
The financial risk defense model in the embodiments of the application is constructed by federated machine learning, an emerging machine learning method. During learning, the original training data does not need to be uploaded to a central server for unified training in order to obtain a data processing aggregate model that matches the business situation. Instead, each data processing requester (also a client participant in model training) first trains locally under the coordination of the central server to obtain a data processing local model; the feature parameters of the local models are then exchanged and the local models are aggregated into the data processing aggregate model. This addresses the privacy protection problem of machine learning at its root.
Generally, a federated learning system includes a central server 1, a large number of normal users 2 and a very small number of malicious attacking users 3. Both normal users 2 and malicious attacking users 3 access the federated learning system through their local clients. A normal user 2 may be a financial institution, including a bank; such institutions use their local original training data (including financial data) for federated learning to obtain a local financial risk defense model for local financial risk defense. A malicious attacking user 3 may be a user disguised as a financial institution who intends to subvert the federated learning system; it is also a participant in constructing the financial risk defense model, but unlike a normal user 2, it participates in order to disrupt the system and the construction of the financial risk defense model. The central server 1 collects the model parameters of the local financial risk defense models under the federated learning framework, aggregates the local models using these parameters into a financial risk defense aggregate model, and finally sends the aggregate model back to the users for financial risk defense.
In one embodiment, the federated learning system aims to construct a bank financial risk assessment model for bank financial risk judgment, solving the problem of identifying credit review defaults of small and micro customers. Normal users 2, malicious attacking users 3 and the central server 1 all participate in constructing this model.
In this embodiment, every normal user 2 trains its local model with its own normal local original training data (including financial data); the original model from which the local models are trained may be sent by the central server 1 to the client of each normal user 2. A malicious attacking user 3 may hold normal local original training data (including financial data) and, in addition, local original training data (including financial data) prepared for launching a targeted attack. Such attack training data misleads the training process of the model; in this embodiment, it labels the bad-loan features of small and micro customers' credit defaults as a normal tax feature in order to distort the federated learning system.
It should be noted that, before the central server 1 collects the model parameters of each user, a malicious attacking user 3 may train its local model on normal local original training data together with deliberately forged malicious local original training data, and then transmit the resulting model parameters, which carry the attack, to the central server 1. The attack identification process in the central server 1 uses autoencoder encoding and decoding operations to eliminate malicious, forged feature data; through detection statistics over the data, the malicious attacking user 3 (the attacker) is identified and penalized, so that the security of the federated learning system is ensured.
In an embodiment, referring to FIG. 1, in order to detect attacks carried out on a specific artificial intelligence model in a federated learning system and to deal in time with data processing requesters that may be attackers, thereby completing targeted attack defense, the application provides a targeted attack defense method including:
S101: receiving and labeling the difference parameters of a data model uploaded by a data processing requester, the data model being obtained by the data processing requester through federated machine learning;
S102: reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters, to obtain a reconstructed feature vector;
S103: performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
It can be understood that, on the one hand, financial institutions including banks currently need to train business data processing models by machine learning to meet their business data processing requirements; on the other hand, they face privacy protection requirements of many kinds. Deploying a federated learning system has therefore become the choice of financial institutions.
However, without proper defensive measures, a bank applying the federated learning framework is vulnerable to targeted attacks from client participants. Once triggered, a targeted attack is likely to have serious information security consequences. Therefore, given the sensitivity of banking data and the need for privacy protection, the attacker's targeted attack should be detected and defended against in time, and the attacker removed from the federated learning system, so that the machine learning model cannot be maliciously damaged.
It should be noted that the objective of a targeted attack, i.e. of the adversary, is to make the trained data processing model fail on certain targeted subtasks while maintaining good overall performance on the main task. For example, in a classification task, an attacker may want the data processing model to misclassify certain "distressed persons" as "persons with good credit" while ensuring that other persons are still classified correctly.
In the application scenario above, the client participants in model training, i.e. the data processing requesters, may be bank branches. Under the federated learning framework, each branch uses the original training data (including financial data) of its own branch to construct a data processing local model; the model parameters are then uploaded to the central server for subsequent model aggregation.
During model aggregation, the targeted attack defense method provided by the application must be applied in order to detect attacks on a specific model in the federated learning system, deal in time with data processing requesters that may be attackers, and complete targeted attack defense.
Specifically, the model difference parameters transmitted by each data processing requester (also called a client participant) to the central server of the bank federated learning system are first characterized to obtain a feature vector of the difference parameters; next, dimension reduction, anomaly screening and data reconstruction are performed on the feature vector, and the reconstruction error is used as the detection index for targeted attacks; data with a higher reconstruction error is identified as possibly carrying a targeted attack, and the client participant that sent the corresponding difference parameters is treated as an attacker; finally, the attackers are dealt with in time and the targeted attack is defended against.
From the above description, the targeted attack defense method provided by the application can accurately identify the data processing requester carrying out a targeted attack, prevent the targeted attack from taking effect, strengthen protection of the data privacy of normal data processing requesters, and improve the security and defensive capability of the federated learning system.
In an embodiment, referring to FIG. 2, reconstructing the original feature vector corresponding to the difference parameters according to the weights of the difference parameters to obtain a reconstructed feature vector includes:
S201: constructing the original feature vector from the model difference parameters;
S202: removing suspected attack difference parameters from the difference parameters according to the weights;
It can be understood that each client participant in the bank federated learning system sends the difference parameters of its data processing local model to the central server, which preprocesses the difference parameters before carrying out attack identification. Preprocessing includes, but is not limited to, data normalization.
It should be noted that, in the federated learning system, the central server S first sends the original training model G_t to the n client participants; each client participant k trains on its local data set D_k (k = 1, …, n) and obtains a new data processing local model L_{t+1}. After completing the local training, the client participant transmits the difference parameters L_{t+1} − G_t to the central server. After collecting the difference parameters uploaded by all client participants, the central server labels them for subsequent attack identification. Labeling associates each set of difference parameters with the client participant that uploaded it, so that when difference parameters are judged to be suspected of carrying an attack they can be traced to a specific client participant, which can then be rejected from the federated learning system.
Under normal conditions, if no attacker is present, the central server S updates the global joint model from the received difference parameters, i.e. aggregates the data processing local models into a data processing aggregate model:
[Equation image BDA0003383091820000071; not reproduced in the text]
If some client participants are carrying out a targeted attack, they try to replace the global model in the central server S with maliciously constructed global model parameters X:
[Equation image BDA0003383091820000072; not reproduced in the text]
The attacker therefore submits its model parameters to the central server in the following form:
[Equation image BDA0003383091820000073; not reproduced in the text]
This attack scales the weight of the attack parameters X by the factor
[Equation image BDA0003383091820000074; not reproduced in the text]
so that the attack survives the global averaging performed by the central server S and, after several iterations, completes the attack on the federated learning system by replacing the global model. The method of the present application defends against this kind of attack on the data processing aggregate model:
[Equation image BDA0003383091820000081; not reproduced in the text]
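The aggregation step and the scaled model-replacement attack described above, as an added example in Python; this is not the patent's own code, whose equations appear on this page only as images. It assumes the standard federated averaging rule G_{t+1} = G_t + (eta / n) · Σ_k (L_k − G_t) and the usual form of the scaled attack, L_attacker = G_t + gamma · (X − G_t) with gamma = n / eta; the global model G_t, the benign clients' local models and the attacker's target X are constructed values.

```python
from typing import List, Optional, Sequence

Vector = List[float]


def fedavg(global_model: Sequence[float], diffs: Sequence[Sequence[float]],
           eta: float = 1.0) -> Vector:
    """Server aggregation of the uploaded difference parameters L_k - G_t:
    G_{t+1} = G_t + (eta / n) * sum_k (L_k - G_t)   (assumed standard FedAvg rule)."""
    n = len(diffs)
    return [g + eta * sum(d[i] for d in diffs) / n for i, g in enumerate(global_model)]


def local_diff(local_model: Sequence[float], global_model: Sequence[float]) -> Vector:
    """What an honest client uploads: its trained local model minus the global model."""
    return [l - g for l, g in zip(local_model, global_model)]


def model_replacement_diff(global_model: Sequence[float], target: Sequence[float],
                           n_clients: int, eta: float = 1.0,
                           gamma: Optional[float] = None) -> Vector:
    """What the attacker uploads: gamma * (X - G_t). With gamma = n / eta the
    averaging step divides the scaling away and the aggregate lands on X
    (assumed form of the attack; the page's own formula is only an image)."""
    if gamma is None:
        gamma = n_clients / eta
    return [gamma * (x - g) for x, g in zip(target, global_model)]


def simulate_round(scale_attack: bool) -> Vector:
    """One aggregation round: four benign clients and one attacker (constructed values)."""
    g_t = [1.0, 2.0, 3.0]          # current global model G_t
    target_x = [1.0, 2.0, -5.0]    # attacker's X: flip coordinate 2, leave the rest intact
    # Constructed benign local models; their differences cancel exactly, so the
    # attacker's effect on the aggregate can be read off directly.
    benign_locals = [[1.25, 2.0, 3.5], [0.75, 2.0, 2.5], [1.5, 2.25, 3.0], [0.5, 1.75, 3.0]]
    diffs = [local_diff(l, g_t) for l in benign_locals]
    n = len(benign_locals) + 1
    gamma = None if scale_attack else 1.0   # gamma = 1.0: attacker submits X - G_t unscaled
    diffs.append(model_replacement_diff(g_t, target_x, n, gamma=gamma))
    return fedavg(g_t, diffs)


if __name__ == "__main__":
    print("scaled attack   ->", simulate_round(True))    # equals X: global model replaced
    print("unscaled attack ->", simulate_round(False))   # diluted by averaging
```

With the scaling factor the aggregate is exactly X after a single round; without it the attacker's change is divided by n and the targeted coordinate only moves part of the way, which is why the scaled update has to be caught before averaging rather than after it.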
Attack identification in the federated learning system consists of an intelligent encoding process, an intelligent decoding process and an attack identification process. In the specific implementation of S201, the intelligent encoding process first maps the difference parameters received from the client participant into a high-dimensional space; the data dimension can be raised by one-hot encoding, expanding data containing N discrete attribute values into a numerical feature vector of size 3 × 28 × 28. The vector dimension is not limited in this application; it is only an example to show that the method is feasible. The intelligent encoder is a combination of three convolutional neural network layers whose convolution kernel sizes may be 3 × 3 × 64, 3 × 3 × 128 and 7 × 7 × 32 respectively (the application is not limited to these). Each convolution layer extracts different important features for learning; the commonly used nonlinear sigmoid function may serve as the activation function of the intelligent encoder, and dropout of 0.2 may be used for regularization to avoid overfitting.
In the specific implementation of S202, after the three convolution layers the numerical vector is converted into a low-dimensional feature value of size 32 × 1, i.e. the data is dimension-reduced; as the dimension decreases, the data no longer carries all of the feature values. Therefore, in the machine learning process, the important features that express the characteristics of the original training data are retained and the other, redundant feature components are discarded. During dimension reduction the targeted attack data, which is designed to affect a specific target and to stay hidden, is deliberately kept at a small weight: it is of lower importance than the other feature components and is automatically removed by the dimension reduction. In summary, removing the suspected attack difference parameters from the difference parameters according to the weights includes: performing feature dimension reduction on the original feature vector, so that the low-weight suspected attack difference parameters are removed during the dimension reduction. What counts as "low weight" can be set according to the application scenario and is not limited by this application; "low" is relative to the weights of the non-suspected difference parameters.
S203: raising the feature dimension of the difference parameters from which the suspected attack difference parameters have been removed, to reconstruct the original feature vector and obtain the reconstructed feature vector.
The intelligent decoding process is designed as the mirror image of the intelligent encoding process, i.e. the convolutional network sizes are 7 × 7 × 32, 3 × 3 × 128 and 3 × 3 × 64 respectively, and the three-layer intelligent decoder restores the previously generated low-dimensional feature vector to a feature vector of size 3 × 28 × 28. As the dimension increases, the feature value space that can be carried grows again: the important features are restored to their original size, and the unimportant (i.e. attack) feature components are zero-filled. The reconstructed feature vector therefore has the original size, but only the important (non-attack) features are restored; the attack feature components contained in the local original training data cannot be reconstructed. In summary, raising the feature dimension of the difference parameters after the suspected attack difference parameters have been removed, to reconstruct the original feature vector and obtain the reconstructed feature vector, includes: filling the vector corresponding to the difference parameters from which the suspected attack difference parameters have been removed with zero vectors, so as to complete the dimension raising and obtain the reconstructed feature vector.
As can be seen from the above description, the targeted attack defense method provided by the present application can reconstruct the original feature vector corresponding to the difference parameter according to the weight of the difference parameter, so as to obtain a reconstructed feature vector.
In an embodiment, referring to FIG. 3, performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result includes:
S301: determining the difference between the reconstructed feature vector and the original feature vector;
S302: judging whether the difference exceeds a preset detection threshold;
S303: screening out the suspected attack difference parameters;
S304: locating a suspected attacking requester according to the labeling result and the screened-out suspected attack difference parameters, and rejecting the suspected attacking requester.
It can be understood that the 3 × 28 × 28 original feature vector necessarily differs from the 3 × 28 × 28 reconstructed feature vector by some reconstruction error. The average of all reconstruction errors is set as the detection threshold; a reconstruction error above the threshold means a large difference before and after reconstruction, indicating that the original feature vector contains much suspected attack data, in particular feature data carefully designed for launching a targeted attack. Using the labeling result, the client participant that uploaded this data can be identified. Client participants that provide data with larger error may be flagged as attackers suspected of launching a targeted attack. The difference parameters of a normal client participant are labeled 0 and those of an abnormal client participant suspected of launching a targeted attack are labeled 1; the labeled difference parameters are passed to the federated learning system for penalty handling, and the client participant suspected of launching an attack (i.e. the suspected attacking requester) is removed.
From the above description, it can be known that the targeted attack defense method provided by the present application can perform targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
In an embodiment, referring to fig. 4, after the suspected offensive requester is located according to the labeling result and the screened suspected difference attack parameter, the method further includes:
S401: querying whether the suspected offensive requester was already screened out in a previous round of targeted attack defense;
S402: if so, removing the suspected offensive requester as an actual offensive requester.
It will be appreciated that the attack handling performed by the federated learning system can be divided into a malicious data handling process and an offensive participant handling process.
Malicious data handling process: the marked data from the attack identification process are received; the difference parameters of normal client participants (marked 0) are passed directly to the central server, which aggregates the models of all normal client participants, encrypts the aggregated global model parameters and returns them to the normal client participants, completing one round of federated machine learning. For a client participant marked as a suspected attacker in that round, the central server does not deliver the aggregated global model parameters but instead sends it parameters of value 0. If in the next round the difference parameters of that participant are identified as normal, delivery of the aggregated model parameters to it is restored.
Offensive participant handling process: the difference parameters of client participants marked 1 are received from the marked data of the attack identification process. During federated learning, once the number of rounds in which a client participant has been counted as a suspected attacker reaches 1/2 of the number of training rounds, that participant is judged to be carrying out a malicious targeted attack; the federated learning system blacklists and removes it, protecting the security of the system.
That is, the above process completes the aggregation and encrypted transmission of each client participant's data and precisely handles the client participants that launch targeted attacks, thereby ensuring the security of the federated learning system.
From the above description, the targeted attack defense method provided by the application can accurately identify the data processing requester that launches a targeted attack, prevent the targeted attack from being carried out, strengthen the protection of the data privacy of normal data processing requesters, and improve the security and defensive capability of the federated learning system.
To show the feasibility of the method of the present application more clearly, the specific flow is as follows:
Step 1: the central server of the federated learning system collects the difference parameters of the local data processing models uploaded by each client participant and forwards the collected difference parameters.
Step 2: the difference parameter data of each client participant are characterized and converted into a numerical feature vector of size 3 × 28 × 28. The feature vector is fed to the three-layer neural network of the intelligent encoder, which reduces it to 32 × 1. During dimension reduction, a feature vector that carries a targeted attack has low importance (weight) relative to the other feature vectors, because it is aimed at one specific target; the neural network discards the redundant components, and the reduced data retain only the important features, i.e. the feature vectors without a targeted-attack function.
Step 3: the reduced feature vector is fed to an intelligent decoder whose structure mirrors the intelligent encoder; it is decoded and reconstructed back to the original size, and the feature vectors with a targeted-attack function that were removed during dimension reduction are not reconstructed.
Step 4: the reconstruction error between the original feature vector and the reconstructed feature vector is computed, and the average of all reconstruction errors is set as the attack detection threshold. Client participants whose error is above the threshold are marked as suspected targeted attackers; the identified normal and abnormal feature vectors are marked 0 and 1 respectively to distinguish them.
Step 5: the feature vectors of the marked client participants are handled precisely. For the feature vectors (i.e. difference parameters) identified as belonging to normal client participants, the central server of the federated learning system aggregates the parameters and transmits the encrypted global parameters to the normal client participants. The feature vectors (difference parameters) of client participants identified as suspected attackers are not taken into the aggregation, and the federated learning system does not pass the global aggregated parameters to them but passes zero parameters instead.
Step 6: count, per training round, the client participants identified as suspected targeted attack initiators; when the count for a client participant reaches 1/2 of the number of training rounds, that client participant is blacklisted and excluded from the federated learning system.
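The six steps above, together with the threshold and handling passages before them, as one added example in Python; this is not the patent's own code. The patent's learned three-layer encoder/decoder is stood in for by a fixed projection onto the K coordinates with the highest population-level weight, zero-filled on the way back (the form claim 4 describes). The weight definition (mean absolute value of each coordinate across all clients), the constructed client updates in make_round and the min_rounds safeguard in AttackerLedger are assumptions of this example.

```python
"""Added example (not the patent's code): reconstruction-error screening of
federated-learning difference parameters and the handling of steps 4-6.
The learned encoder/decoder is replaced by a fixed top-K projection with
zero-filling; weights, sample data and min_rounds are assumptions."""
import random
from typing import Dict, List, Sequence

C, H, W = 3, 28, 28   # the 3 x 28 x 28 feature vector of the text
D = C * H * W         # 2352 scalar difference parameters per client
K = 32                # reduced dimension (32 x 1 in the text)


def population_weights(vectors: Sequence[Sequence[float]]) -> List[float]:
    """Assumed weight: mean |value| per coordinate across all clients."""
    n = len(vectors)
    return [sum(abs(v[j]) for v in vectors) / n for j in range(D)]


def reconstruct(vec: Sequence[float], keep: Sequence[int]) -> List[float]:
    """Keep K coordinates (dimension reduction), zero-fill the rest (raising)."""
    out = [0.0] * D
    for j in keep:
        out[j] = vec[j]
    return out


def reconstruction_error(vec: Sequence[float], rec: Sequence[float]) -> float:
    return sum((a - b) ** 2 for a, b in zip(vec, rec))


def label_clients(updates: Dict[str, Sequence[float]]) -> Dict[str, int]:
    """Step 4: error above the mean of all errors -> 1 (suspect), else 0."""
    weights = population_weights(list(updates.values()))
    keep = sorted(range(D), key=lambda j: -weights[j])[:K]
    errors = {cid: reconstruction_error(v, reconstruct(v, keep))
              for cid, v in updates.items()}
    threshold = sum(errors.values()) / len(errors)
    return {cid: int(e > threshold) for cid, e in errors.items()}


def aggregate(updates: Dict[str, Sequence[float]],
              labels: Dict[str, int]) -> Dict[str, List[float]]:
    """Step 5: average only label-0 clients; suspects get all-zero parameters."""
    normal = [updates[c] for c, l in labels.items() if l == 0]
    if normal:
        global_delta = [sum(col) / len(normal) for col in zip(*normal)]
    else:
        global_delta = [0.0] * D
    return {c: (list(global_delta) if l == 0 else [0.0] * D)
            for c, l in labels.items()}


class AttackerLedger:
    """Step 6 / fig. 4: blacklist a client once its flag count reaches half the
    rounds completed. min_rounds is an added safeguard, not in the patent."""

    def __init__(self, min_rounds: int = 2):
        self.rounds = 0
        self.min_rounds = min_rounds
        self.flags: Dict[str, int] = {}
        self.blacklist: set = set()

    def record(self, labels: Dict[str, int]) -> set:
        self.rounds += 1
        for cid, l in labels.items():
            if l == 1:
                self.flags[cid] = self.flags.get(cid, 0) + 1
        if self.rounds >= self.min_rounds:
            for cid, n in self.flags.items():
                if 2 * n >= self.rounds:
                    self.blacklist.add(cid)
        return set(self.blacklist)


def make_round(seed: int, n_normal: int = 9) -> Dict[str, List[float]]:
    """Constructed data: normal clients share energy on K coordinates; the
    attacker looks normal there but spikes 3 coordinates nobody else uses."""
    rng = random.Random(seed)
    important = rng.sample(range(D), K)
    imp = set(important)
    target = rng.sample([j for j in range(D) if j not in imp], 3)

    def base() -> List[float]:
        v = [rng.uniform(-0.01, 0.01) for _ in range(D)]
        for j in important:
            v[j] = rng.uniform(0.8, 1.2)
        return v

    updates = {f"client{i}": base() for i in range(n_normal)}
    attacker = base()
    for j in target:
        attacker[j] = 5.0   # targeted push on coordinates of low population weight
    updates["attacker"] = attacker
    return updates
```

Calling label_clients(make_round(0)) marks only "attacker" with 1: its spike lands on coordinates whose population weight is far below the shared ones, so they are dropped and never reconstructed, while the normal clients lose only their tiny noise. aggregate then returns the mean of the nine normal updates to those clients and an all-zero vector to the attacker, and a second flagged round makes AttackerLedger blacklist it. Because the threshold is the round's mean, at least one client exceeds it whenever the errors differ at all, so the per-round label alone must never trigger removal; that is what the ledger's multi-round count is for.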
In summary, the method of the present application has the following effects and advantages:
First, it strengthens the data privacy security of legitimate participants: the data transmitted by each participant in the federated learning system are protected by encryption, and by detecting and identifying offensive participants the federated learning model parameters are prevented from being delivered to an attacker, so the private data of legitimate participants are protected.
Second, it improves the security and defensive capability of the federated learning system: the banking industry currently lacks a means of defending against targeted attacks launched on its federated learning systems. The encoding-decoding intelligent detection mechanism provided here accurately identifies the attacking party and promptly eliminates the malicious model parameters it transmits, so that the attack cannot affect the federated learning system and its security and defensive capability are improved.
Based on the same inventive concept, the embodiment of the present application further provides a targeted attack defense apparatus, which can be used to implement the method described in the above embodiment, as described in the following embodiments. Because the principle by which the targeted attack defense apparatus solves the problem is similar to that of the targeted attack defense method, the implementation of the apparatus can refer to the implementation of the method, and repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the embodiments below is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
In an embodiment, referring to fig. 5, in order to detect an offensive behavior performed on a specific artificial intelligence model in a federal learning system, and timely handle a data processing request party with a possibility of attack to complete a targeted attack defense, the application provides a targeted attack defense apparatus, including: a difference parameter determination unit 501, a feature vector determination unit 502, and an attack defense unit 503.
A difference parameter determining unit 501, configured to receive and label a difference parameter of a data model uploaded by a data processing requester; the data model is obtained by the data processing requester through federal machine learning;
a feature vector determining unit 502, configured to reconstruct an original feature vector corresponding to the difference parameter according to the weight of the difference parameter, to obtain a reconstructed feature vector;
and an attack defense unit 503, configured to perform targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
In an embodiment, referring to fig. 6, the feature vector determining unit 502 includes: an original vector construction module 601, a suspected parameter removal module 602, and a feature vector reconstruction module 603.
An original vector construction module 601, configured to construct the original feature vector according to the model difference parameter;
a suspected parameter removing module 602, configured to remove a suspected difference attack parameter in the difference parameters according to the weight;
a feature vector reconstruction module 603, configured to perform feature dimension enhancement on the difference parameter from which the suspected difference attack parameter is removed, so as to reconstruct the original feature vector, and obtain the reconstructed feature vector.
In an embodiment, referring to fig. 7, the attack defense unit 503 includes: a difference determination module 701, a suspected parameter screening module 702, and a culling module 703.
A difference determining module 701, configured to determine a difference between the reconstructed feature vector and the original feature vector;
a suspected parameter screening module 702, configured to screen out the suspected difference attack parameter if the difference exceeds a preset detection threshold;
a removing module 703, configured to locate a suspected aggressive requester according to the labeling result and the screened suspected differential attack parameter, and remove the suspected aggressive requester.
In an embodiment, referring to fig. 8, the targeted attack defense apparatus further includes: history inquiry unit 801 and culling unit 802.
A history querying unit 801, configured to query whether the suspected offensive requester has been screened out in the previous targeted attack defense process;
a rejecting unit 802, configured to reject the suspected offensive requester as an actual offensive requester.
In order to detect an aggressive behavior performed on a specific artificial intelligence model in a federal learning system, timely handle a data processing request party with a possibility of attack, and complete a targeted attack defense from a hardware level, the present application provides an embodiment of an electronic device for implementing all or part of the contents of the targeted attack defense method, where the electronic device specifically includes the following contents:
a processor, a memory, a communication interface and a bus; the processor, the memory and the communication interface communicate with one another through the bus; the communication interface implements information transmission between the targeted attack defense apparatus and related equipment such as a core service system, a user terminal and related databases; the logic controller may be a desktop computer, a tablet computer, a mobile terminal or the like, but the embodiment is not limited thereto. In this embodiment, the logic controller may be implemented with reference to the embodiments of the targeted attack defense method and apparatus above, the contents of which are incorporated herein and are not repeated.
The user terminal may include a smartphone, a tablet, a network set-top box, a portable computer, a desktop computer, a personal digital assistant (PDA), an in-vehicle device, a smart wearable device and the like, where smart wearable devices include smart glasses, smart watches, smart bracelets and the like.
In practical applications, part of the targeted attack defense method may be executed on the electronic device side as described above, or all operations may be completed in the client device. The selection may be specifically performed according to the processing capability of the client device, the limitation of the user usage scenario, and the like. This is not a limitation of the present application. The client device may further include a processor if all operations are performed in the client device.
The client device may have a communication module (i.e., a communication unit), and may be in communication connection with a remote server to implement data transmission with the server. The server may include a server on the side of the task scheduling center, and in other implementation scenarios, the server may also include a server on an intermediate platform, for example, a server on a third-party server platform that is communicatively linked to the task scheduling central server. The server may include a single computer device, or may include a server cluster formed by a plurality of servers, or a server structure of a distributed apparatus.
Fig. 9 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 9, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 9 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In an embodiment, the targeted attack defense method functions may be integrated into the central processor 9100. The central processor 9100 may be configured to control as follows:
s101: receiving and marking a difference parameter of a data model uploaded by a data processing requester; the data model is obtained by the data processing requester through federal machine learning;
s102: reconstructing an original feature vector corresponding to the difference parameter according to the weight of the difference parameter to obtain a reconstructed feature vector;
s103: and according to the difference between the reconstructed feature vector and the original feature vector and a labeling result, performing targeted attack defense.
From the above description, the targeted attack defense method provided by the application can accurately identify the data processing requester that launches a targeted attack, prevent the targeted attack from being carried out, strengthen the protection of the data privacy of normal data processing requesters, and improve the security and defensive capability of the federated learning system.
In another embodiment, the targeted attack defense apparatus may be configured separately from the central processor 9100, for example as a chip connected to the central processor 9100, with the functions of the targeted attack defense method implemented under the control of the central processor.
As shown in fig. 9, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 9; in addition, the electronic device 9600 may further include components not shown in fig. 9, which may be referred to in the prior art.
As shown in fig. 9, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 may be, for example, one or more of a buffer, a flash memory, a hard drive, removable media, volatile memory, non-volatile memory or another suitable device. It may store information relating to the method together with a program for executing it, and the central processor 9100 can execute the program stored in the memory 9140 to perform information storage or processing.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 may be solid-state memory such as read-only memory (ROM), random-access memory (RAM) or a SIM card. It may also include memory that retains its contents when power is off, can be selectively erased and rewritten with further data, of which an EPROM is one example. The memory 9140 may also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer) and an application/function storage portion 9142 for storing application programs and function programs, or for executing the operation flow of the electronic device 9600 through the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless lan module, may be disposed in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
Embodiments of the present application further provide a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements all steps of the targeted attack defense method of the foregoing embodiments, whether the executing entity is the server or the client. For example, when the processor executes the computer program, the following steps are implemented:
s101: receiving and marking a difference parameter of a data model uploaded by a data processing requester; the data model is obtained by the data processing requester through federal machine learning;
s102: reconstructing an original feature vector corresponding to the difference parameter according to the weight of the difference parameter to obtain a reconstructed feature vector;
s103: and according to the difference between the reconstructed feature vector and the original feature vector and a labeling result, performing targeted attack defense.
From the above description, the targeted attack defense method provided by the application can accurately identify the data processing requester that launches a targeted attack, prevent the targeted attack from being carried out, strengthen the protection of the data privacy of normal data processing requesters, and improve the security and defensive capability of the federated learning system.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A targeted attack defense method, comprising:
receiving and marking a difference parameter of a data model uploaded by a data processing requester; the data model is obtained by the data processing requester through federated machine learning;
reconstructing an original feature vector corresponding to the difference parameter according to the weight of the difference parameter to obtain a reconstructed feature vector;
and according to the difference between the reconstructed feature vector and the original feature vector and a labeling result, performing targeted attack defense.
2. The method according to claim 1, wherein reconstructing the original feature vector corresponding to the difference parameter according to the weight of the difference parameter to obtain a reconstructed feature vector comprises:
constructing the original feature vector according to the difference parameter;
removing suspected difference attack parameters in the difference parameters according to the weights;
and performing feature dimension raising on the difference parameter from which the suspected difference attack parameter is removed to reconstruct the original feature vector to obtain the reconstructed feature vector.
3. The method of claim 2, wherein removing the suspected difference attack parameter from the difference parameters according to the weight comprises:
performing feature dimension reduction on the original feature vector, the suspected difference attack parameter with low weight being removed in the course of the feature dimension reduction.
4. The method according to claim 2, wherein performing feature dimension raising on the difference parameter from which the suspected difference attack parameter has been removed, so as to reconstruct the original feature vector and obtain the reconstructed feature vector, comprises:
supplementing a zero vector into the vector corresponding to the difference parameter from which the suspected difference attack parameter has been removed, to complete the feature dimension raising and obtain the reconstructed feature vector.
5. The method according to claim 2, wherein the defending against the targeted attack according to the difference between the reconstructed feature vector and the original feature vector and the labeling result comprises:
determining a difference between the reconstructed feature vector and the original feature vector;
screening the suspected difference attack parameter if the difference exceeds a preset detection threshold;
and positioning a suspected aggressive requester according to the labeling result and the screened suspected difference attack parameter, and rejecting the suspected aggressive requester.
6. The method of claim 3, further comprising, after locating the suspected offensive requester according to the labeling result and the screened suspected difference attack parameter:
inquiring whether the suspected offensive requester is screened out in the process of carrying out targeted attack defense in the past;
and if so, removing the suspected offensive requester as an actual offensive requester.
7. A targeted attack defense apparatus, comprising:
the difference parameter determining unit is used for receiving and marking the difference parameter of the data model uploaded by the data processing request party; the data model is obtained by the data processing requester through federated machine learning;
the feature vector determining unit is used for reconstructing an original feature vector corresponding to the difference parameter according to the weight of the difference parameter to obtain a reconstructed feature vector;
and the attack defense unit is used for performing targeted attack defense according to the difference between the reconstructed feature vector and the original feature vector and the labeling result.
8. The targeted attack defense apparatus according to claim 7, wherein the feature vector determination unit includes:
the original vector construction module is used for constructing the original characteristic vector according to the difference parameter;
a suspected parameter removing module, configured to remove a suspected difference attack parameter from the difference parameters according to the weight;
and the feature vector reconstruction module is used for performing feature dimension increasing on the difference parameter after the suspected difference attack parameter is removed so as to reconstruct the original feature vector and obtain the reconstructed feature vector.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the targeted attack defense method according to any one of claims 1 to 6 are implemented by the processor when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the targeted attack defense method of any one of claims 1 to 6.
CN202111466436.6A 2021-11-30 2021-11-30 Targeted attack defense method and device Pending CN114139147A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111466436.6A CN114139147A (en) 2021-11-30 2021-11-30 Targeted attack defense method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111466436.6A CN114139147A (en) 2021-11-30 2021-11-30 Targeted attack defense method and device

Publications (1)

Publication Number Publication Date
CN114139147A true CN114139147A (en) 2022-03-04

Family

ID=80387615

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111466436.6A Pending CN114139147A (en) 2021-11-30 2021-11-30 Targeted attack defense method and device

Country Status (1)

Country Link
CN (1) CN114139147A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114399384A (en) * 2022-03-25 2022-04-26 鲁担(山东)数据科技有限公司 Risk strategy generation method, system and device based on privacy calculation



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination