Differential privacy federation learning method for resisting member reasoning attack

Info

Publication number: CN114785559A
Authority: CN (China)
Prior art keywords: network model, data, global network, client, model parameters
Legal status: Pending
Application number: CN202210314533.1A
Other languages: Chinese (zh)
Inventors: 陈隆, 马川, 韦康, 李骏
Current assignee: Nanjing University of Science and Technology
Original assignee: Nanjing University of Science and Technology
Priority date: 2022-03-29
Filing date: 2022-03-29
Publication date: 2022-07-22
Application filed by Nanjing University of Science and Technology; priority to CN202210314533.1A; published as CN114785559A.

Classifications

    • H04L63/1441: Countermeasures against malicious traffic (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic)
    • G06N20/00: Machine learning
    • G06N3/045: Combinations of networks (under G06N3/00 Computing arrangements based on biological models; G06N3/02 Neural networks; G06N3/04 Architecture, e.g. interconnection topology)
    • G06N3/08: Learning methods (under G06N3/02 Neural networks)
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/14 Network analysis or design)

Abstract

The invention discloses a differential privacy federated learning method for resisting membership inference attacks, comprising the following steps: each client trains a generative adversarial network (GAN) model on its local data and uses it to generate fake (synthetic) data; in each round of federated learning communication, the server randomly selects the clients that participate in the round and issues the global network model parameters, the loss function used in training, and the optimizer; the selected clients train the global network model on the fake data and send the trained global network model parameters back to the server; the server updates the global network model parameters by federated averaging; and the server decides whether to continue with the next round of communication, issuing the global network model parameters again if so, and otherwise ending the communication and storing the global network model parameters. The invention further protects client data privacy under the existing data-silo condition and helps resist membership inference attacks.

Description

Differential privacy federation learning method for resisting member reasoning attack
Technical Field
The invention relates to the technical field of machine learning, in particular to a differential privacy federated learning method for resisting membership inference attacks.
Background
Federated learning is a distributed machine learning framework with built-in privacy protection; it aims to train machine learning models collaboratively across scattered clients without leaking their data. It solves the problem of different data owners cooperating without exchanging data by designing a virtual shared model under the federated learning architecture. Because the data never leaves its owner, user privacy is protected effectively and data-compliance requirements are met.
However, federated learning tends to perform poorly under resource-constrained conditions, for example when a client's training data set is small, which hampers training. Moreover, when some clients have insufficient data, the global network models they train can negatively affect the overall global network model when aggregated at the server.
For resisting membership inference attacks, existing federated learning methods generally add noise to the parameters of the global network model while the client trains it. Adding noise to the model parameters during training buys resistance to membership inference at the cost of a large loss of model performance; this is an obvious defect that needs improvement.
Disclosure of Invention
Against membership inference attacks in a federated learning architecture, the invention provides a differential privacy federated learning method for resisting such attacks, so that the privacy-leakage risk of the system model is reduced and privacy protection is enhanced.
The technical solution that achieves the purpose of the invention is as follows. A differential privacy federated learning method for resisting membership inference attacks comprises the following steps:
step 1, each client trains a generative adversarial network (GAN) model on its local data;
step 2, each client generates fake data with its GAN model;
step 3, for each round of federated learning communication, the server randomly selects the clients participating in the round and issues the global network model parameters, the loss function used in training, and the optimizer;
step 4, the selected clients train the global network model on the fake data and send the trained global network model parameters back to the server;
step 5, the server updates the global network model parameters by federated averaging;
step 6, the server decides whether to continue with the next round of communication; if so, it returns to step 3, otherwise it ends the communication and stores the global network model parameters.
Further, the server and the clients communicate by transmitting the global network model parameters together with the loss function and optimizer required for training; training data is never transmitted directly.
Further, the GAN model is a conditional GAN, in which conditional constraints are added to restrict the classes and attributes of the generated fake data.
Further, when the GAN model generates fake data, its parameters can be set so that the fake data resembles the original samples, or the fake data can be generated at random.
Further, when the server selects the clients for the current round of communication, only clients that have already trained their GAN model are selected to participate in the round.
Further, the client trains the global network model on fake data, where the client selects the data set used for global network model training: either the real data set mixed with fake data in a set proportion, or the fake data set alone.
Further, the server aggregates the global network model parameters with the federated averaging algorithm or an SMPC (secure multi-party computation) algorithm.
Compared with the prior art, the invention has the following notable advantages: (1) the adopted federated learning architecture generates fake data with a GAN, which enlarges the user's data set and at the same time increases resistance to membership inference attacks, thereby effectively protecting client data privacy; (2) when client resources are limited, training on GAN-generated fake data effectively improves global network model performance, mitigates the under-training of the global network model caused by insufficient data, and enriches the data set while improving model performance; (3) the method uses GAN-generated fake data in the training of the global network model; the global network model's resistance to membership inference attacks increases with the proportion of fake data while its accuracy decreases only slightly, which is superior to the conventional noise-addition method for resisting membership inference attacks.
Drawings
FIG. 1 is a flow chart of the differential privacy federated learning method of the present invention for resisting membership inference attacks.
FIG. 2 is a schematic diagram of the system during the model training process of the present invention.
FIG. 3 is a graph of the performance of the classifier trained on the MNIST data set with different proportions of fake data according to the present invention.
FIG. 4 is a graph of the effect of resisting membership inference attacks on the MNIST data set.
Detailed Description
With reference to FIG. 1 and FIG. 2, the invention provides a differential privacy federated learning method for resisting membership inference attacks, which comprises the following steps:
step 1, each client trains a generative adversarial network (GAN) model on its local data;
step 2, each client generates fake data with its GAN model;
step 3, for each round of federated learning communication, the server randomly selects the clients participating in the round and issues the global network model parameters, the loss function used in training, and the optimizer;
step 4, the selected clients train the global network model on the fake data and send the trained global network model parameters back to the server;
step 5, the server updates the global network model parameters by federated averaging;
step 6, the server decides whether to continue with the next round of communication; if so, it returns to step 3, otherwise it ends the communication and stores the global network model parameters.
Furthermore, the server and the clients communicate by transmitting the global network model parameters together with the loss function and optimizer required for training; training data is never transmitted directly.
Furthermore, the GAN model is a conditional GAN, in which conditional constraints are added to restrict the classes and attributes of the generated fake data.
Further, when the GAN model generates fake data, its parameters can be set so that the fake data resembles the original samples, or the fake data can be generated at random.
Further, when the server selects the clients for the current round of communication, only clients that have already trained their GAN model are selected to participate in the round.
Further, the client trains the global network model on fake data, where the client selects the data set used for global network model training: either the real data set mixed with fake data in a set proportion, or the fake data set alone.
Further, the server aggregates the global network model parameters with the federated averaging algorithm or an SMPC (secure multi-party computation) algorithm.
The invention is described in further detail below with reference to the figures and the embodiments.
Examples
The embodiment takes centralized federated learning as the basic framework and trains a classifier network (the global network model) on the MNIST data set as an example to illustrate the specific implementation of the method:
On the client, the local data (MNIST data) is used to train the GAN, and random noise is then fed through the GAN to generate fake data (fake MNIST data). In the federated training of the MNIST classifier network, a client participating in the current round can use a certain amount of fake data in training the MNIST classifier network issued by the server, or can use fake data exclusively, replacing the strategy of the unmodified federated learning method in which the client trains on its real data. The GAN acts like a protective layer: the information of the real data is hidden and protected inside the GAN, and only the fake data participates in training, which resists an attacker's membership inference attack.
On the server, a certain number of clients are randomly selected in each round of communication to participate in training the MNIST classifier network model; the server issues the MNIST classifier network model parameters along with the loss function and the corresponding optimizer. When the clients finish training and return the trained MNIST classifier network model parameters, the server aggregates them by federated averaging.
As shown in FIG. 3, the abscissa is the number of communication rounds of the federated learning server and the ordinate is the accuracy of the MNIST classifier network; the different curves correspond to the proportion of fake data in the training set (amount of fake data used in training / total amount of training data) when a participating client trains the MNIST classifier network issued by the server. For the same number of rounds, the accuracy of the MNIST classifier network decreases as the proportion of fake data increases, but even when the MNIST classifier network is trained entirely on fake data (fake data proportion = 1), its accuracy still reaches 95% after 60 rounds, so the global network model performance decreases only slightly.
Regarding resistance to membership inference attacks, the experimental result of attacking the trained model with a membership inference attack network is shown in FIG. 4: the abscissa is the proportion of fake data in the training set of the attacked network, the ordinate is the accuracy of the membership inference attack network, and the baseline (random guessing) is 0.5. The model's resistance to membership inference attacks improves as the proportion of fake data increases.
In a conventional federated learning architecture, the client usually trains on its real data set; this lacks resistance to membership inference attacks and makes the privacy leakage arising at the client difficult to prevent. With the federated learning architecture of this method, fake data is generated by the GAN, the user's data set is enlarged, resistance to membership inference attacks is increased, and client data privacy is effectively protected.
When client resources are limited, training on GAN-generated fake data effectively improves the performance of the global network model, mitigates the under-training of the global network model caused by insufficient data, and enriches the data set while improving model performance.
Regarding resistance to membership inference attacks, unlike the conventional method of adding noise to the model parameters, this method uses GAN-generated fake data in the training of the global network model; the global network model's resistance to membership inference attacks increases with the proportion of fake data while its accuracy decreases only slightly, which is superior to the conventional noise-addition method for resisting membership inference attacks.
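The following simulation is an added example, not code from the patent or its inventors; it puts the six steps of the method above (client-side generator, server-side random client selection, local training on fake data, federated averaging, stop condition) and the MNIST embodiment's "proportion of fake data" knob into one runnable loop. Everything in it is a stand-in chosen for this illustration: the conditional GAN is replaced by a per-class Gaussian generator fitted to each client's local data, the MNIST classifier by a logistic-regression model on constructed 2-D data, and all function names (run_federated, fed_avg, build_training_set, and so on) are this example's own. Note that real samples are never passed to the server: only parameters travel, and the client trains on whatever mixture of real and synthetic data fake_ratio selects.

```python
"""Simulation of the patent's federated learning loop (added example, not the patent's code).

Clients never upload real samples: each trains a local generator on its data
and trains the server-issued global model on synthetic samples (mixed with real
data in a set proportion, or synthetic only). The server selects clients at
random per round and aggregates the returned parameters by federated averaging.
The generator is a per-class Gaussian fitted to local data, standing in for the
conditional GAN of the patent; the global model is a logistic-regression
classifier standing in for the MNIST classifier network. All data is constructed.
"""
import math
import random


# ---- constructed sample data: two well-separated 2-D classes ----------------
def make_real_data(rng, n, label):
    """Draw n labelled points around (-2,-2) for class 0 or (2,2) for class 1."""
    centre = -2.0 if label == 0 else 2.0
    return [((rng.gauss(centre, 1.0), rng.gauss(centre, 1.0)), label) for _ in range(n)]


def split_among_clients(rng, n_clients, per_client):
    """Give every client its own private, class-balanced local data set."""
    return [make_real_data(rng, per_client // 2, 0) + make_real_data(rng, per_client // 2, 1)
            for _ in range(n_clients)]


# ---- steps 1-2: local conditional generator (stand-in for the cGAN) ---------
def fit_generator(real):
    """Per-class mean and std of each feature; the 'condition' is the label."""
    gen = {}
    for label in (0, 1):
        pts = [x for x, y in real if y == label]
        n = len(pts)
        means = [sum(p[d] for p in pts) / n for d in (0, 1)]
        stds = [math.sqrt(sum((p[d] - means[d]) ** 2 for p in pts) / n) for d in (0, 1)]
        gen[label] = (means, stds)
    return gen


def generate_fake(gen, n, rng):
    """Sample n synthetic labelled points (alternating classes) from the generator."""
    out = []
    for i in range(n):
        label = i % 2
        means, stds = gen[label]
        out.append(((rng.gauss(means[0], stds[0]), rng.gauss(means[1], stds[1])), label))
    return out


def build_training_set(real, gen, fake_ratio, rng):
    """Mix real and fake samples; fake_ratio = fake / total (1.0 = fake only)."""
    n_fake = round(len(real) * fake_ratio)
    kept_real = rng.sample(real, len(real) - n_fake)
    return kept_real + generate_fake(gen, n_fake, rng)


# ---- global model: logistic regression trained with plain SGD ---------------
def predict_prob(w, x):
    z = w[0] * x[0] + w[1] * x[1] + w[2]
    return 1.0 / (1.0 + math.exp(-z))


def local_train(w, data, lr=0.1, epochs=1):
    """Step 4: the client trains the issued parameters on its (synthetic) set."""
    w = list(w)
    for _ in range(epochs):
        for x, y in data:
            g = predict_prob(w, x) - y  # gradient of the log-loss w.r.t. the logit
            w[0] -= lr * g * x[0]
            w[1] -= lr * g * x[1]
            w[2] -= lr * g
    return w


def fed_avg(updates):
    """Step 5: sample-count-weighted federated averaging of (weights, n_samples) pairs."""
    total = sum(n for _, n in updates)
    return [sum(w[i] * n for w, n in updates) / total for i in range(len(updates[0][0]))]


def accuracy(w, data):
    return sum((predict_prob(w, x) >= 0.5) == (y == 1) for x, y in data) / len(data)


def run_federated(fake_ratio, n_clients=6, clients_per_round=3, rounds=10, seed=1):
    """Run the whole loop; returns the final global parameters and test accuracy."""
    rng = random.Random(seed)
    clients_real = split_among_clients(rng, n_clients, per_client=40)
    generators = [fit_generator(r) for r in clients_real]  # steps 1-2, done locally
    test = make_real_data(rng, 100, 0) + make_real_data(rng, 100, 1)
    w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        chosen = rng.sample(range(n_clients), clients_per_round)  # step 3
        updates = []
        for c in chosen:
            train = build_training_set(clients_real[c], generators[c], fake_ratio, rng)
            updates.append((local_train(w, train), len(train)))  # step 4: only params return
        w = fed_avg(updates)  # step 5
    return w, accuracy(w, test)  # step 6: rounds exhausted, keep the parameters


if __name__ == "__main__":
    for ratio in (0.0, 0.5, 1.0):
        _, acc = run_federated(ratio)
        print(f"fake ratio {ratio:.1f}: test accuracy {acc:.3f}")
```

Running the script sweeps the fake-data proportion from 0 to 1, the same sweep FIG. 3 plots for MNIST; on this toy data the accuracy stays high at every proportion because the generator captures the class structure, which is the property the patent relies on when it trains entirely on synthetic samples.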

Claims (7)

1. A differential privacy federated learning method for resisting membership inference attacks, characterized in that it comprises the following steps:
step 1, each client trains a generative adversarial network (GAN) model on its local data;
step 2, each client generates fake data with its GAN model;
step 3, for each round of federated learning communication, the server randomly selects the clients participating in the round and issues the global network model parameters, the loss function used in training, and the optimizer;
step 4, the selected clients train the global network model on the fake data and send the trained global network model parameters back to the server;
step 5, the server updates the global network model parameters by federated averaging;
step 6, the server decides whether to continue with the next round of communication; if so, it returns to step 3, otherwise it ends the communication and stores the global network model parameters.
2. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein the server and the clients communicate by transmitting the global network model parameters together with the loss function and optimizer required for training, without directly transmitting training data.
3. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein the GAN model is a conditional GAN, in which conditional constraints are added to restrict the classes and attributes of the generated fake data.
4. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein, when the GAN model generates fake data, its parameters are set so that the fake data resembles the original samples, or the fake data is generated at random.
5. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein, when the server selects the clients for the current round of communication, only clients that have already trained their GAN model are selected to participate in the round.
6. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein the client trains the global network model on fake data, and the client selects the data set used for global network model training: either the real data set mixed with fake data in a set proportion, or the fake data set alone.
7. The differential privacy federated learning method for resisting membership inference attacks according to claim 1, wherein the server aggregates the global network model parameters with the federated averaging algorithm or an SMPC algorithm.

Priority and publication

Application number: CN202210314533.1A, priority date 2022-03-29, filing date 2022-03-29, title "Differential privacy federation learning method for resisting member reasoning attack"
Publication: CN114785559A (en), published 2022-07-22, status Pending
Family ID: 82424502
Country status: CN, CN114785559A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111738405A (en) * 2020-05-11 2020-10-02 南京航空航天大学 User-level member reasoning method based on generation countermeasure network
CN113516199A (en) * 2021-07-30 2021-10-19 山西清众科技股份有限公司 Image data generation method based on differential privacy
CN113553624A (en) * 2021-07-30 2021-10-26 天津大学 WGAN-GP privacy protection system and method based on improved PATE
CN114021738A (en) * 2021-11-23 2022-02-08 湖南三湘银行股份有限公司 Distributed generation countermeasure model-based federal learning method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DOREEN: "Data analysis overview: data security and privacy protection issues in federated learning", pages 1-11, retrieved from the Internet <URL:https://baijiahao.baidu.com/s?id=1725731633077026033&wfr=spider&for=pc> *
X LUO: "Defending against attacks in federated learning using GAN-based feature inference", pages 2-3 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115329388A (en) * 2022-10-17 2022-11-11 南京信息工程大学 Privacy enhancement method for federally generated countermeasure network
CN116405333A (en) * 2023-06-09 2023-07-07 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Safe and efficient power system abnormal state detection terminal
CN116405333B (en) * 2023-06-09 2023-08-25 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Safe and efficient power system abnormal state detection terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination