CN115496227A - Method for training member reasoning attack model based on federal learning and application - Google Patents


Info

Publication number
CN115496227A
Authority
CN
China
Legal status
Pending
Application number
CN202211212032.9A
Other languages
Chinese (zh)
Inventor
陈兵
谢袁源
张佳乐
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models


Abstract

The invention discloses a membership inference attack model training method based on federated learning and its application. The method comprises the following steps: constructing a labeled training data pool from the labeled first training samples held by each attacker in a federated learning model, and constructing an unlabeled training data pool from second training samples generated by a generative adversarial network; selecting part of the second training samples in the unlabeled training data pool for labeling based on an adversarial representation active learning model, and adding those labeled second training samples to the labeled training data pool; and training a membership inference attack model based on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool. The method enriches the diversity of attack data, augments the training data, minimizes the amount of data labeling required, reduces the labeling cost and improves data accuracy.

Description

Federated-learning-based membership inference attack model training method and application
Technical Field
The invention relates to the technical field of machine learning, and in particular to a membership inference attack model training method based on federated learning and its application.
Background
Federated learning has attracted attention in recent years because of its privacy-preserving properties. However, research has shown that federated learning is susceptible to various inference attacks. Membership inference attacks aim to determine whether a target record is a member of the training data set of the target federated learning model, which poses a serious threat to the privacy of the training data. Membership inference attacks in federated learning still have many deficiencies, however, because attack data is scarce. Previous work has shown that generative adversarial networks (GANs) can effectively enrich an attacker's attack data, but the data generated by GANs lack labels. Previous studies labeled generated data by feeding it to the target classifier model; this approach is inaccurate when the output of the target model is ambiguous.
To overcome the shortage of attack data, GANs are applied for their strong data augmentation ability. An attacker can train a binary attack model on the abundant attack data generated by the GANs to infer membership information. However, GAN-enhanced membership inference attacks in federated learning still have some disadvantages. First, the data generated by GANs is entirely random, so the quality of the generated data is uneven. Second, the data generated by GANs lack labels.
There are two methods for labeling data: (1) manual labeling and (2) querying the target model. The first is relatively costly; the second is more practical but relies heavily on the accuracy of the target model. Furthermore, in federated learning the training data is non-independently and identically distributed (non-IID) across participants, which means that it is difficult for an attacker to obtain the label information of other participants. When the target model outputs an ambiguous result, the attacker cannot identify the true label of the generated data.
Disclosure of Invention
The invention aims to provide a membership inference attack model training method based on federated learning and its application, to solve the technical problems of high cost and low accuracy that may arise in the prior art when, for lack of attack data to train a membership inference attack model, a generative adversarial network is used to augment the attack data and the generated data must be labeled.
To achieve the above object, an embodiment of the present invention provides a method for training a membership inference attack model based on federated learning, the method comprising:
constructing a labeled training data pool from the labeled first training samples held by each attacker in a federated learning model, and constructing an unlabeled training data pool from second training samples generated by a generative adversarial network;
selecting part of the second training samples in the unlabeled training data pool for labeling based on an adversarial representation active learning model, and adding those labeled second training samples to the labeled training data pool;
and training the membership inference attack model based on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool.
In one or more embodiments of the present invention, the generative adversarial network includes a first generator and a first discriminator, and constructing the unlabeled training data pool from the second training samples generated by the generative adversarial network specifically includes:
generating a plurality of second training samples through the minimax game between the first generator and the first discriminator, wherein the plurality of second training samples have the same underlying distribution as the original training data in the training data set of the target federated learning model;
constructing the plurality of second training samples into the unlabeled training data pool.
In one or more embodiments of the present invention, generating a plurality of second training samples through the minimax game between the first generator and the first discriminator specifically includes:
initializing the first generator and having it generate data records from random noise;
updating the first generator according to the degree of similarity between the generated data records and the original training data as judged by the first discriminator, so that the first generator generates data records with the same underlying distribution as the original training data, and taking those data records as second training samples.
In one or more embodiments of the invention, the method further comprises:
initializing a copy of the target federated learning model as the first discriminator of the generative adversarial network, wherein the target federated learning model is generated iteratively by federated learning, and in each iteration the attacker downloads the federated learning model of the current round and keeps a local copy of the target federated learning model.
In one or more embodiments of the present invention, selecting part of the second training samples in the unlabeled training data pool for labeling based on the adversarial representation active learning model includes:
learning, with the second generator, an underlying distribution representation of the labeled first training samples in the labeled training data pool and the second training samples in the unlabeled training data pool;
and selecting the most informative second training samples from the unlabeled training data pool for labeling based on the adversarial representation active learning model and the underlying distribution representation.
In one or more embodiments of the present invention, training the membership inference attack model based on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool specifically includes:
constructing a plurality of shadow models based on the adversarial representation active learning model;
training the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the remaining second training samples in the unlabeled training data pool, so that the shadow models output sample vectors;
and dividing the sample vectors into a training set and a test set, and training the membership inference attack model with the training set and the test set.
In one or more embodiments of the present invention, training the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the remaining second training samples in the unlabeled training data pool further includes:
selecting the remaining second training samples in the unlabeled training data pool based on the adversarial representation active learning model;
mapping the remaining second training samples in the unlabeled training data pool into a latent space with the encoder;
reconstructing the remaining second training samples from the latent space with the second generator;
generating third training samples with the same underlying distribution as the original training data through the minimax game between the second generator and the second discriminator;
and feeding the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the third training samples into the plurality of shadow models for training.
In another aspect of the present invention, there is also provided an apparatus for training a membership inference attack model based on federated learning, the apparatus including:
a construction module for constructing a labeled training data pool from the labeled first training samples held by each attacker in the federated learning model, and constructing an unlabeled training data pool from second training samples generated by the generative adversarial network;
a selection module for selecting part of the second training samples in the unlabeled training data pool for labeling based on the adversarial representation active learning model, and adding those labeled second training samples to the labeled training data pool;
and a training module for training the membership inference attack model based on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool.
The construction module is further configured to: generate a plurality of second training samples through the minimax game between the first generator and the first discriminator, wherein the plurality of second training samples have the same underlying distribution as the original training data in the training data set of the target federated learning model;
and construct the plurality of second training samples into the unlabeled training data pool.
The construction module is further configured to: initialize the first generator and have it generate data records from random noise;
and update the first generator according to the degree of similarity between the generated data records and the original training data as judged by the first discriminator, so that the first generator generates data records with the same underlying distribution as the original training data, taking those data records as second training samples.
The construction module is further configured to: initialize a copy of the target federated learning model as the first discriminator of the generative adversarial network, wherein the target federated learning model is generated iteratively by federated learning, and in each iteration the attacker downloads the federated learning model of the current round and keeps a local copy of the target federated learning model.
The selection module is further configured to: learn, with the second generator, an underlying distribution representation of the labeled first training samples in the labeled training data pool and the second training samples in the unlabeled training data pool;
and select the most informative second training samples from the unlabeled training data pool for labeling based on the adversarial representation active learning model and the underlying distribution representation.
The training module is further configured to: construct a plurality of shadow models based on the adversarial representation active learning model;
train the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the remaining second training samples in the unlabeled training data pool, so that the shadow models output sample vectors;
and divide the sample vectors into a training set and a test set, and train the membership inference attack model with the training set and the test set.
The training module is further configured to: select the remaining second training samples in the unlabeled training data pool based on the adversarial representation active learning model;
map the remaining second training samples in the unlabeled training data pool into a latent space with the encoder;
reconstruct the remaining second training samples from the latent space with the second generator;
generate third training samples with the same underlying distribution as the original training data through the minimax game between the second generator and the second discriminator;
and feed the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the third training samples into the plurality of shadow models for training.
In another aspect of the present invention, there is also provided an electronic device, including:
at least one processor; and
a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the method of training a membership inference attack model based on federated learning described above.
In another aspect of the present invention, there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method of training a membership inference attack model based on federated learning described above.
Compared with the prior art, the membership inference attack model training method and application based on federated learning introduce a generative adversarial network to generate data samples and an adversarial representation active learning model to label the data samples generated by the generative adversarial network; the labeled data samples are added to the labeled training data pool owned by the attacker to train the membership inference attack model. This enriches the diversity of attack data, augments the training data, minimizes the amount of data labeling required, reduces the labeling cost and improves data accuracy.
In addition, the method maximizes the performance of the membership inference attack model by constructing a plurality of shadow models, training them based on the adversarial representation active learning model, and then training the membership inference attack model on the sample vectors output by the shadow models as new training data.
Drawings
FIG. 1 is a flow diagram of a method for training a membership inference attack model based on federated learning according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the membership inference attack in the method for training a membership inference attack model based on federated learning according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of attack data generation in the method for training a membership inference attack model based on federated learning according to an embodiment of the present invention;
FIG. 4 is a model training diagram of the method for training a membership inference attack model based on federated learning according to an embodiment of the present invention;
FIG. 5 compares the accuracy of the trained models on different data sets, where (a) is the accuracy graph of the model trained on the MNIST data pool with 10 labeled samples, and (b) is the accuracy graph of the model trained on the CIFAR-10 data pool with 500 labeled samples;
FIG. 6 is a schematic structural diagram of an apparatus for training a membership inference attack model based on federated learning according to an embodiment of the present invention;
FIG. 7 is a hardware block diagram of an electronic device for training a membership inference attack model based on federated learning according to an embodiment of the present invention.
Detailed Description
The following detailed description of the present invention is provided in conjunction with the accompanying drawings, but it should be understood that the scope of the present invention is not limited to the specific embodiments.
Throughout the specification and claims, unless explicitly stated otherwise, the word "comprise", or variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated element or component but not the exclusion of any other element or component.
Federated learning is a form of machine learning originally proposed to protect data privacy. Unlike traditional centralized machine learning, federated learning does not require users to upload their raw data sets to the model trainer, which protects users' data privacy to a large extent. Federated learning protects privacy by distributing the model's training tasks to the individual users. A user is only responsible for uploading update parameters (for example, a weight matrix or model gradients) instead of raw data, which would typically contain the individual's private data. Federated learning works as follows: the central server shares the latest global model with each client; each client trains the model on its local data set and then uploads its model update to the central server; the central server aggregates the updates and updates the global model.
In federated learning, the central server distributes a training task to each participant; each participant trains the model on its local data and uploads the model update to the central server, which then aggregates the uploaded updates. The advantage of federated learning is that communication between the server and the participants consists only of model parameter updates, so participants do not need to share the original data sets they own.
Membership inference attacks are a serious privacy threat in federated learning and may lead to the disclosure of users' private information. A membership inference attack aims to determine whether a given record is a member of the target model's training data set. In the black-box setting, an attacker performs a membership inference attack by training a binary attack model that takes the output vector of the target model as input and outputs the probability that the given sample is a member of the training data set. In federated learning, the attacker may be a participant or the central server. As a participant, an attacker can observe the updated global parameters through the model updates and can alter the parameters it uploads. As the central server, the attacker can attack all participants, passively or actively, through the updated parameters it collects.
The invention introduces active learning to make up for the weaknesses of passive local attackers and proposes ALGANs to enhance membership inference attacks in federated learning. Adversaries can use GANs to enrich the attack data, then select informative and representative data samples through active learning and label them to train the attack model.
Referring to FIG. 1 and FIG. 2, an embodiment of the method for training the membership inference attack model based on federated learning according to the present invention is described. In this embodiment, the method includes the following steps.
S101: constructing a labeled training data pool from the labeled first training samples held by each attacker in the federated learning model, and constructing an unlabeled training data pool from second training samples generated by the generative adversarial network.
Generative adversarial networks (GANs) are a type of deep neural network trained in an adversarial manner, first proposed by Goodfellow. The generative adversarial network includes a first generator, which draws random samples from a noise distribution as input and generates samples from them, and a first discriminator, whose main task is to distinguish the generated samples from real samples.
In the present embodiment, new data is generated by introducing GANs to increase the attacker's data diversity. Referring to FIG. 3, the GANs generate a plurality of second training samples through the minimax game between the first generator and the first discriminator. The generation network g(z; θ_G) of the first generator is initialized and generates data records from random noise; the discrimination network f(x; θ_D) of the first discriminator is initialized with the target federated learning model, that is, a copy of the target federated learning model is initialized as the first discriminator of the generative adversarial network. In each iteration, the attacker downloads the federated learning model of the current round and keeps a local copy of the target federated learning model, and this copy is initialized as the first discriminator in the GANs.
Let x_i be an original image in the original training data and x_gen a generated image. The minimax game between the first generator and the first discriminator may be expressed as:
Figure BDA0003875410490000101
L_G(θ_G) = E_{z ~ p(z)}[log(D(G(z)))]
where x_i denotes an original image from the original training data, x_gen the generated image, z random noise, θ the parameters of the neural network, and L_G the update function of the first generator, which brings the generated data closer to the real data.
The first discriminator judges the similarity between the generated data records and the original training data in order to update the first generator. Specifically, the first generator passes x_gen to the first discriminator; if the first discriminator classifies x_gen as real data, x_gen is added to D_U; otherwise the first generator is updated by minimizing the loss in the equation above.
The method thus initializes a first generator G, uses a copy of the target federated learning model as the first discriminator D, and has D distinguish generated data from the original training data until the generated data approaches the original training data, that is, until data records with the same underlying distribution as the original training data are produced. These data records are used as second training samples, and the plurality of second training samples is constructed into the unlabeled training data pool.
After the data augmentation phase, two data sets are available: D_gen, the data generated by the GANs, and D_ori, the data set owned by the attacker. Since the attacker participates in the model training process, the original data set it owns is labeled and is present in the training data set of the target federated learning model. D_gen and D_ori together form the attack data pool used to train the membership inference attack model.
S102: selecting part of the second training samples in the unlabeled training data pool for labeling based on the adversarial representation active learning model, and adding those labeled second training samples to the labeled training data pool.
GANs can generate large amounts of data, but the data they generate lack labels. In this embodiment, to enrich the attacker's data diversity and augment the training data, part of the unlabeled data generated by the GANs is selected for labeling in each iteration of federated learning and used to train the membership inference attack model.
In this embodiment, an adversarial representation active learning (ARAL) model is introduced to label the data generated by the GANs. The ARAL model is a semi-supervised framework for training classification models. It is used because it not only trains the classification model on labeled data but also learns data features from unlabeled samples. In federated learning the training data is non-IID across participants, which means that an attacker owns only its own portion of the data.
The ARAL model consists of two main stages, the adversarial variational active learning stage and the adversarial representation learning stage; its training framework is shown in FIG. 4. Specifically, the ARAL model includes a second generator. In the adversarial variational active learning stage, the second generator learns the underlying distribution representation of the labeled first training samples in the labeled training data pool and the second training samples in the unlabeled training data pool, and the most informative second training samples are selected from the unlabeled training data pool according to the selection algorithm of the ARAL model and the underlying distribution representation; these second training samples are labeled manually for the next round, completing the labeling. Finally, the labeled part of the second training samples is added to the labeled training data pool for model training.
S103: training the membership inference attack model based on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool.
To train the membership inference attack model, a plurality of shadow models are first constructed on the basis of the ARAL model; the shadow models have the same architecture as the target federated learning model but are trained on different data sets. The shadow models are trained with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the remaining second training samples in the unlabeled training data pool. In this embodiment, the second discriminator in the ARAL model can be regarded as a shadow model of the membership inference attack and is trained together with the other parts of the ARAL model.
The adversarial variational active learning (VAAL) component of the ARAL model selects the remaining second training samples in the unlabeled training data pool for labeling using a variational autoencoder with a reconstruction loss and an adversarial loss: the encoder maps the remaining second training samples in the unlabeled training data pool into the latent space, and the second generator reconstructs them from the latent space. The method uses the β-VAE reconstruction loss. Furthermore, adversarial variational active learning uses a sampling function S(z) to distinguish whether data is labeled or not; if S(z) is low, the discriminator is confident that the data is unlabeled.
Adversarial representation learning shares the encoder and the second generator with adversarial variational active learning. The second generator in adversarial variational active learning can provide information about the unlabeled data to the shadow model. Here, quasi-conditional GANs are used to improve the training of the shadow model. The goal of the second generator is to generate images that trick the discriminator into predicting them as real images. The discriminator follows the discriminator of standard conditional GANs and comprises two parts: the shadow model to be trained and a real/fake discrimination network. The loss of the complete training structure can be expressed as:
Figure BDA0003875410490000121
Figure BDA0003875410490000122
Figure BDA0003875410490000123
where L_G' and L_E denote the losses of the second generator and of the encoder, respectively, both of which are trained jointly by VAAL and adversarial representation learning; L_D denotes the loss of the first discriminator in the conditional GAN; and L_S denotes the VAAL sampling (sampler) loss. λ_gan and λ_cls are user-defined weights, set to 1 in the experiments; each acts as a tuning parameter of the joint training.
A third training sample with the same underlying distribution as the original training data is then generated through the minimax game between the second generator and the second discriminator. The labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the third training samples derived from the unlabeled training data pool are fed into the shadow models for training, so that the shadow models output sample vectors (prediction vectors).
The sample vectors output by the shadow models are split into a training set and a test set. Records for samples the shadow model was trained on are formatted as (label, prediction, in), and records for held-out test samples as (label, prediction, out). The membership inference attack model is then trained on this new data set, after which the membership inference attack is launched.
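The shadow-model pipeline described above (train a shadow model on data whose membership the attacker knows, format its outputs as (label, prediction, in/out), train an attack model on those records, then score the target model) as an added, self-contained example; this is not the patent's code. A deliberately overfitting kernel-vote classifier (hypothetical) stands in for the shadow and target models, a per-class confidence threshold stands in for the patent's CNN attack model, and the data are constructed 2-D Gaussian clusters. The metrics it returns are the precision, recall and F1 that Table 1 below reports for the real attack.

```python
"""Shadow-model membership inference in the (label, prediction, in/out) format.

Added example, not the patent's code. A deliberately overfitting kernel-vote
classifier (hypothetical) stands in for the shadow and target models, and a
per-class confidence threshold stands in for the patent's CNN attack model.
All data are constructed 2-D Gaussian clusters.
"""
import math
import random

NUM_CLASSES = 3
CENTERS = [(0.0, 0.0), (4.0, 0.0), (0.0, 4.0)]  # constructed class centres
SIGMA = 0.1   # kernel width: small, so the model memorises its training points
ALPHA = 0.5   # Laplace smoothing: keeps confidence on unseen points moderate


def make_dataset(n_per_class, rng):
    """Constructed data: one isotropic Gaussian cluster per class."""
    data = []
    for label, (cx, cy) in enumerate(CENTERS):
        for _ in range(n_per_class):
            data.append(((rng.gauss(cx, 1.0), rng.gauss(cy, 1.0)), label))
    return data


class KernelVoteClassifier:
    """Each training point votes for its class with weight exp(-d^2/sigma^2).
    A member votes for itself with weight 1, so members receive visibly higher
    confidence than non-members: the overfitting membership inference exploits."""

    def __init__(self, train):
        self.train = train

    def predict(self, x):
        votes = [ALPHA] * NUM_CLASSES
        for (px, py), label in self.train:
            d2 = (px - x[0]) ** 2 + (py - x[1]) ** 2
            votes[label] += math.exp(-d2 / SIGMA ** 2)
        total = sum(votes)
        return [v / total for v in votes]


def attack_records(model, members, non_members):
    """(label, prediction, in) for the model's own training data and
    (label, prediction, out) for held-out data, as described on the page."""
    recs = [(y, model.predict(x), 1) for x, y in members]
    recs += [(y, model.predict(x), 0) for x, y in non_members]
    return recs


def train_attack_model(records):
    """Stand-in for the CNN attack model: per class, the threshold on the
    true-label probability that best separates in from out on shadow records."""
    thresholds = {}
    for c in range(NUM_CLASSES):
        pairs = [(pred[y], flag) for y, pred, flag in records if y == c]
        best_t, best_acc = 0.0, -1.0
        for t, _ in pairs:
            acc = sum((p >= t) == (flag == 1) for p, flag in pairs) / len(pairs)
            if acc > best_acc:
                best_t, best_acc = t, acc
        thresholds[c] = best_t
    return thresholds


def infer_membership(thresholds, record):
    label, pred, _ = record
    return 1 if pred[label] >= thresholds[label] else 0


def evaluate(thresholds, records):
    """Precision, recall, F1 and accuracy of the in/out decision."""
    tp = fp = fn = tn = 0
    for rec in records:
        guess, truth = infer_membership(thresholds, rec), rec[2]
        if guess and truth:
            tp += 1
        elif guess:
            fp += 1
        elif truth:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1,
            "accuracy": (tp + tn) / len(records), "n_records": len(records)}


def run_attack(seed=7, n_per_class=60):
    rng = random.Random(seed)
    # Shadow model: the attacker's own data, so the in/out split is known.
    shadow = KernelVoteClassifier(make_dataset(n_per_class, rng))
    shadow_recs = attack_records(shadow, shadow.train, make_dataset(n_per_class, rng))
    attack_model = train_attack_model(shadow_recs)
    # Target model: different data, same architecture. Its in/out split is
    # used here only to score the attack; the attacker never sees it.
    target = KernelVoteClassifier(make_dataset(n_per_class, rng))
    target_recs = attack_records(target, target.train, make_dataset(n_per_class, rng))
    return evaluate(attack_model, target_recs)


if __name__ == "__main__":
    print(run_attack())
```

The membership signal comes entirely from the shadow model's overconfidence on points it was trained on; because the target shares the architecture and data distribution, thresholds learned on shadow records transfer to it. Replacing the threshold rule with a classifier over the whole prediction vector is what the patent's CNN attack model does.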
The attack method of this embodiment is evaluated on two real-world datasets, the MNIST data pool and the CIFAR-10 data pool.
The MNIST data pool is a handwritten-digit database of 60000 training images and 10000 test images with ten labels, "0" to "9"; each image is 28 × 28 pixels.
As described in this embodiment, the CIFAR-10 data pool consists of 70000 images split into a training set (60000 images) and a test set (10000 images); the images are mainly of cats, dogs, horses and similar object classes. (The standard CIFAR-10 release contains 60000 32 × 32 colour images in ten classes, 50000 for training and 10000 for testing; the 70000/60000 counts used throughout this page are those stated in the patent.)
Assume that 100 clients take part in training the target federated learning model. To evaluate the attack more thoroughly, the training data of the target federated learning model are partitioned non-independently and non-identically (non-iid): each client holds samples for only a subset of the labels. The attacker is one of the participating clients and launches the membership inference attack passively, i.e., it follows the training protocol of the target federated learning model honestly and uses only what the protocol gives it. Each participant trains for 10 rounds on its training data with an initial learning rate of 0.001.
The attack method can be implemented with PyTorch 1.0, TensorFlow 1.0 and the Keras framework, and a CNN-based architecture can be used to build the membership inference attack model.
The main work of ALGANs is to generate large amounts of attack data and to train the shadow models with ARAL. To illustrate the effectiveness of ALGANs, the training accuracy of the shadow models that supply the output vectors for the membership inference attack model is shown first.
Assume the MNIST data pool contains 60000 images and the CIFAR-10 data pool 70000 images. The experiment starts from an initial labeled pool of 10 labeled samples for MNIST and 500 for CIFAR-10, and the same number of labels is added in each active learning iteration; the training results of the first 10 iterations of the shadow model are reported. Fig. 5 shows the shadow model's training accuracy: Fig. 5(a) for the MNIST model started from 10 labeled samples and Fig. 5(b) for the CIFAR-10 model started from 500 labeled samples. Even when the attacker holds only a small number of labels, the shadow model reaches sufficient accuracy to launch the membership inference attack.
The inference attack is evaluated mainly by its precision and recall. The attack method of this embodiment is compared with a GAN-enhanced membership inference attack; its performance is shown in Table 1:
TABLE 1

Data set    Precision   Recall    F1 score
MNIST       98.35%      88.31%    93%
CIFAR-10    93.52%      85.45%    89%
As Table 1 shows, the data pool is enriched from 500 to 60000 samples and the membership inference attack is launched once the membership inference attack model is fully trained, that is, once every sample in the data pool has been labeled. The attack precision (reported as the attack accuracy rate in the original; the F1 values in Table 1 are consistent with this figure taken as precision) reaches 98.35% on the MNIST data pool and 93.52% on the CIFAR-10 data pool, and the high recall shows that the attack method generalizes well.
The effect of the training data size on the attack accuracy is also verified, since data diversity is an important factor in the accuracy of a membership inference attack. The training data set size is set to 500, 1000, 5000, 10000 and 60000 for MNIST and to 1000, 5000, 10000, 50000 and 70000 for CIFAR-10. In the GAN-enhanced membership inference attack, the generated images are fed directly into the target model to obtain labels, and the newly generated data set is used to train the attack model. In the ALGANs-enhanced membership inference attack, shadow model training starts from an initial data pool holding 10 labeled samples for MNIST and 500 for CIFAR-10. After the shadow models are fully trained, the newly formed attack data set is used to train the membership inference attack model; the attack accuracy is shown in Table 2:
TABLE 2
[Table 2 is given as an image in the original (Figure BDA0003875410490000141) and its values are not transcribed here.]
As Table 2 shows, the accuracy of the trained model increases with the amount of attack data. Compared with the GAN-enhanced membership inference attack, the attack method of this embodiment performs better, especially when the amount of data is small. The reason is that the performance of the GAN-enhanced attack depends entirely on the GAN, and not all GAN-generated data are of high quality, so its attack accuracy is low when little data are available.
In the attack architecture of this embodiment, active learning selects the most informative images from the data pool and extracts their features, and during model training ARAL also learns data features from the unlabeled data. As the data size grows, the gap between the two attack methods narrows, mainly because a GAN can mask the uneven quality of its generated data by generating a large quantity of it. By contrast, the attack method of this embodiment reaches high attack accuracy with very little attack data, and ALGANs perform better when the images in the training data set are complex and the attacker holds only a small amount of data.
Referring to Fig. 6, an embodiment of the apparatus for membership inference attack model training based on federated learning is described. The apparatus includes a construction module 201, a selection module 202 and a training module 203.
The construction module 201 is configured to construct a labeled training data pool from the labeled first training samples held by each attacker in the federated learning model, and to construct an unlabeled training data pool from the second training samples generated by the generative adversarial network;
the selection module 202 is configured to select, based on the adversarial representation active learning model, part of the second training samples in the unlabeled training data pool to be labeled, and to add the labeled part of the second training samples to the labeled training data pool;
the training module 203 is configured to train the membership inference attack model on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the remaining second training samples in the unlabeled training data pool.
The construction module 201 is further configured to: generate a plurality of second training samples through the minimax game between the first generator and the first discriminator, the second training samples having the same underlying distribution as the original training data in the training data set of the target federated learning model;
and form the plurality of second training samples into the unlabeled training data pool.
The construction module 201 is further configured to: initialize the first generator so that it generates data records from random noise;
and update the first generator according to the similarity between the generated data records and the original training data as judged by the first discriminator, so that the first generator comes to generate data records with the same underlying distribution as the original training data; these data records are taken as the second training samples.
The construction module 201 is further configured to initialize a copy of the target federated learning model as the first discriminator of the generative adversarial network. The target federated learning model is produced iteratively by the federated learning process: in each iteration the attacker downloads the federated learning model of the current round and keeps a local copy of it as the target federated learning model.
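The threat model behind this step and behind the experimental setup above (the attacker is an ordinary participating client that follows the protocol honestly, downloads the global model every round and retains a local copy) as an added example; it is not the patent's code. The model is a hypothetical 2-feature logistic regression trained with federated averaging on constructed, non-iid client data (each client holds one label only); the round count, local steps and learning rate are assumptions.

```python
"""Passive insider in federated averaging that keeps every downloaded global model.

Added example, not the patent's code. The attacker is an ordinary client that
follows the protocol honestly, but after each round it stores the global model
it downloaded (the copy the patent later initialises as the first
discriminator). The model is a hypothetical 2-feature logistic regression
trained with FedAvg on constructed, non-iid client data.
"""
import math
import random

ROUNDS = 5        # federated rounds (assumed)
LOCAL_STEPS = 20  # local epochs per round (assumed)
LR = 0.1          # local learning rate (assumed)


def make_noniid_clients(n_clients, n_per_client, rng):
    """Constructed non-iid split: client k holds only the label k % 2."""
    clients = []
    for k in range(n_clients):
        label = k % 2
        cx = cy = 2.0 if label else -2.0
        clients.append([((rng.gauss(cx, 1.0), rng.gauss(cy, 1.0)), label)
                        for _ in range(n_per_client)])
    return clients


def predict(model, x):
    """Logistic regression; model = [w0, w1, b]."""
    w0, w1, b = model
    z = max(-60.0, min(60.0, w0 * x[0] + w1 * x[1] + b))  # avoid exp overflow
    return 1.0 / (1.0 + math.exp(-z))


def local_train(model, data):
    """Honest local SGD on the client's own data; the downloaded model is not mutated."""
    w = list(model)
    for _ in range(LOCAL_STEPS):
        for x, y in data:
            err = predict(w, x) - y
            w[0] -= LR * err * x[0]
            w[1] -= LR * err * x[1]
            w[2] -= LR * err
    return w


def fed_avg(updates):
    """Server side: plain weight averaging of the clients' updated models."""
    return [sum(u[i] for u in updates) / len(updates) for i in range(3)]


def run_federated_training(n_clients=4, attacker_id=0, seed=3):
    """Returns the final global model, the attacker's per-round copies and the
    client data (returned only so that the result can be scored)."""
    rng = random.Random(seed)
    clients = make_noniid_clients(n_clients, 25, rng)
    global_model = [0.0, 0.0, 0.0]
    snapshots = []
    for _ in range(ROUNDS):
        updates = []
        for k, data in enumerate(clients):
            downloaded = list(global_model)   # what every client receives
            if k == attacker_id:
                snapshots.append(downloaded)  # passive: retain a copy, then comply
            updates.append(local_train(downloaded, data))
        global_model = fed_avg(updates)
    return global_model, snapshots, clients


def accuracy(model, data):
    hits = sum((predict(model, x) >= 0.5) == (y == 1) for x, y in data)
    return hits / len(data)


if __name__ == "__main__":
    final, copies, clients = run_federated_training()
    pooled = [pt for data in clients for pt in data]
    print(len(copies), "global models retained; final accuracy",
          accuracy(final, pooled))
```

Nothing in the attacker's behaviour is detectable by the server: it uploads a genuine local update every round. What it gains is the sequence of global models, each of which is already a working classifier over data the attacker never held, which is exactly the copy the patent plugs in as the first discriminator.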
The selection module 202 is further configured to: learn, with the second generator, an underlying distribution representation of the labeled first training samples in the labeled training data pool and of the second training samples in the unlabeled training data pool;
and select, based on the adversarial representation active learning model and that underlying distribution representation, the most informative second training samples in the unlabeled training data pool to be labeled.
The training module 203 is further configured to: construct a plurality of shadow models based on the adversarial representation active learning model;
train the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the remaining second training samples in the unlabeled training data pool, so that the shadow models output sample vectors;
and split the sample vectors into a training set and a test set and train the membership inference attack model with them.
The training module 203 is further configured to: select the remaining second training samples in the unlabeled training data pool based on the adversarial representation active learning model;
map the remaining second training samples in the unlabeled training data pool into a latent space with the encoder;
reconstruct the remaining second training samples from the latent space with the second generator;
generate third training samples with the same underlying distribution as the original training data through the minimax game between the second generator and the second discriminator;
and feed the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the third training samples derived from the unlabeled training data pool into the plurality of shadow models for training.
Fig. 7 shows a hardware block diagram of an electronic device 30 for federated learning-based membership inference attack model training according to an embodiment of this specification. As shown in Fig. 7, the electronic device 30 may include at least one processor 301, a storage 302 (e.g., non-volatile storage), a memory 303 and a communication interface 304, all connected by a bus 305. The at least one processor 301 executes at least one computer-readable instruction stored or encoded in the storage 302.
The computer-executable instructions stored in the storage 302, when executed, cause the at least one processor 301 to perform the operations and functions described above in connection with Figs. 1 to 5 in the embodiments of this specification.
In embodiments of this specification, the electronic device 30 may include, but is not limited to: personal computers, server computers, workstations, desktop computers, laptop computers, notebook computers, mobile computing devices, smart phones, tablet computers, cellular phones, personal digital assistants (PDAs), handsets, messaging devices, wearable computing devices, consumer electronics and the like.
According to one embodiment, a program product such as a computer-readable storage medium is provided. The computer-readable storage medium carries instructions (i.e., the elements described above as implemented in software) that, when executed by a computer, cause the computer to perform the operations and functions described above in connection with Figs. 1 to 5 in the embodiments of this specification. Specifically, a system or apparatus may be provided with a readable storage medium on which software program code implementing the functions of any of the above embodiments is stored, and the computer or processor of the system or apparatus reads and executes the instructions stored on that medium.
In the federated learning-based membership inference attack model training method and its application, a generative adversarial network is introduced to generate data samples, an adversarial representation active learning model is introduced to label the samples generated by the generative adversarial network, and the labeled samples are added to the attacker's labeled training data pool to train the membership inference attack model. This enriches the diversity of the attack data, augments the training data, minimizes the number of labels required, lowers the labeling cost and improves accuracy.
In addition, several shadow models are constructed and trained on the basis of the adversarial representation active learning model, and the sample vectors output by these shadow models are used as new training data for the membership inference attack model, which maximizes the attack model's performance.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing descriptions of specific exemplary embodiments of the present invention have been presented for purposes of illustration and description. It is not intended to limit the invention to the precise form disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain certain principles of the invention and its practical application to enable one skilled in the art to make and use various exemplary embodiments of the invention and various alternatives and modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims and their equivalents.

Claims (10)

1. A method for training a membership inference attack model based on federated learning, comprising the following steps:
constructing a labeled training data pool from labeled first training samples held by each attacker in a federated learning model, and constructing an unlabeled training data pool from second training samples generated by a generative adversarial network;
selecting, based on an adversarial representation active learning model, part of the second training samples in the unlabeled training data pool to be labeled, and adding the labeled part of the second training samples to the labeled training data pool;
and training the membership inference attack model on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool.
2. The training method of claim 1, wherein the generative adversarial network comprises a first generator and a first discriminator, and constructing the unlabeled training data pool from the second training samples generated by the generative adversarial network comprises:
generating a plurality of second training samples through the minimax game between the first generator and the first discriminator, the plurality of second training samples having the same underlying distribution as the original training data in the training data set of the target federated learning model;
and forming the plurality of second training samples into the unlabeled training data pool.
3. The training method of claim 2, wherein generating a plurality of second training samples through the minimax game between the first generator and the first discriminator comprises:
initializing the first generator so that it generates data records from random noise;
and updating the first generator according to the similarity between the generated data records and the original training data as judged by the first discriminator, so that the first generator generates data records with the same underlying distribution as the original training data, these data records being taken as the second training samples.
4. The training method of claim 2, further comprising:
initializing a copy of a target federated learning model as the first discriminator of the generative adversarial network, wherein the target federated learning model is produced iteratively by the federated learning process, and in each iteration the attacker downloads the federated learning model of the current round and keeps a local copy of it as the target federated learning model.
5. The training method of claim 1, wherein the adversarial representation active learning model comprises a second generator, and selecting part of the second training samples in the unlabeled training data pool to be labeled based on the adversarial representation active learning model comprises:
learning, with the second generator, an underlying distribution representation of the labeled first training samples in the labeled training data pool and of the second training samples in the unlabeled training data pool;
and selecting, based on the adversarial representation active learning model and the underlying distribution representation, the most informative second training samples in the unlabeled training data pool to be labeled.
6. The training method of claim 1, wherein training the membership inference attack model on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples, and the second training samples remaining in the unlabeled training data pool comprises:
constructing a plurality of shadow models based on the adversarial representation active learning model;
training the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the remaining second training samples in the unlabeled training data pool, so that the shadow models output sample vectors;
and splitting the sample vectors into a training set and a test set and training the membership inference attack model with the training set and the test set.
7. The training method of claim 6, wherein the adversarial representation active learning model further comprises a second discriminator, a discriminator and an encoder, and training the plurality of shadow models with the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the remaining second training samples in the unlabeled training data pool comprises:
selecting the remaining second training samples in the unlabeled training data pool based on the adversarial representation active learning model;
mapping the remaining second training samples in the unlabeled training data pool into a latent space with the encoder;
reconstructing the remaining second training samples from the latent space with the second generator;
generating third training samples with the same underlying distribution as the original training data through the minimax game between the second generator and the second discriminator;
and feeding the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the third training samples derived from the unlabeled training data pool into the plurality of shadow models for training.
8. An apparatus for training a membership inference attack model based on federated learning, the apparatus comprising:
a construction module configured to construct a labeled training data pool from labeled first training samples held by each attacker in a federated learning model, and to construct an unlabeled training data pool from second training samples generated by a generative adversarial network;
a selection module configured to select, based on an adversarial representation active learning model, part of the second training samples in the unlabeled training data pool to be labeled, and to add the labeled part of the second training samples to the labeled training data pool;
and a training module configured to train the membership inference attack model on the labeled first training samples in the labeled training data pool, the labeled part of the second training samples and the remaining second training samples in the unlabeled training data pool.
9. An electronic device, comprising:
at least one processor; and
a memory storing instructions that, when executed by the at least one processor, cause the at least one processor to perform the method for training a membership inference attack model based on federated learning according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the method for training a membership inference attack model based on federated learning according to any one of claims 1 to 7.
CN202211212032.9A 2022-09-30 2022-09-30 Method for training member reasoning attack model based on federal learning and application Pending CN115496227A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211212032.9A CN115496227A (en) 2022-09-30 2022-09-30 Method for training member reasoning attack model based on federal learning and application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211212032.9A CN115496227A (en) 2022-09-30 2022-09-30 Method for training member reasoning attack model based on federal learning and application

Publications (1)

Publication Number Publication Date
CN115496227A true CN115496227A (en) 2022-12-20

Family

ID=84472329

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211212032.9A Pending CN115496227A (en) 2022-09-30 2022-09-30 Method for training member reasoning attack model based on federal learning and application

Country Status (1)

Country Link
CN (1) CN115496227A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117372839A (en) * 2023-10-18 2024-01-09 贵州师范大学 Member reasoning attack method under federal learning scene in image classification field

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination