CN116502708A - Performance evaluation and committee voting-based Byzantine attack resistant DFL method - Google Patents
- Publication number: CN116502708A (also listed as CN202310480068.3A)
- Authority: CN (China)
- Prior art keywords: node, training, master node, model, local
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Description
Technical field
The invention belongs to the field of physical technology and, more specifically, relates to a decentralized federated learning (DFL, Decentralized Federated Learning) method in the field of electric digital data technology that resists Byzantine attacks based on performance evaluation and committee voting. The invention enables model training in DFL that resists Byzantine attacks and protects the privacy of the participants.
Background
Federated learning has shown excellent performance in transportation and medical scenarios. In some federated learning scenarios, however, data owners have difficulty finding a reliable third-party server to act as the central server for model aggregation, and the traditional centralized federated learning architecture has a single point of failure, which causes model training to fail. In decentralized federated learning, each node has difficulty verifying the data sent by other nodes, so the Byzantine attack problem is more severe. For example, when the traditional centralized federated learning architecture is used in autonomous driving, model training failure caused by Byzantine attacks is particularly prominent: in federated learning even a small number of malicious participants can corrupt the global training, leading to serious traffic accidents and threatening driver safety. In engineering practice, the data collected by different intelligent vehicles is non-independent and identically distributed (Non-IID), so the knowledge shared by different training nodes differs considerably, which makes Byzantine nodes harder to identify. In addition, even though the participants do not share raw data in federated model training, an attacker can still infer users' private information from the shared model parameters or gradient updates, resulting in privacy leakage.
In its patent application "A Federated Learning Method Against Byzantine Attacks for Protecting User Data Privacy" (application number: 202111589802.7, application publication number: CN 114239862 A), the University of Electronic Science and Technology of China proposed a federated learning method that resists Byzantine attacks based on cosine similarity. The method splits the server side into two servers, each of which computes the cosine similarity between the server model gradient and the local model gradient, computes a trust score from the cosine similarity, and uses the trust scores and the local models to aggregate the global model. Neither server can obtain a client's local data from the data it holds, which protects users' data privacy. The remaining shortcoming of this method is that the traditional centralized federated learning architecture has a single point of failure, which easily causes model training to fail.
Che C et al., in their paper "A decentralized federated learning framework via committee mechanism with convergence guarantee" (IEEE Transactions on Parallel and Distributed Systems, 2022, 33(12): 4783-4800), proposed the CMFL scheme. The scheme designs two selection strategies that take model accuracy and robustness into account, and a committee mechanism that aggregates the local gradients uploaded by the training nodes using the appropriate selection strategy and updates the committee members through an election strategy. The remaining shortcomings of this method are: it cannot resist Byzantine attacks on data sets with a Non-IID distribution, and its selection strategy based on Euclidean distance scoring is not robust enough against Byzantine attacks; in addition, in the CMFL algorithm the training nodes upload their local gradients in plaintext, so the committee nodes leak private information during Byzantine detection and gradient aggregation.
Summary of the invention
The purpose of the invention is to address the above shortcomings of the prior art by proposing a DFL method that resists Byzantine attacks based on performance evaluation and committee voting. It solves the model training failure caused by the single point of failure in the traditional centralized federated learning architecture, and also addresses Byzantine attacks under heterogeneous data distribution and privacy protection.
The idea behind the invention is as follows. The invention uses the reputation-based consensus protocol Ouroboros to randomly select a master node CM (Current Master) in each iteration round, and the master node CM coordinates the other participants in model training. The privacy of the parameters during model training is protected by differential privacy (DP) and secret random perturbation. After local training, each training node TN (Training Node) generates a secret random perturbation with the same shape as the model parameters and adds it to its local model to obtain a secretly perturbed local model. The training node TN shares the generated secret random perturbation with the candidate nodes CN (Candidate Node), which helps the master node CM recover the global model from the secretly perturbed local models. Byzantine nodes among the training nodes TN are detected by performance evaluation. Byzantine nodes among the candidate nodes CN are detected by analysing the aggregated secret random perturbations. Finally, a committee voting mechanism verifies the correctness of the model aggregated by the master node CM, detects whether the master node CM is a Byzantine node, and ensures that all participants in the decentralized federated learning reach consensus on the model update and on the results of Byzantine node detection.
To achieve the above purpose, the specific implementation steps of the invention are as follows:
Step 1, generate the discriminant sample set of each participant:
Each participant in the model training randomly sends L small data samples; each participant aggregates the small data samples received from the other participants with its own small data samples to form its discriminant sample set, where L≤3;
Step 2, a master node CM is randomly selected from the candidate master nodes CN, and the master node CM broadcasts the global model;
Step 3, the training nodes TN each train the global model on their own local data set to obtain their local models;
Step 4, the training nodes TN use DP to generate differentially private local models;
Step 5, each training node TN adds a secret random perturbation term to its local model to obtain that training node's secretly perturbed local model;
Step 6, the master node CM detects Byzantine nodes by performance evaluation:
The master node CM computes the loss value, on the discriminant sample set, of each training node TN's differentially private local model in the current iteration; the master node CM computes the average loss value of the differentially private local models of the training nodes TN in the current iteration; the master node CM forms the benign node index set from the benign training nodes TN whose model loss value is less than the average loss value avglv, and sends the benign node index set to the candidate master nodes CN;
Step 7, the candidate master nodes CN aggregate the secret random perturbation terms, and the master node CM updates the global model parameters:
Step 7.1, the master node CM aggregates the secretly perturbed local models in the benign node index set to obtain the encrypted global model;
Step 7.2, each candidate master node CN receives the benign node index set sent by the master node CM, aggregates the secret random perturbation terms sent by the training nodes TN in the benign node index set to obtain the secret random perturbation aggregate value R_k, and sends R_k to the master node CM;
Step 7.3, after receiving the secret random perturbation aggregate values R_k, the master node CM selects the R_k that is identical across the majority as the aggregate value R of the secret random perturbations of this group of nodes, R=mode(R_k); the candidate master nodes CN that sent this aggregate value are taken as benign nodes and the candidate master nodes CN that sent other aggregate values are taken as Byzantine nodes, where R denotes the aggregate value of the secret random perturbations and mode(·) denotes the mode operation;
Step 7.4, the master node CM subtracts the aggregate value R of the secret random perturbations from the encrypted global model to obtain the updated global model;
Step 7.5, the master node CM combines the loss value loss_i of each training node TN's differentially private local model with the secret random perturbation aggregate R_k returned by the candidate master nodes CN, and assigns each training node TN one of three trust states: when loss_i ∈ (0, avglv), the training node TN is a benign node; when loss_i ≥ avglv and R_k ≠ R, the training node TN is a Byzantine node; otherwise, the training node TN is an ordinary node;
Step 7.6, the master node CM updates the credibility and reputation of each training node TN;
Step 7.7, the master node CM broadcasts the global model to the system network;
Step 8, the candidate master nodes CN vote on the updated global model:
Step 8.1, each candidate master node CN computes the loss value of the updated global model on the discriminant sample set;
Step 8.2, each candidate master node CN votes on the global model using a fluctuation threshold: if the absolute value of the difference between the loss value of the updated global model on the discriminant sample set, as computed by that candidate master node CN, and the loss value of the previous iteration does not exceed the fluctuation threshold, the global model parameters are converging in the correct direction, and the candidate master node CN votes in favour of the updated global model and broadcasts the vote to the system network; otherwise, the candidate master node CN broadcasts an opposing message in the system network;
Step 8.3, if more than half of the candidate master nodes CN in the system network vote in favour of the updated global model parameters, the master node CM is judged to be a benign node and step 8.4 is executed; otherwise, the master node CM is judged to be a Byzantine node, a new master node CM is selected, that master node CM broadcasts the global model, and step 3 is executed;
Step 8.4, the master node CM broadcasts the global model and the credibility and reputation of the training nodes TN to all nodes in the network, and the model training participants reach consensus on the updated parameters;
Step 9, update the credibility and reputation of the master node CM, and select the new master node CM and candidate master nodes CN:
The master node CM selects the x model training participants with higher reputation as candidate master nodes CN; a new master node CM is selected among the candidate master nodes CN according to the reputation-based consensus protocol; the new master node CM updates the credibility and reputation of the previous round's master node CM and broadcasts them to the system network; the new master node CM broadcasts the global model;
Step 10, determine whether the global model has converged; if so, execute step 11; otherwise, execute step 3;
Step 11, end the collaborative training and obtain the global model.
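Step 8's committee vote, as an added Python example (not code from the patent). The linear model standing in for the network, the sample grids, the model weights and the 0.1 fluctuation threshold are constructed for illustration, and the function names are hypothetical.

```python
from itertools import product

TRUE_W = [2.0, -1.0, 0.5]            # constructed target used to label samples
PREV_GLOBAL = [2.3, -1.0, 0.5]       # constructed: last accepted global model
CN_SCALE = {"B": 1.0, "C": 0.9, "D": 1.1, "E": 1.0}  # each CN has its own set


def dot(w, x):
    return sum(a * b for a, b in zip(w, x))


def mse_loss(w, samples):
    """Mean squared error of the linear model y = w . x on a sample set."""
    return sum((dot(w, x) - y) ** 2 for x, y in samples) / len(samples)


def discriminant_set(scale):
    """Constructed discriminant sample set of one candidate master node."""
    grid = product((-1.0, 0.0, 1.0), repeat=3)
    xs = [tuple(scale * v for v in g) for g in grid]
    return [(x, dot(TRUE_W, x)) for x in xs]


def cn_vote(global_w, dds, prev_loss, threshold):
    """Steps 8.1-8.2: support iff |loss - previous loss| <= threshold."""
    return abs(mse_loss(global_w, dds) - prev_loss) <= threshold


def committee_decision(votes):
    """Step 8.3: the CM passes only if MORE than half of the CNs support it."""
    in_favour = sum(1 for v in votes.values() if v)
    return 2 * in_favour > len(votes)


def run_vote(new_global, byzantine_cn=(), threshold=0.1):
    """Return (votes, cm_is_benign). A Byzantine CN inverts its honest vote."""
    votes = {}
    for cn, scale in CN_SCALE.items():
        dds = discriminant_set(scale)
        prev_loss = mse_loss(PREV_GLOBAL, dds)
        honest = cn_vote(new_global, dds, prev_loss, threshold)
        votes[cn] = (not honest) if cn in byzantine_cn else honest
    return votes, committee_decision(votes)


if __name__ == "__main__":
    print(run_vote([2.2, -1.0, 0.5], byzantine_cn=("B",)))  # honest update
    print(run_vote([5.0, -1.0, 0.5], byzantine_cn=("B",)))  # corrupted update
```

With four candidate master nodes a 2-2 split is not "more than half", so a tie sends the round back to step 3 with a new master node.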
Compared with the prior art, the invention has the following advantages:
First, the invention resists Byzantine attacks by means of performance evaluation on the discriminant sample set, analysis of the aggregated secret random perturbations, and a committee voting mechanism, overcoming the prior art's weakness against Byzantine attacks under heterogeneous data distribution. The invention can therefore resist Byzantine attacks on Non-IID data sets and guarantee the usability of the decentralized federated learning model.
Second, the invention generates differentially private local models and secretly perturbed local models based on DP and secret random perturbation, overcoming the prior-art problem of participant privacy leakage caused by Byzantine nodes obtaining the participants' original local model parameters during model training. The invention thus protects the privacy of the intermediate parameters during local model aggregation and Byzantine node identification; during model training it can both accurately identify Byzantine nodes and protect the participants' private information, achieving secure aggregation of model parameters and accurate training of the model.
Description of drawings
Fig. 1 is a flowchart of the invention.
Detailed description
The implementation steps of the invention are further described below with reference to Fig. 1 and the embodiment.
The embodiment of the invention has 11 model training participants: A, B, C, D, E, F, G, H, I, J and K.
Step 1, generate the discriminant sample set of each participant.
Each participant in the model training randomly sends L small data samples; each participant aggregates the small data samples received from the other participants with its own small data samples to form its discriminant sample set, where L≤3. In the embodiment, participant A sends 10 data samples to each of the 10 participants B, C, D, E, F, G, H, I, J and K, and receives 10 data samples from each of them; A aggregates the 100 data samples received from the 10 participants with the 10 data samples it sent to form A's discriminant sample set, which contains 110 data samples in total and approximately follows an IID distribution.
Step 2, a master node CM is randomly selected from the candidate master nodes CN, and the master node CM broadcasts the global model.
Step 2.1, one participant is randomly selected from all model training participants and becomes the master node CM. The master node CM broadcasts the initialization parameters of the global model. The embodiment selects participant A as the master node CM. Participant A builds a convolutional neural network whose layers are connected in series in this order: input layer, first convolutional layer, first pooling layer, second convolutional layer, second pooling layer, fully connected layer. The hyperparameters of the network structure and the dimensions of the model parameters are set as follows: the number of input layer neurons is 28×28, the window size of the first and second pooling layers is 2×2 with a stride of 2, the kernel size of the first and second convolutional layers is 5×5, and the activation function is ReLU. The number of output layer neurons is 10, and the output activation function is Softmax. The CM randomly initializes the weight matrix (the values of the model parameters) of each network layer. Participant A broadcasts the initialized global model to all training nodes TN. Across all training nodes TN the model parameters have the same dimensions but different values.
Step 2.2, from all participants other than the master node CM, x nodes are randomly selected to form the candidate master nodes CN, x=n×α, where n denotes the total number of model training participants and α denotes the ratio of candidate master nodes CN to all model training participants, with 0<α<1. In the embodiment, four nodes B, C, D and E are randomly selected from participants B, C, D, E, F, G, H, I, J and K (all participants other than A) to form the candidate master nodes CN.
Step 3, the training nodes TN each train the global model on their own local data set to obtain their local models.
Step 3.1, the participants other than the master node CM form the training nodes TN. In the embodiment, participants B, C, D, E, F, G, H, I, J and K (all participants other than A) form the training nodes TN.
Step 3.2, each training node TN updates its local model with the received global model.
Step 3.3, each training node TN feeds its local data set into its local model and runs τ iterations of the SGD gradient descent algorithm to obtain the optimal local model.
Step 4, the training nodes TN use DP to generate differentially private local models.
Step 4.1, each training node TN selects a privacy budget ε_i and a relaxation constant δ_i according to its local privacy requirements; the sensitivity of the model parameters and the standard deviation of the Gaussian noise are set in terms of C, the clipping threshold of the local model parameters, and DS_i, the local data set of the i-th training node TN. In the embodiment, the privacy budget ε_i defaults to 0.01 and the relaxation constant δ_i defaults to 0.5. A training node TN can set privacy parameters that suit its local privacy requirements. The smaller the privacy budget ε_i, the larger the generated Gaussian noise and the higher the security, but larger noise hinders the detection of Byzantine nodes. A training node TN should therefore set suitable parameters according to its local privacy needs, so that the added noise is not so large that the node is misjudged as a Byzantine node. Provided the privacy requirements are met, the noise that a TN adds to its local model is independent in each training round.
Step 4.2, each training node TN generates Gaussian noise following the Gaussian distribution with the standard deviation set in step 4.1.
Step 4.3, each training node TN adds the Gaussian noise it generated to its local model to obtain a differentially private local model, which is used to detect whether that training node TN is a Byzantine node.
Step 4.4, each training node TN sends its differentially private local model parameters to the master node CM.
Step 5, each training node TN adds a secret random perturbation term to its local model to obtain that training node's secretly perturbed local model.
Step 5.1, each training node TN generates a secret random perturbation term R_i in which every element is non-zero, and adds R_i to its local model to produce the secretly perturbed local model. The secret random perturbation term R_i has the same shape as the model parameters.
Step 5.2, each training node TN sends its secret random perturbation term to all candidate master nodes CN, and transmits its secretly perturbed local model parameters to the master node CM.
Step 6, the master node CM detects Byzantine nodes by performance evaluation.
The master node CM computes, according to the following formula, the loss value on the discriminant sample set of each training node TN's differentially private local model in the current iteration.
Here loss_i denotes the model loss value of the i-th training node TN on the discriminant sample set dds, |·| denotes the modulus operation, L_i(·) denotes the loss function of the i-th training node TN, and dds_j denotes the j-th sample in dds; the formula also uses the parameters of the differentially private local model of the i-th training node TN.
The master node CM computes, according to the following formula, the average loss value of the differentially private local models of the training nodes TN in the current iteration.
Here avglv denotes the average loss value of the differentially private local model of the i-th training node TN on the discriminant sample set, and S denotes the set of training nodes TN.
The master node CM forms the benign node index set from the benign training nodes TN whose model loss value is less than avglv, and sends the benign node index set to the candidate master nodes CN. In the embodiment, the nodes whose model loss value is less than avglv are {C, D, E, H, I, K}; this set is sent to the candidate master nodes CN: B, C, D, E.
步骤7,候选主节点CN聚合秘密随机扰动项,主节点CM更新全局模型参数。Step 7, the candidate master node CN aggregates the secret random disturbance item, and the master node CM updates the global model parameters.
步骤7.1,主节点CM根据下式,聚合良性节点索引集合中的秘密随机扰动本地模型,得到加密全局模型。Step 7.1, the master node CM aggregates the benign node index set according to the following formula The secret in randomly perturbs the local model to obtain an encrypted global model.
其中,表示加密全局模型中的参数,/>表示秘密随机数扰动本地模型中的参数。in, Indicates a parameter in the encrypted global model, /> Represents a parameter in the secret random number perturbation local model.
步骤7.2,候选主节点CN接收到主节点CM发送的良性节点索引集合候选主节点CN将良性节点索引集合/>中对应的训练节点TN发送的秘密随机扰动项进行聚合,得到秘密随机扰动聚合值Rk,候选主节点CN将秘密随机扰动聚合值Rk发送给主节点CM。候选主节点CN可能存在拜占庭节点,可能会返回错误的秘密随机扰动聚合值。正常来说,正常节点返回的秘密随机扰动聚合值应该是一致的,而拜占庭节点可能返回随机生成的错误秘密随机扰动聚合值。参与者B发送任意错误值给参与者A,参与者C、D、E发送正确值给参与者A。Step 7.2, the candidate master node CN receives the benign node index set sent by the master node CM Candidate master node CN will benign node index collection /> The secret random disturbance items sent by the corresponding training node TN are aggregated to obtain the secret random disturbance aggregation value R k , and the candidate master node CN sends the secret random disturbance aggregation value R k to the master node CM. There may be Byzantine nodes in the candidate master node CN, which may return wrong secret random perturbation aggregation value. Normally, the secret random perturbation aggregate value returned by normal nodes should be consistent, while Byzantine nodes may return randomly generated wrong secret random perturbation aggregate values. Participant B sends any wrong value to participant A, and participants C, D, and E send correct values to participant A.
Step 7.3: after receiving the secret random perturbation aggregate values R_k, the master node CM selects the value that is identical across the majority of reports as the aggregate value R of the secret random perturbations for this group of nodes, R = mode(R_k). The candidate master nodes CN that sent this value are taken to be benign, and the candidate master nodes CN that sent any other value are taken to be Byzantine. Here R denotes the aggregate value of the secret random perturbations and mode(·) denotes the mode (most frequent value) operation. In this embodiment, participant A receives the arbitrary wrong value sent by participant B and the correct value sent by participants C, D and E; the value sent by C, D and E is the mode, so participant B can be identified as a Byzantine node.
Step 7.4: the master node CM subtracts the aggregate value R of the secret random perturbations from the encrypted global model to obtain the updated global model.
Step 7.5: combining the loss value loss_i of each training node TN's model with the secret random perturbation aggregation results R_k returned by the candidate master nodes CN, the master node CM assigns each training node TN one of three trust states: benign when loss_i ∈ (0, avglv); Byzantine when loss_i ≥ avglv and R_k ≠ R; normal otherwise. In this embodiment, B satisfies loss_i ≥ avglv and R_k ≠ R, so B is identified as a Byzantine node; nodes C, D, E, H, I and K satisfy loss_i ∈ (0, avglv), so they are identified as benign nodes; the remaining nodes F, G and J are normal nodes.
Step 7.6: according to the following formula, the master node CM updates the credibility and reputation of each training node TN.
In the formula, one symbol denotes the credibility of the i-th training node TN in the t-th iteration and another denotes the reputation of the i-th training node TN in the t-th iteration; a, b and c are the standard parameters of the Gompertz function, and Gompertz denotes the function that characterizes the relationship between gradient credibility and reputation. In this embodiment, the credibility of all participants is initialized, and the credibility of B, of C, D, E, H, I and K, and of F, G and J is then updated.
Step 7.7: the master node CM broadcasts the global model to the system network.
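The masking, mode vote, unmasking and trust classification of steps 7.1 to 7.5, as an added Python example that is not code from the patent. It assumes aggregation is an element-wise sum over fixed-point integer vectors (the patent's formula is not reproduced on this page); all function names, the sample data and the fail-closed check when no value reaches a strict majority are assumptions of this example.

```python
import random
from collections import Counter

def vsum(vectors):
    """Element-wise sum of equal-length integer vectors."""
    return tuple(map(sum, zip(*vectors)))

def majority_mask(reports):
    """Step 7.3: R = mode(R_k); reporters of any other value are Byzantine."""
    value, count = Counter(reports.values()).most_common(1)[0]
    if 2 * count <= len(reports):  # added safeguard: fail closed without a strict majority
        raise ValueError("no majority R_k; refusing to unmask")
    return value, sorted(k for k, r in reports.items() if r != value)

def trust_state(loss, avglv, r_k, R):
    """Step 7.5; r_k is None for nodes that are not candidate master nodes."""
    if 0 < loss < avglv:
        return "benign"
    if loss >= avglv and r_k is not None and r_k != R:
        return "byzantine"
    return "normal"

def run_round(models, masks, losses, avglv, candidates, forged):
    benign = [n for n in sorted(losses) if 0 < losses[n] < avglv]
    masked = {n: vsum([models[n], masks[n]]) for n in models}   # what each TN sends to CM
    enc_global = vsum([masked[n] for n in benign])              # step 7.1 (sum assumed)
    honest_r = vsum([masks[n] for n in benign])                 # step 7.2 at an honest CN
    reports = {k: forged.get(k, honest_r) for k in candidates}
    R, byzantine = majority_mask(reports)
    global_model = tuple(e - r for e, r in zip(enc_global, R))  # step 7.4
    states = {n: trust_state(losses[n], avglv, reports.get(n), R) for n in losses}
    return global_model, byzantine, states

# Constructed sample data following the embodiment (A is the master node CM).
rng = random.Random(7)  # fixed seed for a repeatable demo; use the secrets module in practice
NODES = "BCDEFGHIJK"
MODELS = {n: (i, 2 * i, 3 * i) for i, n in enumerate(NODES, 1)}  # fixed-point weights
MASKS = {n: tuple(rng.randrange(1 << 32) for _ in range(3)) for n in NODES}
LOSSES = dict(zip(NODES, (0.9, 0.2, 0.3, 0.25, 0.6, 0.7, 0.1, 0.35, 0.8, 0.4)))
AVGLV = 0.46  # constructed threshold standing in for avglv
FORGED = {"B": (-1, -1, -1)}  # B returns an arbitrary wrong aggregate

if __name__ == "__main__":
    print(run_round(MODELS, MASKS, LOSSES, AVGLV, "BCDE", FORGED))
```

The unmasked result depends only on the local models of the benign set, so a single forged R_k is outvoted; once wrong reports make up half or more of the candidate nodes, the mode is no longer trustworthy and the sketch refuses to unmask.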
Step 8: the candidate master nodes CN vote on the updated global model.
Step 8.1: each candidate master node CN computes the loss value of the updated global model on the discriminant sample set.
Step 8.2: according to the following formula, each candidate master node CN votes on the global model using a fluctuation threshold. If the absolute value of the difference between this loss value and the loss value of the previous iteration does not exceed the fluctuation threshold, the global model parameters are moving in the correct direction of convergence, and the candidate master node CN votes in support of the updated global model and broadcasts its vote to the system network; otherwise, the candidate master node CN broadcasts a retraining message in the system network.
In the formula, the loss symbol denotes the loss value of the i-th training node TN in round t, and μ denotes the fluctuation threshold of the global model loss value.
Step 8.3: if more than half of the candidate master nodes CN in the system network vote in support of the updated global model parameters, the master node CM is judged to be a benign node and step 8.4 is executed; otherwise, the master node CM is judged to be a Byzantine node, a new master node CM is selected, that master node CM broadcasts the global model, and step 3 is executed. In this embodiment, participants C, D and E vote in support of the updated global model parameters and participant B does not; more than half of the candidate master nodes CN support the updated global model parameters, so step 8.4 is executed.
Step 8.4: the master node CM broadcasts the global model and the credibility and reputation of the training nodes TN to all nodes in the network, and the model training participants reach consensus on the updated parameters.
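The committee vote of steps 8.1 to 8.3, as an added Python example that is not code from the patent. The function names, the per-node loss values, the previous-round loss and the value of μ are constructed for illustration; `forced_votes` is a hypothetical parameter that models a Byzantine candidate node ignoring the threshold rule.

```python
def cn_vote(loss_now, loss_prev, mu):
    """Step 8.2: support the model if the loss moved by at most mu in either direction."""
    return abs(loss_now - loss_prev) <= mu

def committee_decision(votes):
    """Step 8.3: strictly more than half of the candidate nodes must support the model."""
    support = sum(1 for v in votes.values() if v)
    return "accept" if 2 * support > len(votes) else "replace_master"

def run_vote(evaluations, loss_prev, mu, forced_votes=None):
    """evaluations maps each CN to the loss it measured on its discriminant sample set."""
    votes = {cn: cn_vote(loss, loss_prev, mu) for cn, loss in evaluations.items()}
    votes.update(forced_votes or {})  # a Byzantine CN may vote regardless of the rule
    return committee_decision(votes), votes

# Constructed sample values: previous-round loss 0.50, fluctuation threshold mu = 0.05.
LOSS_PREV, MU = 0.50, 0.05
HONEST_ROUND = {"B": 0.47, "C": 0.47, "D": 0.48, "E": 0.46}
POISONED_ROUND = {"B": 1.30, "C": 1.31, "D": 1.29, "E": 1.30}  # master broadcast a bad model
SUDDEN_DROP = {"B": 0.20, "C": 0.21, "D": 0.20, "E": 0.19}     # |delta| > mu also fails

if __name__ == "__main__":
    # Embodiment: C, D, E support, B does not -> 3 of 4 -> accept.
    print(run_vote(HONEST_ROUND, LOSS_PREV, MU, {"B": False}))
    # B alone supporting a poisoned model cannot carry the vote.
    print(run_vote(POISONED_ROUND, LOSS_PREV, MU, {"B": True}))
    # Two of four is not "more than half": the master is replaced.
    print(run_vote(HONEST_ROUND, LOSS_PREV, MU, {"B": False, "C": False}))
    print(run_vote(SUDDEN_DROP, LOSS_PREV, MU))
```

Because the rule uses an absolute difference, an unusually large improvement in loss is rejected in the same way as a large degradation, and a tie among an even number of candidate nodes leads to replacement of the master node.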
Step 9: update the credibility and reputation of the master node CM, and select a new master node CM and new candidate master nodes CN.
The master node CM selects the x model training participants with the highest reputation as candidate master nodes CN; a new master node CM is selected from among the candidate master nodes CN by a reputation-based consensus protocol; the new master node CM updates the credibility and reputation of the previous round's master node CM and broadcasts them to the system network; the new master node CM then broadcasts the global model.
Step 10: determine whether the global model has converged. If so, execute step 11; otherwise, execute step 3.
Step 11: end the collaborative training and obtain the global model.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310480068.3A CN116502708A (en) | 2023-04-28 | 2023-04-28 | Performance evaluation and committee voting-based Bayesian attack resistant DFL method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116502708A (en) | 2023-07-28 |
Family
ID=87324472
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310480068.3A Pending CN116502708A (en) | 2023-04-28 | 2023-04-28 | Performance evaluation and committee voting-based Bayesian attack resistant DFL method |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117808082A (en) * | 2024-02-29 | 2024-04-02 | 华侨大学 | Federal learning method, device, equipment and medium for privacy protection against Bayesian attack |
CN117808082B (en) * | 2024-02-29 | 2024-05-14 | 华侨大学 | Federal learning method, device, equipment and medium for privacy protection against Bayesian attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||