CN116541831B - Dual defense method based on blockchain and federal learning - Google Patents


Publication number
CN116541831B
Authority
CN
China
Prior art keywords
local model
task
block
trainer
model parameters
Legal status
Active
Application number
CN202310814388.8A
Other languages
Chinese (zh)
Other versions
CN116541831A (en
Inventor
张佩云
丁松
刘颖
徐涪雅
何思开
Current Assignee
Nanjing University of Information Science and Technology
Original Assignee
Nanjing University of Information Science and Technology
Application filed by Nanjing University of Information Science and Technology
Priority to CN202310814388.8A
Publication of CN116541831A
Application granted
Publication of CN116541831B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N20/20 Ensemble learning
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a dual defense method based on blockchain and federated learning, which comprises the following steps: S1, judging whether the federated learning process has reached the number of iterations or the model accuracy has reached a set threshold, and if so, exiting the learning process; otherwise, storing the task information; S2, the trainer receives a task block; S3, the trainer trains a local model using local data; S4, after training is completed, the trainer sends the local model parameters to a verifier; S5, the verifier receives the local model parameters and verifies them through a consensus committee mechanism; S6, the verifier packages the verified local model parameters and uploads them to the chain; S7, the task publisher forms global model parameters using an aggregation method; S8, updating the consensus committee that verifies the next round of models according to the local model accuracy of the verifiers, and returning to step S1. The method prevents malicious nodes from mounting targeted attacks against a specific aggregation method and thereby resists poisoning attacks.

Description

Dual defense method based on blockchain and federated learning
Technical Field
The invention relates to the field of the Internet of Things, and in particular to a dual defense method based on blockchain and federated learning.
Background
Artificial intelligence is developing rapidly across industries, but its application environments are becoming more complex and the potential risks greater. Improving the credibility of artificial intelligence is therefore of great importance. Data is the basis of artificial intelligence, and the quality of the data largely determines the quality of the artificial intelligence. In conventional distributed machine learning, however, data is exposed to serious security hazards such as data leakage, data tampering and data pollution. These problems can have serious consequences: in automatic driving, for example, if training data is maliciously modified, even a small distortion may cause serious traffic accidents.
To address these issues, a new distributed machine learning framework, federated learning (Federated Learning), has emerged. Federated learning allows multiple participants to train a shared model on their local devices without directly exchanging data, which protects data privacy, reduces communication overhead, and improves model efficiency and generalization ability. However, federated learning also faces security challenges, such as poisoning attacks (Poisoning Attacks) that degrade the performance of the global model.
To prevent these attacks and improve the security and trustworthiness of federated learning systems, one possible solution is to use blockchain (Blockchain) technology. Blockchain is a novel distributed computing technology that provides decentralization, tamper resistance, traceability and consensus mechanisms. It can provide a secure and trusted data storage environment for federated learning, record and verify the behavior and contribution of each participant, and encourage honest collaboration through incentive mechanisms. Blockchains can also be used to verify nodes to ensure node trustworthiness, and to maintain mutual trust between nodes by calculating trust values and publishing them on the blockchain. In addition, blockchains may protect the system from Byzantine attacks based on "off-chain sample mining" and "on-chain mining" schemes. Li et al. (Li Y, Chen C, Liu N, et al. A blockchain-based decentralized federated learning framework with committee consensus [J]. IEEE Network, 2020, 35(1): 234-241) and Karimireddy et al. (Peng J, Li W, Ling Q. Byzantine-robust decentralized stochastic optimization over static and time-varying networks [J]. Signal Processing, 2021, 183: 108020) propose a consensus committee and a robust aggregation method to resist poisoning attacks, but these still suffer from long communication delays and from the aggregation method being susceptible to attacks on model aggregation, so research into new methods to reduce poisoning attacks is highly desirable.
The conventional Federated Averaging method (McMahan B, Moore E, Ramage D, et al. Communication-efficient learning of deep networks from decentralized data [C]. Artificial Intelligence and Statistics. PMLR, 2017: 1273-1282) aggregates the local model parameters uploaded by all training nodes (trainers for short), but it does not consider excluding the low-accuracy local model parameters of malicious nodes. To solve this problem, Li et al. (Li Z, Yu H, Zhou T, et al. Byzantine resistant secure blockchained federated learning at the edge [J]. IEEE Network, 2021, 35(4): 295-301) employ a consensus mechanism that maintains a healthy blockchain community through mutual authentication among trainers. However, this method requires all trainers to participate in authentication, which is inefficient and costly in communication resources. Li et al. (Li Y, Chen C, Liu N, et al. A blockchain-based decentralized federated learning framework with committee consensus [J]. IEEE Network, 2020, 35(1): 234-241) improve on this with a committee approach: according to the local model accuracy of the verification nodes (verifiers for short), trainers providing high model accuracy are selected to form the committee, and the committee takes charge of verifying the data and the local model parameters. This method alleviates the communication and resource overhead to a certain extent, but still has problem P1: the decentralization of the blockchain is greatly reduced, and the process of selecting consensus committee members also requires significant communication and resource overhead.
The traditional aggregation method uses the number of local samples of each trainer as the aggregation weight (McMahan B, Moore E, Ramage D, et al. Communication-efficient learning of deep networks from decentralized data [C]. Artificial Intelligence and Statistics. PMLR, 2017: 1273-1282), so malicious nodes can deliberately use larger data sets to increase their own aggregation weights and thus corrupt the model. To solve this problem, several studies have proposed aggregation methods, but each has disadvantages. For example, the Median method (Yin D, Chen Y, Kannan R, et al. Byzantine-robust distributed learning: towards optimal statistical rates [C]. International Conference on Machine Learning. PMLR, 2018: 5650-5659) can exclude the effect of extreme local model parameters (i.e., local model parameters that malicious nodes intentionally make much larger or much smaller than the normal range of values), but it uses only the median and does not make full use of the information in the other local model parameters. In contrast, the TrimmedMean method (Yin D, Chen Y, Kannan R, et al. Byzantine-robust distributed learning: towards optimal statistical rates [C]. International Conference on Machine Learning. PMLR, 2018: 5650-5659) discards the extreme local model parameters and makes full use of the remaining ones, but has limited ability to reject extreme local model parameters. The Krum method (Blanchard P, El Mhamdi E M, Guerraoui R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent [J]. Advances in Neural Information Processing Systems, 2017, 30) identifies malicious local model parameters by the Euclidean distances between local model parameters in feature space, since the local model parameters uploaded by malicious nodes can be far from those uploaded by honest trainers.
However, this approach may be affected by a single local model parameter, resulting in a large number of local model parameters being discarded. In summary, the existing methods have problem P2: an attacker may tailor the attack on the target model to the aggregation method, greatly reducing the effect of the aggregation method.
Disclosure of Invention
Object of the invention: the invention aims to provide a dual defense method based on blockchain and federated learning, so that malicious nodes cannot attack the model with a targeted attack method.
Technical scheme: in the dual defense method, federated learning is performed and a model framework is built in an Internet of Things scenario. The roles in the model framework mainly comprise a task publisher, a verifier and a trainer: the task publisher is the initiating node of the federated learning task; the trainer is a training node of the federated learning task; the verifier is a verification node that verifies the local model parameters sent by other trainers. The method is characterized by comprising the following steps:
S1, judging whether the federated learning process has reached the number of iterations or the model accuracy has reached the threshold; if yes, exiting the learning process; otherwise, the task publisher uploads the task block and stores the task information in the task block;
S2, the trainer receives a task block, which is the current latest task block;
S3, the trainer trains a local model using local data according to the information in the task block;
S4, after training is completed, the trainer sends the local model parameters to a verifier;
S5, the verifier receives the trainer's local model parameters and verifies them through a consensus committee mechanism;
S6, the verifier packages the verified local model parameters and uploads them to the chain;
S7, the task publisher downloads the local model parameters submitted by other verifiers from the blockchain and uses the HBlend aggregation method to form the global model parameters, which provide the data with which the task publisher publishes a new task;
S8, updating the consensus committee for the next round of local model verification according to the local model accuracy of the verifiers, and returning to step S1.
Further, the blockchain in the model framework can store a variety of information, and includes two kinds of blocks: a task block and a local model block;
the task block and the local model block each consist of a Header and a Body, and the Header comprises four fields; when a new block is added, the blockchain verifies the validity of the new block against the previously included block;
the Body of the task block contains model parameters; each time one round of model aggregation is completed, a new block of this type is generated to provide the global model parameters for the next round of iteration;
the Body of the local model block contains the verifier, the model accuracy and the local model parameters.
Further, when the blockchain verifies the validity of a new block against the previously included block, the new block must satisfy the following constraints:
where and are the fields of the previous block, and and are the fields in the new block.
Further, in step S5, a consensus committee mechanism is adopted to select verifiers, and the steps for verifying the local model parameters are as follows:
SB1, after the federal learning task is released, the IOT equipment participates in the training task as a trainer, and the trainer set is set asTrainee->
SB2, initial stage, all trainersAre qualified as verifiers, which constitute a consensus committee; is provided withRepresent the firstiWheel consensus committee,>the method comprises the steps of carrying out a first treatment on the surface of the Verifiers in the Committee participate in training of the local model and verify the local model parameters sent by other trainers, the verifiers are noted as
SB3, will beThe round validators are ranked from small to large according to the accuracy of the local modelThe method comprises the steps of carrying out a first treatment on the surface of the After local model verification is selected from the consensus committee of each round, the accuracy of the local model is lower than +.>The a verifiers with the lowest accuracy are put in the set +.> In the process, the liquid crystal display device comprises a liquid crystal display device,represent the firstiWheel malicious node set,/-> Represent the firstiRound a malicious node; ;/>a local model accuracy threshold for the verifier;
SB4, slaveRemove the set-> Malicious node in (1), get the optimized consensus committee +.>
SB5, whenWhen or model accuracy reaches a threshold +.>,/>Go to step SB3, < > and->Is a threshold value of the iteration number; otherwise, the consensus committee election is ended.
Further, in step S6, a local model parameter set verified by the Committee is set,/>For training personnParameter tensors of (a); set the training set for uploading the parameters as ,/>Represents the first of PnThe total number of trainees is +.>Wherein the number of malicious nodes is +.>Needs to meet->
Further, the saidIn the polymerization method, a random number needs to be generated during each round of polymerizationFirst->The treatment method for the wheel is according to->Selecting, and polymerizing to obtain global model parameters +.>The expression is as follows: />Wherein (1)>Representation->Go up to->Tensor element, let->The method comprises the steps of carrying out a first treatment on the surface of the Before the execution of the polymerization process, for->Sequencing to obtain, />For the ordered local model parameters, +.>;/>Representing the ordered set of local model parameters, +.>
Wherein, the liquid crystal display device comprises a liquid crystal display device,represents the median of the generation of a set of local model parameters, get +.> The median of (a) as a result of aggregating global model parameters +.> : /> Representing from->Delete head and tail each->Obtaining the result of the aggregated global model parameters: />
Representing dynamic removal of malicious local model parameters, the detailed steps are as follows:
SC1, set upThe initial value is 0;
SC2, calculate local model parameter List The average value of (2) is recorded as->
SC3, slave Middle removing and->The local model parameters that differ the most are removed and the handler submitting the local model parameters is treated as a malicious node, the handler is taken from the set +.>Is removed from the substrate and is then removed,
SC4, if , go to step SC2; otherwise, go to step SC4, indicating that the threshold on the number of malicious nodes for Byzantine tolerance has been reached;
SC5, selectAs an aggregate global model parameter.
Compared with the prior art, the invention has the following notable effects:
1. In the verification stage, to resist poisoning attacks, federated learning is combined with blockchain and a consensus committee mechanism is provided: the local model parameters uploaded by trainers are verified by the consensus committee, so that high-quality local model parameters are screened out to participate in aggregation before model aggregation; the consensus committee is continuously updated according to the performance of the verifiers in model training, so that it is continuously optimized;
2. In the model aggregation stage, a federated learning method is provided that comprises three optimized aggregation methods, one of which is randomly selected for aggregation in each federated learning iteration, so that malicious nodes cannot mount a targeted attack against a specific aggregation method, thereby resisting poisoning attacks; experimental evaluation and comparative analysis against other related methods show that the invention has obvious advantages in different scenarios.
Drawings
FIG. 1 is a schematic diagram of the overall framework of the present invention;
FIG. 2 is a schematic diagram of a task block;
FIG. 3 is a schematic diagram of a local model block;
FIG. 4 is a schematic diagram of a consensus committee election strategy;
FIG. 5 is a flowchart of the federated learning algorithm.
Description of the embodiments
The invention is described in further detail below with reference to the drawings and the detailed description.
To solve the problems that the decentralization of the blockchain is greatly weakened and that selecting committee members requires large communication and resource overhead, the invention provides a consensus committee mechanism that continuously optimizes the selection of verifiers and the verification method as the global model iterates. In the first training round, all trainers can voluntarily participate in verification and form the initial consensus committee. Then, in each round of global model iteration, a certain number of verifiers with low local model accuracy are removed from the consensus committee, and the optimized committee verifies the next round of models. As the model keeps iterating, the selection of verifiers becomes more and more reasonable, and the communication resources and verification cost become smaller and smaller.
To solve the problem that an attacker can tailor an attack on the target model to the aggregation method, greatly reducing the effect of a secure aggregation method, the invention provides the IFedAvg federated learning method. Because different aggregation methods are selected at random, malicious nodes cannot mount targeted attacks against a specific aggregation method.
(I) Framework construction
Federated learning is a distributed machine learning paradigm that enables multiple data owners to build a model jointly without sharing data, thereby solving the data silo and user privacy problems. The model framework covers the whole process of federated learning in the Internet of Things scenario. The Internet of Things comprises various intelligent devices, in settings such as the Internet of Vehicles, the Internet of Ships, the Industrial Internet of Things and the Medical Internet of Things, and these devices need to have storage and computing capabilities. Examples are smart watches, smart vehicles, drones and cell phones, which are essentially operated by humans to participate in federated learning; the operator is the user in federated learning. The roles in the model of the present invention mainly include task publishers, verifiers and trainers, and the framework of the model is shown in FIG. 1.
The roles in FIG. 1 are as follows:
1) Task publisher: the initiating node of the federated learning task, which issues tasks and training parameters by publishing a task block. In each iteration it is responsible for updating the parameters and issuing the updated task block.
2) Trainer: a training node of the federated learning task, which receives the task block issued by the task publisher, trains a local model using local data according to the information in the task block, and then sends the local model parameters to a verifier.
3) Verifier: a verification node that verifies the local model parameters broadcast by other trainers, packages the verified local model parameters and uploads them to the blockchain. The verifiers of each round constitute the consensus committee for that round. The consensus committee verifies the local model parameters and packages the verified local model parameters onto the chain.
As shown in fig. 1, the specific workflow of the framework of the present invention is as follows:
A1, judging whether the federated learning process has reached the number of iterations or the model accuracy has reached the threshold; if yes, exiting the learning process; otherwise, the task publisher uploads the task block, and the task information is stored in the task block;
A2, the trainer receives the task block (namely, the current latest task block);
A3, the trainer trains a local model using local data according to the information in the task block;
A4, after training, the trainer sends the local model parameters to a verifier;
A5, the verifier receives the trainer's local model parameters and verifies them;
A6, the verifier packages the verified local model parameters and uploads them to the chain (the local model parameters are verified as follows: verifiers upload the model accuracy they measured, and when the number of these verifiers reaches two thirds of the number of verifiers in the consensus committee, the median of the accuracies is taken as the local model accuracy);
A7, the task publisher downloads the local model parameters submitted by other verifiers from the blockchain and aggregates them with the aggregation method HBlend provided by the invention to form the global model parameters (these provide the data with which the task publisher publishes a new task in step A1, generating a new task block for the trainers to use in the next round);
A8, updating the consensus committee for the next round of local model verification according to the local model accuracy of the verifiers, and returning to step S1.
(II) Constructing blocks
The blockchain in the framework model of the invention needs to store various kinds of information, such as global model parameters, local model parameters and verifier information, in two kinds of blocks: task blocks, shown in FIG. 2, and local model blocks, shown in FIG. 3.
In fig. 2 and 3: each block consists of a Header and a Body, the Header mainly comprising four fields: 1) ;2)/> ;3)/> ;4) />. When a new block is added, the blockchain verifies the validity of the new block and the previously included block. Specifically, assume that the field of the previous block is And->The fields in the new block areAnd->The new block must meet the following constraints:
The Body of the task block contains the global model parameters; each time a round of model aggregation is completed, a new block of this type is generated to provide the global model parameters for the next round of iteration. The Body of the local model block contains the verifier that packaged the block, the model accuracy and the local model parameters.
(III) Consensus committee mechanism
The present invention employs a consensus committee mechanism to select verifiers; every trainer has the opportunity to become a verifier during the initial phase of the task. Because verifiers are paid after verification, they participate actively in the verification work. As for selecting verifiers, directly designating them would result in centralization. In the consensus committee mechanism of the present invention, all trainers can participate in verification at the initial stage, which solves the centralization problem. As shown in FIG. 4, after each round of federated learning iteration, the consensus committee of the next round is elected; that is, after each round of model training and aggregation, the verifiers with low local model accuracy are removed from the current round's consensus committee. As the consensus committee is continuously optimized, the verification effect improves, the committee is continuously streamlined, and the required verification time naturally decreases. The relevant parameters are shown in Table 1.
Table 1 consensus committee election parameters table
The consensus committee election (i.e., selecting verifiers using the consensus committee mechanism) proceeds as follows:
b1, after the federal learning task is released, the IOT equipment can participate in the training task as a trainer, and the trainer set is set asTrainee->
B2, initial stage, all trainersAre qualified as verifiers, which constitute a committee for consensus. Is provided with->Indicate->Wheel consensus committee,>. Verifiers in the Committee participate in training of the local model and verify the local model parameters sent by other trainers, the verifiers are noted as
B3, the firstThe round validators are ranked from small to large according to the accuracy of the local model. After local model verification is selected from the consensus committee of each round, the accuracy of the local model is lower than +.>Is the lowest in accuracy of the verifier of (a)>The individual validators put into the collection->Middle (/ -)>A local model accuracy threshold for a verifier). />Indicate->Wheel malicious node set,/->Indicate->Wheel (S)>Malicious node->
B4 slave ofRemove the set->Malicious node in (1), get the optimized consensus committee +.>
B5, whenTime (+)>Threshold for number of iterations) or model accuracy reaches a threshold +.>Turning to step B3; otherwise, the consensus committee election is ended.
All participating trainers have the opportunity to participate in verifying local model parameters, increasing the decentralization ability of the model. The time required for the committee to verify is a verification time and a consensus time. Assuming that the verification time of each verifier is the same, it is noted asLet consensus time be recorded as +.>The following steps are:
where is the time for the verifier to send a request to the task publisher and the time for the task publisher to send a pre-prepare message to the verifier; is the time for the verifier to send a prepare message to the task publisher and the time for the task publisher to broadcast the prepare message to the verifiers; is the time for the verifier to send the commit message to the task publisher and the time for the task publisher to broadcast the commit message to the verifiers. Each time term depends on network delay and bandwidth and on message size and number, assuming that the time required by each verifier is the same. The times of the three phases of the consensus process are respectively and , and the total consensus time is . Thus, the total time required for the consensus committee to verify can be calculated as:
From the above-mentioned consensus committee update process, it can be seen thatThen->. From the above, it can be seen that, with the continuous optimization of the committee, the verification time required by the committee is also continuously reduced.
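The verification rule of step A6 and one election round of steps B3 and B4, as an added example that is not code from the patent. The names `threshold` and `a`, the verifier ids and the accuracy values are assumptions, because the patent's own symbols and Table 1 are missing from this page.

```python
import statistics


def verified_accuracy(reports, committee):
    """Accuracy recorded for one trainer's local model (step A6).

    reports maps verifier id -> accuracy that verifier measured for the model.
    Returns the median once at least two thirds of the committee has reported,
    otherwise None (the model is not packaged yet).
    """
    votes = [acc for v, acc in reports.items() if v in committee]  # ignore non-members
    if 3 * len(votes) < 2 * len(committee):
        return None
    return statistics.median(votes)


def update_committee(committee, own_accuracy, threshold, a):
    """One election round (steps B3-B4).

    Rank verifiers by their own local model accuracy, ascending, and flag at
    most `a` of those below `threshold`; the rest form the next committee.
    """
    ranked = sorted(committee, key=lambda v: own_accuracy[v])
    flagged = [v for v in ranked if own_accuracy[v] < threshold][:a]
    return [v for v in committee if v not in flagged], flagged


def run_election(committee, accuracy_per_round, threshold, a):
    """Apply update_committee once per round and keep the committee history."""
    history, flagged_per_round = [list(committee)], []
    for own_accuracy in accuracy_per_round:
        committee, flagged = update_committee(committee, own_accuracy, threshold, a)
        history.append(committee)
        flagged_per_round.append(flagged)
    return history, flagged_per_round


# Constructed sample data: six verifiers, two of them with poor local models.
COMMITTEE = ["v1", "v2", "v3", "v4", "v5", "v6"]
OWN_ACC = {"v1": 0.91, "v2": 0.88, "v3": 0.35, "v4": 0.90, "v5": 0.52, "v6": 0.87}
# Five verifiers report on one honest trainer's model; v3 reports a false low score.
REPORTS = {"v1": 0.90, "v2": 0.89, "v3": 0.10, "v4": 0.91, "v6": 0.90}

if __name__ == "__main__":
    print("recorded accuracy:", verified_accuracy(REPORTS, COMMITTEE))
    history, flagged = run_election(COMMITTEE, [OWN_ACC] * 3, threshold=0.6, a=1)
    for rnd, (members, out) in enumerate(zip(history[1:], flagged), start=1):
        print(f"round {rnd}: removed {out}, committee size {len(members)}")
```

Because the recorded accuracy is a median over a two-thirds quorum, a single dishonest report such as v3's does not move it, and the committee shrinks by at most `a` members per round.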
(IV) Federated learning
The invention designs a federated learning method, called the IFedAvg algorithm, whose core is how to discard the malicious local model parameters of malicious nodes. The hybrid aggregation method HBlend in this method includes: IMedian (Improved Median), ITrimmedMean (Improved TrimmedMean) and IFaba (Improved Faba).
Book verified by consensus committeeGround model parameter set,/>Is the tensor of the parameters of trainer n. Let the training set uploading these parameters be +.>。/>Representation->Is the nth trainer in the above. The total number of training persons is->Wherein the number of malicious nodes is +.>Needs to meet->
The polymerization method HBlend designed by the invention needs to generate a random number during each round of polymerizationFirst->The polymerization method employed in the wheel is according to ∈ ->Selecting one of IMedian (), ITrimedMean () and IFaba (), and aggregating to obtain global model parameter +.>
Representation->Go up to->Tensor element, let->. Before the execution of the polymerization process, for->Ordering to obtain->,/>For the ordered local model parameters, +.>。/>Representing the ordered set of local model parameters, +.>. Due to->Through sequencing, the aggregation method is not required to be sequenced when being executed, so that the aggregation method is simpler and faster to operate.
IMedian() The method generates a median of a set of local model parameters. In particular, that is to say, takingThe median of (a) as a result of aggregating global model parameters +.>
ITrimmedMean() The statistical pruning average algorithm is transplanted to federal learning and each of the local model parameters is processed independently. From the slaveDelete head and tail respectivelyfObtaining the result of aggregating global model parameters>
IFaba() The method is a dynamic aggregation method for dynamically removing malicious local model parameters, and comprises the following detailed implementation steps:
C1, set the initial value of $f$ to 0;
C2, compute the mean of the local model parameter list $G_d$;
C3, remove from $G_d$ the local model parameter that differs most from the mean, regard the trainer that submitted it as a malicious node, remove that trainer from the set $P$, and set $f = f + 1$. The expression is:
where the removed parameter is the local model parameter that differs most from the mean;
C4, if the threshold has not yet been reached, go to step C2; otherwise go to step C4, which indicates that the threshold on the number of malicious nodes tolerated under Byzantine fault tolerance has been reached;
C5, take the final mean as the aggregated global model parameter, as follows:
As shown in Fig. 5, the federated learning algorithm is implemented as follows:
Step 1, a federated learning task is issued; after training and verification within the framework of this embodiment, a batch of local model parameters to be aggregated is uploaded.
Step 2, after the aggregation task is initiated, Algorithm 1 is called.
Step 3, Algorithm 1 calls Algorithm 2 to update the local model parameters.
Step 4, Algorithm 1 calls Algorithm 3 to perform robust secure aggregation: once all local model parameters have been collected, the aggregation task calls Algorithm 3 to aggregate them, finally forming the global model.
Step 5, determine whether $r$ is 0; if $r$ is 0, go to Step 6; otherwise go to Step 7.
Step 6, call the Algorithm 4 aggregation method IMedian() to complete one round of aggregation.
Step 7, determine whether $r$ is 1; if $r$ is 1, go to Step 8; otherwise go to Step 9.
Step 8, call the Algorithm 5 aggregation method ITrimmedMean() to complete one round of aggregation.
Step 9, call the Algorithm 6 aggregation method IFaba() to complete one round of aggregation.
The specific FedAvg algorithm is shown as Algorithm 1 in Table 2.
Table 2 Algorithm 1 - FedAvg algorithm
Algorithm 1 describes the FedAvg algorithm of the invention. The specific implementation steps are as follows:
F1, initialize the global model weights;
F2, after receiving the global parameters, the trainer trains a local model using its local data;
F3, the trainer uploads the local model parameters, which are aggregated into the global model parameters;
F4, repeat steps F1-F3 until the number of iterations reaches $\Gamma$ or the model accuracy reaches the threshold $\varepsilon$.
Table 3 Algorithm 2 - Client model update
Algorithm 2 updates the trainer model. Its inputs denote, respectively, the trainer's local training data, the subsets into which the local data is divided, and the local training epochs; these are set by the trainer. Within the framework of the invention, Algorithm 2 represents the process by which a trainer trains the local model. Algorithm 1 invokes Algorithm 2, and the trainer trains the local model using its local data after receiving the global parameters. After training, the trainer broadcasts the local model parameters.
The HBlend algorithm is shown as Algorithm 3 in Table 4.
Table 4 Algorithm 3 - HBlend algorithm
Algorithm 3 shows the hybrid aggregation rule of the framework of the invention. Federated learning is a decentralized system that can collect vast amounts of data. Because user behavior is not controlled, malicious nodes may deliberately upload false models to affect the convergence and output of the model. The invention designs a hybrid aggregation rule that copes better with various attacks by randomly selecting among three optimized aggregation methods. Algorithm 3 generates a random number $r$ and uses it to randomly select one of the aggregation methods IMedian, ITrimmedMean or IFaba; once the method has been selected, Algorithm 3 to Algorithm 5 is invoked. The time complexity of Algorithm 3 is calculated as follows: lines 1 and 2 are executed only once; lines 3-8 form an if-else structure that selects one of the aggregation functions IMedian(), ITrimmedMean() and IFaba() according to $r$, and the complexity of Algorithm 3 therefore follows from the time complexity of those functions.
Table 5 Algorithm 4
The core idea of Algorithm 4 is to compute the median in each dimension and then aggregate the results into the global model parameters. In dimension $d$, the median of $G_d$ is taken as the scalar of the global model parameters in dimension $d$, and this scalar is computed for every dimension; $n$ is the total number of local model parameters. The time complexity of Algorithm 4 is calculated as follows: the if statement in lines 3-7 is executed only once and, because $G_d$ is already sorted, the median only needs to be read from the array by position and assigned; the assignment in line 9 has to traverse the medians of all dimensions and store them in the global model parameters. Together these give the complexity of Algorithm 4.
Table 6 Algorithm 5
Algorithm 5 sorts the data in dimension $d$, removes $f$ values from each of the two ends, and then uses the mean of the remaining data in dimension $d$ as the scalar for that dimension; this scalar is computed for every dimension; $n$ is the total number of local model parameters. The time complexity of Algorithm 5 is calculated from the loop in line 2, the deletion of elements in line 3, the computation of the mean in line 4, and the assignment in line 6, which has to traverse the means of all dimensions and store them in the global model parameters. Together these give the complexity of Algorithm 5.
Table 7 Algorithm 6
The core idea of Algorithm 6 is to compute the mean of the scalars in each dimension and then remove the scalar that differs most from that mean; the mean of the remaining scalars is then computed again, and the scalar that differs most from this new mean is removed in turn. This loop continues until the number of removed scalars reaches the number of all Byzantine workers; the final mean is taken as the scalar for that dimension, and this scalar is computed for every dimension. The time complexity of Algorithm 6 is calculated from the loop in line 2, the loop in line 3, the loops in lines 4-5 inside the for loop, and the assignment in line 9, which has to traverse all the values and store them in the global model parameters. Together these give the complexity of Algorithm 6.
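The hybrid rule of Algorithms 3 to 6 above, as an added Python example (not the patent's own code): each dimension is sorted once, then IMedian, ITrimmedMean or IFaba is applied according to $r$. It assumes that IFaba stops after `f` removals, that `f` is supplied by the caller, and that per-trainer drop counts are returned instead of editing $P$; the function names, `SAMPLE` and the finite-value check are likewise assumptions of this example.

```python
import math
import secrets
from collections import Counter
from statistics import fmean


def sort_dimensions(X):
    """G_d for every dimension d: (value, trainer index) pairs sorted by value."""
    return [sorted((x[d], n) for n, x in enumerate(X)) for d in range(len(X[0]))]


def imedian(g):
    """Algorithm 4: median of the already sorted dimension G_d."""
    mid = len(g) // 2
    return g[mid][0] if len(g) % 2 else (g[mid - 1][0] + g[mid][0]) / 2


def itrimmed_mean(g, f):
    """Algorithm 5: drop f values at each end of G_d and average the rest."""
    return fmean(v for v, _ in g[f:len(g) - f])


def ifaba(g, budget):
    """Algorithm 6: `budget` times, drop the value farthest from the current mean.

    G_d is sorted, so the farthest value is always the first or last survivor,
    and a running sum makes each removal O(1).
    Returns (mean of the survivors, indices of the trainers that were dropped).
    """
    lo, hi = 0, len(g) - 1
    total = sum(v for v, _ in g)
    dropped = []
    for _ in range(budget):
        mean = total / (hi - lo + 1)
        if mean - g[lo][0] > g[hi][0] - mean:
            victim, lo = g[lo], lo + 1
        else:
            victim, hi = g[hi], hi - 1
        total -= victim[0]
        dropped.append(victim[1])
    return total / (hi - lo + 1), dropped


def hblend(X, f, r=None):
    """Algorithm 3: draw r in {0, 1, 2} and aggregate every dimension with it.

    X: Z equal-length parameter vectors (flattened tensors), one per trainer.
    f: assumed number of malicious trainers, f <= Z/3.
    Returns (omega, r, Counter of how often IFaba dropped each trainer).
    """
    Z = len(X)
    if Z == 0 or any(len(x) != len(X[0]) for x in X):
        raise ValueError("need at least one vector, all of equal length")
    if not 0 <= 3 * f <= Z:
        raise ValueError("f must satisfy 0 <= f <= Z/3")
    for n, x in enumerate(X):
        # Assumption (not from the page): NaN/inf would corrupt the sort, reject.
        if not all(math.isfinite(v) for v in x):
            raise ValueError(f"trainer {n} uploaded a non-finite parameter")
    if r is None:
        r = secrets.randbelow(3)  # assumption: the page only says "random number"
    omega, flagged = [], Counter()
    for g in sort_dimensions(X):
        if r == 0:
            omega.append(imedian(g))
        elif r == 1:
            omega.append(itrimmed_mean(g, f))
        else:
            value, dropped = ifaba(g, f)
            omega.append(value)
            flagged.update(dropped)
    return omega, r, flagged


# Constructed sample: six honest trainers near (0.5, -0.2), three malicious ones.
HONEST = [[0.50, -0.20], [0.52, -0.18], [0.48, -0.22],
          [0.51, -0.21], [0.49, -0.19], [0.50, -0.20]]
MALICIOUS = [[10.0, 7.5], [-8.0, 6.0], [12.0, -9.0]]  # trainers 6, 7, 8
SAMPLE = HONEST + MALICIOUS

if __name__ == "__main__":
    print("plain mean:", [fmean(col) for col in zip(*SAMPLE)])
    for r in (0, 1, 2):
        omega, _, flagged = hblend(SAMPLE, f=3, r=r)
        print(r, [round(w, 4) for w in omega], dict(flagged))
```

On the constructed sample the plain mean of dimension 0 is about 1.89, while all three rules return a value within 0.01 of the honest 0.5.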
(V) Effect verification
A framework simulating the federated learning aggregation process was built in PyCharm, and comparative experiments and result analysis were carried out with different aggregation methods, attack modes and node distribution graphs.
(51) Parameter setting
This embodiment is verified in a Byzantine environment. The experiment aggregates the model weights uploaded by a set of nodes made up of honest nodes and malicious nodes. Robustness is evaluated on a softmax regression task, with MNIST as the dataset.
MNIST: the dataset comes from the National Institute of Standards and Technology and comprises 60000 handwritten digit training images of the digits 0 to 9. The training set consists of digits written by 250 different people, 50% of whom were high school students and 50% staff of the Census Bureau; the test set is handwritten digit data in the same proportions.
The specific experimental parameter settings are shown in Table 8. All image data is distributed evenly to each worker, squared-norm regularization with a coefficient of 0.01 is used, (representing the time stamp of the training), and the batch size is 32. The local data distribution takes the forms I.I.D. (independent and identically distributed) and NON-I.I.D. (non-independent and identically distributed), respectively.
Table 8 experimental parameter set table
This embodiment mainly considers the following attacks on federated learning aggregation:
1) Gaussian: a model attack in which a malicious node adds Gaussian noise when updating its local model, thereby affecting the convergence and performance of the global model. It is an untargeted attack that aims to destroy the accuracy of the federated learning model.
2) Sign-flipping: a data attack in which malicious nodes randomly or selectively modify some of the sample labels in the local dataset, thereby affecting the generalization ability and accuracy of the global model. It is an untargeted attack that aims to destroy the accuracy of the federated learning model.
3) Isolation: a model attack in which malicious nodes interfere with or disrupt the training process of the global model by modifying their own local model or data. Its purpose is to make the global model unable to classify certain classes of data correctly, thereby reducing the accuracy and generalization ability of the model.
4) Sample-duplicate: a model attack in which malicious nodes influence the global model by copying or modifying their own local data. Malicious nodes may add samples with specific labels or features to the local data, causing the global model to develop a preference for, or to misjudge, those labels or features.
(52) Experimental results
Table 9 shows the accuracy of the final aggregated global model for the various aggregation methods, with I.I.D. data partitioning and the Two-Castle node distribution, under Gaussian, Sign-flipping, Isolation and Sample-duplication attacks respectively.
TABLE 9 I.I.D. case accuracy based on TWO-CASTLE node distribution
In Table 9, the aggregation rule refers to how the weights or parameters of multiple nodes are combined in distributed optimization to reach the optimization goal. The attack mode refers to the possibility that, in distributed optimization, some malicious nodes deliberately send wrong or random weights or parameters to disrupt the optimization process. The Two-Castle node distribution graph has two dimensions: the number of communication rounds and the accuracy. The number of communication rounds is the number of times each participant needs to exchange model weights with the central server during federated learning. Accuracy is the prediction accuracy of the federated learning model on the test set.
As can be seen from Table 9, the Blend (hybrid aggregation) method proposed by the invention has good accuracy under these four attacks, and the accuracy of the resulting model is also higher than that of the other models.
Table 10 shows the accuracy of the final aggregated global model for the various aggregation methods, with NON-I.I.D. data partitioning and the Two-Castle node distribution, under Gaussian, Sign-flipping, Isolation and Sample-duplication attacks respectively.
TABLE 10 accuracy of TWO-CASTLE node distribution based in NON-I.I.D. cases
There are two basic types of data partitioning in federated learning: I.I.D. and NON-I.I.D. I.I.D. means that the data of each client is sampled independently from the same distribution, so each client has similar data characteristics and label distribution. NON-I.I.D. means that the data of each client is sampled from different distributions, so each client has different data characteristics and label distributions.
As can be seen from Table 10, except under the sample-duplication attack, the Blend method is superior to the other methods in the other cases; under the sample-duplication attack, the accuracy of the model trained by the Blend method is relatively high, and the Blend method is generally more robust.

Claims (5)

1. A dual defense method based on blockchain and federated learning, in which federated learning is carried out and a model framework is built in an Internet of Things scenario, the roles in the model framework mainly comprising task publishers, verifiers and trainers: the task publisher is the initiating node of the federated learning task; the trainer is a training node of the federated learning task; the verifier is a verification node that verifies the local model parameters sent by other trainers; the method being characterized by comprising the following steps:
S1, judging whether the federated learning process has reached the number of iterations $\Gamma$ or the model accuracy has reached the threshold $\varepsilon$, and if so, exiting the learning process; otherwise, the task publisher uploads the task block and stores the information of the task in the task block;
S2, the trainer receives a task block, the task block being the current latest task block;
S3, the trainer trains a local model using local data according to the information in the task block;
S4, after training is completed, the trainer sends the local model parameters to a verifier;
S5, the verifier receives the local model parameters of the trainer and verifies them through a consensus committee mechanism;
S6, the verifier packages the local model parameters that pass verification and puts them on the chain;
S7, the task publisher downloads the local model parameters submitted by other verifiers from the blockchain and uses the HBlend aggregation method to form the global model parameters, the global model parameters being the data with which the task publisher publishes a new task;
in the HBlend aggregation method, a random number $r \in \{0, 1, 2\}$ is generated in each aggregation round, the processing method adopted in round $i$ is selected according to $r$, and the global model parameters $\omega$ are obtained by aggregation, the expression being as follows:
wherein $x_{nd}$ denotes the $d$-th tensor element of $x_n$; let $X_d = \{x_{1d}, x_{2d}, \dots, x_{nd}\}$, $x_n$ being the parameter tensor of trainer $n$; before the aggregation method is executed, $X_d$ is sorted to obtain $G_d = [g_{1d}, g_{2d}, \dots, g_{nd}]$, where $g_{nd} \in G_d$ are the sorted local model parameters; $G$ denotes the set of sorted local model parameters, $G = \{G_d \mid d = 1, 2, \dots, R\}$;
wherein IMedian() denotes producing the median of a set of local model parameters, taking the median of $G_d$ as the result of aggregating the global model parameters;
wherein ITrimmedMean() denotes deleting $f$ parameters from each of the head and the tail of $G_d$ to obtain the result of aggregating the global model parameters;
wherein IFaba() denotes dynamically removing malicious local model parameters, the detailed steps being as follows:
SC1, setting the initial value of $f$ to 0;
SC2, calculating the mean of the local model parameter list $G_d$;
SC3, removing from $G_d$ the local model parameter that differs most from the mean, regarding the trainer that submitted it as a malicious node, removing that trainer from the set $P$, and setting $f = f + 1$;
SC4, if $f$ is not less than $Z/3$, going to step SC2; otherwise, going to step SC4, indicating that the threshold on the number of malicious nodes for Byzantine tolerance has been reached;
SC5, selecting the resulting mean as the aggregated global model parameter;
S8, updating the consensus committee for the next round of local model verification according to the local model accuracy of the verifiers, and returning to step S1.
2. The dual defense method based on blockchain and federated learning of claim 1, wherein the blockchain in the model framework can store a variety of information, the blockchain comprising: a task block and a local model block;
the task block and the local model block are each composed of a Header and a Body, and the Header comprises four fields: index, hash, previous_hash, timestamp; when a new block is added, the blockchain verifies the validity of the new block and the previously included block;
the Body of the task block comprises model parameters; a new task block is generated after each round of model aggregation is completed and provides the global model parameters for the next round of iteration;
the Body of the local model block contains the verifier, the model accuracy and the local model parameters.
3. The dual defense method according to claim 2, wherein when the blockchain verifies the validity of the new block and the previously included block, the new block must satisfy the following constraints:
$\mathrm{index}_c = \mathrm{index}_p + 1$
$\mathrm{previous\_hash}_c = \mathrm{hash}_p$
$\mathrm{timestamp}_c > \mathrm{timestamp}_p$
wherein $\mathrm{index}_p$, $\mathrm{hash}_p$ and $\mathrm{timestamp}_p$ are fields of the previous block, and $\mathrm{index}_c$, $\mathrm{previous\_hash}_c$ and $\mathrm{timestamp}_c$ are fields of the new block.
4. The dual defense method based on blockchain and federated learning of claim 1, wherein in step S5 a consensus committee mechanism is used to select verifiers, and the steps of verifying local model parameters are as follows:
SB1, after the federated learning task is released, IoT devices participate in the training task and serve as trainers; the trainer set is denoted $M$, with trainer $m \in M$;
SB2, in the initial stage, all trainers $m$ qualify as verifiers, and the verifiers form a consensus committee; let $V_i$ denote the consensus committee of round $i$, $K_i = |V_i|$, $i \ge 0$; verifiers in the committee participate in training the local model and verify the local model parameters sent by other trainers, the verifiers being denoted $v_{ij} \in V_i$, $j = 1, 2, \dots, K_i$;
SB3, the verifiers of round $i$ are sorted by local model accuracy in ascending order to obtain $\{v_{i1}, v_{i2}, \dots, v_{iK_i}\}$; after local model verification in each round, the $a$ verifiers with the lowest accuracy among those whose local model accuracy is lower than $\delta$ are selected from the consensus committee and put into the set $F_i$, where $F_i$ denotes the set of malicious nodes of round $i$, $F_i = \{v_{i1}, v_{i2}, \dots, v_{ia}\}$, and $v_{ia}$ denotes the $a$-th malicious node of round $i$; $\delta$ is the verifier's local model accuracy threshold;
SB4, removing the malicious nodes in the set $F_i$ from $V_i$ to obtain the optimized consensus committee $V_{i+1}$:
$V_{i+1} = V_i - F_i$
SB5, when $i < \Gamma$ or the model accuracy reaches the threshold $\varepsilon$, $i$++, go to step SB3, $\Gamma$ being the threshold of the number of iterations; otherwise, the consensus committee election is ended.
5. The dual defense method based on blockchain and federated learning according to claim 4, wherein in step S6 the set of local model parameters verified by the consensus committee is $X = \{x_1, x_2, \dots, x_n\}$, $x_n$ being the parameter tensor of trainer $n$; the set of trainers that uploaded these parameters is $P = \{p_1, p_2, \dots, p_n\}$, $p_n$ denoting the $n$-th trainer in $P$; the total number of trainers is $Z = |P|$, of which the number of malicious nodes is $f$, with $f \le Z/3$.
CN202310814388.8A 2023-07-05 2023-07-05 Dual defense method based on blockchain and federal learning Active CN116541831B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310814388.8A CN116541831B (en) 2023-07-05 2023-07-05 Dual defense method based on blockchain and federal learning

Publications (2)

Publication Number Publication Date
CN116541831A CN116541831A (en) 2023-08-04
CN116541831B true CN116541831B (en) 2023-10-13

Family

ID=87443927

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310814388.8A Active CN116541831B (en) 2023-07-05 2023-07-05 Dual defense method based on blockchain and federal learning

Country Status (1)

Country Link
CN (1) CN116541831B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant