CN116644433A - Data privacy and model safety test method for longitudinal federal learning - Google Patents

Abstract

The invention discloses a data privacy and model safety test method for longitudinal federal learning, which is applied to the technical field of safety of artificial intelligent distributed federal learning. The label reasoning attack step tests the privacy protection capability of a longitudinal federal learning algorithm and a corresponding defense method on label information by implementing a simple and efficient intermediate result replacement method designed by us. And in the back door attack step, a hidden and efficient back door attack method is realized by designing a trigger, enhancing the back door and adjusting the learning rate, so that the model security risk of a longitudinal federal learning algorithm and a corresponding defense method is tested.

Description

A data privacy and model security testing method for longitudinal federated learning

technical field

The invention relates to the security technical field of artificial intelligence distributed federated learning, and more specifically relates to a data privacy and model security testing method for vertical federated learning.

Background technique

Federated learning is a distributed learning paradigm in the field of artificial intelligence, which allows multiple data owners to collaboratively train a global model without revealing their local private data. According to the data sharing mode between clients, federated learning can be divided into horizontal federated learning and vertical federated learning.

In lateral federated learning, participants use labeled datasets with the same feature space but different sample spaces. During the training process, each participant trains a local classifier through supervised learning, and sends the weights to a centralized server for aggregation and updating. In longitudinal federated learning, participants have datasets with different feature spaces but the same sample space. During the training process, each participant trains a local model through gradients from the server side, and sends the intermediate results output by the local model to the server side for aggregation. In this process, only the server holds the data label, and the server can train the final classifier through supervised learning according to the intermediate results of the aggregation. Since backdoor attacks have been extensively studied in horizontal federated learning, this invention focuses on vertical federated learning.

While the backdoor attack aims to train a backdoor model that works normally on normal input samples but misclassifies special inputs (input samples with triggers maliciously designed by the attacker) as target labels or other wrong labels . The federated learning context is ideal for an attacker acting as a participant for backdoor attacks, since the server is not allowed to inspect the participant's local data and local models. Backdoor attacks have been extensively studied in horizontal federated learning scenarios, where an attacker uploads model updates from a malicious client to a server in order to insert a backdoor in the global model.

Different from traditional federated learning, vertical federated learning brings new challenges for backdoor attacks, the most imminent challenge is the lack of access to training data labels and server models. In order to cope with these challenges, it is particularly important to design a reasonable solution to obtain target data label information, and carefully construct triggers so that the backdoor can be implanted into the black box model on the server. For this reason, we propose the present invention, which is a label inference attack and backdoor attack method for vertical federated learning. It has an effective label inference and backdoor attack strategy, and it is also for testing the privacy protection of vertical federated learning algorithms and corresponding defense methods. and model security capabilities provide a new tool.

Therefore, it is an urgent problem for those skilled in the art to propose a data privacy and model security testing method for vertical federated learning to solve the difficulties existing in the prior art.

Contents of the invention

In view of this, the present invention provides a data privacy and model security testing method for vertical federated learning, by implementing label inference attacks and backdoor attacks for vertical federated learning, to test vertical federated learning algorithms and corresponding defense methods Defensive capabilities in terms of data privacy and model security.

In order to achieve the above object, the present invention provides the following technical solutions:

A data privacy and model security testing method for longitudinal federated learning, comprising the following steps:

(1) Label inference attack step, which includes the following:

S101, the attacker participates in the training process of vertical federated learning as a malicious client;

S102, the attacker steals the label information of the data through the intermediate result replacement method;

S103. The attacker performs dynamic adjustments to carry out covert label inference attacks; in a certain round of training, given a set of samples T, a set of samples with labels is inferred through label inference attacks, and the one with the smallest return gradient is selected sample, ie For the next replacement work;

(2) backdoor attack step, this step includes the following content:

S201. Obtain label information of the data through a label inference attack;

S202, designing a trigger;

S203. Add the trigger to the batch of intermediate results with the target label, and at the same time use a random strategy to enhance the attack effect;

S204. Mix the poisoned data with other normal data, and transmit it to the server;

S205 , adjust the learning rate, update the model by using the gradient information sent back by the server; judge whether the number of training rounds required by the backdoor attack is reached, and terminate the backdoor attack if it is reached, and continue S203-S205 if not.

In the above method, optionally, in step S101, the specific steps for the attacker to participate in the training process of vertical federated learning as a malicious client are as follows:

Among them, each client transfers local data into the local model held by itself to obtain the intermediate results output by the local model, and transmits the intermediate results to the server; the server performs data aggregation on the received intermediate results, and The aggregated results are transmitted to the server-side model to obtain the final prediction result of the model; the server calculates the loss function, and performs backpropagation, and transmits the obtained gradient information to the corresponding client; The information updates the local model held by itself; the training step in S101 is repeated for several rounds until the model gradually converges.

In the above-mentioned method, optionally, in step S102, the specific steps for the attacker to steal the label information of the data through the intermediate result replacement method are as follows:

During normal training, the attacker transmits the correct intermediate results to the server And got the gradient information sent back by the server/> where f ^a is the local model held by the attacker, /> is the local data of unknown label owned by the attacker, y _i is the label of this sample, but y _i is unknown to the attacker; next time the attacker will transmit the same data again /> When sending to the server, the attacker will first perform screening work to determine whether the unknown label y _i may be the label y _t that the attacker is interested in.

The method above, optional, judges The criteria for whether the label of is the target label y _t is:

where ||·|| ₂ denotes the _L2 norm, and θ and μ are two threshold parameters.

The above method, optionally, step S102 also includes:

Use all known label data to train a binary classifier H, with target label y _t data As a positive sample, data that does not have the target label y _t /> As a negative sample; where, /> is local data known to the attacker with target label y _t , /> is local data known to the attacker that does not have the target label.

The above method, optionally, step S102 also includes:

The attacker inputs all samples in the same batch into the binary classifier for label prediction, selects the top n samples with the highest prediction results for the next intermediate result replacement, and uses the final label inference results to convert these The samples are also used in the training job of the binary classifier.

The above method, optionally, step S102 also includes:

For the samples selected by the screening work, the attacker will use other intermediate results with known labels replace /> to send to the server, and obtain the gradient information returned by the server/> where y _t is the tag information that the attacker is interested in, and /> is local data with label y _t known to the attacker.

In the above method, optionally, the specific steps of designing the trigger in step S202 are as follows:

Use a superimposed trigger E, and define the data poisoning process as:

where ⊕ represents Element-wise addition, and trigger E can be expressed as:

Among them, M is the trigger mask, the value of the trigger area is 1, and the value of other areas is 0, It is the multiplication of Element-wise, β is the parameter to control the trigger amplitude, Δ=[+δ+δ,-δ,-δ,···,+δ+

δ, -δ, -δ].

In the above method, optionally, the following two random strategies are used in step S203 to enhance the attack effect:

Random strategy Dropout and random strategy Shifing.

It can be seen from the above technical solutions that, compared with the prior art, the disclosure of the present invention provides a data privacy and model security testing method for longitudinal federated learning, which has the following beneficial effects:

(1) Test the defense capabilities of the vertical federated learning algorithm and corresponding defense methods in terms of data privacy and model security by implementing label inference attacks and backdoor attacks for vertical federated learning;

(2) The test tool includes two modules, namely the label inference attack module and the backdoor attack module, to test whether the malicious participant can successfully steal the label information and implant the backdoor for the model under the current longitudinal federated learning algorithm and defense method. to achieve malicious attacks;

(3) The label reasoning attack module tests the privacy protection ability of the vertical federated learning algorithm and corresponding defense methods for label information by implementing the simple and efficient intermediate result replacement method we designed. The backdoor attack module implements a concealed and efficient backdoor attack method by designing triggers, backdoor enhancements, and adjusting the learning rate to test the model security risks of the vertical federated learning algorithm and corresponding defense methods.

Description of drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention, and those skilled in the art can also obtain other drawings according to the provided drawings without creative work.

Fig. 1 is an example of the privacy protection and model security capabilities of the present invention testing vertical federated learning calculations and corresponding defense methods;

Fig. 2 is a schematic diagram of the workflow of the tag inference attack module of the present invention;

FIG. 3 is a schematic diagram of the workflow of the backdoor attack module of the present invention.

Detailed ways

The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

Referring to Figure 1, a data privacy and model security testing method for longitudinal federated learning includes the following steps:

(1) Label inference attack step, which includes the following:

S101, the attacker participates in the training process of vertical federated learning as a malicious client;

S102, the attacker steals the label information of the data through the intermediate result replacement method;

S103. The attacker performs dynamic adjustments to carry out covert label inference attacks; in a certain round of training, given a set of samples T, a set of samples with labels is inferred through label inference attacks, and the one with the smallest return gradient is selected sample, ie For the next replacement work;

(2) backdoor attack step, this step includes the following content:

S201. Obtain label information of the data through a label inference attack;

S202, designing a trigger;

S203. Add the trigger to the batch of intermediate results with the target label, and at the same time use a random strategy to enhance the attack effect;

S204. Mix the poisoned data with other normal data, and transmit it to the server;

S205 , adjust the learning rate, update the model by using the gradient information sent back by the server; judge whether the number of training rounds required by the backdoor attack is reached, and terminate the backdoor attack if it is reached, and continue S203-S205 if not.

Further, in step S101, the specific steps for the attacker to participate in the training process of vertical federated learning as a malicious client are as follows:

Among them, each client transfers local data into the local model held by itself to obtain the intermediate results output by the local model, and transmits the intermediate results to the server; the server performs data aggregation on the received intermediate results, and The aggregated results are transmitted to the server-side model to obtain the final prediction result of the model; the server calculates the loss function, and performs backpropagation, and transmits the obtained gradient information to the corresponding client; The information updates the local model held by itself; the training step in S101 is repeated for several rounds until the model gradually converges.

Furthermore, in step S102, the specific steps for the attacker to steal the label information of the data through the intermediate result replacement method are as follows:

During normal training, the attacker transmits the correct intermediate results to the server And got the gradient information sent back by the server/> where f ^a is the local model held by the attacker, /> is the local data of unknown label owned by the attacker, y _i is the label of this sample, but y _i is unknown to the attacker; next time the attacker will transmit the same data again /> When sending to the server, the attacker will first perform screening work to determine whether the unknown label y _i may be the label y _t that the attacker is interested in.

Further, judge The criteria for whether the label of is the target label y _t is:

where ||·|| ₂ denotes the _L2 norm, and θ and μ are two threshold parameters.

Furthermore, step S102 also includes:

Use all known label data to train a binary classifier H, with target label y _t data As a positive sample, data that does not have the target label y _t /> as a negative sample. where, /> is local data known to the attacker with target label y _t , /> is local data known to the attacker that does not have the target label.

Still further, step S102 also includes:

The attacker inputs all samples in the same batch into the binary classifier for label prediction, selects the top n samples with the highest prediction results for the next intermediate result replacement, and uses the final label inference results to convert these The samples are also used in the training job of the binary classifier.

Further, step S102 also includes:

For the samples selected by the screening work, the attacker will use other intermediate results with known labels replace /> to send to the server, and obtain the gradient information returned by the server/> where y _t is the tag information that the attacker is interested in, and /> is local data with label y _t known to the attacker.

Furthermore, the specific steps of designing the trigger in step S202 are as follows:

Use a superimposed trigger E, and define the data poisoning process as:

where ⊕ represents Element-wise addition, and trigger E can be expressed as:

Among them, M is the trigger mask, the value of the trigger area is 1, and the value of other areas is 0, It is the multiplication of Element-wise, β is the parameter to control the trigger amplitude, Δ=[+δ+δ,-δ,-δ,···,+δ+

δ, -δ, -δ].

Further, in step S203, the following two random strategies are adopted to enhance the attack effect:

Random strategy Dropout and random strategy Shifing.

Referring to Figure 2, the label inference attack module includes the following steps:

S101. The attacker participates in the training process of vertical federated learning as a malicious client:

Among them, each client transfers local data into the local model held by itself to obtain the intermediate results output by the local model, and transmits the intermediate results to the server; the server performs data aggregation on the received intermediate results, and The aggregated results are transmitted to the server-side model to obtain the final prediction result of the model; the server calculates the loss function, and performs backpropagation, and transmits the obtained gradient information to the corresponding client; The information updates the local model held by itself; the above steps are repeated for several rounds until the model gradually converges.

S102. The attacker performs an intermediate result replacement method to steal the label information of the data, which specifically includes the following steps:

During normal training, the attacker transmits the correct intermediate results to the server And got the gradient information sent back by the server/> where f ^a is the local model held by the attacker, /> is the local data of the unknown label owned by the attacker, and y _i is the label of the sample, but y _i is unknown to the attacker.

At the next time the attacker will send the same data again When sending to the server, the attacker will first perform screening work to determine whether the unknown label y _i may be the label y _t that the attacker is interested in, which specifically includes the following steps:

(1) Use the data of all known labels to train a binary classifier H, the data with the target label y _t As a positive sample, data that does not have the target label y _t /> as a negative sample. where, /> is local data known to the attacker with target label y _t , /> is local data known to the attacker that does not have the target label.

(2) The attacker inputs all samples in the same batch to the binary classifier H for label prediction, selects the top n samples with the highest prediction results given by H to perform the next intermediate result replacement work, and uses the final label Inferring the results, these samples are also used in the training work of the binary classifier H.

For the samples selected by the screening work, the attacker will use other intermediate results with known labels replace /> to send to the server, and obtain the gradient information returned by the server/> where y _t is the label information that the attacker is interested in, that is to say, the attacker wants to know which data has the label y _t , and /> is local data with label y _t known to the attacker.

Comparing the gradient changes before and after the replacement, it is determined by the formula (1) (2) Is the label of is the target label y _t :

where ||·|| ₂ denotes the _L2 norm, and θ and μ are two threshold parameters.

S103. In order to avoid repeated use of static With label swapping resulting in an alert from the server, the attacker will make dynamic adjustments for covert label inference attacks. In a certain round of training, given a set of samples T, it is a set of samples inferred to have the label y _t through the label inference attack, and the sample with the smallest return gradient is selected, that is, for subsequent replacement work.

Shown in Fig. 3 with reference to, backdoor attack module, this module comprises the following steps:

S201. Construct a trigger: use a superimposed trigger E, and define the data poisoning process as:

where ⊕ represents Element-wise addition, and trigger E can be expressed as:

Among them, M is the trigger mask, the value of the trigger area is 1, and the value of other areas is 0, It is the multiplication of Element-wise, β is the parameter to control the trigger amplitude, Δ=[+δ+δ,-δ,-δ,···,+δ+

δ, -δ, -δ] (every two positive values are followed by two negative values, and every two negative values are followed by two positive values until termination). It should be noted that here is to directly add the trigger to the intermediate result on, rather than the original data sample. Because the attacker, as a client participant of vertical federated learning, only needs to upload the intermediate result to the server, and the attacker can superimpose the trigger on the intermediate result, which can realize a more effective backdoor attack.

S202. Backdoor injection in vertical federated learning is more difficult than ordinary backdoors, because attackers cannot control intermediate results from other benign participants. To enhance backdoor injection, the present invention introduces randomness into poisoned data during training to improve the performance of backdoor attacks during testing of longitudinal federated learning models. Therefore, the present invention adopts two randomization strategies for backdoor enhancement.

(1) The first random strategy Dropout: Inspired by the dropout method commonly used to alleviate the overfitting problem, in the process of implanting the backdoor, the attacker will randomly set some elements in the trigger mask to zero each time. The evaluation shows that the dropout strategy makes the backdoor attack method more robust to the trigger elimination-based backdoor defense.

(2) The second random strategy Shifing: Randomly multiply the trigger mask M by A random number γ in the range to vary the trigger amplitude slightly. where, /> is the lower limit value of the random number γ, and γ is the upper limit value of the random number γ.

S203. In the process of using gradient information to update model parameters, the attacker will appropriately increase the learning rate of the local model owned by him, and change the convergence speed of the local model, thereby enhancing the impact of the partial model held by the attacker on the final classification result. The impact of poisoned data further enhances the impact of poisoned data on the server-side model.

Taking the scenario where two client models and one server model participate in vertical federated learning as an example, the implementation process of label inference attack and backdoor attack is explained in detail, and several image data sets of MNIST, CIFAR10, ImageNette, CINIC-10 and Bank Marketing (BM), Give-Me-Some-Credit (GM) tabular data sets (structured data sets) are tested, and the corresponding models selected for each data set are shown in Table 1:

Table 1

data set server-side model client model Normal training model accuracy MNIST Layer 3 Fully Connected Network 4-layer fully connected network 94.51% CIFAR-10 Layer 3 Fully Connected Network VGG16 network 76.92% ImageNette Layer 3 Fully Connected Network VGG16 network 69.91% CINIC-10 Layer 3 Fully Connected Network VGG16 network 62.10% BM Layer 3 Fully Connected Network 4-layer fully connected network 91.98% GM Layer 3 Fully Connected Network 4-layer fully connected network 77.91%

The specific implementation includes the following steps:

Label reasoning attack module, which includes the following steps:

For MNIST, CIFAR-10, ImageNette, CINIC-10, BM, and GM, the number of samples per training batch is 128, 128, 50, 64, 100, 1000, respectively, and the number of embedding exchanges chosen is n = 14, 14, 10, 8, 6, 40. The threshold μ in the label inference attack is set as the average value of the gradient L2 norm, since the gradient L2 norm of misclassified samples is usually larger than the average value. In the implementation, it is found that μ=0.01 is suitable for different data sets. In the specific implementation, θ is 5, which is adjustable. If θ is selected to be smaller, the selection of target label samples will be stricter, but the target label samples may be ignored. .

S1. The attacker uses the intermediate result replacement method to steal the label information of the data, which specifically includes the following steps:

S101. In the normal training process, the attacker sends the correct intermediate result to the server And got the gradient information sent back by the server/> where f ^a is the local model held by the attacker, /> is the local data of the unknown label owned by the attacker, and y _i is the label of the sample, but y _i is unknown to the attacker.

S102, the attacker will transmit the same data again next time When sending to the server, the attacker will first perform screening work to determine whether the unknown label y _i may be the label y _t that the attacker is interested in, which specifically includes the following steps:

(1) Use the data of all known labels to train a binary classifier H, the data with the target label y _t As a positive sample, data that does not have the target label y _t /> as a negative sample. where, /> is local data known to the attacker with target label y _t , /> is local data known to the attacker that does not have the target label.

(2) The attacker inputs all samples in the same batch to the binary classifier H for label prediction, selects the top n samples with the highest prediction results given by H to perform the next intermediate result replacement work, and uses the final label Inferring the results, these samples are also used in the training work of the binary classifier H.

S103. For the samples selected by the screening work, the attacker will use the intermediate results of other known labels replace /> to send to the server, and obtain the gradient information returned by the server/> where y _t is the label information that the attacker is interested in, that is to say, the attacker wants to know which data has the label y _t , and /> is local data with label y _t known to the attacker.

S104, compare the gradient changes before and after replacement, and determine by formula (1)(2) Is the label of is the target label y _t :

where ||·|| ₂ denotes the _L2 norm, and θ and μ are two threshold parameters.

S2. In order to avoid repeated use of static With label swapping resulting in an alert from the server, the attacker will make dynamic adjustments for covert label inference attacks. In a certain round of training, given a set of samples T, it is a set of samples inferred to have the label y _t through the label inference attack, and the sample with the smallest return gradient is selected, that is, for subsequent replacement work.

According to the above steps, the present invention tests on various data sets, and infers labels on them. The results are shown in Table 2 below:

Table 2

data set MNIST CIFAR10 ImageNette CINIC-10 BM GM Label inference success rate 96.24% 98.11% 92.15% 98.06% 99.03% 100.00%

It can be seen that the label inference algorithm proposed by the present invention has achieved high accuracy on each data set. On MNIST, CIFAR-10, CINIC-10, BM and GM, the label inference attack accuracy is greater than 96%. On the more complex dataset ImageNette, the attack accuracy drops slightly, but is still above 92%. In addition, the label inference attack algorithm proposed in the present invention is very time-saving because it only needs one round of training (a few minutes) to infer labels, while previous label inference attacks require more time to train a semi-supervised model for subsequent inference task.

Backdoor attack module, the module includes the following steps:

For all datasets, the poisoning rate is 1%, the default value of β is 0.4 to keep the trigger hidden, and γ is set to 0.6, Set to 1.2. Choose to attack all tags to test the overall effectiveness, and the dropout ratio used is 0.75.

S1. Construct a trigger: use a superimposed trigger E, and define the data poisoning process as:

where ⊕ represents Element-wise addition, and trigger E can be expressed as:

Among them, M is the trigger mask, the value of the trigger area is 1, and the value of other areas is 0, It is the multiplication of Element-wise, β is the parameter to control the trigger amplitude, Δ=[+δ+δ,-δ,-δ,···,+δ+

δ, -δ, -δ] (every two positive values are followed by two negative values, and every two negative values are followed by two positive values until termination). It should be noted that here is to directly add the trigger to the intermediate result on, rather than the original data sample. Because the attacker, as a client participant of vertical federated learning, only needs to upload the intermediate result to the server, and the attacker can superimpose the trigger on the intermediate result, which can realize a more effective backdoor attack.

S2. To enhance the backdoor injection, the attacker introduces randomness to the poisoned data during training to improve the performance of the backdoor attack during the testing of the longitudinal federated learning model. Therefore, the attacker employs two randomization strategies for backdoor enhancement.

S201. The first random strategy Dropout: Inspired by the dropout method commonly used to alleviate the overfitting problem, in the process of implanting the backdoor, the attacker randomly resets some elements in the trigger mask to zero each time. The evaluation shows that the Dropout strategy makes this backdoor attack more robust to the elimination trigger-based backdoor defense.

S202, the second random strategy Shifing: Randomly multiply the trigger mask M by A random number γ in the range to vary the trigger amplitude slightly. where, /> is the lower limit value of the random number γ, and γ is the upper limit value of the random number γ.

S3. In the process of using gradient information to update model parameters, the attacker will appropriately increase the learning rate of the local model he owns, and change the convergence speed of the local model, thereby enhancing the impact of some models held by the attacker on the final classification result. The impact of poisoned data further enhances the impact of poisoned data on the server-side model.

Each embodiment in this specification is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same and similar parts of each embodiment can be referred to each other. As for the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and for relevant details, please refer to the description of the method part.

The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention will not be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A data privacy and model security testing method for vertical federated learning, characterized in that, comprising the following steps: (1) Label inference attack step, which includes the following: S101, the attacker participates in the training process of vertical federated learning as a malicious client; S102, the attacker steals the label information of the data through the intermediate result replacement method; S103. The attacker performs dynamic adjustments to carry out covert label inference attacks; in a certain round of training, given a set of samples T, a set of samples with labels is inferred through label inference attacks, and the one with the smallest return gradient is selected sample, ie For the next replacement work; (2) backdoor attack step, this step includes the following content: S201. Obtain label information of the data through a label inference attack; S202, designing a trigger; S203. Add the trigger to the batch of intermediate results with the target label, and at the same time use a random strategy to enhance the attack effect; S204. Mix the poisoned data with other normal data, and transmit it to the server; S205 , adjust the learning rate, update the model by using the gradient information sent back by the server; judge whether the number of training rounds required by the backdoor attack is reached, and terminate the backdoor attack if it is reached, and continue S203-S205 if not. 2. A data privacy and model security testing method for longitudinal federated learning according to claim 1, characterized in that, In step S101, the specific steps for the attacker to participate in the training process of vertical federated learning as a malicious client are as follows: Among them, each client transfers local data into the local model held by itself to obtain the intermediate results output by the local model, and transmits the intermediate results to the server; the server performs data aggregation on the received intermediate results, and The aggregated results are transmitted to the server-side model to obtain the final prediction result of the model; the server calculates the loss function, and performs backpropagation, and transmits the obtained gradient information to the corresponding client; The information updates the local model held by itself; the training step in S101 is repeated for several rounds until the model gradually converges. 3. A data privacy and model security testing method for longitudinal federated learning according to claim 1, characterized in that, In step S102, the specific steps for the attacker to steal the label information of the data through the intermediate result replacement method are as follows: During normal training, the attacker transmits the correct intermediate results to the server And got the gradient information sent back by the server/> where f ^a is the local model held by the attacker, /> is the local data of unknown label owned by the attacker, y _i is the label of this sample, but y _i is unknown to the attacker; next time the attacker will transmit the same data again /> When sending to the server, the attacker will first perform screening work to determine whether the unknown label y _i may be the label y _t that the attacker is interested in. 4. A data privacy and model security testing method for longitudinal federated learning according to claim 3, characterized in that, Step S102 also includes: Use all known label data to train a binary classifier H, with target label y _t data As a positive sample, data that does not have the target label y _t /> As a negative sample; where, /> is local data known to the attacker with target label y _t , /> is local data known to the attacker that does not have the target label. 5. A data privacy and model security testing method for longitudinal federated learning according to claim 4, characterized in that, Step S102 also includes: The attacker inputs all samples in the same batch into the binary classifier for label prediction, selects the top n samples with the highest prediction results for the next intermediate result replacement, and uses the final label inference results to convert these The samples are also used in the training job of the binary classifier. 6. A data privacy and model security testing method for longitudinal federated learning according to claim 5, characterized in that, Step S102 also includes: For the samples selected by the screening work, the attacker will use other intermediate results with known labels replace to send to the server, and obtain the gradient information returned by the server/> where y _t is the tag information that the attacker is interested in, and /> is local data with label y _t known to the attacker. 7. A data privacy and model security testing method for longitudinal federated learning according to claim 6, characterized in that, judge The criteria for whether the label of is the target label y _t is: where ||·|| ₂ denotes the _L2 norm, and θ and μ are two threshold parameters. 8. A method for testing data privacy and model security for longitudinal federated learning according to claim 1, characterized in that, The specific steps of designing the trigger in step S202 are as follows: Use a superimposed trigger E, and define the data poisoning process as: in Represents Element-wise addition, and the trigger E can be expressed as: Among them, M is the trigger mask, the value of the trigger area is 1, and the value of other areas is 0, It is the multiplication of Element-wise, β is the parameter to control the trigger amplitude, Δ=[+δ+δ,-δ,-δ,···,+δ+δ,-δ,-δ]. 9. A data privacy and model security testing method for longitudinal federated learning according to claim 1, characterized in that, In step S203, the following two random strategies are adopted to enhance the attack effect: Random strategy Dropout and random strategy Shifing.