CN116862023A - Robust federated learning abnormal client detection method based on spectral clustering

Publication number
CN116862023A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310899140.6A
Inventor
覃振权
孟维程
卢炳先
王雷
朱明�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dalian University of Technology
Original Assignee
Dalian University of Technology


Abstract

The invention belongs to the field of federated learning anomaly detection and discloses a robust federated learning abnormal client detection method based on spectral clustering. The server establishes a prediction model, calculates the cosine similarity between each local model and the prediction model, and builds an undirected graph from the result; the Laplacian matrix of the undirected graph is calculated to obtain a sample set. The server cuts the sample set with a K-means-based spectral clustering method, divides the clients into three classes, and calculates trust scores separately for the different client classes; the server also applies a behavior-based trust redemption mechanism that handles the different clients differently. By using spectral clustering, the invention divides the clients accurately and evaluates their trust; by using the behavior-based trust redemption mechanism, it dynamically adjusts each client's trust value, which avoids a client being misjudged as malicious and completely isolated from the federated learning process, makes full use of the clients' data resources, and ensures the integrity of the federated learning process and the accuracy of the global model.

Description

Robust federated learning abnormal client detection method based on spectral clustering
Technical Field
The invention relates to the field of federated learning anomaly detection, in particular to a robust federated learning abnormal client detection method based on spectral clustering.
Background
Federated Learning (FL) is an emerging learning paradigm based on decentralized data. In a federated learning scenario, multiple clients (e.g., smartphones, Internet of Things devices, edge data centers) jointly learn a machine learning model, referred to as the global model, without sharing their local training data with a cloud server. FL iteratively performs the following three steps: the server sends the current global model to the selected clients; each selected client fine-tunes the received global model on its local training data and sends a model parameter update or gradient update back to the server; the server aggregates the received model updates according to the aggregation rules and updates the global model.
Federated learning is vulnerable to poisoning: malicious clients train their local models on poisoned data and send the resulting poisoned local model updates to the server to corrupt the global model. Researchers identify malicious nodes by comparing the difference between a malicious model and a normal model, and provide defense schemes based on trust evaluation to resist malicious attacks in federated learning, thereby ensuring the accuracy of the global model.
In 2021, Xiaoyu Cao et al., in "FLTrust: Byzantine-robust Federated Learning via Trust Bootstrapping", proposed FLTrust, a Byzantine-robust federated learning method based on trust bootstrapping. The server collects a prior data set and trains a model on it to bootstrap trust, evaluates the trust of each client by comparing model similarity, and completes malicious client detection through the evaluation results and normalized model updates, which resists malicious attacks and improves overall model accuracy. In 2022, Zehui Zhang et al., in "DetectPMFL: Privacy-Preserving Momentum Federated Learning Considering Unreliable Industrial Agents", proposed DetectPMFL, a privacy-preserving momentum federated learning method with detection that considers unreliable industrial agents. The method encrypts local data with the CKKS scheme, uses cosine similarity to distinguish the industrial agents and identifies the unreliable ones on that basis, which addresses the problem that low-quality data collected by unreliable industrial agents reduces model accuracy.
In a low-density network federated learning scenario, clients are deployed sparsely, and both malicious clients and low-quality clients caused by natural faults exist; the clients need to be classified reasonably so that normal federated learning tasks can be completed and clients have the opportunity to rejoin the federated learning process. FLTrust can resist adaptive attacks by malicious clients and evaluates their trust, but it does not consider the influence of naturally faulty nodes (unreliable clients); DetectPMFL distinguishes unreliable or low-quality clients among industrial agents, but has no corresponding redemption mechanism for them to rejoin the federated learning process.
Thus, federated learning client detection mechanisms still have some drawbacks, mainly: (1) Network sparseness is not considered: in a sparse-client scenario, isolating malicious nodes can leave too few federated learning clients and degrade the performance of the global model. (2) The specifics of the scenario are not considered: client quality in federated learning is affected by multiple factors such as the environment and malicious attacks, yet malicious client detection ignores the distinction between naturally faulty nodes and malicious nodes. (3) Maximizing resource utilization is not considered: naturally faulty nodes, affected by the environment, communication conditions and the like, can be misidentified as malicious nodes, and without a corresponding redemption mechanism their data resources are wasted. These drawbacks give existing federated learning abnormal client detection methods poor generality and prevent them from making maximal use of available resources.
Disclosure of Invention
The invention aims to provide a robust federated learning abnormal client detection method based on spectral clustering to solve the above technical problems.
To achieve the above purpose, the technical scheme of the invention is as follows: a robust federated learning abnormal client detection method based on spectral clustering, comprising the following steps:
step 1, establishing a scene model;
the network model comprises 1 server and N client nodes; the server communicates with the client nodes within its communication range, the clients do not communicate with each other, each client node has the same required energy, calculation and storage resources, and the clients move within a deployment area;
in the federated learning process, each client collects data and stores it locally; the server transmits the initial model to the clients, and each client trains the initial model on its local data; the clients periodically send their model parameter values to the server, and the server establishes a global model by aggregating these model updates; the final global model is obtained through repeated iterative training;
the server is a trusted server, and the clients comprise malicious clients, faulty clients and normal clients;
step 2, detecting an abnormal client;
step 2.1), establishing a prediction model;
in the initial iteration of federated learning, every client is set to be a normal client; the server issues an initial model $\omega_0$ to the clients; after receiving the initial model, each client trains it on its own local data $Data_l$ and uploads the gradient of the trained local model to the server; the server aggregates the local models to obtain the global model $\omega_t$; the aggregation process is as follows:
where $\omega_t$ denotes the global model obtained in the t-th round of iteration, $\omega_{k,t-1}$ denotes the local model uploaded by client $k$ in round $t-1$, $n_k$ denotes the number of samples of client $k$, N denotes the sum of the number of samples of all clients, and N denotes the total number of clients;
after round $t-1$ of iteration, the server aggregates the local model gradients it has obtained into the global model $\omega_t$, which serves as the next-round prediction model $M_p$
Step 2.2), establishing a Laplacian matrix;
starting from the t-th round of training, faulty clients and/or malicious clients exist among the clients, and a Laplacian matrix of the clients is established as the basis for the spectral clustering that distinguishes the client classes;
(2.2.1) constructing an undirected graph: in the t-th round and the subsequent training process, each client receives the model issued by the server, trains a local model on its local data and uploads it to the server; after the server receives the local models uploaded by the clients, it calculates the cosine similarity $q_i$ between the gradient of each local model and the prediction model $M_p$, giving the cosine similarity set $q = \{q_1, q_2, q_3, \ldots, q_N\}$; the calculation process is as follows:
define an undirected graph $G(V, E)$, in which the local models are the vertices $V$ and $E$ is the edge matrix; calculate the similarity difference between vertex $i$ and vertex $j$ to obtain the similarity difference matrix $S$:
$S_{ij} = q_i - q_j$.
set a similarity difference threshold $\delta$ and compare the similarity difference between vertex $i$ and vertex $j$ with $\delta$; when the similarity difference does not exceed $\delta$, connect the two vertices in the undirected graph and set $E_{ij}$ and $E_{ji}$ to 1; namely:
(2.2.2) adjacency matrix update: establish an adjacency matrix $R$; according to the updated edge matrix $E$, calculate the cosine similarity of the local models of adjacent vertices $i$ and $j$ and store it in $R$ as the weight of the edge; the process is as follows:
(2.2.3) degree matrix update: establish a degree matrix $D$; for the undirected graph $G$ with edge weights, each element of the degree matrix is the sum of the edge weights at that vertex; the process is as follows:
(2.2.4) Laplacian matrix update: from the adjacency matrix and the degree matrix of the undirected graph $G$ with $N$ vertices, calculate the Laplacian matrix $L$ of $G$; the process is as follows:
$L = D - R$
step 2.3), spectral clustering based on the Laplacian matrix;
from the Laplacian matrix $L$, obtain the eigenvalues $\lambda$ and the corresponding eigenvectors $p$; sort the eigenvalues from small to large, with the eigenvectors ordered accordingly as $p_1, p_2, \ldots, p_N$; take the eigenvectors corresponding to the first 2 non-zero eigenvalues to form an eigenvector matrix $F$ of size $N \times 2$; each row of $F$ is taken as a 2-dimensional sample, and the $N$ samples form the sample set;
perform spectral clustering on the samples: divide the sample set into 3 clusters according to the distance between samples, with the requirement that the sum of the edge weights within clusters is maximal and the edge weights between clusters are minimal;
the sum of squared errors between each sample and the center point of the cluster to which it belongs:
where $x_m$ denotes sample $m$, $c_m$ is the cluster to which $x_m$ belongs, the center point of that cluster is the mean of all points in the cluster, and $N$ is the total number of samples;
the largest cluster $c_1$ obtained by clustering contains the local models uploaded by normal clients; the cluster $c_2$ that is closer to $c_1$ corresponds to naturally faulty clients; the cluster $c_3$ that is far from the other two clusters corresponds to malicious clients;
step 3, a trust mechanism for the clients;
for the classified clients, three different trust evaluation and redemption mechanisms are adopted; clients that have returned to normal are redeemed by dynamically updating each client's trust value in every iteration, which preserves the integrity of federated learning to the greatest extent;
step 3.1), trust evaluation model;
according to the spectral clustering result, the server normalizes, cluster by cluster, the cosine similarity $q_i$ between each client's local model and the prediction model; the normalization process is as follows:
where $q_{min}$ is the minimum cosine similarity and $q_{max}$ is the maximum cosine similarity;
before each round of local model aggregation, the server combines the normalized $q_i$ of client $client_i$, the received client location and the transmission delay of the client's local model upload into a single value, which is used as the trust score to complete the trust evaluation of normal clients and naturally faulty clients; when a client is classified as a malicious client, its trust score is 0;
the trust score calculation process is as follows:
where $\alpha$, $\beta$, $\gamma$ are the weights of the local model cosine similarity, the client location and the model transmission delay, with $\alpha + \beta + \gamma = 1$, and $\rho$ is the behavior factor;
set a trust threshold $trust_\theta$; the server calculates the trust score of each client, and when a client's trust score is greater than $trust_\theta$, the client is judged to be a trusted client and participates in this round's global model aggregation;
step 3.2), a behavior-based trust redemption mechanism;
establish a trust redemption mechanism for naturally faulty clients and malicious clients whose trust scores are below the trust threshold;
for all clients, the initial value of the behavior factor $\rho$ is set to 1. When a client is classified as a malicious client in a round, its behavior factor is set directly to 0; as the federated learning iteration rounds increase, the behavior factor is increased when the client is judged to be a normal client for $\varepsilon$ consecutive rounds; when the behavior factor is $\sigma$, the trust score of the client is calculated again, and when that trust score exceeds the trust threshold $trust_\theta$, the client's behavior factor is set to 0.5 and the local model uploaded by the client participates in global model aggregation again; when the client's behavior factor is 0 for $\varepsilon$ consecutive rounds, the client no longer participates in the federated learning process;
when a client is classified as a naturally faulty client in a round, its behavior factor is set to 0.5; as the federated learning iteration rounds increase, when the client is judged to be a normal client for $\varepsilon/2$ consecutive rounds, its behavior factor is set to 1 and the local model uploaded by the client participates in global model aggregation again.
The malicious client: mainly launches a label-flipping attack through its local data, modifying the labels of the local data so that the local model trained by the malicious client deviates from the direction of the normal model;
the faulty client: the data collected by a faulty client is missing, redundant or partially wrong, so the trained local model differs from the normal model, but the faulty client can return to normal as time or training iteration conditions change;
the normal client: the data collected by a normal client is normal, and the trained local model follows the update direction of the global model, which improves the precision of the global model and accelerates its convergence.
The spectral clustering adopts a K-means clustering method, and the flow is as follows:
(1) Randomly selecting 3 vertexes as initial cluster centers and marking as
(2) Calculate the distance from each sample $x_i$ to the center of each initial cluster, and assign the sample to the cluster closest to it:
where $\tau$ is the current iteration step and $b$ denotes the b-th cluster, $b = 1, 2, 3$;
(3) For each cluster, recalculate the center of the cluster using the samples in the cluster:
(4) Repeat step (2) and step (3), ending when the clustering result no longer changes.
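Steps 2.2 and 2.3 and the K-means flow above, as an added Python example (not code from the patent): it builds the thresholded similarity graph, forms $L = D - R$, takes the eigenvectors of the first two non-zero eigenvalues as samples, and labels the three clusters. The absolute-value comparison against $\delta$, the restart-and-lowest-SSE K-means, measuring cluster distance between centers in the 2-D sample space, and the constructed 2-D gradients are assumptions of this example.

```python
import numpy as np

def build_laplacian(grads, pred, delta):
    """Steps 2.2.1-2.2.4: threshold graph on q, cosine edge weights, L = D - R."""
    unit = grads / np.linalg.norm(grads, axis=1, keepdims=True)
    q = unit @ (pred / np.linalg.norm(pred))      # q_i = cos(gradient_i, M_p)
    # Assumption: the similarity difference is compared as |q_i - q_j|,
    # which keeps the edge matrix symmetric (E_ij = E_ji).
    E = (np.abs(q[:, None] - q[None, :]) <= delta).astype(float)
    np.fill_diagonal(E, 0.0)                      # no self-loops
    R = E * (unit @ unit.T)                       # weight = cos(model_i, model_j)
    D = np.diag(R.sum(axis=1))                    # degree = sum of incident weights
    return q, D - R

def spectral_samples(L, tol=1e-9):
    """Step 2.3: eigenvectors of the first 2 non-zero eigenvalues, as N x 2 samples."""
    vals, vecs = np.linalg.eigh(L)                # eigenvalues in ascending order
    keep = np.flatnonzero(vals > tol)[:2]
    return vecs[:, keep]

def kmeans(X, k=3, restarts=100, seed=0):
    """K-means with random initial centers; the lowest-SSE run is kept (assumption)."""
    rng = np.random.default_rng(seed)
    best = None
    for _ in range(restarts):
        centers = X[rng.choice(len(X), size=k, replace=False)]
        labels = None
        for _step in range(100):
            dist = np.linalg.norm(X[:, None, :] - centers[None, :, :], axis=2)
            new = dist.argmin(axis=1)             # assign to the closest center
            if labels is not None and np.array_equal(new, labels):
                break                             # clustering result unchanged
            labels = new
            for b in range(k):
                if np.any(labels == b):           # an empty cluster keeps its center
                    centers[b] = X[labels == b].mean(axis=0)
        sse = float(((X - centers[labels]) ** 2).sum())
        if best is None or sse < best[0]:
            best = (sse, labels, centers)
    return best[1], best[2]

def classify(labels, centers):
    """Largest cluster is normal; the remaining cluster nearer to it is fault."""
    sizes = np.bincount(labels, minlength=len(centers))
    normal = int(sizes.argmax())
    rest = sorted((b for b in range(len(centers)) if b != normal),
                  key=lambda b: np.linalg.norm(centers[b] - centers[normal]))
    name = {normal: "normal", rest[0]: "fault", rest[1]: "malicious"}
    return [name[int(b)] for b in labels]

def detect(grads, pred, delta):
    _, L = build_laplacian(grads, pred, delta)
    labels, centers = kmeans(spectral_samples(L))
    return classify(labels, centers)

def constructed_round():
    """Constructed data: 20 normal, 10 faulty, 5 malicious clients as 2-D unit
    gradients whose cosine similarity to the prediction model (1, 0) is q."""
    q = np.concatenate([np.linspace(0.84, 0.99, 20),    # normal
                        np.linspace(0.44, 0.545, 10),   # natural fault
                        np.linspace(0.03, 0.145, 5)])   # malicious
    grads = np.column_stack([q, np.sqrt(1.0 - q ** 2)])
    return grads, np.array([1.0, 0.0])

if __name__ == "__main__":
    grads, pred = constructed_round()
    classes = detect(grads, pred, delta=0.3)
    print({c: classes.count(c) for c in ("normal", "fault", "malicious")})
```

In the constructed round, $\delta = 0.3$ leaves exactly one edge between neighbouring groups, so the graph is connected and $L$ has a single zero eigenvalue.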
The invention has the following beneficial effects: by using spectral clustering, the clients are divided accurately and their trust is evaluated; by using the behavior-based trust redemption mechanism, each client's trust value is adjusted dynamically, which avoids a client being misjudged as malicious and completely isolated from the federated learning process, makes full use of the clients' data resources, and ensures the integrity of the federated learning process and the accuracy of the global model.
Drawings
FIG. 1 is a federated learning scenario diagram according to the present invention;
FIG. 2 is a flowchart of a robust federated learning abnormal client detection method based on spectral clustering in an embodiment of the present invention;
FIG. 3 is a flowchart of abnormal client detection based on spectral clustering according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more clear, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. It will be apparent that the described embodiments are some, but not all, embodiments of the invention. All other embodiments, which can be made by a person skilled in the art without creative efforts, based on the described embodiments of the present invention fall within the protection scope of the present invention.
The robust federated learning abnormal client detection method based on spectral clustering is applied to federated learning scenarios in which clients are deployed sparsely and some clients are subject to malicious label-flipping attacks or fail under the influence of environment and movement. As shown in FIG. 1, the clients are sparsely deployed within an area of a certain range; they are randomly distributed and can move dynamically within the deployment area. A client can receive the global model issued by the server and upload information such as its locally trained local model, its position and the transmission delay to the server.
The flow of the invention is shown in FIG. 2. The embodiment of the invention provides a robust federated learning abnormal client detection method based on spectral clustering, comprising the following steps:
Step 101, the server issues an initial global model; each client trains on its local data to obtain a local model and uploads the local model, its position and the transmission delay to the server together.
Step 102, the server receives the local models uploaded by the clients and builds a prediction model from the local model parameters.
Step 103, the server builds an undirected graph according to the cosine similarity between the local models uploaded by the clients and the prediction model.
Step 104, the server cuts the undirected graph with a spectral clustering method and classifies the clients into three types: normal, faulty and malicious.
Step 105, the server performs trust evaluation on the three types of clients and adopts different trust redemption mechanisms.
In the embodiment of the invention, the server needs to establish a prediction model to compare with the local models uploaded by the clients, so in steps 101 and 102 the server receives the local model, position, transmission delay and other information uploaded by the clients, and establishes the prediction model from the uploaded local model parameters.
After the server builds the prediction model, it issues the global model again; each client trains on its local data to obtain a local model and uploads it to the server. The server organizes the clients into a graph structure by calculating the cosine similarity between the local models and the prediction model, and cuts the undirected graph formed by the clients with the spectral clustering method shown in FIG. 3 to obtain three types of clients: normal, faulty and malicious.
After the client class detection is completed, the server normalizes, cluster by cluster, the cosine similarity between each client's local model and the prediction model. Before each round of local model aggregation, the server combines the normalized cosine similarity of the client, the received client position and the transmission delay of the client's local model upload, and uses the calculated result as the trust score to complete the trust evaluation of normal clients and naturally faulty clients; if a client is classified as a malicious client, its trust score is 0. After the trust evaluation is completed, different trust redemption mechanisms are applied to faulty clients and malicious clients, which either rejoin the network or are permanently isolated.
The method comprises the following specific steps:
step 1, establishing a scene model;
the network model comprises 1 server and N client nodes; the server communicates with the client nodes in a communication range, the clients do not communicate with each other, each client node has the same required energy, calculation and storage resources, and the clients move in a deployment area;
in the federal learning process, each client collects data and stores the data locally; the server transmits the initial model to the client, and the client trains the initial model by using local data; the client periodically sends the model parameter values to a server, and the server establishes a global model by aggregating the model updates; obtaining a final global model through repeated iterative training;
the server is a trusted server, and the clients comprise malicious clients, fault clients and normal clients;
step 2, detecting an abnormal client;
step 2.1), establishing a prediction model;
in the initial iteration of federal learning, each client is set to be a normal client; the server issues an initial model omega 0 To the client; after receiving the initial model, the client receives the initial model through own local Data l Training the initial model and carrying out gradient training on the trained local modelUploading to a server; the server performs local model aggregation to obtain a global model omega t The polymerization process is as follows:
wherein omega t Representing the global model omega obtained by the t-th round of iteration k,t-1 Representing a local model uploaded by a client k of a t-1 round, n k The number of samples representing the client k, N representing the sum of the number of samples of all clients, and N representing the total number of clients;
after t-1 round of iteration, the server obtains local model gradientAggregation to obtain global model omega t As a lower wheel prediction model M p
Step 2.2), establishing a Laplace matrix;
starting from the t-th round training, a fault client and/or a malicious client exist in the client, and establishing a Laplacian matrix of the client as a spectral clustering basis for distinguishing the client category;
(2.2.1) constructing an undirected graph: in the t-th round and the subsequent training process, the client receives the model issued by the server, trains the local model by using the local data and uploads the local model to the server; after the server receives the local models uploaded by each client, calculating the gradient of each local modelAnd predictive model M p Cosine similarity q i Cosine similarity set q= { q 1 ,q 2 ,q 3 ,…,q N The calculation process is as follows:
defining undirected graph G (V, E), local modelThe vertex V in the undirected graph, and the edge matrix in the undirected graph is E; calculating the similarity difference between the vertex i and the vertex j to obtain a similarity difference matrix S:
S ij =q i -q j .
setting a similarity difference threshold delta, comparing the relationship between the similarity difference between the vertex i and the vertex j and the threshold delta, and when the similarity difference does not exceed the threshold delta, connecting two vertexes in the undirected graph, and updating E ij And E is ji 1 is shown in the specification; namely:
(2.2.2) adjacency matrix update: establishing an adjacent matrix R, calculating cosine similarity of a local model of adjacent vertexes i and j according to the updated edge matrix E, and updating the adjacent matrix R as the weight of the edge, wherein the process is as follows:
(2.2.3) degree matrix update: establishing a degree matrix D, wherein for an undirected graph G with edge weights, each element of the degree matrix is the sum of the weights of the vertexes, and the process is as follows:
(2.2.4) Laplace matrix update: according to the adjacency matrix and the degree matrix of the undirected graph G with N vertexes, the Laplace matrix L of the undirected graph G is calculated, and the process is as follows:
L=D-R
step 2.3), spectral clustering is carried out based on the Laplace matrix;
according to the Laplace matrix L, the eigenvalue lambda and the eigenvector p corresponding to the eigenvalue lambda are obtained, and the eigenvalue is ranked from small to large, and the eigenvector is ranked as p 1 ,p 2 ,…,p N Taking the feature vectors corresponding to the first 2 non-zero feature values to form a feature vector matrix F (N x 2), taking each row in the F as a 2-dimensional sample, and outputting N samples in total to form a sample set;
spectral clustering is carried out on the samples; dividing a sample set into 3 clusters according to the distance between samples, wherein the dividing requirement is that the sum of weights of edges in the clusters is ensured to be maximum, and the weights of edges between the clusters are ensured to be minimum;
sum of squares error of center points of clusters to which each sample belongs:
wherein x is m Represents sample m, c m Is x m The cluster to which the cluster belongs is selected,representing the center point corresponding to the cluster, wherein N is the average value of all points in the cluster, and N is the total number of samples;
the largest cluster c obtained by clustering 1 The local model is uploaded by a normal client; and c 1 The cluster closer to the distance is classified cluster c 2 The corresponding natural fault client; a classification cluster c distant from the two clusters 3 The client is correspondingly a malicious client;
step 3, client trust mechanism;
for the classified clients, three different trust evaluation and redemption mechanisms are adopted; clients that return to normal are redeemed by dynamically updating each client's trust value at every iteration, so that the integrity of federated learning is preserved to the greatest extent;
step 3.1), trust evaluation model;
according to the spectral clustering result, the server normalizes, cluster by cluster, the cosine similarity $q_i$ between each client's local model and the prediction model; the normalization is as follows:
where $q_{min}$ is the minimum cosine similarity and $q_{max}$ is the maximum cosine similarity;
before each round of local model aggregation, the server combines the normalized $q_i$ of client $client_i$, the received client location and the transmission delay with which the client uploaded its local model into a single value that is used as the trust score, completing the trust evaluation of normal clients and natural-fault clients; when a client is classified as a malicious client, its trust score is 0;
the trust score is calculated as follows:
where α, β, γ are the weights of the local-model cosine similarity, the client location and the model transmission delay respectively, with α+β+γ=1, and ρ is the behavior factor;
a trust threshold $trust_\theta$ is set; the server calculates the trust score of each client, and when a client's trust score is larger than $trust_\theta$, the client is judged to be a trusted client and participates in that round's global model aggregation;
step 3.2), behavior-based trust redemption mechanism;
a trust redemption mechanism is established for natural-fault clients and malicious clients whose trust scores are below the trust threshold;
for all clients, the initial value of the behavior factor ρ is set to 1; once a client is classified as a malicious client, its behavior factor is set directly to 0; as the federated learning iteration rounds increase, the behavior factor is increased when the client is judged to be a normal client for ε consecutive rounds; when the behavior factor is σ, the client's trust score is calculated again, and when that trust score exceeds the trust threshold $trust_\theta$, the client's behavior factor is set to 0.5 and the local model uploaded by the client participates in global model aggregation again; when the client's behavior factor is 0 for ε consecutive rounds, the client no longer participates in the federated learning process;
once a client is classified as a natural-fault client, its behavior factor is set to 0.5; as the federated learning iteration rounds increase, when the client is judged to be a normal client for ε/2 consecutive rounds, its behavior factor is set to 1 and the local model uploaded by the client participates in global model aggregation again.
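The behavior-factor rules of step 3.2 written as a per-client state machine; this is an added example, not code from the patent, and `BehaviorFactor`, `update`, `simulate` and the values chosen for ε and σ are hypothetical. Assumptions where the text is silent: ρ is raised to σ in one step after ε consecutive normal rounds, the ε-round exclusion is counted over consecutive rounds classified malicious, a readmitted client then follows the fault path, and the trust-score recomputation is left to a caller-supplied check because the trust score formula is not reproduced on this page.

```python
from dataclasses import dataclass

@dataclass
class BehaviorFactor:
    eps: int                  # ε: length of the consecutive-round window
    sigma: float              # σ: level at which the trust score is recomputed
    rho: float = 1.0          # behavior factor ρ, initial value 1
    sanction: str = "none"    # none | fault | malicious | rescoring
    normal_streak: int = 0
    malicious_streak: int = 0
    expelled: bool = False

    def update(self, label, passes_threshold=lambda rho: True):
        """Apply one round's cluster label ('normal', 'fault', 'malicious').

        passes_threshold(rho) is a hypothetical hook: the server recomputes
        the trust score with this rho and compares it with the threshold.
        """
        if self.expelled:
            return self.rho
        if label == "malicious":
            self.rho, self.sanction, self.normal_streak = 0.0, "malicious", 0
            self.malicious_streak += 1
            # Assumption: "rho is 0 for eps consecutive rounds" is counted
            # over consecutive rounds classified malicious.
            self.expelled = self.malicious_streak >= self.eps
            return self.rho
        self.malicious_streak = 0
        if label == "fault":
            self.rho, self.sanction, self.normal_streak = 0.5, "fault", 0
            return self.rho
        self.normal_streak += 1
        if self.sanction == "malicious" and self.normal_streak >= self.eps:
            # Assumption: rho rises to sigma in a single step.
            self.rho, self.sanction = self.sigma, "rescoring"
        if self.sanction == "rescoring":
            if passes_threshold(self.rho):
                # Readmitted at 0.5; assumption: continues on the fault path.
                self.rho, self.sanction, self.normal_streak = 0.5, "fault", 0
        elif self.sanction == "fault" and self.normal_streak >= self.eps / 2:
            self.rho, self.sanction = 1.0, "none"
        return self.rho

def simulate(labels, eps=4, sigma=0.8, passes_threshold=lambda rho: True):
    """Return (rho after each round, expelled flag) for one client."""
    bf = BehaviorFactor(eps=eps, sigma=sigma)
    return [bf.update(lb, passes_threshold) for lb in labels], bf.expelled

# Constructed label sequence: one malicious round, then normal behavior.
LABELS = ["normal", "malicious"] + ["normal"] * 6

if __name__ == "__main__":
    print(simulate(LABELS))
```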
Anomaly detection is performed on the clients in each training iteration of federated learning, and benign clients are selected for global model aggregation; meanwhile, a trust redemption mechanism dynamically adjusts each client's trust value, so that clients that have recovered to normal can rejoin federated learning training in time.
To sum up: the server builds a prediction model and calculates the cosine similarity between each local model and the prediction model to construct an undirected graph; it then calculates the Laplacian matrix of the undirected graph to obtain a sample set; the server uses a K-means-based spectral clustering method to partition the sample set, divides the clients into three categories (normal, fault and malicious), and calculates trust scores according to each client's category; after the trust evaluation is complete, the server uses a behavior-based trust redemption mechanism to handle fault clients and malicious clients differently. The robust federated learning abnormal client detection method based on spectral clustering can accurately classify clients, distinguishing normal clients, natural-fault clients and malicious clients, and achieves higher-precision client detection; different redemption mechanisms are applied to different clients, which avoids a naturally faulty client being misjudged as a malicious client and completely isolated from the federated learning process, wasting that client's data resources. The behavior-based trust redemption mechanism dynamically adjusts each client's trust value, so that clients that have recovered to normal can rejoin federated learning training in time, the clients' data resources are fully used, the integrity of the federated learning process is preserved, and the accuracy of the global model is ensured.
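The graph construction and spectral embedding summarized above (similarity differences, edge matrix E, adjacency matrix R, degree matrix D, L = D - R, then the eigenvectors of the first 2 non-zero eigenvalues), as an added example that is not code from the patent. Assumptions: the threshold δ is applied to |S_ij|, eigenvalues below `tol` count as zero, and the function names and the constructed 2-D sample updates are hypothetical; the last helper counts the numerically zero eigenvalues, which for positive edge weights equals the number of connected components that δ leaves in the graph.

```python
import numpy as np

def cosine(a, b):
    """Cosine similarity between two flattened update vectors."""
    return float(a @ b / (np.linalg.norm(a) * np.linalg.norm(b)))

def build_laplacian(updates, prediction, delta):
    """Steps (2.2.1)-(2.2.4): return q and the Laplacian L = D - R."""
    n = len(updates)
    q = np.array([cosine(u, prediction) for u in updates])
    S = q[:, None] - q[None, :]                      # S_ij = q_i - q_j
    # Assumption: delta is compared with |S_ij|, so that E_ij = E_ji.
    E = (np.abs(S) <= delta) & ~np.eye(n, dtype=bool)
    pairwise = np.array([[cosine(a, b) for b in updates] for a in updates])
    R = np.where(E, pairwise, 0.0)                   # edge weight = pairwise cosine
    D = np.diag(R.sum(axis=1))                       # degree = sum of edge weights
    return q, D - R

def spectral_samples(L, tol=1e-9):
    """Step 2.3: eigenvectors of the first 2 non-zero eigenvalues as N x 2 samples."""
    vals, vecs = np.linalg.eigh(L)                   # eigenvalues in ascending order
    keep = np.flatnonzero(vals > tol)[:2]            # tol: assumed zero cut-off
    return vals, vecs[:, keep]

def zero_eigenvalue_count(vals, tol=1e-9):
    """Numerically zero eigenvalues of L (one per connected component
    when all edge weights are positive)."""
    return int(np.sum(np.abs(vals) <= tol))

# Constructed sample: unit "updates" at these angles (degrees) from the
# prediction model; not data from the patent.
ANGLES = [0, 5, -5, 10, 40, 45, 120, 125]
PREDICTION = np.array([1.0, 0.0])
UPDATES = [np.array([np.cos(t), np.sin(t)]) for t in np.deg2rad(ANGLES)]

if __name__ == "__main__":
    q, L = build_laplacian(UPDATES, PREDICTION, delta=0.25)
    vals, F = spectral_samples(L)
    print("q =", np.round(q, 3))
    print("eigenvalues =", np.round(vals, 3))
    print("zero eigenvalues (graph components):", zero_eigenvalue_count(vals))
    print("samples F =\n", np.round(F, 3))
```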

Claims (3)

1. A robust federated learning abnormal client detection method based on spectral clustering, characterized by comprising the following steps:
step 1, establishing a scene model;
the network model comprises 1 server and N client nodes; the server communicates with the client nodes within its communication range, the clients do not communicate with each other, each client node has the same required energy, computing and storage resources, and the clients move within a deployment area;
in the federated learning process, each client collects data and stores it locally; the server sends the initial model to the clients, and each client trains the initial model using its local data; the clients periodically send model parameter values to the server, and the server builds a global model by aggregating these model updates; the final global model is obtained through repeated iterative training;
the server is a trusted server, and the clients comprise malicious clients, fault clients and normal clients;
step 2, detecting abnormal clients;
step 2.1), establishing a prediction model;
in the initial iteration of federated learning, each client is set to be a normal client; the server issues an initial model $\omega_0$ to the clients; after receiving the initial model, each client trains it on its own local data $Data_l$ and uploads the gradient of the trained local model to the server; the server aggregates the local models to obtain the global model $\omega_t$; the aggregation is as follows:
where $\omega_t$ denotes the global model obtained in the $t$-th round of iteration, $\omega_{k,t-1}$ denotes the local model uploaded by client $k$ in round $t-1$, $n_k$ denotes the number of samples of client $k$, $n$ denotes the total number of samples across all clients, and $N$ denotes the total number of clients;
after $t-1$ rounds of iteration, the server aggregates the local model gradients it has obtained into the global model $\omega_t$, which serves as the next round's prediction model $M_p$.
Step 2.2), establishing a Laplacian matrix;
from the $t$-th round of training onward, fault clients and/or malicious clients are present among the clients, and a Laplacian matrix of the clients is established as the basis for the spectral clustering that distinguishes client categories;
(2.2.1) constructing an undirected graph: in the $t$-th round and the subsequent training process, each client receives the model issued by the server, trains its local model using local data, and uploads the local model to the server; after the server receives the local models uploaded by the clients, it calculates the cosine similarity $q_i$ between the gradient of each local model and the prediction model $M_p$, giving the cosine similarity set $q=\{q_1,q_2,q_3,\ldots,q_N\}$; the calculation is as follows:
an undirected graph $G(V,E)$ is defined, in which the local models are the vertices $V$ and $E$ is the edge matrix; the similarity difference between vertex $i$ and vertex $j$ is calculated to obtain the similarity difference matrix $S$:
$S_{ij}=q_i-q_j$.
a similarity difference threshold δ is set, and the similarity difference between vertex $i$ and vertex $j$ is compared with it; when the similarity difference does not exceed δ, the two vertices are connected in the undirected graph and $E_{ij}$ and $E_{ji}$ are updated to 1; namely:
(2.2.2) adjacency matrix update: an adjacency matrix $R$ is established; according to the updated edge matrix $E$, the cosine similarity between the local models of adjacent vertices $i$ and $j$ is calculated and used as the weight of the edge to update $R$, as follows:
(2.2.3) degree matrix update: a degree matrix $D$ is established; for the undirected graph $G$ with edge weights, each element of the degree matrix is the sum of the edge weights at the corresponding vertex, as follows:
(2.2.4) Laplacian matrix update: from the adjacency matrix and the degree matrix of the undirected graph $G$ with $N$ vertices, the Laplacian matrix $L$ of $G$ is calculated as follows:
$L=D-R$
step 2.3), spectral clustering based on the Laplacian matrix;
from the Laplacian matrix $L$, the eigenvalues λ and their corresponding eigenvectors $p$ are obtained; the eigenvalues are sorted from small to large, with the eigenvectors ordered accordingly as $p_1,p_2,\ldots,p_N$; the eigenvectors corresponding to the first 2 non-zero eigenvalues form the eigenvector matrix $F$ ($N\times 2$); each row of $F$ is taken as a 2-dimensional sample, and the $N$ samples form the sample set;
spectral clustering is performed on the samples: the sample set is divided into 3 clusters according to the distance between samples, with the requirement that the sum of the edge weights within each cluster is maximal and the edge weights between clusters are minimal;
the sum of squared errors between each sample and the center point of the cluster to which it belongs is:
where $x_m$ denotes sample $m$, $c_m$ is the cluster to which $x_m$ belongs, the center point of that cluster is the mean of all points in the cluster, and $N$ is the total number of samples;
the largest cluster obtained by clustering, $c_1$, contains the local models uploaded by normal clients; the cluster closer to $c_1$ is cluster $c_2$, which corresponds to natural-fault clients; the cluster far from both of these, $c_3$, corresponds to malicious clients;
step 3, client trust mechanism;
for the classified clients, three different trust evaluation and redemption mechanisms are adopted; clients that return to normal are redeemed by dynamically updating each client's trust value at every iteration, so that the integrity of federated learning is preserved to the greatest extent;
step 3.1), trust evaluation model;
according to the spectral clustering result, the server normalizes, cluster by cluster, the cosine similarity $q_i$ between each client's local model and the prediction model; the normalization is as follows:
where $q_{min}$ is the minimum cosine similarity and $q_{max}$ is the maximum cosine similarity;
before each round of local model aggregation, the server combines the normalized $q_i$ of client $client_i$, the received client location and the transmission delay with which the client uploaded its local model into a single value that is used as the trust score, completing the trust evaluation of normal clients and natural-fault clients; when a client is classified as a malicious client, its trust score is 0;
the trust score is calculated as follows:
where α, β, γ are the weights of the local-model cosine similarity, the client location and the model transmission delay respectively, with α+β+γ=1, and ρ is the behavior factor;
a trust threshold $trust_\theta$ is set; the server calculates the trust score of each client, and when a client's trust score is larger than $trust_\theta$, the client is judged to be a trusted client and participates in that round's global model aggregation;
step 3.2), behavior-based trust redemption mechanism;
a trust redemption mechanism is established for natural-fault clients and malicious clients whose trust scores are below the trust threshold;
for all clients, the initial value of the behavior factor ρ is set to 1; once a client is classified as a malicious client, its behavior factor is set directly to 0; as the federated learning iteration rounds increase, the behavior factor is increased when the client is judged to be a normal client for ε consecutive rounds; when the behavior factor is σ, the client's trust score is calculated again, and when that trust score exceeds the trust threshold $trust_\theta$, the client's behavior factor is set to 0.5 and the local model uploaded by the client participates in global model aggregation again; when the client's behavior factor is 0 for ε consecutive rounds, the client no longer participates in the federated learning process;
once a client is classified as a natural-fault client, its behavior factor is set to 0.5; as the federated learning iteration rounds increase, when the client is judged to be a normal client for ε/2 consecutive rounds, its behavior factor is set to 1 and the local model uploaded by the client participates in global model aggregation again.
2. The robust federated learning abnormal client detection method based on spectral clustering according to claim 1, wherein the malicious client: mainly launches a label-flipping attack through its local data, modifying the labels of the local data so that the local model trained by the malicious client deviates from the direction of the normal model;
the fault client: the data collected by a fault client is missing, redundant or partially erroneous, so its trained local model differs from the normal model, but the fault client can recover to normal as time or the training iteration conditions change;
the normal client: the data collected by a normal client is normal, and its trained local model is consistent with the update direction of the global model, can improve the accuracy of the global model, and accelerates the convergence of the global model.
3. The robust federated learning abnormal client detection method based on spectral clustering according to claim 1 or 2, wherein the spectral clustering uses the K-means clustering method, with the following flow:
(1) Randomly select 3 vertices as the initial cluster centers, denoted as
(2) Calculate the distance from each sample $x_i$ to the center of each initial cluster, and assign the sample to the closest cluster:
where τ is the current iteration step and b denotes the b-th cluster, b=1,2,3;
(3) For each cluster, recalculate the center of the cluster using the samples in the cluster:
(4) Repeat step (2) and step (3), ending when the clustering result no longer changes.
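The K-means flow of claim 3 together with the rule that maps the three clusters to client categories (largest cluster normal, the cluster nearer to it natural fault, the remaining one malicious), as an added example that is not code from the patent. The `init_idx` parameter, the function names and the constructed 2-D samples, which stand in for rows of F, are assumptions.

```python
import math
import random

def kmeans3(samples, init_idx=None, seed=0, max_iter=100):
    """Steps (1)-(4): 3 initial centers, assign, recompute, repeat until stable."""
    if init_idx is None:                       # step (1): random initial centers
        init_idx = random.Random(seed).sample(range(len(samples)), 3)
    centers = [tuple(samples[i]) for i in init_idx]
    assign = None
    for _ in range(max_iter):
        # step (2): each sample joins the cluster with the closest center
        new = [min(range(3), key=lambda b: math.dist(x, centers[b])) for x in samples]
        if new == assign:                      # step (4): result unchanged
            break
        assign = new
        for b in range(3):                     # step (3): center = cluster mean
            members = [x for x, a in zip(samples, assign) if a == b]
            if members:                        # an emptied cluster keeps its center
                centers[b] = tuple(sum(c) / len(members) for c in zip(*members))
    return assign, centers

def sse(samples, assign, centers):
    """Sum of squared errors between samples and their cluster centers."""
    return sum(math.dist(x, centers[a]) ** 2 for x, a in zip(samples, assign))

def label_clients(assign, centers):
    """Largest cluster -> normal; closer of the rest -> fault; farther -> malicious."""
    sizes = [assign.count(b) for b in range(3)]
    c1 = max(range(3), key=sizes.__getitem__)
    c2, c3 = sorted((b for b in range(3) if b != c1),
                    key=lambda b: math.dist(centers[b], centers[c1]))
    role = {c1: "normal", c2: "fault", c3: "malicious"}
    return [role[a] for a in assign]

# Constructed 2-D samples standing in for the rows of F (not patent data).
SAMPLES = [(0.10, 0.10), (0.12, 0.08), (0.08, 0.12), (0.10, 0.14), (0.10, 0.06),
           (0.40, 0.10), (0.44, 0.10),
           (0.90, 0.90), (0.94, 0.90)]

if __name__ == "__main__":
    assign, centers = kmeans3(SAMPLES, init_idx=[0, 5, 7])
    print(label_clients(assign, centers), round(sse(SAMPLES, assign, centers), 4))
```

Because the rule takes the largest cluster as normal, the labels are only meaningful while normal clients outnumber each other group. K-means also depends on the initial centers, so the sum of squared errors can be compared across several random starts.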
CN202310899140.6A 2023-07-21 2023-07-21 Robust federal learning abnormal client detection method based on spectral clustering Pending CN116862023A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310899140.6A CN116862023A (en) 2023-07-21 2023-07-21 Robust federal learning abnormal client detection method based on spectral clustering

Publications (1)

Publication Number Publication Date
CN116862023A (en) 2023-10-10

Family

ID=88232064

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310899140.6A Pending CN116862023A (en) 2023-07-21 2023-07-21 Robust federal learning abnormal client detection method based on spectral clustering

Country Status (1)

Country Link
CN (1) CN116862023A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150416A (en) * 2023-10-27 2023-12-01 烟台大学 Method, system, medium and equipment for detecting abnormal nodes of industrial Internet
CN117150416B (en) * 2023-10-27 2024-03-08 烟台大学 Method, system, medium and equipment for detecting abnormal nodes of industrial Internet
CN117808126A (en) * 2024-02-29 2024-04-02 浪潮电子信息产业股份有限公司 Machine learning method, device, equipment, federal learning system and storage medium
CN117808126B (en) * 2024-02-29 2024-05-28 浪潮电子信息产业股份有限公司 Machine learning method, device, equipment, federal learning system and storage medium

Similar Documents

Publication Publication Date Title
CN116862023A (en) Robust federal learning abnormal client detection method based on spectral clustering
US11816183B2 (en) Methods and systems for mining minority-class data samples for training a neural network
CN111507469B (en) Method and device for optimizing super parameters of automatic labeling device
CN109617888B (en) Abnormal flow detection method and system based on neural network
CN114186237A (en) Truth-value discovery-based robust federated learning model aggregation method
CN112788699B (en) Method and system for determining network topology of self-organizing network
KR102067324B1 (en) Apparatus and method for analyzing feature of impersonation attack using deep running in wireless wi-fi network
CN115358487A (en) Federal learning aggregation optimization system and method for power data sharing
CN114995503B (en) Unmanned aerial vehicle inspection path optimization method
CN114494771B (en) Federal learning image classification method capable of defending back door attack
Tan et al. Recognizing the content types of network traffic based on a hybrid DNN-HMM model
Liu et al. Open-world semi-supervised novel class discovery
CN110610434A (en) Community discovery method based on artificial intelligence
CN117150416B (en) Method, system, medium and equipment for detecting abnormal nodes of industrial Internet
CN107423319B (en) Junk web page detection method
CN110109005B (en) Analog circuit fault testing method based on sequential testing
CN117336071A (en) Internet of things equipment safety protection method and device based on distributed AI
Yu et al. G$^2$uardFL: Safeguarding Federated Learning Against Backdoor Attacks through Attributed Client Graph Clustering
CN115834409A (en) Federal learning-oriented safety aggregation method and system
CN115952860A (en) Heterogeneous statistics-oriented clustering federal learning method
Goodman et al. A generative approach to open set recognition using distance-based probabilistic anomaly augmentation
Chen et al. Gear: a margin-based federated adversarial training approach
Wan et al. Cooperative clustering missing data imputation
CN114997306A (en) Target intention identification method based on dynamic Bayesian network
Bhavnani et al. A survey on detecting influential user in social networking

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination