CN117150422A - Label inference attack method based on sample exchange in longitudinal federal learning system - Google Patents


Info

Publication number: CN117150422A
Authority: CN (China)
Prior art keywords: training, sample, gradient, label, attack
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202311434847.6A
Other languages: Chinese (zh)
Other versions: CN117150422B (en)
Inventors: 宋金珂, 程浩然
Current assignee: Data Space Research Institute (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Data Space Research Institute
Priority date, filing date, publication date: see the priority application record at the end of this page (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events:
- Application filed by Data Space Research Institute
- Priority to CN202311434847.6A
- Publication of CN117150422A
- Application granted
- Publication of CN117150422B
- Legal status: Active (current)
- Anticipated expiration: not shown in this extract


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/098 Distributed learning, e.g. federated learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computational Linguistics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Evolutionary Biology (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention belongs to the technical field of federated learning and in particular provides a label inference attack method based on sample exchange in a longitudinal (vertical) federated learning system. The method comprises the following steps: construct a longitudinal federated learning model and train it; divide the training phase into a normal convergence phase followed by a label inference attack phase; in the normal convergence phase, every participant trains according to the longitudinal federated learning principle; in the label inference attack phase, a training sample held by the malicious attacker without a label is defined as the target attack sample, and in each training iteration it is replaced with a training sample whose label is known, yielding an abnormal gradient for the target attack sample; the label of the known-label sample whose abnormal gradient has the smallest second-order norm is taken as the label of the target attack sample. The method can infer the labels of the training data without disrupting the federated training task and without being detected by the other participants.

Description

Label inference attack method based on sample exchange in longitudinal federal learning system
Technical Field
The invention relates to the technical field of federated learning, and in particular to a label inference attack method based on sample exchange in a longitudinal (i.e. vertical) federated learning system.
Background
Federated learning allows several participants to jointly train a machine learning model by exchanging model parameters or parameter updates, on the premise that users' private data never leaves its owner's domain. According to how the data is distributed, federated learning is divided into horizontal federated learning and vertical federated learning.
Federated learning provides a security guarantee for the use of data and avoids data-security supervision risk; engineering implementations therefore generally pay close attention to security and, to protect user data, realise privacy-preserving computation through encryption algorithms, secure multi-party computation, secret sharing and similar techniques.
However, in the prior art the encryption and decryption of large data volumes involves a large amount of computation, and secret sharing multiplies the communication traffic, so the federated learning algorithm runs slowly and its performance is low. Compared with centralised training on plaintext data, existing federated learning models are several times or even tens of times slower, and the gap widens as the data volume grows. In real business, efficiency is valued highly both between enterprises and between users and enterprise services; if the performance loss is large and tasks run slowly, federated learning cannot be deployed in practice, users cannot accept the services the enterprises provide, and business damage, user loss and similar negative outcomes follow, harming the normal development of the enterprises.
Disclosure of Invention
Aiming at the technical problems in the field of security and privacy described above, the invention provides a label inference attack method based on sample exchange in a longitudinal federated learning system. The method can infer the labels of the training data without disrupting the federated training task and without being detected by the other participants.
To achieve the above purpose, the invention provides the following technical solution:
a label inference attack method based on sample exchange in a longitudinal federated learning system, comprising the following steps:
S1, construct a longitudinal federated learning model based on the longitudinal federated learning principle and train it; the participants whose training samples carry labels are defined as active parties and the remaining participants as passive parties; any one passive party, or several passive parties combined, acts as the malicious attacker, and the malicious attacker holds a training sample with a known label from the training sample set of each class;
S2, divide the training phase of the model into a normal convergence phase followed by a label inference attack phase; in the normal convergence phase every participant trains according to the longitudinal federated learning principle; in the label inference attack phase, a training sample held by the malicious attacker without a label is defined as the target attack sample, it is replaced with a training sample whose label is known, and the malicious attacker trains with the replaced sample according to the longitudinal federated learning principle to obtain an abnormal gradient for the target attack sample in each training iteration;
S3, compute the second-order norm of each abnormal gradient of the target attack sample, and select the label of the known-label sample corresponding to the smallest second-order norm as the label of the target attack sample.
As a further aspect of the invention, the specific process of the normal convergence phase is as follows:
S2A1, when training starts, the longitudinal federated learning model carries out normal iterative training according to the longitudinal federated learning principle; during this iterative training the gradient set returned to the malicious attacker by the active party is G (formula not reproduced in this extract), where G denotes the gradient set, t the iteration round and n the number of training samples;
S2A2, compute the second-order norm of every gradient vector in the gradient set and fit a curve to the computed second-order norms;
S2A3, compute the slope of the fitted curve; if the slope of the fitted curve is smaller than the specified slope threshold τ and the second-order norms of the gradient vectors are smaller than the norm threshold ε, stop the iterative training of the normal convergence phase and enter the label inference attack phase; otherwise, continue the iterative training of the normal convergence phase until that stopping condition is met.
As a further aspect of the invention, assume the normal convergence phase stops at iteration round t; the label inference attack phase then begins with iteration round t+1. The specific process of the label inference attack phase is as follows:
S2B1, the malicious attacker holds a training sample with a known label from each class of the training sample set, forming the set D_p = {x_1, x_2, …, x_C}, where x_1 denotes the training sample carrying the first class label, x_2 the training sample carrying the second class label, and x_C the training sample carrying the C-th class label; that is, there are C label classes in total;
S2B2, in iteration round t+1, for the target attack sample x_i, a known-label training sample x_c is selected from the set D_p, and the malicious attacker replaces x_i in its training sample set with x_c to construct a new training sample set;
S2B3, the new training sample set is fed into the malicious attacker's model for iterative training according to the longitudinal federated learning principle, yielding the abnormal gradient of the target attack sample x_i (formula not reproduced in this extract);
S2B3, in the subsequent iterative training rounds, the training samples in D_p are substituted for the target attack sample x_i one after another, yielding the abnormal gradient set G_swap (formula not reproduced in this extract);
where the first element of G_swap denotes the abnormal gradient obtained in round t+1 after replacing x_i with x_1; the second denotes the abnormal gradient obtained in round t+2 after replacing x_i with x_2; the c-th denotes the abnormal gradient obtained in round t+c after replacing x_i with x_c; and the C-th denotes the abnormal gradient obtained in round t+C after replacing x_i with x_C.
As a further aspect of the invention, the specific steps of step S3 are as follows:
S31, let the normal gradient of the target attack sample x_i in iteration round t be the gradient recorded in that round (formula not reproduced in this extract); compute the gradient change distance d between each abnormal gradient in G_swap and this normal gradient, obtaining the gradient change distance set Dist = {d_1, d_2, …, d_c, …, d_C}, where d_1 is the gradient change distance between the first abnormal gradient and the normal gradient, d_2 that between the second abnormal gradient and the normal gradient, d_c that between the c-th abnormal gradient and the normal gradient, and d_C that between the C-th abnormal gradient and the normal gradient;
S32, select the training sample whose value in the set Dist is minimal and take its label as the label of the target attack sample x_i.
As a further aspect of the invention, the label of the target attack sample x_i obtained in step S32 also requires result correction: each abnormal gradient in the set G_swap collected by the malicious attacker is inspected, and if the correction condition holds (formula not reproduced in this extract; α is the correction threshold parameter and ||·|| denotes the second-order norm), the malicious attacker's original model is considered to have misclassified x_i; the label of x_i is then corrected to the label of the training sample corresponding to the abnormal gradient in G_swap with the smallest second-order gradient norm.
As a further aspect of the invention, the gradient change distance is computed by the following formula (not reproduced in this extract):
where dist denotes the Euclidean distance function.
Compared with the prior art, the invention has the beneficial effects that:
1. The method enables a passive party holding no labels in longitudinal federated learning to carry out a label inference attack against the active party with only a small number of data labels, and to infer the labels of the training data accurately.
2. The cost of carrying out the label inference attack is low: no additional model training is needed, and the attack is completed alongside normal training.
3. The method is highly general: it does not depend on a specific training protocol or data distribution and can be applied to various longitudinal federated learning models.
4. The attack requirement is low: the malicious attacker only needs one labelled training sample for each class of samples.
Drawings
Fig. 1 is a schematic diagram of a main flow structure of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, in an embodiment of the present invention, a label inference attack method based on sample exchange in a longitudinal federated learning system mainly comprises the following:
1. Construct a longitudinal federated learning model based on the longitudinal federated learning principle and train it; the participants whose training samples carry labels are defined as active parties and the remaining participants as passive parties; any one passive party, or several passive parties combined, acts as the malicious attacker, and the malicious attacker holds a training sample with a known label from the training sample set of each class.
2. Divide the training phase of the model into a normal convergence phase followed by a label inference attack phase; in the normal convergence phase every participant trains according to the longitudinal federated learning principle; in the label inference attack phase, a training sample held by the malicious attacker without a label is defined as the target attack sample, it is replaced with a training sample whose label is known, and the malicious attacker trains with the replaced sample according to the longitudinal federated learning principle to obtain an abnormal gradient for the target attack sample in each training iteration.
The specific process of the normal convergence phase is as follows:
First, when training starts, the longitudinal federated learning model carries out normal iterative training according to the longitudinal federated learning principle; during this iterative training the gradient set returned to the malicious attacker by the active party is G (formula not reproduced in this extract), where G denotes the gradient set, t the iteration round and n the number of training samples.
Then, the second-order norm of every gradient vector in the gradient set is computed and a curve is fitted to the computed second-order norms.
Finally, the slope of the fitted curve is computed; if the slope of the fitted curve is smaller than the specified slope threshold τ and the second-order norms of the gradient vectors are smaller than the norm threshold ε, the iterative training of the normal convergence phase stops and the label inference attack phase begins; otherwise, the iterative training of the normal convergence phase continues until that stopping condition is met.
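The stopping rule of the normal convergence phase (norm of each returned gradient, a curve fitted to those norms, slope compared with τ and norms compared with ε) is ordinary convergence monitoring, and a VFL operator can run the same check on the gradients it sends out to see at which round a passive party would judge the model converged. The Python below is an added illustration of that rule, not the patent's code; it assumes that each round's gradient set is summarised by the mean L2 norm of its n vectors, that the fitted "curve" is a least-squares straight line over the last `window` rounds, and that the slope test uses the absolute slope. The 40 rounds of gradient vectors are constructed.

```python
# Added illustration (not the patent's code) of the normal-convergence
# stopping rule in S2A1-S2A3: keep the second-order norms of the gradients
# returned each round, fit a curve to them, and end the phase once the
# fitted slope is below tau and the norms are below eps.
# Assumptions: each round's gradient set is summarised by the mean L2 norm of
# its n vectors, the "curve" is a least-squares straight line over the last
# `window` rounds, and the slope test uses the absolute slope.
import math
from typing import Sequence


def l2_norm(vec: Sequence[float]) -> float:
    """Second-order (Euclidean) norm of one gradient vector."""
    return math.sqrt(sum(v * v for v in vec))


def round_norm(gradient_set: Sequence[Sequence[float]]) -> float:
    """Summarise one round's gradient set by the mean L2 norm of its vectors (assumption)."""
    return sum(l2_norm(g) for g in gradient_set) / len(gradient_set)


def fit_slope(ys: Sequence[float]) -> float:
    """Least-squares slope of ys against the round index 0, 1, ..., len(ys)-1."""
    n = len(ys)
    if n < 2:
        return math.inf  # too few points to fit; treated as 'not converged'
    x_mean = (n - 1) / 2.0
    y_mean = sum(ys) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(ys))
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    return sxy / sxx


def convergence_reached(norm_history: Sequence[float], tau: float, eps: float, window: int = 5) -> bool:
    """S2A3 condition: |slope| of the fitted curve < tau and every recent norm < eps."""
    if len(norm_history) < window:
        return False
    recent = list(norm_history[-window:])
    return abs(fit_slope(recent)) < tau and all(v < eps for v in recent)


def find_stop_round(rounds: Sequence[Sequence[Sequence[float]]], tau: float, eps: float, window: int = 5) -> int:
    """Feed per-round gradient sets in order; return the 1-based round in which the
    normal convergence phase ends, or -1 if the condition never holds."""
    history = []
    for idx, gradient_set in enumerate(rounds, start=1):
        history.append(round_norm(gradient_set))
        if convergence_reached(history, tau, eps, window):
            return idx
    return -1


# Constructed input: 40 rounds, n = 2 gradient vectors per round, with norms
# decaying geometrically (0.5 * 0.7**t). With tau = 1e-3 and eps = 1e-4 the
# phase ends in round 29, the first round in which five consecutive norms are
# below eps.
CONSTRUCTED_ROUNDS = [[[0.5 * 0.7 ** t, 0.0], [0.0, 0.5 * 0.7 ** t]] for t in range(40)]

if __name__ == "__main__":
    print("normal convergence phase ends in round",
          find_stop_round(CONSTRUCTED_ROUNDS, tau=1e-3, eps=1e-4))
```

The window length is the one knob the text does not fix; a short window makes the phase end at the first dip in the norms, a long one delays it, and the patent's thresholds (τ = 0.001, ε = 0.0001 in the worked example) only make sense once that choice is pinned down.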
Assume the normal convergence phase stops at iteration round t; the label inference attack phase then begins with iteration round t+1. The specific process of the label inference attack phase is as follows:
First, the malicious attacker holds a training sample with a known label from each class of the training sample set, forming the set D_p = {x_1, x_2, …, x_C}, where x_1 denotes the training sample carrying the first class label, x_2 the training sample carrying the second class label, and x_C the training sample carrying the C-th class label; that is, there are C label classes in total.
Next, in iteration round t+1, for the target attack sample x_i, a known-label training sample x_c is selected from the set D_p, and the malicious attacker replaces x_i in its training sample set with x_c to construct a new training sample set.
Then, the new training sample set is fed into the malicious attacker's model for iterative training according to the longitudinal federated learning principle, yielding the abnormal gradient of the target attack sample x_i (formula not reproduced in this extract).
Finally, in the subsequent iterative training rounds, the training samples in D_p are substituted for the target attack sample x_i one after another, yielding the abnormal gradient set G_swap (formula not reproduced in this extract),
where the first element of G_swap denotes the abnormal gradient obtained in round t+1 after replacing x_i with x_1; the second denotes the abnormal gradient obtained in round t+2 after replacing x_i with x_2; the c-th denotes the abnormal gradient obtained in round t+c after replacing x_i with x_c; and the C-th denotes the abnormal gradient obtained in round t+C after replacing x_i with x_C.
3. Compute the second-order norm of each abnormal gradient of the target attack sample and select the label of the known-label sample corresponding to the smallest second-order norm as the label of the target attack sample. The specific steps are as follows:
First, let the normal gradient of the target attack sample x_i in iteration round t be the gradient recorded in that round (formula not reproduced in this extract). Compute the gradient change distance d between each abnormal gradient in G_swap and this normal gradient to obtain the gradient change distance set Dist = {d_1, d_2, …, d_c, …, d_C}, where d_1 is the gradient change distance between the first abnormal gradient and the normal gradient, d_2 that for the second abnormal gradient, d_c that for the c-th and d_C that for the C-th. The gradient change distance is computed by the following formula (not reproduced in this extract):
where dist denotes the Euclidean distance function.
Then, select the training sample whose value in the set Dist is minimal and take its label as the label of the target attack sample x_i.
The label of x_i obtained in this way also requires result correction: each abnormal gradient in the set G_swap collected by the malicious attacker is inspected, and if the correction condition holds (formula not reproduced in this extract; α is the correction threshold parameter), the malicious attacker's original model is considered to have misclassified x_i; the label of x_i is then corrected to the label of the training sample corresponding to the abnormal gradient in G_swap with the smallest second-order gradient norm.
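The scoring in S31/S32 reduces to distances between gradient vectors the active party returns anyway, which is the property an operator assessing exposure of a VFL deployment needs to understand: no extra protocol message is involved. The Python below is an added illustration of that scoring and of the result-correction rule over constructed gradient vectors; it is not the patent's code. `dist` is the Euclidean distance the text names; classes are keyed 0, 1, 2 rather than 1..C; and because the inequality that triggers the correction (involving α and the second-order norm) is an equation missing from this extract, `infer_with_correction` takes that decision as a boolean supplied by the caller.

```python
# Added illustration (not the patent's code) of steps S31/S32 and the
# result-correction rule, run over constructed gradient vectors. `dist` is the
# Euclidean distance the text names. The inequality that triggers the
# correction (involving alpha and the second-order norm) is an equation missing
# from this extract, so `infer_with_correction` takes that decision as a boolean.
import math
from typing import Dict, Sequence

Vector = Sequence[float]


def dist(a: Vector, b: Vector) -> float:
    """Euclidean distance between two gradient vectors of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def l2_norm(v: Vector) -> float:
    """Second-order norm ||v||."""
    return math.sqrt(sum(x * x for x in v))


def gradient_change_distances(normal_grad: Vector, g_swap: Dict[int, Vector]) -> Dict[int, float]:
    """S31: Dist = {d_c}, the distance between the abnormal gradient obtained after
    swapping in the known-label sample of class c and the target sample's normal gradient."""
    return {c: dist(g, normal_grad) for c, g in g_swap.items()}


def infer_label(normal_grad: Vector, g_swap: Dict[int, Vector]) -> int:
    """S32: the class whose swapped-in sample changed the gradient least (SLIA)."""
    distances = gradient_change_distances(normal_grad, g_swap)
    return min(distances, key=distances.get)


def corrected_label(g_swap: Dict[int, Vector]) -> int:
    """Correction rule: the class of the abnormal gradient with the smallest second-order norm."""
    return min(g_swap, key=lambda c: l2_norm(g_swap[c]))


def infer_with_correction(normal_grad: Vector, g_swap: Dict[int, Vector], model_mispredicted: bool) -> int:
    """I-SLIA: apply the correction only when the (externally decided) misprediction flag is set."""
    if model_mispredicted:
        return corrected_label(g_swap)
    return infer_label(normal_grad, g_swap)


# Constructed data for one target sample x_i in a three-class task.
NORMAL_GRAD = [0.20, -0.10, 0.05]        # normal gradient of x_i in round t
G_SWAP = {                                # abnormal gradients from rounds t+1 .. t+3
    0: [0.22, -0.09, 0.06],               # closest to the normal gradient
    1: [-0.30, 0.25, -0.10],
    2: [0.02, -0.01, 0.01],               # smallest norm
}

if __name__ == "__main__":
    print("SLIA label:", infer_label(NORMAL_GRAD, G_SWAP))      # 0
    print("corrected label:", corrected_label(G_SWAP))          # 2
```

On the constructed vectors the two rules disagree (SLIA picks class 0, the correction picks class 2), which is exactly the situation the correction step exists for: when the model had already misclassified x_i, the closest-gradient rule follows the wrong prediction and the smallest-norm rule is used instead.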
The label inference attack method provided by the invention was implemented on two common longitudinal federated learning models and on datasets from five real scenarios. The BreastCancer dataset is used to determine whether a patient has breast cancer; the census dataset ("census com" in the source text) is used to determine whether an individual's annual income exceeds 50k; the DefaultCredit and GiveMeSomeCredit datasets are both used to determine whether a person's credit is in default; and the criterion dataset is used to determine whether a user will click on an advertisement. The training features are divided evenly between the active party and the passive party, and for each class the passive party holds only one sample with a known label. The longitudinal federated learning models are VFL-LR, i.e. logistic regression, and VFL-NN, i.e. a neural network.
The procedure that infers a label using the minimum gradient change distance is called SLIA, and the label inference attack with attack-result correction applied is named I-SLIA.
The five datasets are fed into the longitudinal federated learning models for training. From the results in Table 1 it can be seen that SLIA and I-SLIA achieve excellent attack performance on multiple datasets and on different longitudinal federated models. For example, on VFL-NN, I-SLIA reaches over 90% attack accuracy on all datasets, exceeding the accuracy of the original classification task. Note that on the DefaultCredit dataset with VFL-LR, while the attack accuracy of SLIA is only 0.0063, the original task accuracy is only 0.5901.
TABLE 1 accuracy of label inference attack results on different longitudinal federal models
Furthermore, the invention evaluates the impact of the attack on the original classification task. Table 2 shows that the attack method has essentially no effect on the accuracy of the original task. On some tasks the accuracy of the original model even rises slightly; for example, on the GiveMeSomeCredit dataset with VFL-NN the original task accuracy is 0.8341 and the accuracy after the attack is 0.8362, an improvement of 0.0021% in the model's prediction accuracy.
TABLE 2 influence of label inference attacks on raw model tasks
In a longitudinal federated classification task with two participants, we assume that the passive party is the malicious attacker and that it holds one training sample with a known label for each class. The specified slope threshold τ is set to 0.001, the norm threshold ε to 0.0001 and the correction threshold parameter α to 0.5.
1. Normal convergence phase: the malicious attacker records the gradient set returned by the active party during training (formula not reproduced in this extract) and computes the second-order norm of each gradient vector. In the 50th iteration round, the slope of the curve fitted to the second-order norms is less than 0.0001 and the second-order norms of the gradient vectors are less than the norm threshold 0.0001, so the normal convergence phase of the model ends.
2. Label inference attack phase:
a. Collect normal gradient information: in the 51st iteration round the malicious attacker trains normally, obtains the normal gradients (formula not reproduced in this extract) and stores them in the gradient set.
b. Collect abnormal gradient information: for the target attack sample x_i, its normal gradient in the 51st round is recorded (formula not reproduced in this extract); in the 52nd round x_i is exchanged with the known-label sample x_0, giving one abnormal gradient (formula not reproduced); in the 53rd round x_i is exchanged with the known-label sample x_1, giving another abnormal gradient (formula not reproduced).
c. Perform the label inference attack (distance values not reproduced in this extract):
the label of the target attack sample x_i is the label of the known-label sample x_0.
d. Correct the label inference result. Assume the following (values not reproduced in this extract):
because the correction condition holds, the original model is considered to have mispredicted. As a result:
the label of the target attack sample x_i is corrected to the label of the known-label sample x_1.
e. By repeating the four sub-steps above as training proceeds, the malicious attacker completes the label inference attack on all training samples.
The foregoing is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art, who is within the scope of the present invention, should make equivalent substitutions or modifications according to the technical scheme of the present invention and the inventive concept thereof, and should be covered by the scope of the present invention.

Claims (6)

1. A label inference attack method based on sample exchange in a longitudinal federated learning system, characterised by comprising the following steps:
S1, construct a longitudinal federated learning model based on the longitudinal federated learning principle and train it; the participants whose training samples carry labels are defined as active parties and the remaining participants as passive parties; any one passive party, or several passive parties combined, acts as the malicious attacker, and the malicious attacker holds a training sample with a known label from the training sample set of each class;
S2, divide the training phase of the model into a normal convergence phase followed by a label inference attack phase; in the normal convergence phase every participant trains according to the longitudinal federated learning principle; in the label inference attack phase, a training sample held by the malicious attacker without a label is defined as the target attack sample, it is replaced with a training sample whose label is known, and the malicious attacker trains with the replaced sample according to the longitudinal federated learning principle to obtain an abnormal gradient for the target attack sample in each training iteration;
S3, compute the second-order norm of each abnormal gradient of the target attack sample, and select the label of the known-label sample corresponding to the smallest second-order norm as the label of the target attack sample.
2. The label inference attack method based on sample exchange in a longitudinal federated learning system according to claim 1, wherein the specific process of the normal convergence phase is as follows:
S2A1, when training starts, the longitudinal federated learning model carries out normal iterative training according to the longitudinal federated learning principle; during this iterative training the gradient set returned to the malicious attacker by the active party is G (formula not reproduced in this extract), where G denotes the gradient set, t the iteration round and n the number of training samples;
S2A2, compute the second-order norm of every gradient vector in the gradient set and fit a curve to the computed second-order norms;
S2A3, compute the slope of the fitted curve; if the slope of the fitted curve is smaller than the specified slope threshold τ and the second-order norms of the gradient vectors are smaller than the norm threshold ε, stop the iterative training of the normal convergence phase and enter the label inference attack phase; otherwise, continue the iterative training of the normal convergence phase until that stopping condition is satisfied.
3. The label inference attack method based on sample exchange in a longitudinal federated learning system according to claim 2, wherein, assuming the normal convergence phase stops at iteration round t, the label inference attack phase begins with iteration round t+1, and the specific process of the label inference attack phase is as follows:
S2B1, the malicious attacker holds a training sample with a known label from each class of the training sample set, forming the set D_p = {x_1, x_2, …, x_C}, where x_1 denotes the training sample carrying the first class label, x_2 the training sample carrying the second class label, and x_C the training sample carrying the C-th class label; that is, there are C label classes in total;
S2B2, in iteration round t+1, for the target attack sample x_i, a known-label training sample x_c is selected from the set D_p, and the malicious attacker replaces x_i in its training sample set with x_c to construct a new training sample set;
S2B3, the new training sample set is fed into the malicious attacker's model for iterative training according to the longitudinal federated learning principle, yielding the abnormal gradient of the target attack sample x_i (formula not reproduced in this extract);
S2B3, in the subsequent iterative training rounds, the training samples in D_p are substituted for the target attack sample x_i one after another, yielding the abnormal gradient set G_swap (formula not reproduced in this extract);
where the first element of G_swap denotes the abnormal gradient obtained in round t+1 after replacing x_i with x_1; the second denotes the abnormal gradient obtained in round t+2 after replacing x_i with x_2; the c-th denotes the abnormal gradient obtained in round t+c after replacing x_i with x_c; and the C-th denotes the abnormal gradient obtained in round t+C after replacing x_i with x_C.
4. The method of sample exchange based label inference attack in a longitudinal federal learning system according to claim 3, wherein the specific steps of step S3 are as follows:
S31, the target attack sample x_i has a normal gradient in the t-th round of iterative training; the gradient change distance d between each abnormal gradient in the abnormal gradient set G_swap and this normal gradient is computed, giving the gradient change distance set Dist = {d_1, d_2, ..., d_c, ..., d_C}, where d_1 is the gradient change distance between the first abnormal gradient (from the x_1 swap) and the normal gradient; d_2 is the gradient change distance between the second abnormal gradient and the normal gradient; d_c is the gradient change distance between the c-th abnormal gradient and the normal gradient; and d_C is the gradient change distance between the C-th abnormal gradient and the normal gradient;
S32, the label of the training sample whose gradient change distance in the set Dist is the minimum is taken as the label of the target attack sample x_i.
5. The method of sample exchange based label inference attack in a longitudinal federal learning system according to claim 4, wherein the label of the target attack sample x_i obtained in step S32 further requires result correction: each abnormal gradient in the abnormal gradient set G_swap collected by the malicious attacker is checked, and if the correction condition is met, where α is the correction threshold parameter and ‖·‖ denotes the second-order norm, the malicious attacker's original model is considered to have misclassified the target attack sample x_i; in that case the label of the target attack sample x_i is corrected to the label of the training sample corresponding to the abnormal gradient in G_swap with the minimum second-order gradient norm.
6. The method of sample exchange based label inference attack in a longitudinal federal learning system according to claim 5, wherein the gradient change distance is calculated by the following formula:
where dist denotes the Euclidean distance calculation function.
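As an added illustration (not code from the patent), a small Python simulation of the scoring in steps S31 and S32 and the claim-5 correction: the active party holds the labels and a constructed linear softmax head over the passive party's embedding, the attacker's set D_p holds one constructed prototype per class, and the correction trigger (normal gradient norm above α) is an assumption, since the claim's exact condition is not on the page. It shows why the gradient returned for a row changes least when the swapped-in sample's class matches the row's hidden label, and why the minimum-norm fallback is needed once the model misclassifies x_i.

```python
import math

# Toy vertical-federated setup constructed for this example (not the patent's code).
# The active party holds the labels and a linear softmax head W over the passive
# party's embedding z; the passive party only ever receives dL/dz from it.
C = 3                                                      # number of label classes
W = [[4.0 if r == k else 0.0 for k in range(C)] for r in range(C)]  # constructed head
ALPHA = 1.0   # correction threshold (constructed; the claim's exact trigger is not on the page)

def softmax(logits):
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    return [e / sum(exps) for e in exps]

def active_party_gradient(z, label):
    """What the active party returns for one row: dL/dz = W^T (softmax(W z) - onehot(label)).
    The label belongs to the row id, so it stays fixed when the passive party swaps features."""
    p = softmax([sum(W[r][k] * z[k] for k in range(C)) for r in range(C)])
    err = [p[r] - (1.0 if r == label else 0.0) for r in range(C)]
    return [sum(W[r][k] * err[r] for r in range(C)) for k in range(C)]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def infer_label(normal_grad, swap_grads):
    """S31/S32: label whose abnormal gradient is closest to the normal gradient."""
    dists = [euclid(normal_grad, g) for g in swap_grads]
    return min(range(C), key=dists.__getitem__)

def correct_label(swap_grads):
    """Claim-5 fallback: label whose abnormal gradient has the smallest 2-norm."""
    return min(range(C), key=lambda c: euclid(swap_grads[c], [0.0] * C))

# D_p: one known-label sample per class (constructed class prototypes).
D_p = [[1.0 if k == c else 0.0 for k in range(C)] for c in range(C)]

def simulate(x_i, hidden_label):
    """Run round t (normal) and rounds t+1..t+C (one swap per class) for target row x_i."""
    g_normal = active_party_gradient(x_i, hidden_label)           # round t
    g_swap = [active_party_gradient(D_p[c], hidden_label) for c in range(C)]
    guess = infer_label(g_normal, g_swap)
    misclassified = euclid(g_normal, [0.0] * C) > ALPHA           # assumed trigger
    final = correct_label(g_swap) if misclassified else guess
    return {"distance_guess": guess, "misclassified": misclassified, "final": final}

if __name__ == "__main__":
    print(simulate([0.1, 0.9, 0.0], 1))   # head already predicts class 1 correctly
    print(simulate([0.0, 0.1, 0.9], 1))   # true label 1, but the head predicts class 2
```

In the second case the distance rule follows the model's wrong prediction (class 2), and only the minimum-norm correction recovers the hidden label.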
CN202311434847.6A 2023-11-01 2023-11-01 Label inference attack method based on sample exchange in longitudinal federal learning system Active CN117150422B (en)
Publications (2)

Publication Number Publication Date
CN117150422A true CN117150422A (en) 2023-12-01
CN117150422B CN117150422B (en) 2024-02-02
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant