CN117150422A - Label inference attack method based on sample exchange in longitudinal federal learning system - Google Patents
Label inference attack method based on sample exchange in longitudinal federal learning system Download PDFInfo
- Publication number
- CN117150422A CN117150422A CN202311434847.6A CN202311434847A CN117150422A CN 117150422 A CN117150422 A CN 117150422A CN 202311434847 A CN202311434847 A CN 202311434847A CN 117150422 A CN117150422 A CN 117150422A
- Authority
- CN
- China
- Prior art keywords
- training
- sample
- gradient
- label
- attack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 38
- 238000012549 training Methods 0.000 claims abstract description 163
- 230000002159 abnormal effect Effects 0.000 claims abstract description 44
- 238000012937 correction Methods 0.000 claims description 8
- 239000013598 vector Substances 0.000 claims description 8
- 238000004364 calculation method Methods 0.000 claims description 6
- 101100533306 Mus musculus Setx gene Proteins 0.000 claims description 3
- 230000006870 function Effects 0.000 claims description 3
- 206010006187 Breast cancer Diseases 0.000 description 2
- 208000026310 Breast neoplasm Diseases 0.000 description 2
- 230000002411 adverse Effects 0.000 description 1
- 238000013528 artificial neural network Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000007477 logistic regression Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/2433—Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/098—Distributed learning, e.g. federated learning
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Evolutionary Computation (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computational Linguistics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Evolutionary Biology (AREA)
- General Health & Medical Sciences (AREA)
- Molecular Biology (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the technical field of federal learning, in particular to a label inference attack method based on sample exchange in a longitudinal federal learning system, which comprises the following operation steps: constructing a longitudinal federal learning model, and training the longitudinal federal learning model; the training phase of the longitudinal federal learning model is divided into a normal convergence phase and a label inference attack phase in sequence; in the normal convergence stage, each participant trains according to the longitudinal federal learning principle; in the label deducing attack stage, defining a training sample without a label in a malicious attacker as a target attack sample, and replacing the target attack sample with a training sample with a known label to obtain an abnormal gradient of the target attack sample in each iteration training; taking the label of the corresponding sample when the second-order norm of the abnormal gradient takes the minimum value as the label of the target attack sample; the method can infer the label of the training data on the premise that the federal training task is not destroyed and is not detected by other participants.
Description
Technical Field
The invention relates to the technical field of federal learning, in particular to a label inference attack method based on sample exchange in a longitudinal federal learning system.
Background
The federal learning can realize the joint training of the machine learning model by a plurality of participants through exchanging model parameters or updating parameters on the premise that the privacy data of the user does not go out of the domain. Federal learning can be classified into horizontal federal learning and vertical federal learning according to the data distribution.
The federal study provides security assurance for data use, can avoid data security supervision risks, generally gives more attention to security in engineering realization, and in order to protect user data security, encryption algorithm or multiparty security calculation secret sharing and other modes are used to realize privacy calculation of data.
However, the encryption and decryption of large data volume in the prior art involves a large amount of calculation operations, or secret sharing is adopted to enlarge the data traffic multiple, which results in slower running speed and lower algorithm performance of the federal learning algorithm. Compared with the model training speed of the plaintext data centralized type, the existing federal learning model is different by several times or even tens of times, and the performance gap is more obvious along with the expansion of the data volume. In real business, efficiency is emphasized very much between enterprises, between users and enterprise services, if performance loss is very large, performance efficiency of a task is very slow, federal learning is affected to fall to the ground in the real business, users cannot accept services provided by the enterprises, and negative results such as business damage, user loss and the like are caused, so that adverse effects are generated on normal development of the enterprises.
Disclosure of Invention
Aiming at the technical problems in the prior safety privacy field, the invention provides a label inference attack method based on sample exchange in a longitudinal federal learning system. The method can infer the label of the training data on the premise that the federal training task is not destroyed and is not detected by other participants.
In order to achieve the above purpose, the present invention provides the following technical solutions:
a label inference attack method based on sample exchange in a longitudinal federal learning system comprises the following operation steps:
s1, constructing a longitudinal federal learning model based on a longitudinal federal learning principle, and training the longitudinal federal learning model; the participants with the training samples having labels in the longitudinal federal learning model are defined as active parties, and the rest participants are defined as passive parties; any one or a plurality of passive parties are combined to serve as malicious attackers, and the malicious attackers have training samples with known labels in training sample sets of each category;
s2, sequentially dividing a training phase of the longitudinal federal learning model into a normal convergence phase and a label inference attack phase; in the normal convergence stage, each participant trains according to the longitudinal federal learning principle; in the label deducing attack stage, defining a training sample without a label in a malicious attacker as a target attack sample, replacing the target attack sample with a training sample with a known label, and training the malicious attacker with the replaced sample according to a longitudinal federal learning principle to obtain an abnormal gradient of the target attack sample in each iteration training;
s3, calculating second-order norms of each abnormal gradient of the target attack sample, and selecting a label of the sample with the known label corresponding to the minimum second-order norms as the label of the target attack sample.
As still further aspects of the invention: the specific process of the normal convergence phase is as follows:
S2A1, when training is started, the longitudinal federal learning model performs positive correction according to the longitudinal federal learning principle
In the process of the iterative training, the gradient set transmitted back to the malicious attacker by the initiative isWhereinGThe name of the gradient set is represented,tthe number of rounds of the iteration is represented,nrepresenting the number of training samples;
S2A2, calculating second-order norms of all gradient vectors in the gradient set, and performing curve fitting on the calculated second-order norms to obtain a fitting curve;
S2A3 meterCalculating the slope of the fitted curve, if the slope of the fitted curve is smaller than the specified slope thresholdτAnd the second-order norms of the gradient vectors are smaller than the norms threshold valueεWhen the method is used, the iteration training is stopped in the normal convergence stage, and then the label inference attack stage is entered for the iteration training; otherwise, continuing the iterative training in the normal convergence stage until the condition that the iterative training is stopped in the normal convergence stage is met.
As still further aspects of the invention: assume that the normal convergence phase is at the firsttStopping the training in the iteration of the wheel, then at the firsttEntering a label inference attack stage when carrying out +1 round of iterative training; the specific process of the tag inference attack phase is as follows:
S2B1, setting that a malicious attacker has a training sample with known labels in each class of training sample set, and forming a setD p ,D p ={x 1 ,x 2 ,…,x C }, whereinx 1 Representing a training sample corresponding to a first category of labels,x 2 representing a training sample corresponding to a second type of tag,x C represent the firstCTraining samples corresponding to the types of labels, i.e. the label types of the training samples are commonCSeed;
S2B2, at the firstt+In 1 round of iterative training, for target attack samplesx i At the collectionD p Training samples for selecting known tagsx c The malicious attacker trains the target attack sample in the sample setx i Training samples substituted with known tagsx c To construct a new training sample set;
S2B3, inputting a new training sample set into a malicious attacker to perform iterative training according to a longitudinal federal learning principle, and training to obtain a target attack samplex i Is of the abnormal gradient of (2);
S2B3, in the subsequent iterative training process, using the setD p In which training samples are sequentially substituted for target attack samplesx i To obtain an abnormal gradient setG swap ,
Wherein,is shown in the firsttIn +1 round of iteration, target attack samplex i Replacement with training samplesx 1 Performing post-training to obtain an abnormal gradient; />Is shown in the firsttIn +2 round of iteration, target attack samplex i Replacement with training samplesx 2 Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+cIn round iteration, target attack samplex i Replacement with training samplesx c Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+CIn round iteration, target attack samplex i Replacement with training samplesx C And (5) training the obtained abnormal gradient.
As still further aspects of the invention: the specific steps of step S3 are as follows:
s31, target attack samplex i In the first placetThe normal gradient in the round of iterative training isComputing an abnormal gradient setG swap The gradient change distance between each abnormal gradient and the normal gradientdAnd obtain gradient change distance setDist={d 1 ,d 2 ,…,d c ,…,d C And } wherein,d 1 representation->And->A gradient change distance between the two;d 2 representation->And->A gradient change distance between the two;d c representation->And->A gradient change distance between the two;d C representation->And->A gradient change distance between the two;
s32, selecting gradient change distance setDistThe label of the training sample with the minimum value is taken as the target attack samplex i Is a label of (a).
As still further aspects of the invention: the target attack sample obtained in step S32x i The label of (2) also requires result correction: abnormal gradient set collected for malicious aggressorsG swap Detecting each abnormal gradient in the image if it occurs,αFor correcting the threshold parameter, |·| represents a second-order norm, the original model of the malicious attacker is considered to be a target attack samplex i Classification errors of (a); at this time, target attack samplex i Correction of labels into outlier gradient setsG swap And the label of the training sample corresponding to the abnormal gradient with the minimum second-order gradient norm.
As still further aspects of the invention: the gradient change distance calculation formula is as follows:
wherein,distrepresenting the euclidean distance computation function.
Compared with the prior art, the invention has the beneficial effects that:
1. the method and the device enable the passive party without the tag in the longitudinal federal learning to finish the tag deducing attack on the active party under the condition of only having a small number of data tags, and accurately deducing the tag of the training data.
2. The invention has low cost of executing the label deducing attack, does not need to additionally execute model training, and can complete the label deducing attack along with the normal training.
3. The invention has strong universality, does not need to depend on specific training protocols and data distribution, and can be implemented in various longitudinal federal learning models.
4. The invention has low attack condition, and a malicious attacker can attack only by having one training sample label of each type of sample.
Drawings
Fig. 1 is a schematic diagram of a main flow structure of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, in an embodiment of the present invention, a label inference attack method based on sample exchange in a longitudinal federal learning system mainly includes the following contents:
1. based on a longitudinal federal learning principle, constructing a longitudinal federal learning model, and training the longitudinal federal learning model; the participants with the training samples having labels in the longitudinal federal learning model are defined as active parties, and the rest participants are defined as passive parties; any one or a plurality of passive parties are combined to serve as malicious attackers, and the malicious attackers have training samples with known labels in the training sample set of each category.
2. The training phase of the longitudinal federal learning model is divided into a normal convergence phase and a label inference attack phase in sequence; in the normal convergence stage, each participant trains according to the longitudinal federal learning principle; in the label deducing attack stage, defining a training sample without a label in a malicious attacker as a target attack sample, replacing the target attack sample with a training sample with a known label, and training the malicious attacker with the replaced sample according to a longitudinal federal learning principle to obtain an abnormal gradient of the target attack sample in each iteration training.
The specific process of the normal convergence stage is as follows:
first, at the beginning of training, the longitudinal federal learning model is forward according to the longitudinal federal learning principle
In the process of the iterative training, the gradient set transmitted back to the malicious attacker by the initiative isWhereinGThe name of the gradient set is represented,tthe number of rounds of the iteration is represented,nrepresenting the number of training samples.
Then, the second order norms of the gradient vectors in the gradient set are calculated, and curve fitting is carried out on the calculated second order norms to obtain a fitting curve.
Finally, calculating the slope of the fitted curve, if the slope of the fitted curve is smaller than the specified slopeThreshold valueτAnd the second-order norms of the gradient vectors are smaller than the norms threshold valueεWhen the method is used, the iteration training is stopped in the normal convergence stage, and then the label inference attack stage is entered for the iteration training; otherwise, continuing the iterative training in the normal convergence stage until the condition that the iterative training is stopped in the normal convergence stage is met.
Assume that the normal convergence phase is at the firsttStopping the training in the iteration of the wheel, then at the firsttEntering a label inference attack stage when carrying out +1 round of iterative training; the specific process of the tag inference attack phase is as follows:
firstly, a malicious attacker is set to have a training sample with known labels in each class of training sample set, and a set is formedD p ,D p ={x 1 ,x 2 ,…,x C }, whereinx 1 Representing a training sample corresponding to a first category of labels,x 2 representing a training sample corresponding to a second type of tag,x C represent the firstCTraining samples corresponding to the types of labels, i.e. the label types of the training samples are commonCA kind of module is assembled in the module and the module is assembled in the module.
Next, at the firstt+In 1 round of iterative training, for target attack samplesx i At the collectionD p Training samples for selecting known tagsx c The malicious attacker trains the target attack sample in the sample setx i Training samples substituted with known tagsx c To construct a new training sample set.
Then, inputting the new training sample set into a malicious attacker to perform iterative training according to the longitudinal federal learning principle, and training to obtain a target attack samplex i Is of the abnormal gradient of (2)。
Finally, in the subsequent iterative training process, the set is usedD p In which training samples are sequentially substituted for target attack samplesx i To obtain an abnormal gradient setG swap ,
Wherein,is shown in the firsttIn +1 round of iteration, target attack samplex i Replacement with training samplesx 1 Performing post-training to obtain an abnormal gradient; />Is shown in the firsttIn +2 round of iteration, target attack samplex i Replacement with training samplesx 2 Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+cIn round iteration, target attack samplex i Replacement with training samplesx c Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+CIn round iteration, target attack samplex i Replacement with training samplesx C And (5) training the obtained abnormal gradient.
3. And calculating the second-order norms of the abnormal gradients of the target attack sample, and selecting the label of the sample with the known label corresponding to the minimum second-order norms as the label of the target attack sample. The method comprises the following specific steps:
first, target attack samplesx i In the first placetThe normal gradient in the round of iterative training isComputing an abnormal gradient setG swap The gradient change distance between each abnormal gradient and the normal gradientdAnd obtain a ladderDegree-varying distance setDist={d 1 ,d 2 ,…,d c ,…,d C And } wherein,d 1 representation->And->A gradient change distance between the two;d 2 representation->And->A gradient change distance between the two;d c representation->And->A gradient change distance between the two;d C representation->And->The gradient change distance between them. The gradient change distance calculation formula is as follows:
wherein,distrepresenting the euclidean distance computation function.
Then, a gradient change distance set is selectedDistThe label of the training sample with the minimum value is taken as the target attack samplex i Is a label of (a).
Wherein the obtained target attack samplex i The label of (2) also requires result correction: abnormal gradient set collected for malicious aggressorsG swap Detecting each abnormal gradient in the image if it occurs,αTo correct the threshold parameters, the original model of the malicious attacker is considered to be the target attack samplex i Classification errors of (a); at this time, target attack samplex i Correction of labels into outlier gradient setsG swap And the label of the training sample corresponding to the abnormal gradient with the minimum second-order gradient norm.
The label inference attack method provided by the invention is realized on two common longitudinal federal learning models and data sets of five real scenes. Wherein the BreastCancer dataset is a dataset for determining whether a patient has breast cancer; the census com data set is used for judging whether the annual income of the individual is greater than 50 k; the DefaultCredit data set and the GiveMeSomeCredit data set are both data sets for judging whether a person credit is default or not; the criterion dataset is a dataset used to determine whether an advertisement will be clicked on by a user. Training features are evenly distributed to the active and passive parties, wherein each class of samples of the passive party has only one sample of a known tag. The longitudinal federal learning model is VFL-LR, namely logistic regression; VFL-NN, i.e., neural networks.
The process of deducing a tag using the minimum gradient change distance is called SLIA, and the tag deducing attack to which the attack result correction is applied is named I-SLIA.
The five data sets are input into the longitudinal federal learning model for training, and according to the training results in table 1, it is known that excellent attack performance can be obtained by SLIA and I-SLIA on a plurality of data sets of different longitudinal federal models. For example, on a VFL-NN, the I-SLIA achieves over 90% attack accuracy on all data sets, beyond the accuracy of the original classification task. Note that on the defaultCredit dataset of the VFL-LR, while the attack accuracy of SLIA is only 0.0063, the raw task accuracy is only 0.5901.
TABLE 1 accuracy of label inference attack results on different longitudinal federal models
Furthermore, the present invention evaluates the impact of an attack on the original classification task. From table 2, it can be seen that the attack method of the present invention has substantially no accuracy impact on the original task. In addition, the precision of the original model is slightly improved on part of tasks, such as the GiveMeSomeCredit data set of the VFL-NN, the precision of the original task is 0.8341, the precision after attack is 0.8362, and the prediction precision of the model is improved by 0.0021%.
TABLE 2 influence of label inference attacks on raw model tasks
In a longitudinal federal model classification task with two participants involved, we assume the passive party as a malicious attacker, each class of training samples having a training sample of known labels. Setting a specified slope thresholdτIs 0.001, norm thresholdεAt 0.0001, correct the threshold parameterα0.5.
1. Normal convergence phase: gradient set returned by active party in malicious attacker recording training processAnd calculating a second-order norm value of each gradient vector, and ending the normal convergence stage of the model if the curve slope of the second-order norm fitting curve is less than 0.0001 and the second-order norms of the gradient vectors are less than a norm threshold value of 0.0001 in the 50 th round of iterative training.
2. Label inference attack phase:
a. collecting normal gradient information: carrying out normal training on a malicious attacker in the 51 st round of iterative training to obtainAnd stored in gradient set->Is a kind of medium.
b. Collecting abnormal gradient information: for target attack samplesx i Its normal gradient in 51 st round of iterative training isThe method comprises the steps of carrying out a first treatment on the surface of the In the 52 th round of iterative training, target attack samplesx i And a sample of known tagsx 0 Exchange to obtain abnormal gradient->The method comprises the steps of carrying out a first treatment on the surface of the In the 53 rd round of iterative training, target attack samplesx i And a sample of known tagsx 1 Exchange to obtain abnormal gradient->。
c. And (3) performing label reasoning attack:
target attack samplex i Is a sample of known tagsx 0 Is a label of (a).
d. And (3) correcting label reasoning attack results: assume that:
due toThe original model is therefore considered to be mispredicted. As a result of:
sample target attackx i Is corrected to a known label samplex 1 Is a label of (a).
e. By repeating the four sub-steps, as training proceeds, a malicious attacker can complete the label reasoning attack on all training samples.
The foregoing is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art, who is within the scope of the present invention, should make equivalent substitutions or modifications according to the technical scheme of the present invention and the inventive concept thereof, and should be covered by the scope of the present invention.
Claims (6)
1. The label inference attack method based on sample exchange in the longitudinal federal learning system is characterized by comprising the following operation steps:
s1, constructing a longitudinal federal learning model based on a longitudinal federal learning principle, and training the longitudinal federal learning model; the participants with the training samples having labels in the longitudinal federal learning model are defined as active parties, and the rest participants are defined as passive parties; any one or a plurality of passive parties are combined to serve as malicious attackers, and the malicious attackers have training samples with known labels in training sample sets of each category;
s2, sequentially dividing a training phase of the longitudinal federal learning model into a normal convergence phase and a label inference attack phase; in the normal convergence stage, each participant trains according to the longitudinal federal learning principle; in the label deducing attack stage, defining a training sample without a label in a malicious attacker as a target attack sample, replacing the target attack sample with a training sample with a known label, and training the malicious attacker with the replaced sample according to a longitudinal federal learning principle to obtain an abnormal gradient of the target attack sample in each iteration training;
s3, calculating second-order norms of each abnormal gradient of the target attack sample, and selecting a label of the sample with the known label corresponding to the minimum second-order norms as the label of the target attack sample.
2. The method for sample exchange-based label inference attack in a longitudinal federal learning system according to claim 1, wherein the specific procedure of the normal convergence phase is as follows:
S2A1, when training is started, the longitudinal federal learning model carries out normal iterative training according to the longitudinal federal learning principle, and in the iterative training process, the gradient set transmitted back to the malicious attacker by the initiative isWhereinGThe name of the gradient set is represented,tthe number of rounds of the iteration is represented,nrepresenting the number of training samples;
S2A2, calculating second-order norms of all gradient vectors in the gradient set, and performing curve fitting on the calculated second-order norms to obtain a fitting curve;
S2A3, calculating the slope of the fitting curve, if the slope of the fitting curve is smaller than the specified slope threshold valueτAnd the second-order norms of the gradient vectors are smaller than the norms threshold valueεWhen the method is used, the iteration training is stopped in the normal convergence stage, and then the label inference attack stage is entered for the iteration training; otherwise, continuing the iterative training in the normal convergence stage until the condition of stopping the iterative training in the normal convergence stage is satisfied.
3. The method of sample exchange based label inference attack in a longitudinal federal learning system according to claim 2, wherein the normal convergence phase is assumed to be at the first stagetStopping the training in the iteration of the wheel, then at the firsttEntering a label inference attack stage when carrying out +1 round of iterative training; the specific process of the tag inference attack phase is as follows:
S2B1, setting that a malicious attacker has a training sample with known labels in each class of training sample set, and forming a setD p ,D p ={x 1 ,x 2 ,…,x C }, whereinx 1 Representing a training sample corresponding to a first category of labels,x 2 representing a training sample corresponding to a second type of tag,x C represent the firstCTraining samples corresponding to the types of labels, i.e. the label types of the training samples are commonCSeed;
S2B2, at the firstt+In 1 round of iterative training, for target attack samplesx i At the collectionD p Training samples for selecting known tagsx c The malicious attacker trains the target attack sample in the sample setx i Training samples substituted with known tagsx c To construct a new training sample set;
S2B3, inputting a new training sample set into a malicious attacker to perform iterative training according to a longitudinal federal learning principle, and training to obtain a target attack samplex i Is of the abnormal gradient of (2);
S2B3, in the subsequent iterative training process, using the setD p In which training samples are sequentially substituted for target attack samplesx i To obtain an abnormal gradient setG swap ,
Wherein (1)>Is shown in the firsttIn +1 round of iteration, target attack samplex i Replacement with training samplesx 1 Performing post-training to obtain an abnormal gradient; />Is shown in the firsttIn +2 round of iteration, target attack samplex i Replacement with training samplesx 2 Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+cIn round iteration, target attack samplex i Replacement with training samplesx c Performing post-training to obtain an abnormal gradient; />Is shown in the firstt+CIn round iteration, target attack samplex i Replacement with training samplesx C And (5) training the obtained abnormal gradient.
4. A method of sample exchange based label inference attack in a vertical federal learning system according to claim 3, wherein the specific steps of step S3 are as follows:
s31, target attack samplex i In the first placetThe normal gradient in the round of iterative training isComputing an abnormal gradient setG swap The gradient change distance between each abnormal gradient and the normal gradientdAnd obtain gradient change distance setDist={d 1 ,d 2 ,…,d c ,…,d C And } wherein,d 1 representation->And->A gradient change distance between the two;d 2 representation->And->A gradient change distance between the two;d c representation->And->A gradient change distance between the two;d C representation->And->A gradient change distance between the two;
s32, selecting gradient change distance setDistThe label of the training sample with the minimum value is taken as the target attack samplex i Is a label of (a).
5. The method of sample exchange-based label inference attack in a longitudinal federal learning system according to claim 4, wherein the target attack sample obtained in step S32x i The label of (2) also requires result correction: abnormal gradient set collected for malicious aggressorsG swap Detecting each abnormal gradient in the image if it occurs,αFor correcting the threshold parameter, |·| represents a second-order norm, the original model of the malicious attacker is considered to be a target attack samplex i Classification errors of (a); at this time, target attack samplex i Correction of labels into outlier gradient setsG swap And the label of the training sample corresponding to the abnormal gradient with the minimum second-order gradient norm.
6. The method for sample exchange-based label inference attack in a longitudinal federal learning system according to claim 5, wherein the gradient change distance calculation formula is as follows:
wherein,distrepresenting the euclidean distance computation function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311434847.6A CN117150422B (en) | 2023-11-01 | 2023-11-01 | Label inference attack method based on sample exchange in longitudinal federal learning system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311434847.6A CN117150422B (en) | 2023-11-01 | 2023-11-01 | Label inference attack method based on sample exchange in longitudinal federal learning system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117150422A true CN117150422A (en) | 2023-12-01 |
| CN117150422B CN117150422B (en) | 2024-02-02 |
Family
ID=88912484
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311434847.6A Active CN117150422B (en) | 2023-11-01 | 2023-11-01 | Label inference attack method based on sample exchange in longitudinal federal learning system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117150422B (en) |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113657611A (en) * | 2021-08-30 | 2021-11-16 | 支付宝(杭州)信息技术有限公司 | Method and device for jointly updating model |
| CN113850399A (en) * | 2021-10-15 | 2021-12-28 | 北京航空航天大学 | Prediction confidence sequence-based federal learning member inference method |
| CN114519209A (en) * | 2022-02-08 | 2022-05-20 | 脸萌有限公司 | Method, apparatus, device and medium for protecting data |
| CN115310625A (en) * | 2022-08-08 | 2022-11-08 | 西安电子科技大学 | Longitudinal federated learning reasoning attack defense method |
| CN115630700A (en) * | 2022-11-09 | 2023-01-20 | 杭州量安科技有限公司 | Label inference attack defense method and device based on decentralized training |
| EP4131042A1 (en) * | 2021-08-04 | 2023-02-08 | Abb Schweiz Ag | Systems and methods for malicious attack detection in phasor measurement unit data |
| WO2023012230A2 (en) * | 2021-08-06 | 2023-02-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Generative adversarial-based attack in federated learning |
| CN116644433A (en) * | 2023-05-29 | 2023-08-25 | 浙江大学 | Data privacy and model safety test method for longitudinal federal learning |
| US20230274004A1 (en) * | 2022-02-25 | 2023-08-31 | Oracle International Corporation | Subject Level Privacy Attack Analysis for Federated Learning |
| CN116720219A (en) * | 2023-06-14 | 2023-09-08 | 西南交通大学 | Gradient leakage attack method, equipment and storage medium under federal learning |
| US20230308465A1 (en) * | 2023-04-12 | 2023-09-28 | Roobaea Alroobaea | System and method for dnn-based cyber-security using federated learning-based generative adversarial network |
-
2023
- 2023-11-01 CN CN202311434847.6A patent/CN117150422B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP4131042A1 (en) * | 2021-08-04 | 2023-02-08 | Abb Schweiz Ag | Systems and methods for malicious attack detection in phasor measurement unit data |
| WO2023012230A2 (en) * | 2021-08-06 | 2023-02-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Generative adversarial-based attack in federated learning |
| CN113657611A (en) * | 2021-08-30 | 2021-11-16 | 支付宝(杭州)信息技术有限公司 | Method and device for jointly updating model |
| CN113850399A (en) * | 2021-10-15 | 2021-12-28 | 北京航空航天大学 | Prediction confidence sequence-based federal learning member inference method |
| CN114519209A (en) * | 2022-02-08 | 2022-05-20 | 脸萌有限公司 | Method, apparatus, device and medium for protecting data |
| US20230274004A1 (en) * | 2022-02-25 | 2023-08-31 | Oracle International Corporation | Subject Level Privacy Attack Analysis for Federated Learning |
| CN115310625A (en) * | 2022-08-08 | 2022-11-08 | 西安电子科技大学 | Longitudinal federated learning reasoning attack defense method |
| CN115630700A (en) * | 2022-11-09 | 2023-01-20 | 杭州量安科技有限公司 | Label inference attack defense method and device based on decentralized training |
| US20230308465A1 (en) * | 2023-04-12 | 2023-09-28 | Roobaea Alroobaea | System and method for dnn-based cyber-security using federated learning-based generative adversarial network |
| CN116644433A (en) * | 2023-05-29 | 2023-08-25 | 浙江大学 | Data privacy and model safety test method for longitudinal federal learning |
| CN116720219A (en) * | 2023-06-14 | 2023-09-08 | 西南交通大学 | Gradient leakage attack method, equipment and storage medium under federal learning |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117150422B (en) | 2024-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Wu et al. | An adaptive federated learning scheme with differential privacy preserving | |
| CN111669366B (en) | Localized differential private data exchange method and storage medium | |
| CN113689003B (en) | Mixed federal learning framework and method for safely removing third party | |
| CN112799708B (en) | Method and system for jointly updating business model | |
| WO2022160623A1 (en) | Teacher consensus aggregation learning method based on randomized response differential privacy technology | |
| Kang et al. | Privacy-preserving federated adversarial domain adaptation over feature groups for interpretability | |
| Liu et al. | D2MIF: A malicious model detection mechanism for federated learning empowered artificial intelligence of things | |
| US20240037252A1 (en) | Methods and apparatuses for jointly updating service model | |
| Cao et al. | Two-level attention model of representation learning for fraud detection | |
| CN112905187B (en) | Compiling method, compiling device, electronic equipment and storage medium | |
| CN113298267B (en) | Vertical federal model defense method based on node embedding difference detection | |
| Wang et al. | Heterogeneous defect prediction based on federated transfer learning via knowledge distillation | |
| Hsu et al. | A survey on statistical, information, and estimation—theoretic views on privacy | |
| Xu et al. | Machine unlearning: Solutions and challenges | |
| CN114282692A (en) | Model training method and system for longitudinal federal learning | |
| Zola et al. | Generative adversarial networks for bitcoin data augmentation | |
| CN117150422B (en) | Label inference attack method based on sample exchange in longitudinal federal learning system | |
| Wang et al. | Towards practical federated causal structure learning | |
| CN116341004B (en) | Longitudinal federal learning privacy leakage detection method based on feature embedding analysis | |
| Khan et al. | Vertical federated learning: A structured literature review | |
| CN112101946A (en) | Method and device for jointly training business model | |
| Deng et al. | Non-interactive and privacy-preserving neural network learning using functional encryption | |
| Jia et al. | Partial knowledge transfer in visual recognition systems via joint loss-aware consistency learning | |
| CN114386583A (en) | Longitudinal federal neural network model learning method for protecting label information | |
| CN114723012A (en) | Computing method and device based on distributed training system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |