CN117171786A - Decentralizing federal learning method for resisting poisoning attack - Google Patents


Publication number
CN117171786A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311053642.3A
Other languages
Chinese (zh)
Inventor
胡聪
姚振
卢锐轩
王鹏
张翠翠
刘翠玲
孙佳丽
张庭曾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Original Assignee
Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Application filed by Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Priority to CN202311053642.3A
Publication of CN117171786A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a decentralized federated learning method for resisting poisoning attacks, carried out jointly by two parts: federated learning and a blockchain. Federated learning is responsible for local data collection and training; the blockchain is responsible for verifying local model updates and aggregating global model parameters. The model update parameters and verification results generated during federated learning are stored on the blockchain, and miners on the blockchain aggregate the global model, replacing the work of a central server. The raw data remains on the client, which reduces the risk of data leakage caused by malicious attacks on the blockchain network; at the same time, the blockchain system serves as a distributed ledger that stores the intermediate results of the federated learning process, ensuring the transparency and traceability of the system. Because the blockchain system replaces the central server, problems of traditional federated learning such as single points of failure are avoided, and the influence of client poisoning attacks on the federated learning process is avoided to the greatest extent.

Description

Decentralizing federal learning method for resisting poisoning attack
Technical Field
The invention relates to a decentralized federated learning method for resisting poisoning attacks, and belongs to the technical field of blockchain and privacy computing.
Background
Federated learning is a distributed machine learning method that aims to solve the problems of data privacy and data security among multiple parties. Traditional machine learning often needs to gather all data on one central server for training, but this involves centralized storage and transmission of large amounts of sensitive personal data, with risks of privacy disclosure and to data security. Federated learning instead uses a distributed learning model that pushes the machine learning algorithm to where the data resides, without collecting the raw data on a central server. Each participant trains the model locally and then sends model parameter updates to the central server, which aggregates them and updates the model. In this way, individual data is not directly exposed to the central server and only model parameters are transmitted over the network, greatly reducing the risks of data leakage and to data security.
However, federated learning still has many problems. First, it relies on a central server and is vulnerable to single points of failure, man-in-the-middle attacks and the like. Second, the lack of an effective incentive mechanism may cause some clients to leave federated learning midway. Finally, malicious attacks such as poisoning attacks and Bayesian attacks mislead the training process and significantly affect the accuracy of the model on the training set, so that the model cannot converge normally.
As a distributed ledger, the blockchain can effectively compensate for these shortcomings of federated learning through its decentralization, openness and transparency, tamper resistance and traceability. The decentralized, distributed-ledger nature of the blockchain allows the model parameters of federated learning to be stored on multiple nodes, each of which can verify the validity of the model parameters. Malicious nodes can therefore be prevented from tampering with the model parameters, ensuring the integrity and security of the model. In existing work, the verification of model parameter updates may be problematic in practical application environments. For example, in some schemes the task publisher provides a reliable test data set that miners use to verify the model parameter updates uploaded by clients, but in real-world situations choosing the test data set is a significant challenge. In addition, some schemes judge the reliability of update parameters by the similarity between local model parameters and global model parameters; however, similarity is only one measure between model parameters and cannot accurately judge model quality. Different clients may train under different data distributions, resulting in differences in the update quality of the model.
Therefore, the verification algorithm used by the invention combines an improved k-means clustering algorithm with the concept of cosine similarity. By calling the relevant smart contracts, miners can effectively verify the model update parameters uploaded by federated partners and aggregate the model in a principled way, thereby avoiding the influence of client poisoning attacks on the federated learning process to the greatest extent.
Disclosure of Invention
To solve the above problems, the invention provides a decentralized federated learning method for resisting poisoning attacks that does not depend on any trusted centralized server. In this scheme, the blockchain acts as a trusted, distributed ledger for managing model updates from edge client devices. To effectively resist poisoning attacks by malicious clients, the invention also provides an algorithm for verifying model update parameters, which combines an improved k-means clustering algorithm with the concept of cosine similarity. Miners on the blockchain verify each model update parameter by calling the corresponding smart contract and finally aggregate the global model parameters based on the verification results, so that the influence of client poisoning attacks on the federated learning process is avoided to the greatest extent.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
A decentralized federated learning method for resisting poisoning attacks is carried out jointly by federated learning and a blockchain. Federated learning is responsible for local data collection and training; the blockchain is responsible for verifying local model updates and aggregating global model parameters. The model update parameters and verification results generated during federated learning are stored on the blockchain, and miners on the blockchain aggregate the global model, replacing the work of a central server.
The decentralized federated learning method for resisting poisoning attacks is applied to scenarios in which different enterprises or institutions cooperate to build a shared machine learning model, and it achieves model training without exposing the raw data.
In this scheme, the raw data remains on the client, which reduces the risk of data leakage caused by malicious attacks on the blockchain network; at the same time, the blockchain system serves as a distributed ledger that stores the intermediate results of the federated learning process, ensuring the decentralization and traceability of the system. Because the blockchain system replaces the central server, problems of traditional federated learning such as single points of failure are avoided. More importantly, the invention provides an algorithm for verifying client model update parameters, which combines an improved k-means clustering algorithm with the concept of cosine similarity and can effectively resist poisoning attacks by malicious clients. In the blockchain system, miners can invoke smart contracts to verify the model update parameters uploaded by federated partners and aggregate the model in a principled way, so that the influence of client poisoning attacks on the federated learning process is avoided to the greatest extent.
The decentralized federated learning method for resisting poisoning attacks involves the following roles:
Global trust authority (Global Trust Authority): responsible for verifying the identity of data owners and managing permissions, so that only legally authorized users can participate in federated learning;
Federated partner (client): a data owner authorized by the global trust authority who wishes to build a model with other federated partners without exposing its own data;
Blockchain system (Blockchain System): serves as a distributed ledger that records the intermediate parameters of the federated learning process, and can replace a central server in performing model aggregation;
Miners (miner): nodes responsible for packaging transactions and generating new blocks in the blockchain network. In this scheme they are divided into two types: verification miners (Verify miners) and execution miners (execute miners). Verification miners are responsible for verifying the model update parameters uploaded by federated partners; execution miners are responsible for parameter aggregation and for generating new blocks.
The decentralized federated learning method for resisting poisoning attacks comprises:
(1) Identity authentication and authorization of institutions: every institution submits its computing resources and identity information to the global trust authority, which verifies the authenticity and validity of the institution from the information received; only institutions that pass global identity verification are permitted to participate in federated learning. One institution corresponds to one blockchain node, and one institution may include multiple federated partners;
(2) System initialization: before federated learning begins, all clients (federated partners) need to agree on a common model structure and initialize the model parameters on their respective devices; meanwhile, the blockchain system selects verification miners and an execution miner from all blockchain nodes;
(3) Local model training: all clients (federated partners) train the model locally for the required number of iterations and upload the model parameters to the corresponding verification miners;
(4) Verification of local model parameters: the verification miner uses a clustering algorithm to divide the model parameters into different clusters, aggregates all model parameters within each cluster once, then calculates the cosine similarity between each cluster's aggregation result and the previous round's global model parameters, and finally sends the calculation results and the corresponding clusters to the execution miner;
(5) Parameter aggregation: the execution miner first screens the clusters according to the calculation result for each cluster, selecting the clusters that are relatively similar to the previous round's global model parameters, and then aggregates the global model parameters to generate the global model parameters for the current round;
(6) Updating the blockchain: the execution miner generates a new block, stores the local model parameters in the new block and updates the blockchain ledger; all nodes also update their own ledgers and keep the blockchain consistent, so that all nodes have the same transaction history;
(7) Global model parameter update: all clients (federated partners) may download the new block data, derive the new global model parameters from it and decide whether to continue with the next round of federated learning; in the next training iteration, the clients (federated partners) train using the new global model.
The process of selecting verification miners and the execution miner in the system initialization stage (2) is as follows: all blockchain nodes vote to elect miners; the top N blockchain nodes by total approval votes become miners and together form a mining group. All miners in the mining group take part in a random draw; the miner that wins the draw becomes the execution miner and the remaining miners become verification miners. A verification miner invokes the relevant smart contract to verify the local model update parameters uploaded by federated partners. The execution miner invokes the relevant smart contract to aggregate the local model update parameters and generate a new block.
The list of miners in the mining group is updated once every maintenance period (e.g., 12 hours), and after each round of consensus the execution miner and verification miners are randomly swapped. The execution miner and verification miners receive a reward after completing their tasks. Rewards are typically given to the corresponding blockchain nodes in the form of tokens, and the execution miner generally earns more. Similar to DPOS, all miners in the mining group must submit a deposit to a shared account under public supervision. If a miner is found to have unstable computation, poorly available hardware such as computers, malicious behavior, or to have damaged the global model during the consensus process, the blockchain system forfeits its deposit and removes that blockchain node.
In the local model parameter verification of step (4), when the verification miner runs the clustering algorithm, it runs the algorithm for different values of the number of clusters and then evaluates each clustering result with the Calinski-Harabasz index to determine the optimal number of clusters.
The clustering-based verification run by the verification miner has two main parts. The first part clusters the model parameters uploaded by federated partners: the clustering algorithm divides the model parameter updates into several categories, so that poisoned model update parameters uploaded by malicious clients and model update parameters uploaded by normal clients fall into different categories. The second part tests the model update parameters in each category to judge whether they are poisoned data uploaded by a malicious client; the test measures the relative distance between model parameters using cosine similarity.
The verification of local model parameters in step (4) proceeds as follows:
In the t-th round of federated learning, the i-th verification miner miner_i receives a set of model update parameters and wants to determine which model update parameters are normal and which are abnormal, where P_n contains the different parts of the model parameters. The verification miner miner_i verifies the client model parameters in the following steps:
4.1) Convert the model update parameters in the received set into feature vectors. Illustratively, for each part of the parameters in P_n, the verification miner miner_i flattens the tensor-shaped parameters into a one-dimensional vector, and finally concatenates the one-dimensional vectors obtained from the different parts to obtain feature_vector_n. Such a feature vector represents the parameter state of the model and can be used in subsequent processing for comparison, clustering or other analysis tasks. This step yields a set of model parameter feature vectors client_feature_vector^t_i = [feature_vector_1, …, feature_vector_n];
4.2) Cluster the model parameter feature vectors in client_feature_vector^t_i using the K-means++ algorithm, which improves the initial-center selection step of the K-means algorithm and therefore clusters better. Set the range of the number of clusters K to [2, 8], run the clustering algorithm for each value of K, then evaluate each clustering result with the Calinski-Harabasz index to determine the optimal number of clusters K. The Calinski-Harabasz index is an internal evaluation index for clustering results, based on the ratio between the inter-cluster variance and the intra-cluster variance. Taking K=3 as an example, the clustering procedure is as follows:
4.2.1) Cluster center initialization: randomly select one feature vector in client_feature_vector^t_i as the first initialized cluster center, then select the other two cluster centers as follows:
4.2.1.1) Calculate the distance between each feature vector in client_feature_vector^t_i and the cluster centers already initialized, and record the shortest distance as d_i;
4.2.1.2) Select a new feature vector as a new cluster center according to the following principle: a point farther from the initialized cluster centers has a higher probability of being selected as a new cluster center;
4.2.1.3) Repeat the above process until 3 cluster centers have been determined. This completes the initialization of the cluster centers; the 3 cluster centers obtained are denoted feature_vector_a, feature_vector_b, feature_vector_c;
4.2.2) Repeat the following calculation until the cluster centers no longer change:
4.2.2.1) Calculate the distance between each feature vector in client_feature_vector^t_i and each cluster center, and assign each sample to the cluster of its nearest cluster center;
4.2.2.2) Calculate the mean of all sample features in each cluster and take that mean as the cluster's new center. This completes the clustering of the model parameter feature vectors, yielding three clusters and the list of feature vectors contained in each cluster;
4.2.3) Evaluate the clustering result with the Calinski-Harabasz index (Calinski-Harabasz score). Specifically, the index measures compactness within clusters and separation between clusters by calculating the ratio of the inter-cluster variance to the intra-cluster variance; a higher Calinski-Harabasz index indicates a clustering result with better separability and compactness;
the specific calculation steps are as follows:
4.2.3.1) Calculate the inter-cluster variance, i.e., the sum of squared distances between the clusters, denoted B; the calculation formula is as follows:
n_s represents the number of samples in the s-th cluster, d(cluster_s, cluster) represents the Euclidean distance between the centroid cluster_s of the s-th cluster and the overall centroid cluster, and K represents the number of clusters;
4.2.3.2) Calculate the intra-cluster variance, i.e., the sum of squared distances between all samples in each cluster and that cluster's centroid, denoted W; the calculation formula is as follows:
cluster_s is the cluster center of the s-th cluster, feature_vector_j is the j-th feature vector in the s-th cluster, and d(feature_vector_j, cluster_s) is the Euclidean distance between a feature vector in the s-th cluster and the cluster center;
4.2.3.3) Calculate the Calinski-Harabasz index, denoted CH; the calculation formula is as follows:
CH=(B/(K-1))/(W/(n-K))
where n is the number of all feature vectors. This completes the clustering of all model parameter feature vectors for K=3;
Similarly, for each other value of K, all model parameter feature vectors are clustered and the Calinski-Harabasz index is calculated from the clustering result, finally giving a CH value for each value of K.
4.3) Determine the optimal number of clusters: among the CH values obtained, find the maximum value CH_e; the value e is the optimal number of clusters, and the output is the cluster centers and the cluster to which each model parameter belongs when K=e. This completes the first part: each verification miner miner_i finally obtains e clusters. Illustratively, cluster_e is a list containing all model update parameters belonging to the e-th cluster and the corresponding model parameter feature vectors;
4.4) Calculate the cosine similarity and return the verification result;
4.4.1) Aggregate all model update parameters in each cluster, finally obtaining e aggregated model parameters. Illustratively, in cluster e, the model update parameters [P_1, P_2, …, P_m] are aggregated according to the following formula:
m represents the number of model update parameters contained in the cluster, n represents the total amount of training data of all clients in the cluster, and n_i represents the amount of training data of the i-th client;
4.4.2) Calculate the cosine similarity between each aggregated model parameter and the previous round's global model parameters global_P_{t-1}, finally obtaining e cosine similarity values. Illustratively, CS_i is calculated as follows:
This completes the second part: each verification miner miner_i finally obtains a clustering result and a verification result. In the clustering result, each cluster is a list containing all model update parameters belonging to that cluster and the corresponding model parameter feature vectors; the verification result is the set of cosine similarity values.
In the parameter aggregation of step (5), the execution miner decides whether the model update parameters in a cluster may take part in global model parameter aggregation by screening against a preset threshold: if the cosine similarity of a cluster is lower than the threshold, that cluster cannot take part in global model parameter aggregation.
Parameter aggregation in step (5): to achieve mutual supervision, each verification miner, after completing verification, sends the original local model update parameters together with the signed clustering result and verification result to the execution miner as its response. The execution miner receives all local model update parameters and the verification miners' responses, checks the verification results, and then determines from the preset threshold which clusters may take part in global model aggregation.
Illustratively, given the verification results from the verification miners, the execution miner obtains the clusters that can participate in parameter aggregation and the corresponding intra-cluster aggregated parameters of each cluster, and may then perform parameter aggregation using the following formula:
where Z represents the number of clusters taking part in federated learning, n represents the total amount of client training data contained in all of those clusters, and n_i represents the total amount of training data of the clients in the i-th cluster.
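The verification and aggregation steps (4.1 to 4.4 and step (5)) can be followed end to end in the sketch below, which is an added example and not code from the patent. The aggregation formulas are missing from this page's text, so size-weighted averaging (consistent with the n and n_i definitions) is assumed; the function names, the threshold of 0.5 and the sample updates are also assumptions constructed for illustration.

```python
import math
import random

def flatten(part):
    """Step 4.1: flatten one tensor-shaped parameter (nested lists) to 1-D."""
    if isinstance(part, (int, float)):
        return [float(part)]
    return [x for sub in part for x in flatten(sub)]

def feature_vector(update):
    """Concatenate the flattened parts of one model update, in key order."""
    return [x for name in sorted(update) for x in flatten(update[name])]

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def mean(vectors, weights=None):
    """Weighted average of vectors (plain average when weights is None)."""
    weights = weights or [1.0] * len(vectors)
    total = sum(weights)
    return [sum(w * v[d] for v, w in zip(vectors, weights)) / total
            for d in range(len(vectors[0]))]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return dot / norm if norm else 0.0

def kmeans_pp(points, k, rng, max_iter=100):
    """Steps 4.2.1-4.2.2: k-means++ seeding, then iterate to a fixed point."""
    centers = [rng.choice(points)]
    while len(centers) < k:  # far points are more likely to be chosen
        d2 = [min(sqdist(p, c) for c in centers) for p in points]
        centers.append(rng.choices(points, weights=d2)[0])
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda s: sqdist(p, centers[s])) for p in points]
        if new == labels:
            break
        labels = new
        for s in range(k):
            members = [p for p, l in zip(points, labels) if l == s]
            if members:
                centers[s] = mean(members)
    return labels, centers

def calinski_harabasz(points, labels, centers, k):
    """Step 4.2.3: CH = (B / (K - 1)) / (W / (n - K))."""
    n, overall = len(points), mean(points)
    sizes = [labels.count(s) for s in range(k)]
    if 0 in sizes:
        return float("-inf")  # degenerate clustering, never preferred
    b = sum(sizes[s] * sqdist(centers[s], overall) for s in range(k))
    w = sum(sqdist(p, centers[l]) for p, l in zip(points, labels))
    return float("inf") if w == 0 else (b / (k - 1)) / (w / (n - k))

def verify_updates(updates, sizes, prev_global, seed=0):
    """Verification miner: cluster, choose K in [2, 8] by CH, score each cluster."""
    rng = random.Random(seed)
    ids = sorted(updates)
    points = [feature_vector(updates[c]) for c in ids]
    best = None
    for k in range(2, min(8, len(points) - 1) + 1):
        labels, centers = kmeans_pp(points, k, rng)
        ch = calinski_harabasz(points, labels, centers, k)
        if best is None or ch > best[0]:
            best = (ch, k, labels)
    report = []
    for s in sorted(set(best[2])):
        members = [i for i, l in enumerate(best[2]) if l == s]
        weights = [sizes[ids[i]] for i in members]
        agg = mean([points[i] for i in members], weights)  # step 4.4.1
        report.append({"clients": [ids[i] for i in members], "n": sum(weights),
                       "aggregate": agg, "cs": cosine(agg, prev_global)})  # 4.4.2
    return report

def aggregate_global(report, threshold):
    """Execution miner: drop clusters below the threshold, merge the rest."""
    kept = [c for c in report if c["cs"] >= threshold]
    if not kept:
        return None, []
    new_global = mean([c["aggregate"] for c in kept], [c["n"] for c in kept])
    return new_global, sorted(cid for c in kept for cid in c["clients"])

# Constructed sample data (not from the patent): 7 honest clients near the
# previous global model and 3 poisoned clients sending a sign-flipped, scaled one.
def make_update(scale, eps):
    return {"w": [[scale * 1.0 + eps, scale * -0.5], [scale * 0.25, scale * 2.0 - eps]],
            "b": [scale * 0.5, scale * -1.0 + eps]}

PREV_GLOBAL = feature_vector(make_update(1.0, 0.0))
UPDATES = {f"client{i}": make_update(1.0 if i < 7 else -3.0, 0.01 * i) for i in range(10)}
SIZES = {cid: 100 for cid in UPDATES}
THRESHOLD = 0.5  # assumed value; the patent only says "preset threshold"

if __name__ == "__main__":
    new_global, accepted = aggregate_global(verify_updates(UPDATES, SIZES, PREV_GLOBAL), THRESHOLD)
    print("accepted:", accepted, "new global:", new_global)
```

On this sample, averaging all ten updates without verification would give a model whose cosine similarity to the previous global model is negative, while the filtered aggregate stays close to it.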
In the blockchain update stage (5), the execution miner puts the new global model parameters global_P_t into a new block, and finally adds that block to the blockchain system and synchronizes it among all blockchain nodes.
In this decentralized federated learning method for resisting poisoning attacks, the blockchain system serves as a distributed ledger that stores the intermediate results generated during federated learning, ensuring the decentralization and traceability of the system. To effectively resist poisoning attacks by malicious clients, the invention also provides an algorithm for verifying client model update parameters, which combines an improved k-means clustering algorithm with the concept of cosine similarity. Miners on the blockchain verify each model update parameter by calling the corresponding smart contract and finally aggregate the global model parameters based on the verification results, so that the influence of poisoning attacks by malicious clients on the federated learning process is avoided to the greatest extent.
Techniques not described in the present invention follow the prior art.
The technical scheme of the invention has the following beneficial effects:
In the scheme of the invention, the raw data remains on the client, which reduces the risk of data leakage caused by malicious attacks on the blockchain network; at the same time, the blockchain system serves as a distributed ledger that stores the intermediate results of the federated learning process, ensuring the transparency and traceability of the system. Because the blockchain system replaces the central server, problems of traditional federated learning such as single points of failure are avoided. More importantly, the verification algorithm adopted by the blockchain system in this scheme can effectively verify the model update parameters uploaded by federated partners and avoids the influence of client poisoning attacks on the federated learning process to the greatest extent. Furthermore, running federated learning and the blockchain on different networks and devices can effectively reduce communication pressure and latency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of the overall architecture of the scheme.
Fig. 2 is a diagram illustrating a parameter structure of the CNN model.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings; the embodiments described are some, but not all, of the embodiments of the application. All other embodiments obtained by those skilled in the art from the embodiments of the application without inventive effort fall within the scope of the application.
In addition, the technical features of the different embodiments of the present application described below may be combined with each other as long as they do not collide with each other.
The application discloses a decentralised federation learning method for resisting poisoning attack, which is applied to a scene of constructing a shared machine learning model in cooperation among different enterprises or institutions, and realizes model training under the condition of not exposing original data. In this example, the scheme of the embodiment of the present application will be described in detail with reference to fig. 1 and 2. The overall architecture of the scheme is shown in fig. 1 in the accessory, and the specific flow is as follows:
1. identity authentication and authorization of institutions: all institutions give computing resources and identity information of own units to a global trust institution, the global trust institution verifies the authenticity and the validity of the institutions according to the received information, and only institutions passing the global identity verification have authority to participate in federal learning; an organization corresponds to a blockchain node, and an organization may include multiple federal partners;
2. Initializing a system: before federal learning begins, all clients (federal partners) need to determine a common model structure and initialize parameters of the model on their respective devices; meanwhile, the block chain system selects and verifies miners from all block chain link points and executes miners;
the process of miner selection is as follows: all blockchain nodes participate in the vote to elect miners, the first N (N is generally defined as 101) blockchain nodes in the total agreed vote count may become miners and join together in one mining group. All miners of the whole mining group participate in random drawing, and finally, the middle-signed miners are used as executing miners, and the rest miners are used as verifying miners. The validation miner invokes the associated smart contract to validate the local model update parameters uploaded by the federal partner. The executing miners will invoke the associated smart contracts to aggregate local model update parameters and generate new blocks. The miner's list for the mine group is updated once every maintenance period (12 hours), and after each round of consensus, the miners are performed and the miner's random exchange is verified. And after the miners are executed and verified to finish the corresponding tasks, a certain reward can be obtained. Rewards are typically awarded to the corresponding blockchain nodes in the form of tokens, and generally, more rewards are earned by miners executing. Similar to DPOS, all miners of a mine group should submit deposits to a shared account under public supervision. If the miners are found to be computationally unstable, have poor availability of hardware conditions such as computers, have malicious activity or damage to the global model throughout the consensus process, the blockchain system will fail to deposit and remove the blockchain node.
3. Local model training: each federal partner trains the model locally according to the required iteration times, after each federal learning partner completes training locally, the local model updating parameters are uploaded to the block chain nodes corresponding to the institution, and the block chain nodes send the update parameters to the nearest verification miners;
4. and (3) verifying local model parameters: the verification miner invokes the intelligent contract corresponding to the algorithm 1 to verify the local model updating parameters and generate corresponding clustering results and verification results.
Algorithm 1. Client model update verification algorithm. The algorithm is executed by a verifying miner and has two main parts. The first part clusters the model parameters uploaded by the federation partners: the clustering algorithm divides the model parameter updates into several categories, so that poisoned model update parameters uploaded by malicious clients and model update parameters uploaded by normal clients fall into different categories. The second part tests the model update parameters in each category to determine whether they are poisoned data uploaded by a malicious client; the test measures the relative distance between model parameters using cosine similarity.
For example, in the t-th round of federated learning, the verifying miner miner_i receives a set of model update parameters and needs to determine which model update parameters are normal and which are abnormal. Here P_n contains the different parts of the model parameters; an example diagram is shown in Fig. 2 of the drawings. miner_i performs client model parameter verification in the following steps:
4.1 Convert the model update parameters in the received set into feature vectors. For each part of the parameters in P_n, miner_i flattens the tensor-shaped parameters into a one-dimensional vector. The one-dimensional vectors obtained from the different parts are then concatenated to obtain feature_vector_n. Such a feature vector represents the parameter state of the model and can be used in subsequent processing for comparison, clustering or other analysis tasks. After this step, a set of model parameter feature vectors client_feature_vector_i^t = [feature_vector_1, …, feature_vector_n] is obtained.
4.2 Cluster the model parameter feature vectors in client_feature_vector_i^t using the K-means++ algorithm. The K-means++ algorithm improves the initial-center selection step of the K-means algorithm and gives better clustering results. The number of clusters K is taken from the interval [2, 8]; the clustering algorithm is run for each value of K, and each clustering result is then evaluated with the Calinski-Harabasz index to determine the optimal number of clusters K. The Calinski-Harabasz index is an internal evaluation index for clustering results, based on the ratio between the inter-cluster variance and the intra-cluster variance. For example, when K = 3 the clustering procedure is as follows:
4.2.1 Cluster center initialization. Randomly select one feature vector in client_feature_vector_i^t as the first initialized cluster center. Then select the other two cluster centers as follows:
4.2.1.1 Calculate the distance between each feature vector in client_feature_vector_i^t and the cluster centers that have already been initialized, and take the shortest of these distances, denoted d_i.
4.2.1.2 Select a new feature vector as a new cluster center. The selection principle is that a point farther from the already initialized cluster centers has a higher probability of being selected as a new cluster center.
4.2.1.3 Repeat the above procedure until all 3 cluster centers are determined.
This completes the initialization of the cluster centers, yielding 3 cluster centers denoted feature_vector_a, feature_vector_b, feature_vector_c.
4.2.2 Repeat the following calculation until the cluster centers no longer change:
4.2.2.1 Calculate the distance between each feature vector in client_feature_vector_i^t and each cluster center, and assign each sample to the cluster of its nearest cluster center.
4.2.2.2 Calculate the mean of all sample features in each cluster and take the mean as the new cluster center of that cluster.
This completes the clustering of the model parameter feature vectors, yielding three clusters and the list of feature vectors contained in each cluster.
4.2.3 Evaluate the clustering result of the clustering algorithm using the Calinski-Harabasz index (Calinski-Harabasz score). Specifically, the index measures the compactness within clusters and the separation between clusters by calculating the ratio of the inter-cluster variance to the intra-cluster variance. A higher Calinski-Harabasz index indicates that the clustering result has better separability and compactness.
The specific calculation steps are as follows:
4.2.3.1 Calculate the inter-cluster variance, i.e., the sum of the squares of the distances between all clusters, denoted B. The calculation formula is as follows:
n_s is the number of samples in the s-th cluster. d(cluster_s, cluster) is the Euclidean distance between the centroid cluster_s of the s-th cluster and the global centroid cluster. K is the number of clusters.
4.2.3.2 Calculate the intra-cluster variance, i.e., the sum of the squares of the distances between all samples in a cluster and the cluster centroid, denoted W. The calculation formula is as follows:
cluster_s is the cluster center of the s-th cluster, and feature_vector_j is the j-th feature vector in the s-th cluster.
d(feature_vector_j, cluster_i) is the Euclidean distance between each feature vector in the s-th cluster and the cluster center.
4.2.3.3 calculating Calinski-Harabasz index, recorded as CH, and the calculation formula is:
CH=(B/(K-1))/(W/(n-K))
where n is the number of all feature vectors.
Thus, the clustering process of all model parameter feature vectors is completed when k=3.
Similarly, when K takes other values, all model parameter feature vectors are clustered and the Calinski-Harabasz index is calculated from the clustering result, to finally obtain
4.3 Determine the optimal number of clusters. Among the Calinski-Harabasz index values obtained, find the maximum value CH_e; the corresponding value e is the optimal number of clusters. The output is the cluster centers and the cluster to which each model parameter belongs when K = e.
This completes the first part of Algorithm 1. Each verifying miner miner_i eventually obtains e clusters. For example, cluster_e is a list containing all model update parameters belonging to the e-th cluster and the corresponding model parameter feature vectors.
4.4 Calculate the cosine similarity and return the verification result.
4.4.1 Aggregate all model update parameters within each cluster, finally obtaining e aggregated model parameters. For example, in cluster e, the model update parameters [P_1, P_2, …, P_m] are aggregated according to the following formula:
m is the number of model update parameters contained in the cluster. n is the total amount of client training data in the cluster. n_i is the amount of training data in the i-th client.
4.4.2 Calculate the cosine similarity between each aggregated model parameter and the previous round's global model parameters global_P_{t-1}, finally obtaining e cosine similarity values. For example, CS_i is calculated as follows:
This completes Algorithm 1. Each verifying miner miner_i finally obtains a clustering result and a verification result. In the clustering result, each cluster is a list containing all model update parameters belonging to that cluster and the corresponding model parameter feature vectors. The verification result is
5. Parameter aggregation: for mutual supervision, after each verifying miner completes verification, it sends the original local model update parameters, the signed clustering result and the verification result to the executing miner as a response. The executing miner receives all local model update parameters and the responses of the verifying miners, examines the verification results, and then decides according to a preset threshold which clusters can take part in global model aggregation. For example, for a verifying miner, the clusters that can participate in parameter aggregation are obtained, together with the intra-cluster aggregated parameters of each of these clusters. The executing miner may perform parameter aggregation using the following formula:
where Z is the number of clusters participating in federated learning, n is the total amount of client training data contained in all clusters, and n_i is the total amount of training data of the clients in the i-th cluster.
6. Updating the blockchain: the executing miner puts the new global model parameters global_P_t into a future block. Finally, the future block is added to the blockchain system and synchronized among all blockchain nodes.
7. Global model parameter updating: all federation partners download the new block data from the blockchain system and derive the new global model parameters from it. The federation partners train with the new global model in the next training iteration.

Experimental verification:
To verify the practicality and effectiveness of Algorithm 1, the inventors designed and carried out a corresponding experiment. The scheme is evaluated on the widely used benchmark dataset MNIST, and a Dirichlet distribution is used to simulate non-independent and identically distributed (non-IID) data. Specifically, for each class in the Dirichlet distribution, the corresponding element of α represents the weight or probability of that class. A larger value of α results in a more concentrated probability distribution for the corresponding class, while a smaller value of α results in a more dispersed probability distribution. If all α values are equal, the weight or probability of every class is the same, meaning the data are independent and identically distributed (IID).
The specific federated learning parameter settings are shown in Table 1.
Table 1. Federated learning parameter settings
By default, three attack modes are configured for the poisoning attack of a malicious client. In the first, the client does not train the model on local data but directly uploads randomly initialized model parameters. In the second, the client trains the model on local data and maliciously modifies the model parameters after training is completed. In the third, the client shuffles and modifies the local dataset to some degree and then trains on the modified dataset. The experiment is run in two cases. In the first, one attack mode is drawn at random for the attack, called a single attack. In the second, the three attack modes are used together, called a multiple attack.
To better test Algorithm 1 proposed by the invention, the inventors first measured the accuracy of the plain FedAvg algorithm on the test dataset after being attacked, then combined the FedAvg algorithm with the model parameter verification algorithm proposed by the invention (Algorithm 1), and finally measured the accuracy of the combined federated learning algorithm on the test dataset after being attacked. The experimental results are shown in Table 2.
Table 2. Experimental results
As the data in Table 2 show, under both single and multiple attacks, the algorithm proposed by the invention greatly improves the accuracy of FedAvg on the test set compared with FedAvg alone, and the result differs only slightly from the accuracy of FedAvg when it is not attacked. The model parameter verification algorithm proposed by the invention (Algorithm 1) can therefore effectively identify model parameters uploaded by malicious clients and enable secure model training.
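Steps 4 and 5 of the description (Algorithm 1 followed by threshold-filtered aggregation), as an added Python example that is not the patent's own code. The formula images are missing from this page, so the intra-cluster and global aggregations are assumed to be sample-count-weighted means and the cosine similarity the standard definition; the D² seeding weight, the 0.5 threshold, `GLOBAL_PREV`, `perturb` and the seven client updates are constructed for illustration.

```python
import math
import random

def flatten(params):
    """Step 4.1: flatten each tensor-shaped part and concatenate the results."""
    def walk(x):
        if isinstance(x, (list, tuple)):
            return [y for item in x for y in walk(item)]
        return [float(x)]
    return [y for name in sorted(params) for y in walk(params[name])]  # fixed part order

def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def wmean(vectors, weights):
    total = sum(weights)
    return [sum(w * v[d] for v, w in zip(vectors, weights)) / total
            for d in range(len(vectors[0]))]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def kmeans_pp(vecs, k, rng, max_iter=100):
    """Steps 4.2.1 (distance-weighted seeding) and 4.2.2 (iterate to a fixed point)."""
    centers = [list(rng.choice(vecs))]
    while len(centers) < k:  # assumed D^2 weighting: farther points are likelier seeds
        d2 = [min(sqdist(v, c) for c in centers) for v in vecs]
        pick = rng.choices(vecs, weights=d2)[0] if sum(d2) > 0 else rng.choice(vecs)
        centers.append(list(pick))
    labels = []
    for _ in range(max_iter):
        new = [min(range(k), key=lambda s: sqdist(v, centers[s])) for v in vecs]
        if new == labels:
            break
        labels = new
        for s in range(k):
            members = [v for v, lab in zip(vecs, labels) if lab == s]
            if members:  # an empty cluster keeps its previous center
                centers[s] = wmean(members, [1] * len(members))
    return labels

def calinski_harabasz(vecs, labels, k):
    """Step 4.2.3: CH = (B / (K - 1)) / (W / (n - K))."""
    n, overall = len(vecs), wmean(vecs, [1] * len(vecs))
    b = w = 0.0
    for s in range(k):
        members = [v for v, lab in zip(vecs, labels) if lab == s]
        if members:
            center = wmean(members, [1] * len(members))
            b += len(members) * sqdist(center, overall)
            w += sum(sqdist(v, center) for v in members)
    return math.inf if w == 0 else (b / (k - 1)) / (w / (n - k))

def verify_updates(updates, sizes, global_prev, rng, k_range=(2, 8)):
    """Algorithm 1 for one verifying miner: one record per non-empty cluster."""
    vecs, g = [flatten(p) for p in updates], flatten(global_prev)
    if len(vecs) < 3:
        raise ValueError("need at least 3 updates to cluster with K >= 2")
    best = (-1.0, None)
    for k in range(k_range[0], min(k_range[1], len(vecs) - 1) + 1):
        labels = kmeans_pp(vecs, k, rng)
        score = calinski_harabasz(vecs, labels, k)
        if score > best[0]:  # step 4.3: keep the K with the highest CH index
            best = (score, labels)
    labels, clusters = best[1], []
    for s in sorted(set(labels)):
        idx = [i for i, lab in enumerate(labels) if lab == s]
        agg = wmean([vecs[i] for i in idx], [sizes[i] for i in idx])  # step 4.4.1
        clusters.append({"members": idx, "n": sum(sizes[i] for i in idx),
                         "agg": agg, "cs": cosine(agg, g)})           # step 4.4.2
    return clusters

def aggregate_accepted(clusters, threshold):
    """Step 5: clusters whose similarity is below the threshold are left out."""
    ok = [c for c in clusters if c["cs"] >= threshold]
    if not ok:
        return None, []
    new_global = wmean([c["agg"] for c in ok], [c["n"] for c in ok])
    return new_global, sorted(i for c in ok for i in c["members"])

# Constructed sample round: a previous global model with two parts ("w" and "b").
GLOBAL_PREV = {"w": [[1.0, 2.0], [-1.0, 0.5]], "b": [0.5, -0.5]}

def perturb(scale, delta):  # constructed helper: scaled copy of GLOBAL_PREV plus an offset
    return {"w": [[scale * x + delta for x in row] for row in GLOBAL_PREV["w"]],
            "b": [scale * x - delta for x in GLOBAL_PREV["b"]]}

UPDATES = [perturb(1.0, d) for d in (0.02, -0.03, 0.05, -0.01, 0.04)]  # clients 0-4, normal
UPDATES += [perturb(-3.0, d) for d in (0.02, -0.02)]  # clients 5-6, modified after training
SIZES = [600, 500, 700, 400, 800, 900, 900]           # training samples per client

def run_round(seed=0, threshold=0.5):
    clusters = verify_updates(UPDATES, SIZES, GLOBAL_PREV, random.Random(seed))
    return aggregate_accepted(clusters, threshold)
```

On the constructed data, `run_round()` accepts only clients 0 to 4 and returns their weighted mean, whereas a plain weighted mean over all seven updates points away from the previous global model.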

Claims (10)

1. A decentralized federated learning method for resisting poisoning attacks, characterized in that: the method is carried out jointly by two parts, federated learning and a blockchain; federated learning is responsible for local data collection and training; the blockchain is responsible for local model update verification and global model parameter aggregation; the model update parameters and verification results generated in federated learning are stored by the blockchain, and miners on the blockchain aggregate the global model, thereby replacing the work of a central server.
2. The decentralized federated learning method for resisting poisoning attacks according to claim 1, comprising the following steps:
(1) Identity authentication and authorization of institutions: all institutions submit the computing resources and identity information of their own units to a global trust authority; the global trust authority verifies the authenticity and validity of each institution from the information received, and only institutions that pass the global identity verification are authorized to participate in federated learning;
(2) System initialization: before federated learning begins, all federation partners need to agree on a common model structure and initialize the parameters of the model on their respective devices; meanwhile, the blockchain selects verifying miners and executing miners from among all blockchain nodes;
(3) Local model training: all federation partners train the model locally for the required number of iterations and upload the model parameters to the corresponding verifying miners;
(4) Local model parameter verification: the verifying miner uses a clustering algorithm to divide the model parameters into different clusters, aggregates all model parameters within each cluster once, then calculates the cosine similarity between the aggregation result of each cluster and the previous round's global model parameters, and finally sends the calculation results and the corresponding clusters to the executing miner;
(5) Parameter aggregation: the executing miners firstly screen according to the calculation result of each cluster, select clusters which are relatively similar to the global model parameters of the previous round, then execute the aggregation of the global model parameters, and generate the global model parameters of the current round;
(6) Updating the blockchain: the executing miner generates a new block, stores the local model parameters in the new block and updates the blockchain ledger; all nodes also update their own ledgers and keep the blockchain consistent, so that all nodes have the same transaction history;
(7) Global model parameter updating: all federation partners download the new block data from the new block, derive the new global model parameters from it and decide whether to continue with the next round of federated learning; the federation partners train with the new global model in the next training iteration.
3. The decentralized federated learning method for resisting poisoning attacks according to claim 2, wherein: in the system initialization stage (2), the verifying miners and executing miners are selected as follows: all blockchain nodes vote to elect miners; the top N blockchain nodes by total approval votes become miners and together form a mining group; all miners in the mining group take part in a random draw, and finally the miners selected in the draw serve as executing miners and the other miners serve as verifying miners; the miner list of the mining group is updated once every maintenance period, and after each round of consensus the executing and verifying roles are randomly exchanged.
4. The decentralized federated learning method for resisting poisoning attacks according to claim 2 or 3, wherein: in the local model parameter verification step (4), when the verifying miner executes the clustering algorithm, the number of clusters is set to different values, the clustering algorithm is run for each value, and each clustering result is then evaluated with the Calinski-Harabasz index to determine the optimal number of clusters.
5. The decentralized federated learning method for resisting poisoning attacks according to claim 4, wherein: the algorithm executed by the verifying miner has two parts: the first part clusters the model parameters uploaded by the federation partners, the clustering algorithm dividing the model parameter updates into several categories so that poisoned model update parameters uploaded by malicious clients and model update parameters uploaded by normal clients fall into different categories; the second part tests the model update parameters in each category to determine whether they are poisoned data uploaded by a malicious client, the test measuring the relative distance between model parameters using cosine similarity.
6. The decentralized federated learning method for resisting poisoning attacks according to claim 5, wherein: the local model parameter verification process is as follows:
in the t-th round of federated learning, the i-th verifying miner miner_i receives a set of model update parameters, where P_n contains the different parts of the model parameters; the verifying miner miner_i performs model parameter verification in the following steps:
4.1) Convert the model update parameters in the received set into feature vectors: for each part of the parameters in P_n, the verifying miner miner_i flattens the tensor-shaped parameters into a one-dimensional vector, and finally concatenates the one-dimensional vectors obtained from the different parts to obtain feature_vector_n; such a feature vector represents the parameter state of the model, and after this step a set of model parameter feature vectors client_feature_vector_i^t = [feature_vector_1, ..., feature_vector_n] is obtained;
4.2) Cluster the model parameter feature vectors in client_feature_vector_i^t using the K-means++ algorithm: the number of clusters K is taken from the interval [2, 8], the clustering algorithm is run for each value of K, and each clustering result is evaluated with the Calinski-Harabasz index to determine the optimal number of clusters K;
taking K = 3 as an example, the clustering procedure is as follows:
4.2.1) Cluster center initialization: randomly select one feature vector in client_feature_vector_i^t as the first initialized cluster center, and then select the other two cluster centers as follows:
4.2.1.1) Calculate the distance between each feature vector in client_feature_vector_i^t and the cluster centers that have already been initialized, and take the shortest of these distances, denoted d_i;
4.2.1.2) Select a new feature vector as a new cluster center, the selection principle being that a point farther from the already initialized cluster centers has a higher probability of being selected as a new cluster center;
4.2.1.3) Repeat the above procedure until all 3 cluster centers are determined; this completes the initialization of the cluster centers, yielding 3 cluster centers denoted feature_vector_a, feature_vector_b, feature_vector_c;
4.2.2) Repeat the following calculation until the cluster centers no longer change:
4.2.2.1) Calculate the distance between each feature vector in client_feature_vector_i^t and each cluster center, and assign each sample to the cluster of its nearest cluster center;
4.2.2.2) Calculate the mean of all sample features in each cluster and take the mean as the new cluster center of that cluster; this completes the clustering of the model parameter feature vectors, yielding three clusters cluster_list_i^t = [cluster_1, cluster_2, cluster_3] and the list of feature vectors contained in each cluster;
4.2.3) Evaluate the clustering result of the clustering algorithm using the Calinski-Harabasz index, which measures the compactness within clusters and the separation between clusters by calculating the ratio of the inter-cluster variance to the intra-cluster variance; a higher Calinski-Harabasz index indicates that the clustering result has better separability and compactness;
the specific calculation steps are as follows:
4.2.3.1) Calculate the inter-cluster variance, i.e., the sum of the squares of the distances between all clusters, denoted B, with the following calculation formula:
n_s is the number of samples in the s-th cluster, d(cluster_s, cluster) is the Euclidean distance between the centroid cluster_s of the s-th cluster and the global centroid cluster, and K is the number of clusters;
4.2.3.2) Calculate the intra-cluster variance, i.e., the sum of the squares of the distances between all samples in a cluster and the cluster centroid, denoted W, with the following calculation formula:
cluster_s is the cluster center of the s-th cluster, feature_vector_j is the j-th feature vector in the s-th cluster, and d(feature_vector_j, cluster_i) is the Euclidean distance between each feature vector in the s-th cluster and the cluster center;
4.2.3.3) Calculate the Calinski-Harabasz index, denoted CH, with the following calculation formula:
CH=(B/(K-1))/(W/(n-K))
where n is the number of all feature vectors; this completes the clustering process of all model parameter feature vectors when K = 3;
similarly, when K takes other values, all model parameter feature vectors are clustered and the Calinski-Harabasz index is calculated from the clustering result, to finally obtain
4.3) Determine the optimal number of clusters: among the Calinski-Harabasz index values obtained, find the maximum value CH_e; the corresponding value e is the optimal number of clusters, and the output is the cluster centers and the cluster to which each model parameter belongs when K = e; this completes the first part, and each verifying miner miner_i eventually obtains e clusters cluster_list_i^t = [cluster_1, cluster_2, …, cluster_e], where cluster_e is a list containing all model update parameters belonging to the e-th cluster and the corresponding model parameter feature vectors;
4.4) Calculate the cosine similarity and return the verification result;
4.4.1) Aggregate all model update parameters within each cluster, finally obtaining e aggregated model parameters; for example, in cluster e, the model update parameters [P_1, P_2, …, P_m] are aggregated according to the following formula:
m is the number of model update parameters contained in the cluster, n is the total amount of client training data in the cluster, and n_i is the amount of training data in the i-th client;
4.4.2) Calculate the cosine similarity between each aggregated model parameter and the previous round's global model parameters global_P_{t-1}, finally obtaining e cosine similarity values; for example, CS_i is calculated as follows:
this completes the second part, and each verifying miner miner_i finally obtains a clustering result and a verification result; in the clustering result, each cluster is a list containing all model update parameters belonging to that cluster and the corresponding model parameter feature vectors, and the verification result is
7. The decentralized federated learning method for resisting poisoning attacks according to claim 6, wherein: in the parameter aggregation stage (5), when the executing miner selects which clusters' model update parameters participate in global model parameter aggregation, screening is performed according to a preset threshold, and if the cosine similarity corresponding to a cluster is lower than the threshold, that cluster cannot participate in global model parameter aggregation.
8. The decentralized federated learning method for resisting poisoning attacks according to claim 7, wherein: in (5) parameter aggregation, after each verifying miner completes verification, it sends the original local model update parameters, the signed clustering result and the verification result to the executing miner as a response; the executing miner receives all local model update parameters and the responses of the verifying miners, examines the verification results, and then decides according to a preset threshold which clusters can take part in global model aggregation.
9. The decentralized federated learning method for resisting poisoning attacks according to claim 8, wherein: for a verifying miner, the clusters that can participate in parameter aggregation are obtained, together with the intra-cluster aggregated parameters of each of these clusters; the executing miner performs parameter aggregation using the following formula:
where Z is the number of clusters participating in federated learning, n is the total amount of client training data contained in all clusters, and n_i is the total amount of training data of the clients in the i-th cluster.
10. The decentralized federated learning method for resisting poisoning attacks according to claim 9, wherein: in the (5) update blockchain phase, the executing miner puts the updated global model parameters global_P_t into a future block, and finally the future block is added to the blockchain system and synchronized among all blockchain nodes.
CN202311053642.3A 2023-08-21 2023-08-21 Decentralizing federal learning method for resisting poisoning attack Pending CN117171786A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311053642.3A CN117171786A (en) 2023-08-21 2023-08-21 Decentralizing federal learning method for resisting poisoning attack

Publications (1)

Publication Number Publication Date
CN117171786A true CN117171786A (en) 2023-12-05

Family

ID=88942237

Country Status (1)

Country Link
CN (1) CN117171786A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117834297A (en) * 2024-02-29 2024-04-05 浪潮电子信息产业股份有限公司 Attack detection method, device, system, electronic equipment and readable storage medium
CN117834297B (en) * 2024-02-29 2024-05-28 浪潮电子信息产业股份有限公司 Attack detection method, device, system, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination