CN117540376A - Federal learning method and system supporting anti-poisoning and reasoning attack - Google Patents

Federal learning method and system supporting anti-poisoning and reasoning attack

Info

Publication number
CN117540376A
Authority
CN
China
Prior art keywords
model
committee
aggregation
training
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311484716.9A
Other languages
Chinese (zh)
Inventor
林飞龙
干佳豪
田磊
贾日恒
郑忠龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Normal University CJNU
Original Assignee
Zhejiang Normal University CJNU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Normal University CJNU
Priority to CN202311484716.9A
Publication of CN117540376A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/098 Distributed learning, e.g. federated learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Virology (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention belongs to the technical field of artificial intelligence and discloses a federated learning method and system that resist poisoning and inference attacks. A consensus mechanism based on task participation is coupled with the federated learning process, and a committee verification mechanism is combined with differential privacy. The invention fuses blockchain with federated learning to make the training process transparent, and uses differential privacy to protect the privacy of the model. At the same time, a committee mechanism is established to detect poisoning attacks in real time, so that secure multi-party machine learning can be carried out in a decentralised P2P environment. The BFL of the invention not only resists inference attacks while executing federated learning tasks, but also offers significant advantages over existing algorithms in defending against poisoning attacks, and shows extremely high robustness against collusion attacks.

Description

Federal learning method and system supporting anti-poisoning and reasoning attack
Technical Field
The invention belongs to the technical field of artificial intelligence and in particular relates to a federated learning method and system that resist poisoning and inference attacks.
Background
Federated learning (FL) is a distributed machine learning framework whose core feature is that model training takes place mainly on the data owner's local device. Unlike traditional machine learning, federated learning builds a global model through distributed parameter exchange and thereby avoids direct access to, or exposure of, the raw data. Because it has shown significant potential for solving data-silo problems and protecting data privacy, federated learning is widely used in fields such as autopilot systems, visual inspection and financial transactions. However, its distributed nature also means that model parameters must be exchanged among numerous devices, which increases the risk of data leakage. Ensuring the security of every device and the integrity of the data in a distributed environment is likewise challenging, since malicious parties may attempt to tamper with or corrupt the model parameters. Thus, despite its great potential, ensuring the trustworthiness of federated learning and further strengthening its privacy and security remain major challenges of current research.
Blockchain, a technology that provides openness, transparency, tamper resistance and data traceability, offers an effective way to alleviate the trust problem caused by server centralisation in the FL framework. Intermediate training results and the global model are saved on the blockchain to prevent potential malicious behaviour by the server and to reduce the risk of a single point of failure. Retrieving participants' archived data and sharing model data through the blockchain improves the transparency and reliability of the system.
Although blockchain technology addresses the trust problem in federated learning, data privacy and model security have attracted significant attention. One particularly serious problem is privacy leakage from the model, through which a semi-honest server can recover participants' sensitive data. Another urgent security issue is poisoning attacks initiated by participants: one or more malicious participants manipulate the whole training process by uploading a toxic local model, causing the global model to produce misleading or invalid outputs. For example, malicious participants may use model replacement techniques to introduce a backdoor into the joint model, or, by uploading model parameters that have undergone certain operations (such as flipping and scaling), an attacker can infer which samples were used to train the target model. Furthermore, in a federated learning collaborative computing environment there is also the potential risk of collusion attacks, in which two or more participants secretly join forces and use various means (such as data poisoning or model pollution) to destroy the model, steal information or mislead the entire learning process.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a federated learning method and system that resist poisoning and inference attacks.
The invention is realised as a federated learning method that resists poisoning and inference attacks, comprising the following steps:
The federated learning communication framework consists of an aggregation committee, trainers and a verification committee; a randomly selected subset of the trainers constitutes the verification committee, and the trainers train the model under the coordination of the aggregation committee.
Step one: to strengthen privacy protection, a local differential privacy technique protects the model during execution of the federated learning task. Each trainer trains the model on its private data set on the local device, applies differential privacy noise to the model (the noise-added model is referred to as the encrypted model), and then uploads the encrypted model and its training parameters to the aggregation committee.
Step two: the invention provides a committee verification mechanism to detect potential poisoning attacks in real time. The verification committee tests the trainers' local models and feeds the test results back to the aggregation committee.
Step three: the aggregation committee receives the local models and related parameters submitted by the trainers and aggregates the local models; to prevent trainers colluding with members of the verification committee to launch an attack, the invention designs an adaptive weight adjustment algorithm at the aggregation committee.
Further, the framework significantly improves the credibility of the model aggregation process by storing training data on the blockchain. A consensus mechanism based on task participation is coupled with the federated learning process: the aggregation committee of the federated learning communication framework takes part in consensus, and an aggregator receives the local models and related parameters submitted by the trainers, distributes the local models to verifiers for accuracy testing, and assigns each model an aggregation weight according to the test results received. Finally, an agent selected from the aggregation committee acts as block producer, packages all models and training data into a block, and publishes the block to the network.
Specifically, federated learning incorporating differential privacy protection includes:
1) obtaining information such as the initial state and the expected number of iterations of the training task from the genesis block;
2) in each iteration, the trainer downloads the current round's model from the blockchain and trains it with local data, adding Gaussian noise to perturb the local model, i.e.
3) when submitting the model to the aggregation committee, the trainer attaches other key training parameters, including the size of its data set and the model's loss function value, which are used to formulate the aggregation weight;
4) after receiving each local model and the other training parameters, the aggregation committee records the local model and distributes the noise-added model to the verification committee;
5) the verification committee members verify model performance on their respective local data and feed the computed verification losses back to the aggregation committee;
6) after collecting all verification losses, the aggregation committee computes the loss values locally and records each verifier's evaluation result;
7) the local models are weighted and aggregated to obtain the final global model ω_{t+1}, calculated as follows:
8) the agent then uploads the newly generated global model, the local models and the training data into the block to strengthen the reliability of the training process.
Further, in round t of the training process, the aggregation committee elects a specific agent to calculate the validation-loss weighted difference for each model:
where M is the number of verification committee members, the training loss is the loss of model i uploaded by its trainer, and the verification loss is the loss reported by verifier j for model i. The median of the verification losses of model i is calculated as follows:
The difference between the verification loss and the training loss is quantified by weighted averaging. After the weighted differences of all models have been calculated, the verification score D_i of model i is defined by:
where c_d is a predefined constant that adjusts the sensitivity of the verification score, and the median absolute deviation of the weighted differences is calculated as follows:
The median of the weighted differences is calculated as follows:
The training score is expressed as:
where c_l is a preset constant, analogous to c_d. The median absolute deviation is calculated as follows:
The median of the training losses is calculated as follows:
From the verification score and the training score, the framework quantifies the model's performance in the training and verification phases to derive a comprehensive score, calculated as follows:
Taking into account the honesty of both the trainers and the verification committee, the aggregation weight of each model is composed of the model score and the data set size, i.e.
where N_i is the data set size of trainer i.
Further, the aggregation weight of each model is recalculated from the loss values stored in the block, and the global model is recalculated from the local models in the block; when the recomputed result agrees with the recorded one, the aggregation process is an honest calculation.
Further, the federated learning framework adopts a PoTP-based consensus mechanism, and the aggregation committee members complete consensus through the following steps:
(1) Consensus preparation: the task requester shares the task with the aggregation committee and the trainers through the genesis block, and the trainers download the model used in the current round from the block. In the preparation phase, the aggregation committee members are sorted in descending order of historical task participation to obtain a new ordered aggregation committee list; the aggregators in the list are responsible for generating blocks in turn, from highest to lowest rank, and the aggregator whose turn it is to generate a block is called the agent;
(2) Local model collection: the agent collects the encrypted model, the data set size and the training loss from each trainer, and the local models form a set; at the same time, the agent records these training parameters locally for evaluating model performance;
(3) Weight calculation: the agent distributes the local models to the verification committee, which evaluates the models on their respective data sets and returns the computed verification losses to the aggregation committee; after receiving all verification losses, the agent calculates the aggregation weight of each model;
(4) Block generation: the agent calculates the new round's global model and writes it into a new block together with the local models and training data; all related computation metadata is also recorded in the block;
(5) Block release: when the agent constructs a new block, it adds its signature to the block header and broadcasts the block to the other aggregation committee members; each member independently checks and verifies the validity of the new block, and when a majority of members agree that the block is eligible, the block is added to the blockchain.
Further, when a node receives a new block it performs a series of verification processes, including: a. calculation and verification of data consistency; b. verification of the signatures of the agent and the managers. After all verification processes complete successfully, the node marks the new block as a compliant block.
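The consensus steps (1) to (5) and the two node-side checks above can be shown end to end in a small simulation. The following Python is an added illustration, not code from the patent: the ranked-rotation rule for choosing the agent, the block layout, the recomputation of the global model from the block's own local models and weights as the "data consistency" check, the HMAC-SHA256 stand-in for the agent's signature, and the simple majority rule are all assumptions made for this example.

```python
"""Added illustration of the PoTP block lifecycle: agent selection by task participation,
block construction by the agent, and independent verification by committee members.
Not the patent's code; layout, HMAC signature stand-in and majority rule are assumptions."""
import hashlib
import hmac
import json


def order_committee(participation):
    """Sort aggregation committee members by historical task participation, highest first.
    Ties are broken by name so that every member derives the same list (constructed rule)."""
    return sorted(participation, key=lambda m: (-participation[m], m))


def agent_for_round(ordered, round_no):
    """Members take turns as agent (block producer) in ranked order, wrapping around."""
    return ordered[round_no % len(ordered)]


def aggregate(local_models, weights):
    """Weighted sum of local model vectors using the aggregation weights stored in the block."""
    dim = len(local_models[0])
    return [sum(w * m[k] for w, m in zip(weights, local_models)) for k in range(dim)]


def body_hash(body):
    """Canonical hash of the block body (sorted JSON so every node hashes identical bytes)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_block(prev_hash, round_no, agent, local_models, weights, losses, agent_key):
    """The agent aggregates, records models plus metadata in the body and signs the body hash.
    HMAC-SHA256 with a per-member key stands in for a real signature so the example runs offline."""
    body = {
        "prev_hash": prev_hash,
        "round": round_no,
        "agent": agent,
        "local_models": local_models,
        "weights": weights,
        "losses": losses,
        "global_model": aggregate(local_models, weights),
    }
    digest = body_hash(body)
    signature = hmac.new(agent_key, digest.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hash": digest, "signature": signature}


def verify_block(block, expected_agent, member_keys, tol=1e-9):
    """Checks a receiving node performs: (a) data consistency, (b) the agent's signature."""
    body = block["body"]
    # a. the hash must match the body, and the recorded global model must equal the
    #    aggregation of the block's own local models with the block's own weights
    if body_hash(body) != block["hash"]:
        return False
    recomputed = aggregate(body["local_models"], body["weights"])
    if any(abs(a - b) > tol for a, b in zip(recomputed, body["global_model"])):
        return False
    # b. the signer must be the agent scheduled for this round, and the signature must verify
    if body["agent"] != expected_agent:
        return False
    expected = hmac.new(member_keys[expected_agent], block["hash"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, block["signature"])


def committee_accepts(block, expected_agent, member_keys):
    """Each member verifies independently; the block is appended when a majority agrees.
    In this example every member runs the same deterministic check."""
    votes = sum(1 for _ in member_keys if verify_block(block, expected_agent, member_keys))
    return votes * 2 > len(member_keys)


if __name__ == "__main__":
    keys = {"agg-A": b"key-A", "agg-B": b"key-B", "agg-C": b"key-C"}  # constructed member keys
    order = order_committee({"agg-A": 3, "agg-B": 7, "agg-C": 5})    # constructed participation
    agent = agent_for_round(order, 0)
    blk = build_block("0" * 64, 0, agent, [[1.0, 2.0], [3.0, 4.0]], [0.5, 0.5], [0.40, 0.42], keys[agent])
    print(order, agent, committee_accepts(blk, agent, keys))
```

A block whose recorded global model does not match the aggregation of its own local models, or that is signed by a member other than the one scheduled for the round, is rejected by every honest member and therefore never reaches a majority.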
Another object of the invention is to provide a federated learning system that supports resistance to poisoning and inference attacks and implements the above method, the system comprising:
a storage module configured to store training data on the blockchain;
an aggregation module configured to receive the local models and related parameters submitted by trainers and to assign aggregation weights according to the test results;
a differential privacy module configured to apply differential privacy noise to each trainer's local model;
a verification committee module configured to run accuracy tests on the local models and feed the test results back to the aggregation module;
a committee verification mechanism configured to perform real-time poisoning attack detection based on the test results and the committee policy;
an adaptive weight adjustment algorithm configured to adjust the aggregation weights based on the models' performance and security metrics; the aggregation module is further configured to package the models and training data into blocks, which the agent, acting as block producer, publishes to the network.
Combined with the technical scheme and the technical problems to be solved, the claimed technical scheme has the following advantages and positive effects:
First, the invention fuses blockchain with federated learning to make the training process transparent, and uses differential privacy to protect the privacy of the model. At the same time, a committee mechanism is established to detect poisoning attacks in real time, so that secure multi-party machine learning can be carried out in a decentralised P2P environment.
The BFL of the invention not only resists inference attacks while executing federated learning tasks, but also offers significant advantages over existing algorithms in defending against poisoning attacks, and shows extremely high robustness against collusion attacks.
Second, the invention adopts a PoTP-based consensus mechanism to coordinate the task flow and realise federated learning, and uses a committee verification mechanism based on differential privacy to secure data and models during local task learning, local model verification and global model aggregation. Storing training data on the blockchain also markedly improves the reliability of the model aggregation process.
A novel consensus algorithm named Proof of Task Participation (PoTP) is designed for the blockchain. The algorithm aims to coordinate and execute the federated learning task flow efficiently, effectively prevent tampering with model parameters and leakage of privacy, and keep the whole training process transparent.
For BFL, a privacy protection mechanism based on local differential privacy (LDP) is introduced and further strengthened by a committee-based strategy. BFL therefore not only resists potential security threats such as single points of failure and poisoning attacks, but also preserves privacy during training.
In the model aggregation stage, an algorithm that adaptively adjusts the aggregation weights is provided. It prevents collusion attacks between a trainer and other committee members and also screens out low-quality models, thereby ensuring high-quality aggregation of the federated learning global model.
Third, combining federated learning with blockchain technology and employing differential privacy and a committee verification mechanism brings the following significant technical advances:
1) Enhanced data privacy protection: differential privacy allows model updates to be shared while protecting individual privacy. Even if data are compromised, they cannot be traced back to a specific individual, which significantly strengthens data privacy.
2) Improved model security: model updates are recorded using the tamper-proof property of the blockchain, and real-time monitoring and a committee verification mechanism are implemented, greatly reducing the model's exposure to poisoning and collusion attacks.
3) Traceability of data and models: all model updates are recorded on the blockchain, providing transparency for model training and data use and allowing audits that verify the integrity of the federated learning process.
4) Improved accuracy and fairness of the model: the committee verification mechanism and the adaptive weight adjustment algorithm ensure accurate and fair model aggregation, since only validated, high-quality model updates are aggregated.
5) Improved resistance to attack: the system can detect and prevent potential security threats such as poisoning and inference attacks, maintaining high resistance to attacks throughout the learning process.
6) Cross-domain collaboration without centralised trust: even without a centralised trusted entity, different organisations can collaboratively train machine learning models, which is difficult to achieve in many traditional data sharing models.
7) Optimised resource utilisation: because data need not be stored or processed centrally, each participant trains the model locally, reducing data transmission costs and making effective use of edge computing resources.
The technical progress of the invention provides a new paradigm for training machine learning models, making cross-organisation cooperation safer and more efficient and fundamentally improving the protection of personal privacy.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the invention, and other drawings can be obtained from them by a person skilled in the art without inventive effort.
FIG. 1 is a flow chart of a federated learning method supporting resistance to poisoning and inference attacks provided by an embodiment of the invention;
FIG. 2 is a diagram of the federated learning communication framework provided by an embodiment of the invention;
FIG. 3 is a block diagram of a federated learning system supporting resistance to poisoning and inference attacks provided by an embodiment of the invention;
FIG. 4 is a graph of the time spent in each stage when different numbers of nodes are deployed, provided by an embodiment of the invention;
FIG. 5 shows model accuracy at different proportions of malicious nodes, provided by an embodiment of the invention: (a) malicious nodes account for 15%; (b) 30%; (c) 45%;
FIG. 6 shows model accuracy in different collusion attack scenarios, provided by an embodiment of the invention: (a) the malicious trainer uploads a forged low training loss and the colluding verifier produces a false low verification loss for it but verifies the other models honestly; (b) on the basis of (a), the colluding verifier deliberately amplifies the loss values of the other models; (c) the malicious trainer uploads its real training loss and the colluding verifier still produces a false low verification loss for it but verifies the other models honestly; (d) on the basis of (c), the colluding verifier also amplifies the losses of the other models;
FIG. 7 shows model scores in different collusion attack scenarios, provided by an embodiment of the invention: (a) the malicious trainer uploads a forged low training loss and the verifier colluding with it produces a false low verification loss for it; (b) the malicious trainer chooses to upload its real training loss value.
Detailed Description
The invention is described in further detail with reference to the following examples so that its objects, technical solutions and advantages become more apparent. It should be understood that the specific embodiments described here are for illustration only and are not intended to limit the scope of the invention.
Specific application embodiments and their implementations may consider the following two scenarios:
Embodiment one: medical data federated learning system
Application scenario: multiple hospitals need to share medical data while protecting patient privacy in order to improve the accuracy of disease prediction models.
1) Establish a secure infrastructure: install blockchain nodes in the systems of the participating hospitals to ensure distributed and secure data storage.
2) Data preparation: each hospital trains its own prediction model on a local data set and adds differential privacy noise to protect patient data.
3) Model training and sharing: the trainer (hospital) submits the encrypted local model to the blockchain network for coordination by the aggregation committee.
4) Model verification and aggregation: the verification committee consists of randomly selected participants who independently verify the models to ensure their accuracy.
5) Model update and iteration: based on the verification results, the aggregation committee updates the global model with the adaptive weight adjustment algorithm and stores it on the blockchain.
Embodiment two: smart-contract-driven supply chain finance
Application scenario: different enterprises in a supply chain (manufacturers, suppliers, retailers) wish to build a shared credit scoring model to reduce financing costs and risk.
1) Build a blockchain platform: set up a blockchain network among the enterprises to record transactions and training data.
2) Credit scoring model training: each enterprise trains a credit scoring model on its local data and protects sensitive financial data with differential privacy.
3) Data submission and verification: the enterprise submits the encrypted model to the blockchain, and the verification committee verifies the model's performance and fairness.
4) Smart contract implementation: model aggregation, updating and credit score output are performed automatically by smart contracts.
5) Credit scoring application: the updated global credit scoring model provides credit evidence for enterprises, helping them obtain better loan conditions in supply chain finance.
These two embodiments show how federated learning combined with blockchain technology meets the needs of data sharing and privacy protection in different industries while maintaining the security and integrity of the model.
In view of the problems in the prior art, the invention provides a federated learning method and system that resist poisoning and inference attacks.
As shown in FIG. 1, the embodiment of the invention provides a federated learning method that resists poisoning and inference attacks; the communication framework is composed of an aggregation committee, trainers and a verification committee, where a randomly selected subset of the trainers constitutes the verification committee and the trainers train the model under the coordination of the aggregation committee. The method comprises the following steps:
Step one: to strengthen privacy protection, a local differential privacy technique protects the model during execution of the federated learning task. Each trainer trains the model on its private data set on the local device, applies differential privacy noise to the model (the noise-added model is referred to as the encrypted model), and then uploads the encrypted model and its training parameters to the aggregation committee.
Step two: the invention provides a committee verification mechanism to detect potential poisoning attacks in real time; the verification committee tests the trainers' local models and feeds the test results back to the aggregation committee.
Step three: the aggregation committee receives the local models and related parameters submitted by the trainers and aggregates the local models; to prevent trainers colluding with members of the verification committee to launch an attack, the invention designs an adaptive weight adjustment algorithm at the aggregation committee.
Further, the framework significantly improves the credibility of the model aggregation process by storing training data on the blockchain. A consensus mechanism based on task participation is coupled with the federated learning process: the aggregation committee of the federated learning communication framework takes part in consensus, and an aggregator receives the local models and related parameters submitted by the trainers, distributes the local models to verifiers for accuracy testing, and assigns each model an aggregation weight according to the test results received. Finally, an agent selected from the aggregation committee acts as block producer, packages all models and training data into a block, and publishes the block to the network.
As shown in FIG. 2, federated learning fused with differential privacy protection, as provided by an embodiment of the invention, includes:
1) obtaining information such as the initial state and the expected number of iterations of the training task from the genesis block;
2) in each iteration, the trainer downloads the current round's model from the blockchain and trains it with local data to obtain a local model, then adds Gaussian noise to perturb the local model, i.e.
3) when submitting the model to the aggregation committee, the trainer attaches other key training parameters, including the size of its data set and the model's loss function value, which are used to formulate the aggregation weight;
4) after receiving each local model and the other training parameters, the aggregation committee records the local model and distributes the noise-added model to the verification committee;
5) the verification committee members verify model performance on their respective local data and feed the computed verification losses back to the aggregation committee;
6) after collecting all verification losses, the aggregation committee computes the loss values locally and records each verifier's evaluation result;
7) the noise-added local models are weighted and aggregated to obtain the final global model ω_{t+1}, calculated as follows:
8) the agent then uploads the newly generated global model, the local models and the training data into the block to strengthen the reliability of the training process.
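Steps 2) and 3) describe what a single trainer does before it uploads anything: download the round's model, train locally, perturb the local model with Gaussian noise, and attach the data set size and loss value. The Python below is an added example, not code from the patent or the BFL system: the toy least-squares model, the clipping of the update ω_i − ω_t to a fixed L2 norm before noise is added (the clip bound is what the noise scale σ = clip_norm · noise_multiplier is derived from), and the choice to report the loss of the uploaded noisy model are assumptions of this example.

```python
"""Added illustration of one trainer's local round: train, clip the update, add Gaussian
noise, and package the submission (noisy model, data set size, loss). Not the patent's code;
the toy model, the clipping step and the reported-loss choice are assumptions."""
import math
import random


def local_train(global_model, data, lr=0.1, epochs=50):
    """Toy local training: gradient descent on squared error for model [w, b] over (x, y) pairs."""
    w, b = global_model
    for _ in range(epochs):
        gw = sum(2 * (w * x + b - y) * x for x, y in data) / len(data)
        gb = sum(2 * (w * x + b - y) for x, y in data) / len(data)
        w -= lr * gw
        b -= lr * gb
    return [w, b]


def training_loss(model, data):
    """Mean squared error of model [w, b] on the local data."""
    w, b = model
    return sum((w * x + b - y) ** 2 for x, y in data) / len(data)


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip(update, clip_norm):
    """Scale the update down so its L2 norm is at most clip_norm; this bounds the sensitivity
    of a single trainer's contribution, which is what makes the Gaussian noise scale meaningful."""
    n = l2_norm(update)
    return list(update) if n <= clip_norm else [x * clip_norm / n for x in update]


def perturb(local_model, global_model, clip_norm, noise_multiplier, rng):
    """Gaussian perturbation of the local model: clip (ω_i − ω_t), add N(0, σ²) per coordinate with
    σ = clip_norm · noise_multiplier, and re-add the global model so the result is a full model."""
    update = clip([l - g for l, g in zip(local_model, global_model)], clip_norm)
    sigma = clip_norm * noise_multiplier
    return [g + u + rng.gauss(0.0, sigma) for g, u in zip(global_model, update)]


def trainer_round(global_model, data, clip_norm=1.0, noise_multiplier=0.5, seed=0):
    """Everything one trainer submits to the aggregation committee in a round (step 3):
    the noise-added model, the data set size N_i and the loss of the model it actually uploads."""
    rng = random.Random(seed)  # seeded so the example is reproducible; use os.urandom-backed RNG in practice
    local = local_train(global_model, data)
    noisy = perturb(local, global_model, clip_norm, noise_multiplier, rng)
    return {"model": noisy, "n": len(data), "loss": training_loss(noisy, data)}


if __name__ == "__main__":
    # constructed local data set: five points on y = 2x + 1
    data = [(x / 4, 2 * (x / 4) + 1) for x in range(5)]
    print(trainer_round([0.0, 0.0], data))
```

The noise multiplier and clip bound are the two knobs that trade model accuracy against the strength of the privacy guarantee; the reported loss is computed on the noisy model because that is the artefact the verification committee will evaluate, so the trainer's figure and the verifiers' figures are comparable.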
Further, in round t of the training process, the aggregation committee elects a specific agent to calculate the validation-loss weighted difference diff_i^t for each model:
where M is the number of verification committee members, the training loss is the loss of model i uploaded by its trainer, and the verification loss is the loss reported by verifier j for model i. The median of the verification losses of model i is calculated as follows:
The difference between the verification loss and the training loss is quantified by weighted averaging. After the weighted differences of all models have been calculated, the verification score D_i of model i is defined by:
where c_d is a predefined constant that adjusts the sensitivity of the verification score, and the median absolute deviation of the weighted differences is calculated as follows:
The median of the weighted differences is calculated as follows:
The training score is expressed as:
where c_l is a preset constant, analogous to c_d. The median absolute deviation is calculated as follows:
The median of the training losses is calculated as follows:
From the verification score and the training score, the framework quantifies the model's performance in the training and verification phases to derive a comprehensive score, calculated as follows:
Taking into account the honesty of both the trainers and the verification committee, the aggregation weight of each model is composed of the model score and the data set size, i.e.
where N_i is the data set size of trainer i.
Further, the aggregation weight of each model is recalculated from the loss values stored in the block, and the global model is recalculated from the local models in the block; when the recomputed result agrees with the recorded one, the aggregation process is an honest calculation.
Further, the federated learning framework adopts a PoTP-based consensus mechanism; the aggregation committee members complete consensus through the following steps:
(1) Consensus preparation: the task requester shares the task with the aggregation committee and the trainers through the genesis block, and the trainers download the model to be used in the current round from the block; in the preparation stage, the aggregation committee members are sorted in descending order of historical task participation to obtain a new ordered aggregation committee list; the aggregators in the list are responsible for generating blocks in turn, from the highest rank to the lowest, and the aggregator responsible for generating the current block is called the agent;
(2) Local model collection: the agent collects the encrypted model, the dataset size and the training loss from each trainer, and the local models form a set; at the same time, the agent records these training parameters locally for evaluating model performance;
(3) Weight calculation: the agent distributes the models to the verification committee, which evaluates them using their respective datasets and returns the calculated validation losses to the aggregation committee; after the agent has received all validation losses, it calculates the aggregation weight of each model;
(4) Block generation: the agent calculates the new round's global model and writes it into a new block; all relevant computation metadata is also recorded in the block;
(5) Block release: in the blockchain network, when the agent has constructed a new block, it adds its signature to the block header and broadcasts the block to the other aggregation committee members; each member can independently check and verify the validity of the new block; when a majority of members agree that the new block is valid, the block is appended to the blockchain.
Further, when a node receives a new block, it performs a series of verification steps, including: a. calculation and data-consistency verification; b. signature verification of the agent and the managers; after all verification steps have succeeded, the node marks the new block as a compliant block.
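The scoring pipeline of this section (validation-loss weighted difference, MAD-based validation and training scores, comprehensive score, dataset-size weighting) and the data-consistency check a node performs on a received block (step a above) are illustrated together by the following added example. It is not the patent's code, and because the page does not reproduce the formulas, every formula in it is an assumed instantiation: each verifier's report is weighted by its MAD score around the median validation loss of the model; each score equals 1 at the median and decreases linearly to 0 beyond c times the MAD; the comprehensive score is the product of the two scores; c_d = c_l = 3; and the losses, dataset sizes and three-parameter "models" are constructed. The two scenarios mirror the fig. 7a and fig. 7b cases discussed later on this page.

```python
"""Added example: MAD-based model scoring and honest-aggregation check.

The page gives the structure of the scoring pipeline but not the formulas, so
every formula below is an assumed instantiation, not the patent's own.
"""
from statistics import median
from typing import Dict, List, Sequence

C_D = 3.0   # assumed sensitivity constant for the validation score
C_L = 3.0   # assumed sensitivity constant for the training score
EPS = 1e-9  # floor for a zero MAD (more than half the values identical)


def mad_scores(values: Sequence[float], c: float) -> List[float]:
    """Score each value by its absolute deviation from the median, relative to
    c times the median absolute deviation (MAD): 1 at the median, decreasing
    linearly, clipped to 0 beyond c*MAD (assumed form of both scores)."""
    med = median(values)
    devs = [abs(x - med) for x in values]
    scale = c * max(median(devs), EPS)
    return [max(0.0, 1.0 - d / scale) for d in devs]


def weighted_diff(train_loss: float, val_losses: Sequence[float]) -> float:
    """Weighted average of (validation loss - reported training loss) over the
    M verifiers. Each report is weighted by its MAD score around the median
    validation loss, so an outlying (e.g. colluding) report is discounted.
    The page only says 'weighted averaging'; this weighting is an assumption."""
    weights = mad_scores(val_losses, C_D)
    total = sum(weights)
    if total == 0.0:  # guard for degenerate input; the median report scores > 0
        return 0.0
    return sum(w * (v - train_loss) for w, v in zip(weights, val_losses)) / total


def aggregation_weights(train_losses, val_losses, sizes):
    """Validation scores, training scores and normalised aggregation weights.
    Total score = validation score * training score (assumed), so a model cut
    to zero in either stage gets zero weight; the weight is proportional to
    total score times dataset size N_i, as the page states."""
    diffs = [weighted_diff(t, v) for t, v in zip(train_losses, val_losses)]
    d_scores = mad_scores(diffs, C_D)
    t_scores = mad_scores(train_losses, C_L)
    raw = [d * t * n for d, t, n in zip(d_scores, t_scores, sizes)]
    norm = sum(raw)
    weights = [r / norm for r in raw] if norm > 0 else [0.0] * len(raw)
    return d_scores, t_scores, weights


def aggregate(models: Sequence[Sequence[float]], weights: Sequence[float]) -> List[float]:
    """Weighted sum of the local models: the new global model."""
    return [sum(w * m[k] for w, m in zip(weights, models)) for k in range(len(models[0]))]


def verify_block(block: Dict, tol: float = 1e-9) -> bool:
    """Data-consistency check a node runs on a received block: recompute the
    weights from the recorded loss values and the global model from the
    recorded local models, then compare with the global model the agent published."""
    _, _, w = aggregation_weights(block["train_losses"], block["val_losses"], block["sizes"])
    expected = aggregate(block["models"], w)
    return all(abs(a - b) <= tol for a, b in zip(expected, block["global_model"]))


# Constructed sample: 6 trainers (4 and 5 malicious), 5 verifiers (3 and 4 collude).
SIZES = [1000, 1200, 900, 1100, 1000, 1000]
MODELS = [[0.50, -0.20, 0.10], [0.52, -0.19, 0.11], [0.49, -0.21, 0.09],
          [0.51, -0.20, 0.10], [4.0, -4.0, 4.0], [3.5, -3.5, 3.5]]  # last two noise-poisoned
BENIGN_VAL = [[0.33, 0.35, 0.34, 0.34, 0.36], [0.35, 0.37, 0.36, 0.35, 0.38],
              [0.31, 0.33, 0.32, 0.32, 0.34], [0.34, 0.35, 0.35, 0.36, 0.36]]
# honest verifiers 0-2 measure the poisoned models' true high loss; colluders 3-4 report fake low loss
MALICIOUS_VAL = [[2.03, 2.05, 2.04, 0.30, 0.31], [2.14, 2.16, 2.15, 0.31, 0.32]]


def scenario_fake_training_loss() -> Dict:
    """Fig. 7a-style case: malicious trainers report a fake low training loss."""
    return {"train_losses": [0.30, 0.31, 0.29, 0.30, 0.30, 0.31],
            "val_losses": BENIGN_VAL + MALICIOUS_VAL, "sizes": SIZES, "models": MODELS}


def scenario_true_training_loss() -> Dict:
    """Fig. 7b-style case: malicious trainers report their true high training loss."""
    return {"train_losses": [0.30, 0.31, 0.29, 0.30, 2.00, 2.10],
            "val_losses": BENIGN_VAL + MALICIOUS_VAL, "sizes": SIZES, "models": MODELS}


def honest_block(scenario: Dict) -> Dict:
    """Block written by an agent that aggregated with the computed weights."""
    _, _, w = aggregation_weights(scenario["train_losses"], scenario["val_losses"], scenario["sizes"])
    return dict(scenario, global_model=aggregate(scenario["models"], w))


def dishonest_block(scenario: Dict) -> Dict:
    """Block whose agent ignored the weights and published a plain average."""
    n = len(scenario["models"])
    return dict(scenario, global_model=aggregate(scenario["models"], [1.0 / n] * n))


if __name__ == "__main__":
    for name, sc in [("fake low training loss", scenario_fake_training_loss()),
                     ("true training loss", scenario_true_training_loss())]:
        d, t, w = aggregation_weights(sc["train_losses"], sc["val_losses"], sc["sizes"])
        print(name, "validation:", [round(x, 2) for x in d], "training:", [round(x, 2) for x in t],
              "weights:", [round(x, 3) for x in w])
        print("  honest block verifies:", verify_block(honest_block(sc)),
              " plain-average block verifies:", verify_block(dishonest_block(sc)))
```

Run stand-alone, the script prints the scores and weights of both scenarios and shows that a block whose agent ignored the weights fails the consistency check. The MAD floor EPS matters in practice: when more than half of the reported values are identical the MAD is zero, and without the floor the scoring would divide by zero instead of scoring the remaining models.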
As shown in fig. 3, the embodiment of the invention provides a federated learning system supporting resistance to poisoning and inference attacks, which implements the federated learning method described above; the system comprises:
the blockchain module, which is based on the PoTP consensus mechanism and is used to coordinate the task process and realize federated learning;
the privacy security module, which, based on a committee verification mechanism with differential privacy, ensures the security of data and models during local task learning, local model verification and global model aggregation;
and the federated learning module, which is used to construct the global model through distributed parameter exchange.
The present invention provides a framework based on Go 1.20 and Python 3.10.11, where Go is used to build the blockchain and Python, with PyTorch 2.0.1, is used to train the model and generate the noise. The blockchain nodes communicate with each other using the Go native RPC framework and interact with a Python-based Tornado HTTP server through the Go native HTTP client, delivering the model to the training server for training, verification and aggregation. Experiments were run on a computer with an Intel i5-13400 CPU (2.50 GHz, 10 cores), 32 GB DRAM and an NVIDIA RTX 4070 Ti GPU.
A. Experimental parameter settings
1) Blockchain settings: all nodes run in a local server environment. For the federated learning task on each blockchain, five members constitute the aggregation committee.
2) Federated learning settings: in the simulation experiments, the security of the BFL scheme was evaluated on the MNIST handwritten-digit dataset. MNIST contains 60000 training samples and 10000 test samples; each sample is a 28 x 28 grayscale image of a digit 0-9. The dataset was randomly distributed to 60 trainers. Taking the malicious node proportion settings into account, 20 trainers were selected to form the verification committee. The experiments trained a model with 2 convolutional layers and 2 fully connected layers, each convolutional layer comprising convolution, ReLU activation and max pooling. Each trainer performed SGD updates locally with a learning rate of 0.01, momentum of 0.5, a batch size of 64, and 100 aggregation rounds. For the differential privacy noise, (0.4, 10^-5)-DP parameters were used.
B. Blockchain performance analysis
This section experimentally evaluates the running efficiency of the blockchain consensus mechanism. In the PoTP-based environment, the agent, acting as miner, packages and stores the FL training data in the blockchain. This group of experiments therefore measures the performance overhead of each stage of the training process and discusses the influence of an increasing number of participating nodes on system performance.
To quantify the additional computational overhead introduced by the committees and the blockchain, the experiment evaluated the execution time of each phase in detail. The phases are defined as follows: 1) Training time: the time for all trainers to train locally and add noise; 2) Verification time: the time the verifiers need to verify all models; 3) Aggregation time: the time for the agent to calculate the aggregation weights of all models and to aggregate and accuracy-test the global model; 4) Total time: the overall time, including uploading the training data and downloading the global model. The node counts in FIG. 4 include trainers and verifiers, where the number of verifiers is half the number of trainers. The average time is the length of one iteration averaged over 100 iterations.
Figure 4 shows the average execution time of each phase at three deployment scales (15, 30 and 60 nodes). The results show that the training time is affected by the number of trainers and their heterogeneous computation times, and increases only slightly. In contrast, the verification, aggregation and total times increase by nearly a multiple. Notably, the verification phase is the most time-consuming part of the BFL scheme, mainly because every verifier must test all models. By calculation, the time required to upload the training data and download the global model in the three experiments is 2.7 s, 4.7 s and 8.9 s respectively, increasing markedly with the number of trainers.
C. Federated learning result analysis
To test BFL's ability to resist attacks, this section of the experiment uses an extra-noise attack as the poisoning attack: a malicious trainer, after completing local model training, adds noise far exceeding what the current privacy budget requires, in order to interfere with the global model and reduce its accuracy. The experimental data are compared with the following schemes:
a) FedAVG: FedAVG takes the average of all uploaded local models as the global model.
b) Median-AVG: Median-AVG (1) divides all received local models into k batches and calculates the mean of each batch, (2) calculates the geometric median of the k batch means, and (3) uses the geometric median model as the global model.
c) FL-RAEC: before round T_trust, FL-RAEC filters malicious models using only an autoencoder; after round T_trust, the score of each model is assessed through multiple rounds of random verification. The global model is calculated by assigning aggregation weights to the models based on the autoencoder output and the verification scores. In the following experiments, T_trust of FL-RAEC is set to 40.
1) Extra-noise attack
The three sub-graphs in fig. 5 show the effect of malicious node proportions of 15%, 30% and 45% on the model accuracy of the different schemes. Malicious trainers employ several means of attack, including injecting excessive noise and uploading false training losses, and malicious verifiers can also upload false verification losses. It can be seen that, as the proportion of malicious nodes increases, the accuracy of both FedAVG and Median-AVG begins to decrease, to different extents, around round 20. This is because, in the initial stage of model training, the injected noise has a certain regularization effect that improves model accuracy, but the accumulated noise then causes the model to gradually deviate from the optimal solution. In contrast, the FL-RAEC scheme can effectively identify abnormal models by means of the autoencoder. When the malicious node proportion reaches 45%, however, the autoencoder's threshold of keeping the 50% of models with the lowest reconstruction loss becomes too loose, and the influence of the malicious models can no longer be eliminated by the autoencoder alone. Furthermore, FL-RAEC relies on a multi-round anonymous trust verification mechanism that has limited defenses against interference when nearly half of the verifiers are malicious. In this case, therefore, FL-RAEC can only remove most of the malicious models and cannot completely eliminate their effect on global model aggregation. In contrast, BFL is more robust: its model accuracy at 15% and 30% malicious nodes is nearly identical to that of the baseline scheme, and with 45% malicious nodes BFL still accurately identifies and rejects the poisoned models; the overall accuracy is slightly reduced only because a large number of models are removed from aggregation.
2) Collusion attack
The aggregation committee members take turns acting as the agent and store the training data on the blockchain, a design that guarantees the agent aggregates the model honestly. FIG. 6 therefore depicts four scenarios of a "trainer-verifier" collusion attack in which a malicious trainer launches an extra-noise attack. In the first 40 rounds, whatever the collusion scenario, FL-RAEC exhibits significant fluctuations in global model accuracy, mainly because its autoencoder-based anomaly detection mechanism is not stable. In the scenario of fig. 6a, a malicious trainer uploads a fake low training loss and a colluding verifier generates a fake low verification loss for it, but verifies the other models honestly. After round 40, the global model accuracy of FL-RAEC stabilizes at about 90%. This can be attributed to the colluding verifier verifying the other models honestly, which allows the benign models to receive higher weight in aggregation. Unlike fig. 6a, fig. 6b shows that the accuracy of FL-RAEC drops dramatically at round 40 when the colluding verifier deliberately amplifies the loss values of the other models, because this behavior disrupts the normal verification process and gives the malicious models an excessive share of the aggregation weight. Fig. 6c examines a more concealed attack pattern: the malicious trainer uploads its true training loss, while the colluding verifier still generates a fake low verification loss for it and verifies the other models honestly. In this case the model accuracy shows a decreasing trend, suggesting that FL-RAEC does not adequately account for a malicious trainer reporting its actual training loss while performing a poisoning attack. Fig. 6d discusses a similar but more dangerous pattern than fig. 6c, in which the colluding verifier also amplifies the losses of the other models. The result resembles fig. 6b, with a sharp decline of FL-RAEC after round 40. In contrast, BFL successfully culls the malicious models by using the training score and the verification score as indicators, and reaches near-baseline accuracy in all four collusion scenarios.
3) Model scoring
To investigate how effectively the BFL model scoring algorithm separates abnormal models, this set of experiments examined the training score, verification score and total score of each model under a "trainer-verifier" collusion attack. In fig. 7, the malicious node proportion is set to 45%, and the malicious trainers use an extra-noise attack.
In fig. 7a, a malicious trainer has uploaded a fake low training loss, for which a colluding verifier has generated a fake low verification loss. The training scores of all models are approximately the same, so malicious models are hard to distinguish in the training phase because the malicious trainers uploaded counterfeit low training losses. In the verification phase, the colluding verifier fails to significantly interfere with the scores of the honest verifiers. Using the median absolute deviation as the anomaly detection mechanism, the abnormal data are successfully culled, and the verification score of the malicious model is reduced to zero; correspondingly, the benign models receive a higher, distinguishing score at this stage. Thus the malicious models are identified and given zero weight, while the benign models obtain corresponding non-zero aggregation weights.
In fig. 7b, the observation is in sharp contrast to fig. 7a. In this scenario the malicious trainer chooses to upload its true training loss. As a result, during the verification phase all models, malicious and benign alike, obtain approximately the same verification score, and malicious models cannot be distinguished from benign ones by the verification score alone. However, the training loss of the malicious model is significantly higher than that of the benign models, so using the absolute deviation of the training loss as the anomaly detection criterion distinguishes the malicious model effectively. This step reduces the training score of the malicious model to zero, while the benign models achieve relatively high training scores. The multi-stage evaluation mechanism thus identifies the malicious model and sets its total score to zero, while each benign model obtains a score according to its overall performance.
The foregoing is merely a description of specific embodiments of the present invention; the scope of the invention is not limited thereto, and any modifications, equivalents, improvements and alternatives made by those skilled in the art within the spirit and principles of the present invention fall within the scope of the present invention.

Claims (10)

1. A federated learning method supporting resistance to poisoning and inference attacks, characterized by comprising the following steps:
storing training data on the blockchain;
receiving the local models and related parameters submitted by a plurality of trainers and obtained by their respective training;
applying differential privacy noise encryption to each local model so as to protect the privacy of the training data;
distributing the encrypted local models to trainers belonging to a verification committee for model accuracy verification;
according to the model accuracy verification results, determining the weight of each local model in the final aggregation through an adaptive weight adjustment algorithm;
aggregating all the encrypted local models according to the determined weights to form an updated global model;
recording the aggregated global model on the blockchain to ensure that the process is traceable and tamper-proof.
2. The federated learning method supporting resistance to poisoning and inference attacks according to claim 1, further comprising the steps of:
storing training-task related data on the blockchain through a consensus mechanism;
setting up an aggregation committee that receives the local models and related parameters uploaded by the trainers and publishes them to the blockchain;
introducing differential privacy in the aggregation process by adding random noise to the model parameters submitted by each trainer so as to hide sensitive information of the training data;
forming a verification committee of randomly selected trainers that independently verifies the uploaded local models to ensure model accuracy and quality;
the verification committee providing feedback to the aggregation committee according to the verification results, and the aggregation committee adjusting the weight of each model in the final aggregation according to that feedback;
implementing real-time monitoring, using the committee verification mechanism to discover and block any poisoning attack in time;
adopting an adaptive weight adjustment algorithm to optimize the aggregated global model and resist potential collusion attacks,
wherein the steps include adding the verified models and parameters to the blockchain as a new block through the agent, to ensure the integrity and security of model aggregation.
3. The federated learning method supporting resistance to poisoning and inference attacks according to claim 1, wherein the federated learning method employs a federated learning communication framework consisting of an aggregation committee, trainers and a verification committee; a randomly chosen subset of the trainers constitutes the verification committee.
4. The federated learning method supporting resistance to poisoning and inference attacks according to claim 3, wherein the aggregation committee is responsible for receiving the local models and related parameters submitted by the trainers and for aggregating the local models;
the trainers train models under the coordination of the aggregation committee, each trainer training the model on its local device using its private dataset, encrypting the model, and uploading the encrypted model and training parameters to the aggregation committee;
the verification committee is responsible for testing the trainers' local models and feeding the test results back to the aggregation committee.
5. The federated learning method supporting resistance to poisoning and inference attacks according to claim 1, wherein the federated learning further comprises:
1) Obtaining information such as the initial state and the expected number of iterations of a training task from the originating (genesis) block;
2) In each iteration, the trainer downloads the current round's model from the blockchain and trains it with local data while adding Gaussian noise to perturb the local model, i.e.
3) When submitting the model to the aggregation committee, the trainer attaches other key training parameters, including the size of the dataset and the loss value of the model, which are used to formulate the aggregation weights;
4) After receiving each local model and the other training parameters, the aggregation committee records the local model and distributes the noise-added model to the verification committee;
5) The verification committee members verify model performance using their respective local data and feed the calculated verification loss back to the aggregation committee;
6) After collecting all verification losses, the aggregation committee locally calculates the loss values and records the evaluation result of each verifier;
7) The local models are weighted and aggregated to obtain the final global model ω_{t+1}, calculated as follows:
8) The agent then uploads the newly generated global model, the local models and the training data into the block to enhance the reliability of the training process.
6. The federated learning method supporting resistance to poisoning and inference attacks according to claim 5, wherein, at the t-th round of the training process, the aggregation committee elects a specific agent to calculate a validation-loss weighted difference for each model:
where M is the number of verification committee members, the training loss of model i is the loss uploaded by its trainer, the validation loss of verifier j for model i is the loss that verifier reports, and the median of the validation losses of model i is calculated as follows:
The weighted average quantifies the difference between the validation loss and the training loss; after the weighted differences for all models have been calculated, the validation score D_i of model i is defined by:
where c_d is a predefined constant that adjusts the sensitivity of the validation score, and the median absolute deviation of the weighted differences is calculated as follows:
The median of the weighted differences is calculated as follows:
The training score is expressed as:
where c_l is a preset constant analogous to c_d. The median absolute deviation of the training losses is calculated as follows:
The median of the training losses is calculated as follows:
Through the validation score and the training score, the framework quantifies the model's performance during the training and validation phases, giving a comprehensive score calculated as follows:
Considering the honesty of the trainers and the verification committee, the aggregation weight of each model consists of the model score and the dataset size, i.e.
where N_i is the dataset size of trainer i.
7. The federated learning method supporting resistance to poisoning and inference attacks according to claim 1, wherein the aggregation weight of each model is recalculated using the loss values in the block, and the global model is recalculated using the local models in the block; when the recalculated result agrees with the recorded one, the aggregation process is an honest calculation.
8. The federated learning method supporting resistance to poisoning and inference attacks according to claim 1, wherein the federated learning framework employs a PoTP-based consensus mechanism, and the aggregation committee members complete consensus through the following steps:
(1) Consensus preparation: the task requester shares the task with the aggregation committee and the trainers through the genesis block, and the trainers download the model to be used in the current round from the block; in the preparation stage, the aggregation committee members are sorted in descending order of historical task participation to obtain a new ordered aggregation committee list; the aggregators in the list are responsible for generating blocks in turn, from the highest rank to the lowest, and the aggregator responsible for generating the current block is called the agent;
(2) Local model collection: the agent collects the encrypted model, the dataset size and the training loss from each trainer, and the local models form a set; at the same time, the agent records these training parameters locally for evaluating model performance;
(3) Weight calculation: the agent distributes the models to the verification committee, which evaluates them using their respective datasets and returns the calculated validation losses to the aggregation committee; after the agent has received all validation losses, it calculates the aggregation weight of each model;
(4) Block generation: the agent calculates the new round's global model and writes it into a new block; all relevant computation metadata is also recorded in the block;
(5) Block release: in the blockchain network, when the agent has constructed a new block, it adds its signature to the block header and broadcasts the block to the other aggregation committee members; each member can independently check and verify the validity of the new block; when a majority of members agree that the new block is valid, the block is appended to the blockchain.
9. The federated learning method supporting resistance to poisoning and inference attacks according to claim 8, wherein, when a node receives a new block, it performs a series of verification steps, comprising: a. calculation and data-consistency verification; b. signature verification of the agent and the managers; after all verification steps have succeeded, the node marks the new block as a compliant block.
10. A federated learning system supporting resistance to poisoning and inference attacks, operating according to the federated learning method supporting resistance to poisoning and inference attacks of any one of claims 1 to 9, characterized in that the system comprises:
a storage module configured to store training data on the blockchain;
an aggregation module configured to receive the local models and related parameters submitted by the trainers and to assign aggregation weights according to the test results;
a differential privacy module configured to apply differential privacy noise encryption to the local model of each trainer;
a verification committee module configured to carry out accuracy tests on the local models and feed the test results back to the aggregation module;
a committee verification mechanism configured to perform real-time poisoning attack detection based on the test results and the committee policy;
an adaptive weight adjustment algorithm configured to adjust the aggregation weights based on the performance and security metrics of the models, wherein the aggregation module is further configured to package the models and training data into blocks that the agent, as block producer, publishes to the network.
CN202311484716.9A 2023-11-08 2023-11-08 Federal learning method and system supporting anti-poisoning and reasoning attack Pending CN117540376A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311484716.9A CN117540376A (en) 2023-11-08 2023-11-08 Federal learning method and system supporting anti-poisoning and reasoning attack

Publications (1)

Publication Number Publication Date
CN117540376A true CN117540376A (en) 2024-02-09

Family

ID=89793058

Country Status (1)

Country Link
CN (1) CN117540376A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118070929A (en) * 2024-04-18 2024-05-24 山东省计算中心(国家超级计算济南中心) Gradient heterogeneous dual optimization method and device in distributed machine learning system, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination