CN117807597A - Robust personalized federal learning method facing back door attack - Google Patents


Info

Publication number
CN117807597A
Authority
CN
China
Prior art keywords
client
training
local
model
back door
Legal status
Pending
Application number
CN202410043699.3A
Other languages
Chinese (zh)
Inventor
林莉
赵云飞
沈薇
宋传兰
钱程
Current Assignee
Beijing University of Technology
Original Assignee
Beijing University of Technology

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a robust personalized federated learning method against backdoor attacks, comprising a training method for heterogeneous personalized models and a backdoor-resistance method based on parameter perturbation. A general data representation is learned by jointly training the feature extraction layer, which improves the generalization ability of the model; each client selects a local classifier structure suited to its own computing resources and data distribution, so that its hardware is fully used and the structure of its classifier is not disclosed; and each client adds Gaussian noise to the backdoor neurons in the feature extractor, which lowers the model's fit to backdoor triggers and mitigates the backdoor attack of a malicious client.

Description

Robust personalized federated learning method against backdoor attacks
Technical Field
The invention belongs to the technical field of federated learning applications, and in particular relates to a model-heterogeneous personalized federated learning algorithm based on parameter decoupling and a backdoor-feature elimination algorithm based on perturbing maliciously influenced parameters. It lets each client train a personalized model adapted to its local data when client data is non-independent and not identically distributed (non-IID), and it reduces the risk of a backdoor being implanted into the model during training.
Background
Federated learning is a distributed learning framework in which users jointly train a global model through iterative communication between a central server and edge devices (such as smartphones and IoT sensors) while keeping personal data (such as health data) private. It addresses the privacy problem created by modern computing devices collecting large amounts of private data. However, because the data held by different clients is non-IID, the performance of the global model can suffer.
Model personalization has become a leading approach to this problem. Starting from a global neural network, it derives a local model for each client by optimizing an independent personalized component, so that gradients and parameters are shared more sensibly. Personalized federated learning lets each client train a neural network better suited to its local data while still using information from other clients to improve generalization. In a range of federated learning applications such personalized models have proven superior to the single-model approach of conventional federated learning.
Existing personalized federated learning improves model performance to some extent, but because the participating devices have different computing resources and network bandwidths, forcing them to share the same network structure slows convergence or fails to exploit high-performance devices. Moreover, the training mechanism leaves the global model highly vulnerable to backdoor attacks: an attacker implants a backdoor into the global model by crafting harmful gradients or model updates, so that the model misclassifies the subset of inputs that carry a trigger. Because benign clients train locally on top of the global model, the malicious update propagates and the backdoor is implanted into every client taking part in training. Various server-side defenses have been developed to keep malicious updates out of the model aggregation phase, but when the proportion of malicious clients is large they cannot guarantee that personalized federated learning resists backdoor attacks. More importantly, once the global model is contaminated the contamination persists in later training rounds even if no further attack occurs, and server-side defenses do not address this.
Disclosure of Invention
To address these problems of existing personalized federated learning, the invention provides a personalized federated learning algorithm with heterogeneous models: the model is divided into a shared feature extractor and local classifiers of differing structure, and a client can choose a model of the complexity suited to its computing resources. It also provides a backdoor-feature elimination algorithm based on perturbing maliciously influenced parameters: backdoor neurons in the global model are identified from the difference between the models obtained in the previous and current rounds, and noise is applied to those neurons during local training to reduce how well they learn the backdoor trigger, thereby resisting backdoor attacks.
The robust personalized federated learning method against backdoor attacks is characterized by the following steps:
First, the linear classifier of each client's training model and a number of adjacent network layers are randomly initialized as the personalized layers; the linear classifier is then combined with the feature extractor received from the server into a complete training model, which is trained on the local training set. The client computes how much each feature extractor parameter changed during local training relative to the previous round, adds Gaussian noise to the parameters with a small change, uploads the decoupled feature extractor parameters to the server and keeps the personalized classification layers locally; this is repeated until the model converges. Because only the linear classifier is adapted, the method combines easily with existing parameter-decoupling personalized federated learning methods, and because fewer model parameters are transmitted it reduces communication overhead. Unlike existing personalization strategies, the personalized layers of the different parties need not have the same structure.
The flow is shown in figure 1 and consists of the following steps:
Step 1: Build a federated learning system comprising a central server and N clients. All participants share the same feature extractor, but each may design a local classifier whose structure differs from the other participants', based on its own computing resources or to protect its intellectual property.
Step 2: The feature extraction layer may be initialized from a model pre-trained on a large dataset, giving federated learning a good starting point. The local classifier layer uses a standard random initialization such as Xavier or He initialization, which scales the initial weight distribution by the number of input and output units to avoid vanishing or exploding gradients early in training.
Step 3: To reduce communication and computation cost, before each round starts the availability of all clients is checked, a suitable proportion of the available clients is chosen by simple random sampling to take part in the round, and the server sends the feature extractor parameters aggregated in the previous round to the selected clients.
Step 4: In round 1 each client trains the complete model directly on its local data by stochastic gradient descent; in later rounds the local classifier parameters are frozen and only the feature extraction parameters are updated, so that general features of the cross-device data are learned and the generalization of the model improves.
Step 5: To counter backdoor feature weights that step 4 may have introduced, Gaussian noise is added to the feature extractor elements corresponding to small entries of the Hessian matrix of the loss function with respect to the feature extractor, reducing the ability of backdoor neurons to overfit the trigger.
Step 6: The feature extractor with backdoor features removed is uploaded to the server for global aggregation.
Step 7: The client fixes the feature extraction layer parameters and updates its heterogeneous local classifier by stochastic gradient descent, further improving performance on the local data distribution.
Step 8: If the given number of training rounds has been reached, go to step 9; otherwise return to step 3 for the next round.
Step 9: Each client combines the global feature extractor and its local classifier into a heterogeneous personalized model that resists backdoor attacks.
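One round of steps 3 to 7 on a toy model, as an added example (this is not code from the patent or its authors). The shared feature extractor is a vector theta applied element-wise to the input, each client's local head w_k is a linear layer that never leaves the client, the server samples K = C·N clients, and the uploaded extractors are averaged with weights |D_k|/|D|. Everything here is an assumption for illustration: the squared-loss toy model, the function names, the constructed non-IID data (one true extractor, a different true head per client), the omission of the round-1 full-model training, and the fact that head structure heterogeneity is not modelled (heads differ only in their values).

```python
import random

D = 4  # feature dimension of the toy extractor (assumed)


def forward(theta, w, x):
    """Toy model: shared extractor z = theta ⊙ x, local linear head yhat = w·z."""
    z = [t * xi for t, xi in zip(theta, x)]
    return sum(wi * zi for wi, zi in zip(w, z)), z


def mean_loss(theta, w, data):
    """Mean squared error of one client's personalized model on its data."""
    return sum((forward(theta, w, x)[0] - y) ** 2 for x, y in data) / len(data)


def local_train_extractor(theta, w, data, lr, iters, rng, batch=4):
    """Step 4: head w frozen, SGD on the extractor theta (squared loss)."""
    theta = list(theta)
    for _ in range(iters):
        for x, y in rng.sample(data, min(batch, len(data))):
            err = forward(theta, w, x)[0] - y
            # dL/dtheta_j = err * w_j * x_j
            theta = [t - lr * err * wj * xj for t, wj, xj in zip(theta, w, x)]
    return theta


def local_train_head(theta, w, data, lr, iters, rng, batch=4):
    """Step 7: extractor theta frozen, SGD on the local head w."""
    w = list(w)
    for _ in range(iters):
        for x, y in rng.sample(data, min(batch, len(data))):
            yhat, z = forward(theta, w, x)
            err = yhat - y
            # dL/dw_j = err * z_j
            w = [wj - lr * err * zj for wj, zj in zip(w, z)]
    return w


def participants_per_round(N, C):
    """Step 3: K = C·N clients per round (at least one)."""
    return max(1, int(C * N))


def aggregate(updates):
    """Step 6: average the uploaded extractors weighted by |D_k| / |D|.
    `updates` is a list of (theta_k, |D_k|) pairs from the selected clients."""
    total = sum(n_k for _, n_k in updates)
    return [sum(theta_k[j] * n_k for theta_k, n_k in updates) / total
            for j in range(len(updates[0][0]))]


def run_round(theta, heads, datasets, C, rng, lr=0.05, iters=5):
    """Steps 3-7 of one round. Only theta leaves a client; heads stay local."""
    N = len(datasets)
    selected = rng.sample(range(N), participants_per_round(N, C))
    updates = []
    for k in selected:
        theta_k = local_train_extractor(theta, heads[k], datasets[k], lr, iters, rng)
        updates.append((theta_k, len(datasets[k])))  # uploaded: theta only
    theta = aggregate(updates)
    for k in selected:  # step 7 on the new global extractor; heads never uploaded
        heads[k] = local_train_head(theta, heads[k], datasets[k], lr, iters, rng)
    return theta, selected


def make_client_data(rng, true_head, n=16):
    """Constructed non-IID sample data: the same true extractor (all ones) for
    every client, but a different true head per client."""
    data = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in range(D)]
        y = sum(h * xi for h, xi in zip(true_head, x))  # theta_true = 1 everywhere
        data.append((x, y))
    return data


def round_demo(rounds=5, C=1.0, seed=7):
    """Runs several rounds; returns (mean loss before, mean loss after, theta)."""
    rng = random.Random(seed)
    true_heads = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]
    datasets = [make_client_data(rng, h) for h in true_heads]
    theta = [0.5] * D  # step 2: shared extractor initialization
    heads = [[rng.uniform(-0.1, 0.1) for _ in range(D)] for _ in true_heads]  # random head init
    before = sum(mean_loss(theta, w, d) for w, d in zip(heads, datasets)) / len(datasets)
    for _ in range(rounds):
        theta, _ = run_round(theta, heads, datasets, C, rng)
    after = sum(mean_loss(theta, w, d) for w, d in zip(heads, datasets)) / len(datasets)
    return before, after, theta


if __name__ == "__main__":
    print(round_demo())
```

The decoupling is visible in `run_round`: the server only ever sees `theta_k` and `|D_k|`, so a client's head (and, in the patent's setting, its head architecture) is never exposed. Note that the weighted average gives a client with a large |D_k| proportionally more influence over theta, which is exactly the lever a malicious client pulls when it scales its update; the perturbation of step 5 is applied by each receiving client on top of this aggregation, not by the server.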
Compared with the prior art, the invention has the following advantages:
In federated learning applications, client data distributions differ significantly, so it is unrealistic to train a single global model that suits all clients; the non-IID nature of the data causes large differences in the direction in which the clients optimize the model, which hurts the convergence and performance of the global model. At the same time the computing resources and network bandwidths of the participating devices differ, so a common network structure either overloads low-performance devices or wastes the capacity of high-performance ones, and to protect intellectual property a participant may want to improve its model with other parties' data while keeping its model structure from other participants. In addition, during training a malicious device can send malicious updates to the server to mount a backdoor attack. To solve these problems the invention provides a robust, model-heterogeneous personalized federated learning method that divides the model parameters by layer into two parts: feature extraction parameters, which learn a general data representation and are trained by a classical federated learning algorithm, and personalized local classifier parameters, which stay on the client after being updated on local data so as to preserve the client's individuality. After receiving the feature extraction parameters the client perturbs the backdoor features, which effectively improves resistance to backdoor attacks.
Drawings
FIG. 1 is a schematic diagram of the model-heterogeneous personalized federated learning framework resistant to backdoor attacks;
FIG. 2 is a flow chart of model-heterogeneous personalized federated learning training against backdoor attacks;
FIG. 3 shows the division into the feature extraction layer and the heterogeneous local classifiers.
Detailed Description
The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings.
The personalized federated learning framework for resisting backdoor attacks provided by the invention is shown in figure 1. The upper half shows the personalized federated learning process without any attacker; the lower half shows the process under a backdoor attack. In this scenario all clients share the same feature extractor; an attacker injects backdoor triggers into its training set during local training and then submits to the server a feature extraction model that has learned the backdoor features and has been scaled up by a certain multiple to strengthen the attack. The contaminated model is distributed to the benign clients. Before training its personalized local classifier, a benign client first perturbs the backdoor feature weights present in the feature extractor to obtain a clean model, and then trains further on its local data to obtain a personalized model.
The specific implementation process of the robust personalized federal learning method facing back door attack is shown in fig. 2, and comprises the following steps:
step 1, 2: the transverse federal learning system of the client-server architecture is constructed, fig. 3 shows a structural division manner of a feature extractor and a local classifier, the first two layers of convolution layers are shared by all clients as the feature extractor and are used for obtaining general features of all data, each client can select classifiers with different structures as personalized layers according to own computing resources and network bandwidths, and models 1, 2 and 3 have different numbers of flattening layers, full-connection layers and activation functions. The feature extractor may employ a pre-trained model and use Xavier initialization to adjust the initial distribution of weights for the local classifier.
Step 3: the feature extractor parameters are issued to the randomly selected clients. The server randomly selects client end composition with proportion of C in each roundParticipate in the device set and extract global featuresBroadcast to each client, where +.>Is a model structure->Is the corresponding feature extraction parameter.
Step 4: after each client receives the global feature extraction parameters, freezing heterogeneous local classifier parameters, and training the feature extraction parameters through a random gradient descent algorithm:wherein eta t Is the learning rate of the feature extraction parameters during the t-th training round,>is the loss function L of the kth client k Gradient with respect to feature extraction parameter θ +.>Is the initial weight of the round training local classifier, +.>Is a batch of data samples selected by the client k when the client k performs the ith training locally.
Step 5: calculating the accumulated difference of the t-th round of back door attack on the global characteristic parameter theta: wherein->Representing the set of wheel-engaging devices->With malicious client device set->Through the updated formula of the feature extractor in the step 4, the estimated back door weight vector is obtained by using the first-order taylor approximation and the chain ruleWherein->Is a Hessian matrix of the loss function relative to the global feature extractor theta, namely a square matrix formed by the second partial derivative of the loss function relative to theta, I is a homotypic identity matrix, p k The weight occupied by the kth client.
Before personalized training is performed in combination with a local classifier, noise is added to a Hessian matrix corresponding to the received feature extraction parameters to exclude the back gate weight vector from the kernel space, and then the introduced back gate features can be eliminated through local iteration. To reduce computational complexity, selectElements with smaller absolute values on the diagonal add noise to realize the disturbance to the nuclear space.
Specifically, a gaussian distribution is added to the obtained feature parameter vectorIs a random noise vector g:wherein, as follows, the symbol ". Aldrich indicates the Hadamard product operator, b is a binary vector with element values of 0 or 1, and the n-th element is defined as follows:
wherein the method comprises the steps ofRepresenting the amount of change in the feature extraction parameter θ during the local ith iteration.
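Step 5 as an added example (not code from the patent or its authors): the client compares the feature extractor it received with the one it obtained after local training, marks the coordinates that barely moved (the page's binary vector b, used here as a proxy for the small Hessian-diagonal entries, since benign local training leaves flat directions almost unchanged) and adds Gaussian noise to those coordinates only. The selection rule (a fixed fraction of the smallest-change coordinates), the noise scale `sigma` and the function names are assumptions; the page does not specify them. The two parameter vectors are constructed sample input.

```python
import random


def small_change_mask(theta_received, theta_local, fraction):
    """Binary vector b: b_n = 1 for the `fraction` of coordinates whose change
    |Δθ_n| = |theta_local[n] - theta_received[n]| over the local iterations is
    smallest (assumed rule; the page only says "small change"), else 0."""
    delta = [abs(a - b) for a, b in zip(theta_local, theta_received)]
    n_small = int(round(fraction * len(delta)))
    order = sorted(range(len(delta)), key=lambda n: (delta[n], n))
    flagged = set(order[:n_small])
    return [1 if n in flagged else 0 for n in range(len(delta))]


def perturb_backdoor_weights(theta_local, mask, sigma, rng):
    """theta_tilde = theta + b ⊙ g with g ~ N(0, sigma^2 I).
    Coordinates with b_n = 0 are returned exactly unchanged."""
    return [t + (rng.gauss(0.0, sigma) if b else 0.0)
            for t, b in zip(theta_local, mask)]


def perturb_demo(seed=0, fraction=0.25, sigma=0.1):
    """Constructed scenario: an 8-weight extractor received from the server.
    Coordinates 2 and 5 behave like backdoor weights: benign local training
    leaves them essentially untouched, so they end up in the mask."""
    rng = random.Random(seed)
    theta_received = [0.40, -0.10, 0.95, 0.20, -0.30, 0.80, 0.05, -0.60]
    theta_local    = [0.31, -0.22, 0.95, 0.33, -0.18, 0.81, -0.11, -0.47]
    mask = small_change_mask(theta_received, theta_local, fraction)
    theta_tilde = perturb_backdoor_weights(theta_local, mask, sigma, rng)
    return mask, theta_local, theta_tilde


if __name__ == "__main__":
    mask, theta_local, theta_tilde = perturb_demo()
    for n, (b, t, tt) in enumerate(zip(mask, theta_local, theta_tilde)):
        print(n, b, round(t, 3), round(tt, 3))
```

The mask is only as good as the proxy behind it: a backdoor weight that benign local data does move will escape the mask, and a benign weight that has simply converged will be noised. Since the perturbed extractor is what gets uploaded and aggregated in step 6, a practitioner should check clean-task accuracy on held-out local data while tuning `fraction` and `sigma`, and should expect the trade-off to shift with the number of local iterations, because more iterations shrink the set of coordinates that count as "unchanged".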
Step 6: the server aggregates the feature extraction parameters of the selected clients: wherein |D k I is the data volume of the kth client, I D is the total data volume of the clients participating in the round training, I is the total iteration number of the local training, S t A set of clients selected for the t-th round of servers.
Step 7: after each client freezes the feature extraction layer, the linear classification layer is trained by using local data: the local personalized knowledge in the local data can be further integrated into the heterogeneous local model, so that the personalized degree of the heterogeneous local model is improved. Wherein->Is the loss function L of the kth client k With respect to the local classifier parameters w k Is a gradient of (a).
Steps 8 and 9: If the given number of training rounds has been reached, each client combines the global feature extractor and its heterogeneous local classifier into a complete personalized model; otherwise return to step 3 for the next round of iterative training.
Through this process a personalized model suited to the local data can be trained under non-IID data, backdoor weights that may have been introduced are eliminated, and both the performance of federated learning under non-IID data and its resistance to backdoor attacks are markedly improved.

Claims (2)

1. A robust personalized federated learning method against backdoor attacks, comprising the following steps:
step 1: building a federal learning environment;
constructing a federated learning system comprising a central server and N clients, all of which share the same feature extractor; the k-th client designs a local classifier whose structure differs from the other clients' according to its own computing resources and data distribution; θ denotes the feature extraction parameters trained in the federated learning process and w_k the local classifier parameters specific to client k;
step 2: initializing model parameters;
for the feature extraction layer, a model pre-trained on a large dataset may be used for initialization, giving federated learning a good starting point; for the local classifier layer, a standard random initialization method is used in which the initial weight distribution is scaled by the number of input and output units to avoid vanishing or exploding gradients early in training;
step 3: issuing global feature extraction parameters;
before training round t starts, the server checks the availability of all clients and selects K = C·N clients from the available clients by random sampling to form the participating device set, where C ∈ (0, 1) is the proportion of clients selected in the current round, and broadcasts the feature extractor parameters θ^{t-1} aggregated in the previous round to the selected clients;
step 4: training a feature extractor;
if the current round is round 1, each client trains the complete model directly on its local data by stochastic gradient descent; otherwise, after receiving the global feature extraction parameters, each client freezes its heterogeneous local classifier parameters and obtains the next feature extraction parameters by stochastic gradient descent, learning general features of the cross-device data to improve the generalization of the model; here η_t is the learning rate of the feature extraction parameters in training round t, the update uses the gradient of the loss function L_k of the k-th client with respect to the feature extraction parameters θ, evaluated on the batch of data samples chosen by client k for its i-th local iteration, with the local classifier held at its weights from the start of the round;
step 5: disturbing the weight of the back door;
to counter backdoor feature weights that step 4 may have introduced, the ability of backdoor neurons to overfit the trigger is reduced by adding Gaussian noise to the elements corresponding to small entries of the Hessian matrix of the loss function with respect to the feature extractor;
step 6: an aggregate feature extractor;
after all clients have finished the backdoor weight perturbation, the server aggregates the feature extraction parameters of the selected clients, weighting each client's parameters by its data volume, where |D_k| is the data volume of the k-th client, |D| is the total data volume of the clients taking part in the round, I is the total number of local training iterations, and S_t is the set of clients selected by the server in round t;
step 7: training a local classifier;
the client fixes the feature extraction layer parameters and updates its heterogeneous local classifier by stochastic gradient descent, using the gradient of the loss function L_k of the k-th client with respect to the local classifier parameters w_k, so that personalized knowledge in the local data is further integrated into the heterogeneous local model and its degree of personalization increases;
step 8: generating a personalized model;
if the given number of training rounds has been reached, each client combines the global feature extractor and its heterogeneous local classifier, that is, the feature extraction layer and the local classifier, into a complete personalized model; otherwise return to step 3 for the next round of iterative training.
2. The robust personalized federated learning method against backdoor attacks according to claim 1, wherein perturbing the backdoor weights in step 5 comprises the following steps:
(1) computing the accumulated effect of the round-t backdoor attack on the global feature parameters θ, expressed in terms of the round's participating device set and the subset of malicious client devices within it; using the feature extractor update formula of step 4, a first-order Taylor approximation and the chain rule, an estimate of the backdoor weight vector is obtained in terms of the Hessian matrix of the loss function with respect to the global feature extractor θ (the square matrix of second partial derivatives of the loss with respect to θ), an identity matrix I of the same shape, and the weight p_k of the k-th client;
(2) adding noise to the received feature extraction parameters along the directions corresponding to the Hessian matrix, so that the backdoor weight vector no longer lies in the null space (kernel) of the Hessian, after which the introduced backdoor features are eliminated by local iteration; to reduce computational cost, only elements with small absolute values on the Hessian diagonal are selected and noised, which suffices to perturb that null space;
(3) generating a Gaussian-distributed random noise vector g and adding it to the elements with small change among the local feature extraction parameters obtained in step 4, as θ + b ⊙ g, where ⊙ is the Hadamard product and b is a binary vector with entries 0 or 1 whose n-th element is 1 when the change of the n-th feature extraction parameter θ across the local iterations is small and 0 otherwise.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410043699.3A CN117807597A (en) 2024-01-11 2024-01-11 Robust personalized federal learning method facing back door attack


Publications (1)

Publication Number Publication Date
CN117807597A true CN117807597A (en) 2024-04-02

Family

ID=90434675


Country Status (1)

Country Link
CN (1) CN117807597A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118114750A (en) * 2024-04-30 2024-05-31 齐鲁工业大学(山东省科学院) Federal learning method and device based on bi-component second-order aggregation and re-optimization classifier part and computer readable storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination