Authors: XU Mengfan (许勐璠), LI Xinghua (李兴华) (School of Computer Science, Shaanxi Normal University, Xi'an 710199, China; School of Cyber Engineering, Xidian University, Xi'an 710071, China)
Affiliations: [1] School of Computer Science, Shaanxi Normal University, Xi'an, Shaanxi 710199 [2] School of Cyber Engineering, Xidian University, Xi'an, Shaanxi 710071
Source: Journal of Xidian University (《西安电子科技大学学报》), 2023, No. 4, pp. 89-99 (11 pages)
Funding: National Natural Science Foundation of China (62125205); Key Research and Development Program of Shaanxi Province (2023KXJ-190); Natural Science Basic Research Program of Shaanxi Province (2022JQ-594).
Abstract: Model stealing and gradient leakage attacks have increasingly become bottlenecks that limit the broad application of federated learning. Existing authorization-based intellectual property protection schemes and privacy-preserving federated learning schemes have studied these challenges extensively, but problems of authorization invalidation and high computational overhead remain. To address them, this paper proposes a method for protecting model intellectual property and privacy in federated learning. The method protects the privacy of local gradients while ensuring that the authorization of the aggregated model is not invalidated. Specifically, a lightweight gradient aggregation method based on blinding factors is designed: by aggregating the ciphertext blinding factors, it greatly reduces the computational overhead of the encryption and decryption process. On this basis, an interactive co-training method based on anti-transfer learning is further proposed; during training it increases the Shannon mutual information between the representation vector of the auxiliary-domain data and the obstacle, so that the model can only be used by authorized users in the authorized domain while local gradient privacy is protected. The security and correctness of the scheme are proved theoretically, and its superiority is verified on public data sets. The results show that the proposed scheme reduces the performance of the federated learning global model in unauthorized domains by at least about 47% compared with existing schemes, and that the computational complexity is reduced at the level of the gradient dimension.
Keywords: federated learning; intellectual property protection; anti-transfer learning; privacy preservation; public-key cryptography
Classification: TP309 [Automation and Computer Technology / Computer System Architecture]