A Survey of Attack and Defense Techniques for Federated Learning Systems (original Chinese title: 联邦学习系统攻击与防御技术研究综述)

Citations: 12

Authors: GAO Ying (高莹); CHEN Xiao-Feng (陈晓峰); ZHANG Yi-Yu (张一余); WANG Wei (王玮); DENG Huang-Hao (邓煌昊); DUAN Pei (段培); CHEN Pei-Xuan (陈培炫) (State Key Laboratory of Public Big Data, Guizhou University, Guiyang 550025; School of Cyber Science and Technology, Beihang University, Beijing 100191; Key Laboratory of Aerospace Network Security, Ministry of Industry and Information Technology, Beijing 100191; Zhongguancun Laboratory, Beijing 100094; Tencent Inc., Shenzhen, Guangdong 518054)

Affiliations: [1] State Key Laboratory of Public Big Data, Guizhou University, Guiyang 550025; [2] School of Cyber Science and Technology, Beihang University, Beijing 100191; [3] Key Laboratory of Aerospace Network Security, Ministry of Industry and Information Technology, Beijing 100191; [4] Zhongguancun Laboratory, Beijing 100094; [5] Tencent Inc., Shenzhen, Guangdong 518054

Source: Chinese Journal of Computers (计算机学报), 2023, No. 9, pp. 1781-1805 (25 pages)

Funding: Beijing Natural Science Foundation (No. M21033); National Natural Science Foundation of China (No. 61932011, 61972017); Tencent WeChat Rhino-Bird Fund.

Abstract (translated from the Chinese): Federated learning, an emerging technique for building machine learning models from distributed training datasets, effectively addresses the leakage of local private data that joint modeling between different data owners would otherwise cause, and has therefore been widely adopted across many fields and has developed rapidly. However, existing federated learning systems have been shown to face potential threats in the data collection, training and inference stages, endangering both data privacy and system robustness. Starting from two classes of potential threat, security threats and privacy threats, this paper gives detailed definitions of the security properties of federated learning scenarios in terms of confidentiality, integrity and availability (the CIA triad), and systematically surveys the attack methods and defense measures in federated learning. First, it outlines the horizontal and vertical federated learning processes and their potential threats, and, from the two perspectives of adversarial and non-adversarial attacks, analyzes the basic concepts, implementation stages and existing schemes of common attacks such as poisoning attacks, adversarial example attacks and inference attacks. Further, according to the attack method, defenses are divided into two classes, robustness-enhancement methods and privacy-enhancing techniques: robustness-enhancement methods mainly defend against adversarial attacks on the system and include data sanitization, robust aggregation, anomaly detection, adversarial training, knowledge distillation and pruning; privacy-enhancing techniques mainly defend against non-adversarial attacks and include homomorphic encryption, secure multi-party computation, differential privacy and blockchain. Finally, the paper gives future research directions for robustness and privacy in federated learning.

Abstract (English, as published): As an emerging technology of building machine learning (ML) models using distributed training data sets, federated learning (FL) can effectively solve the problem of local data privacy disclosure caused by joint modeling between different data owners. Therefore, it is widely used in many fields and has developed rapidly. FL keeps the data of participants local and only uploads model parameters to the server, which effectively protects the privacy of local data. However, the existing FL systems have been proved to have potential threats in the data collection stage, training stage and inference stage, which endanger the privacy of data and the robustness of the system. In the data collection stage and training stage, attackers may poison the training data or the model, thereby endangering the security of the system. In the inference stage, attackers may input samples with minor malicious perturbations added, causing the classifier to misclassify the sample with a very high probability, which will lead to privacy disclosure. Most of the existing research work describes attack and defense methods in ML, which are not necessarily applicable to FL models, and only focuses on a few attack threats and traditional defenses, lacking a detailed and comprehensive overview of the cutting-edge defenses. Starting with two kinds of potential threats, security threats and privacy threats, we give a detailed definition of security attributes in FL scenarios around confidentiality, integrity and availability (CIA triplet), and summarize various attack methods and defense means in FL systematically and comprehensively. Firstly, we summarize the horizontal and vertical federated learning (VFL) process and potential threats respectively, and analyze the basic concepts, implementation stages and existing schemes of common attacks such as poisoning attack, sample attack and inference attack from the perspectives of antagonistic attack and non-antagonistic attack. Adversarial attacks include poisoning attacks, adversarial sample attacks, free-riding attacks, Sy

Keywords: federated learning; security threats; privacy threats; robustness-enhancement methods; privacy-enhancing techniques

Classification code: TP181 [Automation and Computer Technology: Control Theory and Control Engineering]

 
