工业场景下联邦学习中基于模型诊断的后门防御方法  

作　　者：王迅 许方敏[1,2] 赵成林[1,2] 刘宏福 WANG Xun;XU Fangmin;ZHAO Chenglin;LIU Hongfu(School of Information and Communication Engineering,Beijing University of Posts and Telecommunications,Beijing 100876,China;Key Laboratory of Universal Wireless Communications,Ministry of Education,Beijing University of Posts and Telecommunications,Beijing 100876,China)

机构地区：[1]北京邮电大学信息与通信工程学院,北京100876 [2]北京邮电大学泛网无线通信教育部重点实验室,北京100876

出　　处：《计算机科学》2024年第1期335-344,共10页Computer Science

基　　金：国家自然科学基金(U61971050)。

摘　　要：联邦学习作为一种能够解决数据孤岛问题、实现数据资源共享的机器学习方法,其特点与工业设备智能化发展的要求相契合。因此,以联邦学习为代表的人工智能技术在工业互联网中的应用越来越广泛。但是,针对联邦学习架构的攻击手段也在不断更新。后门攻击作为攻击手段的代表之一,有着隐蔽性和破坏性强的特点,而传统的防御方案往往无法在联邦学习架构下发挥作用或者对早期攻击防范能力不足。因此,研究适用于联邦学习架构的后门防御方案具有重大意义。文中提出了一种适用于联邦学习架构的后门诊断方案,能够在无数据情况下利用后门模型的形成特点重构后门触发器,实现准确识别并移除后门模型,从而达到全局模型后门防御的目的。此外,还提出了一种新的检测机制实现对早期模型的后门检测,并在此基础上优化了模型判决算法,通过早退联合判决模式实现了准确率与速度的共同提升。As a machine learning method which can solve the problem of isolated data island and share data resources,the characteristics of federated learning are consistent with the requirements of intelligent development of industrial equipment,so that it has been applied in many industries.However,the attack methods against the federated learning architecture are constantly updated.Backdoor attack,as one of the representatives of attack methods,has the characteristics of concealment and destruction.While traditional defense schemes often fail to play a role in the federated learning framework or have insufficient ability to prevent early backdoor attacks.Therefore,it is of great significance to research the backdoor defense scheme which can be applied to the federated learning architecture.The backdoor diagnosis scheme for federated learning architecture is proposed,which can reconstruct the backdoor trigger by using the characteristics of the backdoor model without data.This scheme can realize accurate identification and removal of the backdoor model,and achieve the goal of global model backdoor defense.In addition,a new detection mecha-nism is proposed to realize the back door detection of early models.On this basis,the model judgment algorithm is optimized,and the accuracy and speed are both improved through the early exiting united judgment mode.

关 键 词：联邦学习 后门防御 早期后门攻击 后门触发器 早退联合判决 

分 类 号：TP181[自动化与计算机技术—控制理论与控制工程]