面向半异步联邦学习的防御投毒攻击方法研究  

作　　者：吴立钊 汪晓丁[1,3] 徐恬 阙友雄 林晖 WU Lizhao;WANG Xiaoding;XU Tian;QUE Youxiong;LIN Hui(College of Computer and Cyber Security,Fujian Normal University,Fuzhou 350117,China;Engineering Research Center of Cyber Security and Education Information,Fujian Province University,Fuzhou 350117,China;Institute of Tropical Bioscience and Biotechnology,Chinese Academy of Tropical Agricultural Sciences,Haikou 571101,China;Changdu City Economic and Information Technology Bureau,Changdu 854000,China)

机构地区：[1]福建师范大学计算机与网络空间安全学院,福州350117 [2]网络安全与教育信息化福建省高校工程研究中心,福州350117 [3]中国热带农业科学院热带生物技术研究所,海口571101 [4]昌都市经济和信息化局,昌都854000

出　　处：《信息网络安全》2024年第10期1578-1585,共8页Netinfo Security

基　　金：国家自然科学基金海峡联合基金[U1905211];福建省高校产学研重点项目[2024H6008]。

摘　　要：联邦学习由于其分布式特性,容易遭受模型投毒攻击,即恶意客户端通过发送篡改的模型更新来破坏全局模型的准确性。在众多的联邦学习分支方法中,半异步联邦学习由于其对实时性要求较低,使得它在面对投毒攻击时显得尤为脆弱。目前,检测恶意客户端的主要手段是通过分析客户端更新的统计特征来进行区分。然而,这一方法并不适用于半异步联邦学习。由于陈旧更新中包含由延迟产生的噪声,导致现有的检测算法难以区分良性客户端的陈旧更新与攻击者的恶意更新。为了解决半异步联邦学习中的恶意客户端检测问题,文章提出了一种基于预测模型更新的检测方法SAFLD。该方法根据模型的历史更新来预测客户端的过时更新并评估恶意分数,在检测中分数较高的客户端将被标记为恶意更新客户端并移除。文章在两个基准数据集上进行了实验,结果表明,相比于现有的检测算法,SAFLD能够在半异步联邦学习场景中更加准确地检测出多种最先进的模型投毒攻击。Due to its distributed nature,federated learning(FL)is vulnerable to model poisoning attacks,where malicious clients can compromise the accuracy of the global model by sending tampered model updates.Among various FL branches,semi-asynchronous FL,with its lower real-time requirements,is particularly susceptible to such attacks.Currently,the primary means of detecting malicious clients involves analyzing the statistical characteristics of client updates,yet this approach is inadequate for semi-asynchronous FL.The noise introduced by delays in stale updates renders existing detection algorithms unable to distinguish between benign stale updates from clients and malicious updates from attackers.To address the issue of malicious client detection in semi-asynchronous FL,this paper proposed a detection method called SAFLD based on predicting model updates.By leveraging the historical updates of the model,SAFLD predicted stale updates from clients and assesses a maliciousness score,with higher-scoring clients being flagged as malicious and removed.Experimental validation on two benchmark datasets demonstrates that,compared to existing detection algorithms,SAFLD can more accurately detect various state-of-the-art model poisoning attacks in the context of semi-asynchronous FL.

关 键 词：半异步联邦学习 投毒攻击 L-BFGS 恶意客户端检测 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]