基于分布式对比学习的遥感场景分类模型后门防御  

作　　者：陈玮彤 任娜[3,4,5] 朱长青 杨弈航[1,2] 张佳乐 CHEN Weitong;REN Na;ZHU Changqing;YANG Yihang;ZHANG Jiale(School of Information Engineering,Yangzhou University,Yangzhou 225009,China;Jiangsu Province Engineering Research Center of Knowledge Management and Intelligent Service,Yangzhou 225127,China;Key Laboratory of Virtual Geographic Environment(Nanjing Normal University),Ministry of Education,Nanjing 210023,China;State Key Laboratory Cultivation Base of Geographical Environment Evolution(Jiangsu Province),Nanjing 210023,China;Jiangsu Center for Collaborative Innovation in Geographical Information Resource Development and Application,Nanjing 210023,China)

机构地区：[1]扬州大学信息工程学院,扬州225127 [2]江苏省知识管理与智能服务工程研究中心,扬州225127 [3]虚拟地理环境教育部重点实验室(南京师范大学),南京210023 [4]江苏省地理环境演化国家重点实验室培育建设点,南京210023 [5]江苏省地理信息资源开发与利用协同创新中心,南京210023

出　　处：《地球信息科学学报》2025年第2期411-423,共13页Journal of Geo-information Science

基　　金：国家自然科学基金项目(42201444、42471440、62206238)。

摘　　要：【目的】高性能遥感场景分类模型的训练需要搜集海量遥感数据样本,不同来源的数据安全性难以管控。为了应对数据集可能被投毒的安全挑战,同时顾及遥感数据集的大规模与大模型复杂计算对分布式训练的需求,本文提出了一种基于分布式对比学习的遥感场景分类模型后门防御方法。【方法】通过将遥感数据集划分至不同的工作节点执行分布式训练,各节点将训练的模型参数,包括特征提取器与预测器的权重,上传至服务器进行参数聚合,迭代这一过程直至模型收敛。在工作节点训练阶段,执行两阶段训练:第一阶段通过增强数据集进行对比学习,用于训练干净的特征提取器;第二阶段,在冻结特征提取器的基础上,使用本地数据与标签训练预测器。在服务器参数聚合阶段,通过计算工作节点上传的预测器权重与上一轮聚合权重的差异,判断该节点是否存在有毒数据,进而标记有毒数据并排除该节点的聚合器权重,从而实现安全聚合。【结果】在EuroSAT、NaSC-TG2和PatternNet遥感数据集,以及ResNet-50、VGG16和GoogleNet模型上的实验表明,本文提出的方法将平均后门攻击成功率从99.77%显著降低至1.36%,有效抑制了BadNets、Blended、SIG、Trojan和WaNet五种后门攻击。【结论】为遥感场景分类模型训练过程中的后门防御提供有效的理论与方法支撑。[Objectives]Training a high-performance remote sensing scene classification model requires a massive amount of remote sensing data samples.However,it is usually challenging to ensure the security of data samples collected from different sources,due the risk of dataset poisoning.Furthermore,remote sensing datasets are often enormous,and there is a growing demand for large remote sensing models that require massive parameters and significant computational resources.As a result,distributed learning is developed for efficient model training.[Methods]On these grounds,this study proposes a backdoor defense method for remote sensing scene classification models through distributed contrastive learning.The remote sensing dataset is partitioned across different worker nodes for distributed training.Each node uploads its trained model parameters,including the weights of the feature extractor and predictor,to a server for parameter aggregation.This iterative process of node training and server aggregation continues until the model converges.During the training phase on worker nodes,a two-stage training process is executed.In the first stage,contrastive learning is performed on two augmented version of local dataset to train two feature extractors.One feature extractor participates in the global aggregation and updates,while the other only updates locally,ensuring that it remains unaffected by any backdoors that may be introduced during global model aggregation.In the second stage,the feature extractor is frozen,and the predictor is trained using local dataset and labels.Considering that,when model training stabilizes,the gradient update directions of aggregator weights show significant differences between nodes using a poisoned dataset and those using a clean dataset.Based on this observation,a server-side secure aggregation method is designed.During the server parameter aggregation phase,the server calculates the similarity between the predictor weights uploaded by each worker node and the aggregated weights from the previo

关 键 词：遥感场景分类模型 后门防御 数据投毒 分布式训练 对比学习 遥感数据集 安全聚合 

分 类 号：TP751[自动化与计算机技术—检测技术与自动化装置] TP309[自动化与计算机技术—控制科学与工程]