Persistent Backdoor Attack for Federated Learning Based on Trigger Differential Optimization


Authors: 蒋雨霏 JIANG Yufei; 田育龙 TIAN Yulong; 赵彦超 ZHAO Yanchao [1] (School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)

Affiliation: [1] School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China

Source: Computer Science (《计算机科学》), 2025, No. 4, pp. 343-351 (9 pages)

Funding: National Natural Science Foundation of China (62172215); National Natural Science Foundation of China A3 International Program (62061146002).

Abstract: The distributed nature of federated learning allows each client to train the model while keeping its data independent, but it also allows an attacker to control or mimic some clients and launch a backdoor attack, manipulating the model's output by implanting a carefully designed fixed trigger. The effectiveness and persistence of the trigger are the key criteria for measuring an attack: effectiveness is the attack success rate, and persistence is the ability to maintain a high attack success rate after the attack stops. Research on effectiveness is already relatively mature, but maintaining the persistence of the trigger remains a challenging problem. To extend trigger persistence, this paper proposes a backdoor attack method based on dynamically optimized triggers. First, the trigger is optimized in step with the dynamic updates of federated learning, minimizing the difference between the latent representations of the trigger features in the model at attack time and in the model after the attack, so that the global model is trained to retain its memory of the trigger features. Second, redundant neurons are used as an indicator of whether the backdoor has been successfully implanted, and noise is added adaptively to enhance the effectiveness of the attack. Extensive experiments on the MNIST, CIFAR-10 and CIFAR-100 datasets show that the proposed scheme effectively extends trigger persistence in a federated learning environment. Under five representative defense systems the attack success rate exceeds 98%, and in particular, more than 600 rounds after the attack on CIFAR-10 has stopped, the attack success rate still exceeds 90%.

Keywords: federated learning; backdoor attack; dynamic trigger; attack persistence; model security

Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]

 
