Journal of Computer Applications ›› 2023, Vol. 43 ›› Issue (12): 3790-3798. DOI: 10.11772/j.issn.1001-9081.2022121831
Qian CHEN, Zheng CHAI, Zilong WANG, Jiawei CHEN
Received:
2022-12-13
Revised:
2023-05-09
Accepted:
2023-05-10
Online:
2023-05-25
Published:
2023-12-10
Contact:
Zilong WANG
About author:
CHEN Qian, born in 1993, Ph.D. candidate. His research interests include privacy preservation, machine learning, and federated learning.
Abstract:
Federated Learning (FL) is an emerging privacy-preserving Machine Learning (ML) paradigm. However, its distributed training structure is more vulnerable to poisoning attacks: an attacker pollutes the global model by uploading poisoned models to the central server, slowing the convergence of the global model and reducing its accuracy. To address this problem, a poisoning attack detection scheme based on Generative Adversarial Network (GAN) was proposed. First, benign local models were fed into a GAN to produce detection samples; second, the generated detection samples were used to examine the local models uploaded by clients; finally, poisoned models were removed according to the detection metrics. The scheme defines two detection metrics, F1-score loss and accuracy loss, to identify poisoned models, extending the detection scope from a single type of poisoning attack to both types; a threshold determination method was also designed to handle misjudgment, ensuring robustness against false positives. Experimental results on the MNIST and Fashion-MNIST datasets show that the proposed scheme generates high-quality detection samples and effectively detects and removes poisoned models. Compared with two existing detection schemes, one that collects test data and one that generates test data but uses accuracy as the only detection metric, the proposed scheme improves global model accuracy by 2.7 to 12.2 percentage points.
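The detection step described above can be sketched in a few lines. This is a minimal, hypothetical illustration, not the paper's implementation: the GAN is abstracted away (the generated detection samples are taken as given), local models are plain callables returning predicted labels, and the threshold values are placeholders. A local model is kept only if both its accuracy loss and its F1-score loss relative to a benign reference stay below the thresholds.

```python
def accuracy(model, samples, labels):
    """Fraction of detection samples the model labels correctly."""
    preds = [model(x) for x in samples]
    return sum(p == y for p, y in zip(preds, labels)) / len(labels)

def f1_score(model, samples, labels, positive):
    """Binary F1 for the given positive class on the detection samples."""
    preds = [model(x) for x in samples]
    tp = sum(p == positive and y == positive for p, y in zip(preds, labels))
    fp = sum(p == positive and y != positive for p, y in zip(preds, labels))
    fn = sum(p != positive and y == positive for p, y in zip(preds, labels))
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)

def detect_poisoned(local_models, reference, samples, labels, positive,
                    acc_threshold, f1_threshold):
    """Keep a local model only if both its accuracy loss and F1-score loss
    relative to the benign reference model stay below the thresholds."""
    ref_acc = accuracy(reference, samples, labels)
    ref_f1 = f1_score(reference, samples, labels, positive)
    benign = []
    for m in local_models:
        acc_loss = ref_acc - accuracy(m, samples, labels)
        f1_loss = ref_f1 - f1_score(m, samples, labels, positive)
        if acc_loss < acc_threshold and f1_loss < f1_threshold:
            benign.append(m)
    return benign
```

Using both metrics is what widens coverage: a targeted attack can leave overall accuracy almost intact while destroying per-class F1, whereas a random attack degrades accuracy directly.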
Qian CHEN, Zheng CHAI, Zilong WANG, Jiawei CHEN. Poisoning attack detection scheme based on generative adversarial network for federated learning[J]. Journal of Computer Applications, 2023, 43(12): 3790-3798.
| Scheme | Loss (random attack) | Loss (targeted attack) | Accuracy/% (random attack) | Accuracy/% (targeted attack) | AUC (random attack) | AUC (targeted attack) |
| --- | --- | --- | --- | --- | --- | --- |
| No attack | 0.0586 | 0.0586 | 98.2 | 98.2 | 0.9590 | 0.9590 |
| No defense | 0.6541 | 0.1121 | 74.3 | 94.6 | 0.8916 | 0.9466 |
| Proposed scheme | 0.0625 | 0.0609 | 97.4 | 98.0 | 0.9499 | 0.9547 |

Tab. 1 Global model performance of different schemes on MNIST dataset
| Scheme | Loss (random attack) | Loss (targeted attack) | Accuracy/% (random attack) | Accuracy/% (targeted attack) |
| --- | --- | --- | --- | --- |
| No attack | 0.2968 | 0.2968 | 90.3 | 90.3 |
| No defense | 2.0298 | 0.4110 | 52.1 | 84.9 |
| Proposed scheme | 0.3768 | 0.3176 | 87.7 | 89.4 |
| Collected detection data scheme[ | 0.7362 | 0.4120 | 75.5 | 84.9 |
| Accuracy-only scheme[ | 0.5492 | 0.3881 | 82.7 | 86.7 |

Tab. 2 Global model performance of different schemes on Fashion-MNIST dataset
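The global model in the tables above is produced by aggregating only the local models that survive detection. The page does not spell out the aggregator, but FL systems in this line of work typically use FedAvg-style weighted averaging [3]; as a hypothetical sketch, with client weight vectors as plain float lists and weights proportional to local dataset size:

```python
def fedavg(local_weights, sizes):
    """Weighted average of surviving clients' weight vectors,
    weighted by each client's local dataset size."""
    total = sum(sizes)
    dim = len(local_weights[0])
    return [sum(w[i] * n for w, n in zip(local_weights, sizes)) / total
            for i in range(dim)]
```

Because poisoned updates are removed before this step, a single malicious client can no longer drag the average away from the benign optimum, which is why the proposed scheme's loss and accuracy stay close to the no-attack baseline.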
References:
[1] JORDAN M I, MITCHELL T M. Machine learning: trends, perspectives, and prospects[J]. Science, 2015, 349(6245): 255-260. DOI: 10.1126/science.aaa8415
[2] VOIGT P, VON DEM BUSSCHE A. The EU General Data Protection Regulation (GDPR)[S]. Cham: Springer, 2017. DOI: 10.1007/978-3-319-57959-7
[3] MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data[C]// Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. Brookline: Microtome Publishing, 2017: 1273-1282.
[4] XU J, GLICKSBERG B S, SU C, et al. Federated learning for healthcare informatics[J]. Journal of Healthcare Informatics Research, 2021, 5(1): 1-19. DOI: 10.1007/s41666-020-00082-4
[5] CHEN Q, WANG Z L, LIN X D. PPT: a privacy-preserving global model training protocol for federated learning in P2P networks[J]. Computers & Security, 2023, 124: 102966. DOI: 10.1016/j.cose.2022.102966
[6] TIAN Z, CUI L, LIANG J, et al. A comprehensive survey on poisoning attacks and countermeasures in machine learning[J]. ACM Computing Surveys, 2022, 55(8): 1-35. DOI: 10.1145/3551636
[7] KAIROUZ P, MCMAHAN H B, AVENT B, et al. Advances and open problems in federated learning[J]. Foundations and Trends in Machine Learning, 2021, 14(1/2): 1-210. DOI: 10.1561/2200000083
[8] TOLPEGIN V, TRUEX S, GURSOY M E, et al. Data poisoning attacks against federated learning systems[C]// Proceedings of the 25th European Symposium on Research in Computer Security. Cham: Springer, 2020: 480-501. DOI: 10.1007/978-3-030-58951-6_24
[9] FANG M H, CAO X Y, JIA J Y, et al. Local model poisoning attacks to Byzantine-robust federated learning[C]// Proceedings of the 29th USENIX Security Symposium. Berkeley: USENIX Association, 2020: 1605-1622.
[10] TAHMASEBIAN F, XIONG L, SOTOODEH M, et al. Crowdsourcing under data poisoning attacks: a comparative study[C]// Proceedings of the 2020 IFIP Annual Conference on Data and Applications Security and Privacy. Cham: Springer, 2020: 310-332. DOI: 10.1007/978-3-030-49669-2_18
[11] YIN D, CHEN Y, KANNAN R, et al. Byzantine-robust distributed learning: towards optimal statistical rates[C]// Proceedings of the 35th International Conference on Machine Learning. San Diego: JMLR, 2018: 5650-5659.
[12] BLANCHARD P, EL MHAMDI E M, GUERRAOUI R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. La Jolla: NIPS, 2017: 118-128.
[13] MUÑOZ-GONZÁLEZ L, CO K T, LUPU E C. Byzantine-robust federated machine learning through adaptive model averaging[EB/OL]. (2019-09-11) [2022-04-25].
[14] CHEN W Z, ZHANG E, QIN L Y, et al. Privacy-preserving federated learning algorithm based on blockchain in edge computing[J]. Journal of Computer Applications, 2023, 43(7): 2209-2216.
[15] JAGIELSKI M, OPREA A, BIGGIO B, et al. Manipulating machine learning: poisoning attacks and countermeasures for regression learning[C]// Proceedings of the 39th IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2018: 19-35. DOI: 10.1109/sp.2018.00057
[16] ZHAO Y, CHEN J, ZHANG J, et al. Detecting and mitigating poisoning attacks in federated learning using generative adversarial networks[J]. Concurrency and Computation: Practice and Experience, 2020, 34(7): e5906. DOI: 10.1002/cpe.5906
[17] FENG J, XU H, MANNOR S, et al. Robust logistic regression and classification[C]// Proceedings of the 27th International Conference on Neural Information Processing Systems. La Jolla: NIPS, 2014: 253-261.
[18] GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative adversarial nets[J]. Communications of the ACM, 2020, 63(11): 139-144. DOI: 10.1145/3422622
[19] BHAGOJI A N, CHAKRABORTY S, MITTAL P, et al. Analyzing federated learning through an adversarial lens[C]// Proceedings of the 36th International Conference on Machine Learning. San Diego: JMLR, 2019: 634-643.
[20] SHEJWALKAR V, HOUMANSADR A. Manipulating the Byzantine: optimizing model poisoning attacks and defenses for federated learning[C]// Proceedings of the 28th Annual Network and Distributed System Security Symposium. Reston: Internet Society, 2021: 1-19. DOI: 10.14722/ndss.2021.24498
[21] ALKHUNAIZI N, KAMZOLOV D, TAKÁČ M, et al. Suppressing poisoning attacks on federated learning for medical imaging[C]// Proceedings of the 2022 International Conference on Medical Image Computing and Computer-Assisted Intervention, LNCS 13438. Cham: Springer, 2022: 673-683.
[22] SUN J, LI A, DIVALENTIN L, et al. FL-WBC: enhancing robustness against model poisoning attacks in federated learning from a client perspective[C]// Advances in Neural Information Processing Systems 34. La Jolla: NIPS, 2021: 12613-12624.
[23] NGUYEN T D, RIEGER P, MIETTINEN M, et al. Poisoning attacks on federated learning-based IoT intrusion detection system[C]// Proceedings of the 2020 Decentralized IoT Systems and Security Workshop. Washington: Internet Society, 2020: 1-7. DOI: 10.14722/diss.2020.23003
[24] GUERRAOUI R, ROUAULT S. The hidden vulnerability of distributed learning in Byzantium[C]// Proceedings of the 35th International Conference on Machine Learning. San Diego: JMLR, 2018: 3521-3530.
[25] STEINHARDT J, KOH P W, LIANG P. Certified defenses for data poisoning attacks[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. La Jolla: NIPS, 2017: 3520-3532.
[26] LEDIG C, THEIS L, HUSZÁR F, et al. Photo-realistic single image super-resolution using a generative adversarial network[C]// Proceedings of the 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2017: 4681-4690. DOI: 10.1109/cvpr.2017.19
[27] CHEN Z, ZHU T, XIONG P, et al. Privacy preservation for image data: a GAN-based method[J]. International Journal of Intelligent Systems, 2021, 36(4): 1668-1685. DOI: 10.1002/int.22356
[28] WANG Z, SONG M, ZHANG Z, et al. Beyond inferring class representatives: user-level privacy leakage from federated learning[C]// Proceedings of the 2019 IEEE Conference on Computer Communications. Piscataway: IEEE, 2019: 2512-2520. DOI: 10.1109/infocom.2019.8737416
[29] TRUEX S, BARACALDO N, ANWAR A, et al. A hybrid approach to privacy-preserving federated learning[C]// Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security. New York: ACM, 2019: 1-11. DOI: 10.1145/3338501.3357370
[30] TOLPEGIN V, TRUEX S, GURSOY M E, et al. Data poisoning attacks against federated learning systems[C]// Proceedings of the 2020 European Symposium on Research in Computer Security, LNCS 12308. Cham: Springer, 2020: 480-501.
[31] LeCUN Y, BOTTOU L, BENGIO Y, et al. Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324. DOI: 10.1109/5.726791
[32] XIAO H, RASUL K, VOLLGRAF R. Fashion-MNIST: a novel image dataset for benchmarking machine learning algorithms[EB/OL]. [2022-10-28].