《计算机应用》 (Journal of Computer Applications) ›› 2024, Vol. 44 ›› Issue (1): 223-232. DOI: 10.11772/j.issn.1001-9081.2023010088

• Cyberspace Security •

Deep shadow defense scheme of federated learning based on generative adversarial network

Hui ZHOU 1,2, Yuling CHEN 1,2, Xuewei WANG 3, Yangwen ZHANG 1,2, Jianjiang HE 1,2

  1. State Key Laboratory of Public Big Data (Guizhou University), Guiyang 550025, China
    2. College of Computer Science and Technology, Guizhou University, Guiyang 550025, China
    3. College of Computer Science, Weifang University of Science and Technology, Shouguang, Shandong 262700, China
  • Received: 2023-02-06; Revised: 2023-05-15; Accepted: 2023-05-16; Online: 2023-06-06; Published: 2024-01-10
  • Corresponding author: Yuling CHEN
  • About the authors: ZHOU Hui (born 1999), male, from Hengyang, Hunan; M.S. candidate; CCF member. Research interests: federated learning, artificial intelligence security.
    WANG Xuewei (born 1973), male, from Qingzhou, Shandong; Ph.D., professor. Research interests: image processing, object detection.
    ZHANG Yangwen (born 2000), male, from Longyan, Fujian; M.S. candidate. Research interests: machine learning, data mining, image steganography, image steganalysis.
    HE Jianjiang (born 1997), male (Hui ethnicity), from Liupanshui, Guizhou; M.S. candidate. Research interests: blockchain, smart contracts, elliptic curve cryptography.
    Corresponding author: CHEN Yuling (born 1983), female, from Shouguang, Shandong; Ph.D., professor. Research interests: federated learning, cryptography, blockchain.
  • Supported by:
    National Natural Science Foundation of China (62202118); Science and Technology Top Talent Project for Natural Science Research of Guizhou Provincial Education Department (Qianjiaoji [2022] No. 073)

Deep shadow defense scheme of federated learning based on generative adversarial network

Hui ZHOU 1,2, Yuling CHEN 1,2, Xuewei WANG 3, Yangwen ZHANG 1,2, Jianjiang HE 1,2

  1. State Key Laboratory of Public Big Data (Guizhou University), Guiyang Guizhou 550025, China
    2. School of Computer Science and Technology, Guizhou University, Guiyang Guizhou 550025, China
    3. Computer College, Weifang University of Science and Technology, Shouguang Shandong 262700, China
  • Received:2023-02-06 Revised:2023-05-15 Accepted:2023-05-16 Online:2023-06-06 Published:2024-01-10
  • Contact: Yuling CHEN
  • About author:ZHOU Hui, born in 1999, M. S. candidate. His research interests include federated learning, artificial intelligence security.
    WANG Xuewei, born in 1973, Ph. D., professor. His research interests include image processing, object detection.
    ZHANG Yangwen, born in 2000, M. S. candidate. His research interests include machine learning, data mining, image steganography, image steganalysis.
    HE Jianjiang, born in 1997, M. S. candidate. His research interests include blockchain, smart contracts, elliptic curve ciphers.
  • Supported by:
    National Natural Science Foundation of China(62202118);Science and Technology Top Talent Project for Natural Science Research of Guizhou Provincial Education Department(Qianjiaoji[2022]073)

Abstract (Chinese version):

Federated Learning (FL) lets users share and exchange data among multiple parties without uploading the raw data directly, which effectively reduces the risk of privacy leakage. However, existing research shows that an adversary can still reconstruct the original data from the shared gradient information. To further protect the privacy of federated learning, a deep shadow defense scheme for federated learning based on Generative Adversarial Network (GAN) is proposed. First, the distribution features of the original real data are learned with a GAN, and substitutable shadow data are generated; then, a shadow model trained on the shadow data replaces the original model, so that the adversary cannot directly obtain the original model trained on the real data; finally, the shadow gradient produced by the shadow data in the shadow model replaces the real gradient, so that the adversary cannot obtain the real gradient. Experiments were conducted on the CIFAR10 and CIFAR100 datasets. Compared with five defense schemes, namely adding noise, gradient clipping, gradient compression, representation perturbation, and local regularization and sparsification, on CIFAR10 the Mean Square Error (MSE) of the proposed scheme is 1.18 to 5.34 times that of the comparison schemes, the Feature Mean Square Error (FMSE) is 4.46 to 1.03×10^7 times, and the Peak Signal-to-Noise Ratio (PSNR) is 49.9% to 90.8% of that of the comparison schemes; on CIFAR100 the MSE is 1.04 to 1.06 times that of the comparison schemes, the FMSE is 5.93 to 4.24×10^3 times, and the PSNR is 96.0% to 97.6%. Compared with the deep shadow defense method, the proposed scheme takes into account the adversary's actual attack capability and the problems in shadow model training, designs a threat model and a shadow model generation algorithm, performs better in both theoretical analysis and experiments, and can effectively reduce the risk of privacy leakage in federated learning while maintaining accuracy.

Key words (Chinese version): federated learning, generative adversarial network, gradient inversion, privacy protection, defense scheme

Abstract:

Federated Learning (FL) allows users to share and exchange data among multiple parties without directly uploading the original data, effectively reducing the risk of privacy leaks. However, existing research suggests that an adversary can still reconstruct raw data from shared gradient information. To further protect the privacy of federated learning, a deep shadow defense scheme of federated learning based on Generative Adversarial Network (GAN) was proposed. First, the distribution features of the original real data were learned by a GAN and replaceable shadow data were generated. Then, the original model trained on real data was replaced by a shadow model trained on the shadow data, so that the original model was not directly accessible to the adversary. Finally, the real gradient was replaced by the shadow gradient that the shadow data produce in the shadow model, so that the real gradient was not accessible to the adversary. Experiments were conducted on the CIFAR10 and CIFAR100 datasets to compare the proposed scheme with five defense schemes: adding noise, gradient clipping, gradient compression, representation perturbation, and local regularization and sparsification. On CIFAR10, the Mean Square Error (MSE) and the Feature Mean Square Error (FMSE) of the proposed scheme were 1.18-5.34 and 4.46-1.03×10^7 times those of the comparison schemes, and its Peak Signal-to-Noise Ratio (PSNR) was 49.9%-90.8% of theirs. On CIFAR100, the MSE and the FMSE of the proposed scheme were 1.04-1.06 and 5.93-4.24×10^3 times those of the comparison schemes, and its PSNR was 96.0%-97.6% of theirs. Compared with the deep shadow defense method, the proposed scheme takes into account the actual attack capability of the adversary and the problems in shadow model training, and designs a threat model and a shadow model generation algorithm. It performs better than the comparison schemes in both theoretical analysis and experimental results, and it can effectively reduce the risk of federated learning privacy leaks while ensuring accuracy.

Key words: Federated Learning (FL), Generative Adversarial Network (GAN), gradient inversion, privacy protection, defense scheme
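The three steps of the abstract (shadow data, shadow model, shadow gradient) as an added toy example, not the paper's code: for a linear model the single-sample gradient reveals the input directly, which is the kind of leak the scheme blocks, and sharing the shadow gradient instead hands the server only a synthetic record while the shadow model keeps the task accuracy. Assumptions: the GAN is replaced by a Gaussian fitted to the client's inputs, the client data are constructed, and all function names are my own.

```python
import numpy as np

def grad_linear(w, b, x, y):
    """Per-sample gradient of 0.5 * (w.x + b - y)^2 with respect to (w, b)."""
    r = float(w @ x + b - y)
    return r * x, r

def invert_gradient(gw, gb):
    """Single-sample gradient of a linear (or first fully connected) layer:
    grad_w = r * x and grad_b = r, so the input is simply grad_w / grad_b."""
    return None if abs(gb) < 1e-12 else gw / gb

def train_linear(X, y, steps=500, lr=0.02):
    """Plain full-batch gradient descent; fits both the original and the shadow model."""
    w, b = np.zeros(X.shape[1]), 0.0
    for _ in range(steps):
        r = X @ w + b - y
        w -= lr * (X.T @ r) / len(y)
        b -= lr * r.mean()
    return w, b

def make_shadow_data(X, y, n, rng):
    """Stand-in for the paper's GAN (assumption): fit a Gaussian to the client's inputs
    and draw fresh records from it; labels come from a model fitted on the real data."""
    mu, cov = X.mean(axis=0), np.cov(X, rowvar=False) + 1e-6 * np.eye(X.shape[1])
    Xs = rng.multivariate_normal(mu, cov, size=n)
    w_fit, b_fit = train_linear(X, y)
    return Xs, Xs @ w_fit + b_fit + 0.1 * rng.normal(size=n)

def client_data(rng, n, d, w_true):
    """Constructed client data: anisotropic, shifted Gaussian inputs, noisy linear labels."""
    X = rng.normal(size=(n, d)) * np.linspace(0.5, 2.0, d) + 0.5
    return X, X @ w_true + 0.1 * rng.normal(size=n)

def run_demo(seed=0, d=8, n=64):
    rng = np.random.default_rng(seed)
    w_true = rng.normal(size=d)
    X, y = client_data(rng, n, d, w_true)
    Xt, yt = client_data(rng, n, d, w_true)      # held-out data for the accuracy check
    w, b = train_linear(X, y)                     # original model, trained on real data
    leaked = invert_gradient(*grad_linear(w, b, X[0], y[0]))          # undefended: real gradient
    Xs, ys = make_shadow_data(X, y, n, rng)       # step 1: shadow data
    ws, bs = train_linear(Xs, ys)                 # step 2: shadow model
    recovered = invert_gradient(*grad_linear(ws, bs, Xs[0], ys[0]))   # step 3: shadow gradient
    mse = lambda a, c: float(np.mean((a - c) ** 2))
    # mse_undefended ~ 0 (the real record leaks); mse_shadow is large (only a synthetic record
    # leaks); the two test errors stay close, i.e. the shadow model keeps the task accuracy.
    return {"mse_undefended": mse(leaked, X[0]), "mse_shadow": mse(recovered, X[0]),
            "test_mse_original": mse(Xt @ w + b, yt), "test_mse_shadow": mse(Xt @ ws + bs, yt)}
```

The numbers are for a linear model and a Gaussian stand-in; the paper's measurements are for CNNs on CIFAR with a GAN, so only the qualitative picture carries over.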

CLC number: