关键词: 联邦学习, 投毒攻击, 异常检测, 四分位距法, 聚类评估

Abstract: Abstract: In order to solve the problem of serious performance loss of global model when there are different numbers and more malicious clients in federated learning, especially in the scenario of Non-Independent and Identically Distributed (Non-IID) distributed data, a federated learning poisoning attack defense algorithm FedCE based on clustering evaluation is proposed. Firstly, the cosine distance and Manhattan distance are used to eliminate the cluster with the smallest sum of mixed distances, and the client information is retained to the greatest extent. Then, the historical aggregation information is evaluated and screened by combining the aggregation parameters of the last round of global model and the aggregation clients to select the optimal clustering results. Finally, the proportion of abnormal gradients of each client is calculated by the Interquartile Range (IQR) method, and the aggregation weight is dynamically adjusted to improve the robustness of the global model. The experimental results show that when the data is Non-Independent and Identically Distributed (Non-IID) and the proportion of malicious clients is high, compared with the LASA algorithm, the model accuracy of FedCE for MinMax, Mimic, LabelFlipping and Neurotoxin on the MNIST dataset is improved by 1.64,0.67,0.03 and 0.54 percentage points respectively, and the model accuracy on the CIFAR10 dataset is improved by 1.28,9.45,1.46 and 4.67 percentage points respectively. Under the independent identically distributed and non-independent identically distributed data partition of the two data sets, in the face of different proportions of malicious clients and types of poisoning attacks, the model accuracy of FedCE has obvious advantages over the five mainstream defense algorithms.

Key words: federated learning, poisoning attack, anomaly detection, interquartile range, cluster evaluation