
A Robust Aggregated Algorithm against a Large Group Backdoor Clients in Federated Learning System

Cited by: 6
Abstract: With the explosion of data and growing concerns about privacy among businesses and individuals, traditional centralized machine learning can no longer satisfy existing needs. Federated learning (FL) is a burgeoning distributed machine learning framework in which multiple diverse clients collaboratively train a global model without sharing their private data, so as to solve the data silo and privacy problems. However, existing studies have demonstrated that FL is extremely vulnerable to all kinds of attacks because of its inherently distributed and privacy-preserving characteristics. The backdoor attack is one of the most prominent attacks on FL systems. To defend against backdoor attacks in FL systems, a large number of robust aggregation algorithms have been proposed. Nevertheless, these robust aggregation algorithms are restricted by strong assumptions, such as limits on the number of malicious clients and on the data distribution across the diverse clients. Our study shows that the existing robust aggregation algorithms fail completely under a large group of malicious backdoor clients or in non-independently identically distributed (Non-IID) scenarios. To address this problem, we propose a robust aggregation algorithm called Poly, which contains two crucial components: one component uses a similarity matrix and a clustering algorithm to handle the gradients of all clients; the other component selects, based on the cosine similarity metric, the optimal clusters containing benign clients to aggregate the global model. Poly can completely remove all malicious backdoor clients in the aggregation process, thereby preventing the backdoor from being inserted into the global model. To test the effectiveness of Poly in defending against backdoor attacks, we use the MNIST, Fashion-MNIST, CIFAR-10 and Reddit datasets to conduct a series of experiments under both data-imbalance and class-imbalance Non-IID scenarios, as well as the independently identically distributed scenario. In addition, we consider a scenario with a large group of malicious backdoor clients, in which the proportion of malicious backdoor clients ranges from 50% to 90% in steps of 10%, as well as a scenario where the number of malicious backdoor clients is smaller than that of benign clients. Our experimental results indicate that Poly outperforms the existing robust aggregation algorithms and effectively defends against backdoor attacks, with an attack success rate of only about 1% (even 0% in some scenarios) under the tested scenarios, including the data-imbalance and class-imbalance Non-IID scenarios and the scenario with a large group of malicious backdoor clients. Beyond that, Poly also achieves satisfying primary task accuracy, which indicates that it does not affect performance on the primary task that we care about while defending against the backdoor attack. By contrast, the existing robust aggregation algorithms can hardly defend against the backdoor attack under Non-IID scenarios and a large group of malicious backdoor clients, yielding an attack success rate of nearly 100%.
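Authors: WANG Yong-Kang (王永康); ZHAI Di-Hua (翟弟华); XIA Yuan-Qing (夏元清) (School of Automation, Beijing Institute of Technology, Beijing 100081; Yangtze Delta Region Academy of Beijing Institute of Technology, Jiaxing, Zhejiang 314001)

Source: Chinese Journal of Computers (《计算机学报》), indexed in EI, CAS, CSCD and the Peking University Core Journals list; 2023, Issue 6, pp. 1302-1314 (13 pages)

Funding: Research on High-Performance Multi-Constraint Control Theory and Key Technologies for Cloud-Empowered Robots (62173035); supported by the Xiaomi Young Scholars Program.

Keywords: federated learning; backdoor attacks; robust; clustering; heterogeneous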