CN118316699B - Malicious client detection method, device, electronic device and storage medium for encrypted federated learning - Google Patents
Publication number: CN118316699B (application CN202410493166.5A)
Authority: CN (China)
Prior art keywords: gradient, client, target, gradients, clients
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
- G06N3/0464: Convolutional networks [CNN, ConvNet] (under G06N3/04, neural network architecture)
- G06N3/084: Backpropagation, e.g. using gradient descent (under G06N3/08, learning methods)
- G06N3/098: Distributed learning, e.g. federated learning (under G06N3/08, learning methods)
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441, countermeasures against malicious traffic)
Abstract
The present invention belongs to the technical field of artificial intelligence and specifically relates to a malicious client detection method and device for encrypted federated learning. The method comprises: computing the clipping threshold of the current iteration round from the client gradients of historical iteration rounds, and adaptively clipping the gradients of all clients according to that threshold to obtain intermediate gradients; adding Gaussian noise to the intermediate gradients to obtain target gradients and uploading them to the server; attaching an index to every element of each target gradient and using a linear regression algorithm to compute the residual of every element, from which the confidence of every element is computed, so that benign gradients can be screened out from all target gradients according to the confidence; aggregating the benign gradients and broadcasting the resulting global gradient to all clients for gradient update. The present invention solves the technical problem that, while a federated learning system performs local training, potentially malicious clients may exhibit malicious behaviour that affects model training.
Description
Technical Field
The present invention belongs to the technical field of artificial intelligence and, more specifically, relates to a malicious client detection method, device, electronic device and storage medium for encrypted federated learning.
Background Art
With the advent of the information age, machine learning has gradually changed the way people live and work, and has made great progress in speech, image and text recognition, language translation and other areas. At the same time, with the rapid development of artificial intelligence technology, data privacy and security have become major issues worldwide. Faced with the "data island" phenomenon that restricts the development of artificial intelligence, together with data privacy and security concerns, federated learning has emerged as a new type of distributed machine learning technology. It requires no large-scale data transmission or sharing: each data holder takes part in collaborative modelling locally, improving the effectiveness of artificial intelligence models. It is an effective way to solve the above problems and has important research value and practical application significance.
However, in practical applications federated learning also carries security risks. During training, some clients may behave maliciously or dishonestly: they may tamper with their local model parameter updates and try to steer the direction of the global model update, degrading federated learning performance. In the face of such malicious client behaviour, measures that safeguard model security and robustness are needed to ensure the stability and reliability of the federated learning system.
For example, Chinese patent document CN117113413A discloses a blockchain-based robust federated learning privacy protection system. By adding a small amount of extra communication overhead, it achieves privacy protection for gradients that are kept in plaintext on the blockchain; its impact on model performance is theoretically lower than that of differential privacy, and it can extend existing robust aggregation algorithms to defend against attacks from malicious clients. It modifies the three aggregation algorithms Krum, Sim and TD, proposes a new aggregation algorithm SD, and applies these four aggregation methods in the system. The scheme proposed there has dynamically adjustable privacy protection capability, is robust against malicious attacks and, when privacy protection is taken into account, its three modified Byzantine aggregation methods perform better than the originals.
Chinese patent document CN117077806A discloses a differentially private federated learning method based on a blockchain with randomly elected verifiers. The design is as follows: first, the decentralisation of blockchain is used to build a federated learning system based on an identity-authenticated blockchain; second, a random selection mechanism determines the verification leader node, ensuring fairness in block generation by verification nodes, and an anomaly detection mechanism on the verification nodes defends against attacks by malicious nodes to preserve global model accuracy; finally, differential privacy protects the security of the local model, and an incentive mechanism based on each node's contribution to the model encourages nodes to train high-quality models, thereby improving the accuracy of the global model.
The above methods achieve data privacy protection by defending against attacks from malicious clients, but the malicious clients themselves remain in the system. Therefore, detecting and removing potentially malicious clients during the local training of a federated learning system, so as to counter the impact of malicious behaviour, has become one of the problems that urgently need to be solved.
In addition, federated learning introduces a large number of gradient exchanges, which are threatened not only by model users, as in centralised training, but also by attacks from untrusted clients. An attacker can infer specific features or certain statistical properties of a client's local dataset from its gradients, thereby reconstructing the original data and leaking private data. Therefore, in the federated learning setting, effectively protecting the clients' local training gradients against the privacy leakage caused by malicious attacks has become one of the issues of wide concern.
Summary of the invention
The present invention aims to overcome at least one of the above defects of the prior art by providing a malicious client detection method for encrypted federated learning, whose purpose is to detect and remove clients that behave maliciously during federated learning and to ensure the security of the gradient exchange process.
The present invention also provides a device for implementing this malicious client detection method for encrypted federated learning.
The detailed technical scheme of the present invention is as follows:
A malicious client detection method for encrypted federated learning, the method comprising:
S1. Compute the clipping threshold of the current iteration round from the client gradients of historical iteration rounds, and adaptively clip the gradients of all clients participating in federated learning according to that threshold to obtain clipped intermediate gradients;
S2. Introduce a differential privacy mechanism: add Gaussian noise to the clipped intermediate gradients to obtain noise-injected target gradients, and upload the target gradients to the server participating in federated learning;
S3. Attach an index to every element of the target gradient of every client to form a two-dimensional point set; use the Repeated Median linear regression algorithm to compute the residual of every element of the target gradients, compute the confidence of every element from its residual, compute the gradient score of every element from its confidence, and screen out the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient;
S4. Aggregate the selected benign gradients to obtain a global gradient, and broadcast the global gradient to all clients for gradient update.
Preferably, in step S1, the L2 norm of each client gradient in the t rounds of iteration is computed, and the p-th percentile of the historical gradient L2 norms is selected as the clipping threshold of the current iteration round, that is:
In formula (1), C_t denotes the clipping threshold in the t-th iteration, the norm term denotes the L2 norm of the i-th historical client gradient computed in the t-th iteration, and p is the percentile used to select the clipping threshold, with 0≤p≤1.
Preferably, in step S1, the gradients of all clients are clipped according to the clipping threshold of the current iteration round, and the clipped intermediate gradient is:
In formula (2), the defined quantity is the clipped intermediate gradient of the i-th client in the t-th iteration.
Preferably, in step S2, Gaussian noise is added to the clipped intermediate gradient, and the noise-injected target gradient is:
In formula (3), the defined quantity is the noise-injected target gradient of the i-th client in the t-th iteration, and the noise term is Gaussian noise with zero mean and variance σ²C_t², drawn from a Gaussian distribution, where σ² denotes the variance and I is the identity matrix.
Preferably, in step S3, computing the residual of every element of the target gradients with the Repeated Median linear regression algorithm specifically comprises:
generating a linear regression equation y=κ+ξx from the two-dimensional point set;
estimating the slope ξ and intercept κ of the linear regression equation with the Repeated Median linear regression algorithm, that is:
In formulas (4) and (5), the y terms denote the n-th element of the target gradient of the j-th client and of the i-th client respectively, and the x terms denote the indices of the n-th element of the target gradient of the j-th client and of the i-th client respectively, where i,j∈{1,2,…,m} and m is the number of clients;
computing the residual of every element of all clients' target gradients; for the n-th element the residual is:
r_n ← y_n - κ - ξx_n   (6);
In formula (6), r_n denotes the residual of the n-th element of the client's target gradient.
Preferably, in step S3, computing the confidence of every element of the target gradients from the residuals, computing the gradient score of every element from its confidence, and screening out the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient specifically comprises:
normalising the residuals of every element of all clients' target gradients: take the absolute value of the residual of every element of the clients' target gradients and compute its median gradient; for the n-th element this is expressed as:
In formula (7), the defined quantity is the median gradient of the absolute residuals of the n-th element of the clients' target gradients;
scaling the median gradient with a constant γ and the number of clients m; the scaled result is expressed as:
In formula (8), a is an adjustment constant, with a=5;
normalising the residual r_n by dividing it by the scaled result τ_n, that is:
In formula (9), e_n denotes the normalised residual of the n-th element of the client's target gradient;
computing the confidence of every element from the normalised residual of every element of the client's target gradient:
In formula (10), w_n denotes the confidence of the n-th element of the client's target gradient, H_n denotes the projection matrix of the index x_n of the n-th element of the client's target gradient, diag(H_n) denotes the vector formed by the diagonal elements of the projection matrix H_n, Ψ denotes the confidence interval, with Ψ(x)=max(-Z, min(Z, x)), and λ is a hyperparameter;
computing the score of every element of the client's target gradient from its confidence:
In formula (11), the defined quantity is the score of the n-th element of the client's target gradient, and σ(w_n) denotes the standard deviation of the confidence of the n-th element of the client's target gradient;
computing, from the scores of the elements of each client's target gradient, the sum of the scores of all elements of that client's target gradient:
In formula (12), W^(k) denotes the sum of the scores of all elements of the target gradient of the k-th client, and N denotes the number of elements of the target gradient of the k-th client;
screening out the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient.
Preferably, in step S4, the selected benign gradients are aggregated to obtain the global gradient as follows:
In formula (13), the defined quantity is the global gradient obtained in the t-th iteration, m is the number of clients and f is the number of malicious clients;
the global gradient is broadcast to all clients for gradient update, that is:
In formula (14), g_{t+1} denotes the client gradient of the (t+1)-th round and η is the learning rate.
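As an added illustration, not code from the patent, the following pure-Python sketch runs the client-side steps S1 and S2 and the server-side steps S3 and S4 over constructed gradients, using Siegel's repeated median estimator for formulas (4) and (5). Because the page gives formulas (1) to (14) only by number, the concrete forms here are assumptions: nearest-rank percentile for C_t, rescaling to norm C_t for clipping, τ_n = γ(1 + a/(m-1))·median|r_n| with γ = 1.4826 and a = 5, a Huber-type confidence Ψ(u)/u with u = e_n/√(1-diag(H_n)) and an assumed Z = 1.345, a client score equal to the sum of its confidences, and aggregation as the mean of the m-f highest-scoring target gradients.

```python
import math
import random
from statistics import median

# Assumed constants: the page names gamma, a=5 and Z but gives no value for
# Z and no explicit form for eq. (8); these follow the usual robust-regression
# convention (MAD-to-sigma factor, Huber clipping point).
GAMMA = 1.4826
A = 5
Z = 1.345


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clipping_threshold(history_norms, p):
    """Eq. (1), assumed nearest-rank: p-th percentile of historical L2 norms (non-empty)."""
    s = sorted(history_norms)
    k = min(len(s) - 1, max(0, math.ceil(p * len(s)) - 1))
    return s[k]


def clip_gradient(grad, c_t):
    """Eq. (2), assumed to be standard norm clipping: rescale to norm c_t if larger."""
    norm = l2_norm(grad)
    if norm <= c_t:
        return list(grad)
    return [x * c_t / norm for x in grad]


def client_target_gradient(grad, history_norms, p, sigma, rng=None):
    """Steps S1-S2 on the client: adaptive clip, then add N(0, sigma^2 C_t^2 I).

    The noise source defaults to the OS CSPRNG; a seeded generator would let an
    observer strip the differential-privacy noise again."""
    rng = rng or random.SystemRandom()
    c_t = clipping_threshold(history_norms, p)
    return [x + rng.gauss(0.0, sigma * c_t) for x in clip_gradient(grad, c_t)]


def repeated_median(xs, ys):
    """Eqs. (4)-(5), Siegel's repeated median: slope = med_i med_{j!=i} (y_j-y_i)/(x_j-x_i)."""
    m = len(xs)
    slopes = [median((ys[j] - ys[i]) / (xs[j] - xs[i]) for j in range(m) if j != i)
              for i in range(m)]
    xi = median(slopes)
    kappa = median(ys[i] - xi * xs[i] for i in range(m))
    return kappa, xi


def psi(x, z=Z):
    """The clipping function Psi(x) = max(-Z, min(Z, x)) named in eq. (10)."""
    return max(-z, min(z, x))


def dimension_confidences(ys):
    """Eqs. (6)-(10) for one gradient dimension (needs at least 3 clients).

    ys[k] is the element of client k; the attached index x_k is k+1."""
    m = len(ys)
    xs = list(range(1, m + 1))
    kappa, xi = repeated_median(xs, ys)
    r = [y - kappa - xi * x for x, y in zip(xs, ys)]                 # eq. (6)
    tau = max(GAMMA * (1 + A / (m - 1)) * median(abs(v) for v in r), 1e-12)  # eqs. (7)-(8), assumed
    xbar = sum(xs) / m
    sxx = sum((x - xbar) ** 2 for x in xs)
    w = []
    for ri, x in zip(r, xs):
        h = 1 / m + (x - xbar) ** 2 / sxx          # diag(H_n) of the index design
        u = (ri / tau) / math.sqrt(1 - h)          # leverage-corrected e_n, eq. (9)
        w.append(1.0 if abs(u) < 1e-12 else psi(u) / u)   # assumed form of eq. (10)
    return w


def screen_and_aggregate(target_grads, f):
    """Steps S3-S4 on the server: score every client, drop the f lowest, average the rest."""
    m, n = len(target_grads), len(target_grads[0])
    scores = [0.0] * m
    for d in range(n):
        for k, w in enumerate(dimension_confidences([g[d] for g in target_grads])):
            scores[k] += w                          # assumed: score = sum of confidences
    ranked = sorted(range(m), key=lambda k: scores[k], reverse=True)
    benign = sorted(ranked[: m - f])
    global_grad = [sum(target_grads[k][d] for k in benign) / len(benign) for d in range(n)]
    return benign, global_grad, scores


if __name__ == "__main__":
    # Constructed target gradients: four agreeing clients and one outlier (client 5).
    grads = [[1.0, 2.0, 3.0], [1.1, 1.9, 3.1], [0.9, 2.1, 2.9],
             [1.05, 2.05, 3.05], [30.0, -20.0, 50.0]]
    print(screen_and_aggregate(grads, f=1))
```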
In another aspect of the present invention, a device for implementing the malicious client detection method for encrypted federated learning is provided, the device comprising:
a clipping module, configured to compute the clipping threshold of the current iteration round from the client gradients of historical iteration rounds, and to adaptively clip the gradients of all clients participating in federated learning according to that threshold to obtain clipped intermediate gradients;
a noise injection module, configured to add Gaussian noise to the clipped intermediate client gradients to obtain noise-injected target client gradients, and to upload the target client gradients to the server participating in federated learning;
a computation module, configured to attach an index to every element of all target client gradients to form a two-dimensional point set, to compute the residual of every element of the target client gradients with the Repeated Median linear regression algorithm, to compute the confidence of every element from its residual, to compute the gradient score of every element from its confidence, and to screen out the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient;
an aggregation module, configured to aggregate the selected benign client gradients to obtain a global gradient, and to broadcast the global gradient to all clients for gradient update.
In another aspect of the present invention, an electronic device is also provided, comprising:
at least one processor; and
a memory storing instructions which, when executed by the at least one processor, cause the at least one processor to perform the malicious client detection method for encrypted federated learning described above.
In another aspect of the present invention, a machine-readable storage medium is also provided, which stores executable instructions that, when executed, cause the machine to perform the malicious client detection method for encrypted federated learning described above.
Compared with the prior art, the present invention has the following beneficial effects:
The malicious client detection method for encrypted federated learning provided by the present invention adds Gaussian noise satisfying a differential privacy mechanism to the client gradients, so that a malicious attacker cannot infer information about the original data, thereby protecting data privacy. At the same time, to detect malicious client behaviour during training and improve the reliability of the federated learning system, the present invention uses a Repeated Median linear regression algorithm to compute the residual and confidence of each gradient, scores every client gradient from these results, judges the gradients with lower scores to be malicious and removes them, and lets the remaining benign gradients take part in the aggregation computation, ensuring the security of the gradient exchange process.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a flow chart of the malicious client detection method for encrypted federated learning according to the present invention.
FIG. 2 is a topology diagram of the federated learning system.
FIG. 3 is a schematic diagram of how the test accuracy of the method of the present invention varies with the number of training rounds.
FIG. 4 is a schematic diagram of how the test accuracy of the method of the present invention varies with the number of malicious clients.
DETAILED DESCRIPTION
The present disclosure is further described below in conjunction with the accompanying drawings and embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the present disclosure. Unless otherwise specified, all technical and scientific terms used herein have the same meanings as commonly understood by those of ordinary skill in the art to which the present disclosure belongs.
It should be noted that the terms used herein serve only to describe specific embodiments and are not intended to limit the exemplary embodiments of the present disclosure. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. It should further be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
In the absence of conflict, the embodiments of the present disclosure and the features in the embodiments may be combined with one another.
In view of the problems existing in the prior art, the present invention provides a malicious client detection method for encrypted federated learning, which aims to detect and remove clients that behave maliciously during federated learning and to ensure the security of the gradient exchange process.
Malicious clients can seriously affect data security and model performance. To reduce the risk of data privacy leakage, the present invention adds Gaussian noise satisfying a differential privacy mechanism to the client gradients, so that a malicious attacker cannot infer information about the original data, thereby protecting data privacy. To detect malicious client behaviour during training and improve the reliability of the federated learning system, the present invention uses a Repeated Median linear regression algorithm to compute the residual and confidence of each gradient, scores every client gradient from these results, judges the gradients with lower scores to be malicious and removes them, and lets the remaining benign gradients take part in the aggregation computation.
The malicious client detection method and device for encrypted federated learning of the present invention are described in detail below with reference to specific embodiments.
Embodiment 1
Referring to FIG. 1, this embodiment provides a malicious client detection method for encrypted federated learning that is applied to a federated learning system. Referring to FIG. 2, the federated learning system comprises two kinds of entity, clients (Client) and a server (Server), with multiple clients communicating with a single server.
The method comprises:
S1. Compute the clipping threshold of the current iteration round from the client gradients of historical iteration rounds, and adaptively clip the gradients of all clients participating in federated learning according to that threshold to obtain clipped intermediate gradients.
This embodiment designs an adaptive gradient clipping method that adaptively clips the magnitude of every client's gradient to within a reasonable threshold, preventing any single local update from excessively influencing the global model update and causing a gradient explosion problem.
Specifically, assume that the federated learning system has m clients (P_1, P_2, …, P_m) with corresponding local training datasets D_i (i=1,2,…,m). Assume that there are f malicious clients, which attempt to upload meaningless or malicious client gradients to prevent the global model from converging correctly.
First, client P_i receives the previous round's global gradient from the server, trains its local model on its local dataset D_i, and obtains its client gradient for round t, where every client gradient contains n elements (that is, it is a vector).
In a differential privacy mechanism, gradient clipping is crucial. If the clipping threshold is set too large, too much unnecessary noise is introduced, which harms model performance; if it is set too small, there is a risk of exposing too much gradient information.
For this reason, the method of this embodiment clips the gradients adaptively. The specific process is as follows.
First, compute the L2 norm of each client gradient in the t rounds of iteration and select the p-th percentile of the historical gradient L2 norms as the clipping threshold of the current iteration, that is:
In formula (1), C_t denotes the clipping threshold in the t-th iteration, the norm term denotes the L2 norm of the i-th historical client gradient computed in the t-th iteration, and p is the percentile used to select the clipping threshold, with 0≤p≤1.
Then clip the gradients of all clients according to the obtained clipping threshold C_t; the clients' clipped intermediate gradient is:
In formula (2), the defined quantity is the clipped intermediate gradient of the i-th client in the t-th iteration.
With the above adaptive clipping method, the change of the gradients in the current iteration can be predicted from the trend of the clients' historical gradients and a suitable clipping threshold determined accordingly, which effectively prevents a few excessively large gradients from affecting the model update. Moreover, the method only requires the clipping percentile to be specified and does not expose the original gradient information, so it protects privacy better.
S2. Introduce a differential privacy mechanism: add Gaussian noise to the clipped intermediate gradient to obtain the noise-injected target gradient, and upload the target gradient to the server participating in the federated learning.
To prevent leakage of local private data, security measures must be taken to protect the gradient before a client uploads the gradient obtained from its local training to the server.
The method of this embodiment introduces a differential privacy mechanism and adds Gaussian noise to the client's clipped intermediate gradient, obtaining the noise-injected target gradient as:
In formula (3), the left-hand side denotes the noise-injected target gradient of the i-th client in the t-th iteration, and the noise term denotes Gaussian noise with zero mean and variance σ²Ct², where the distribution symbol denotes the Gaussian distribution, σ² is the variance, and I is the identity matrix.
The noise-injected target gradient is then uploaded to the server for secure aggregation.
Adding Gaussian noise to the clipped client gradient shields the client gradient from inference attacks during the communication rounds, effectively protecting both the client gradient and the local data and lowering the risk of privacy leakage.
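The client-side steps S1 and S2 (adaptive percentile clipping followed by Gaussian noise), written out in Python as an added example; this is not code from the patent. Because formulas (1) to (3) are not reproduced on this page, three details are assumptions of this example: the percentile is taken with linear interpolation between order statistics, clipping uses the usual DP-SGD rule g · min(1, Ct/‖g‖), and the noise has per-coordinate standard deviation σ·Ct (the variance σ²Ct² stated for formula (3)). The function names and the sample norms are this example's own.

```python
import math
import random
from typing import List, Sequence, Tuple


def l2_norm(v: Sequence[float]) -> float:
    """Euclidean (L2) norm of a gradient vector."""
    return math.sqrt(sum(x * x for x in v))


def percentile(values: Sequence[float], p: float) -> float:
    """p-th quantile of `values` for 0 <= p <= 1, interpolating linearly between
    order statistics.  Formula (1) is only described in words on the page, so the
    interpolation rule is an assumption of this example."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must lie in [0, 1]")
    s = sorted(values)
    if len(s) == 1:
        return s[0]
    pos = p * (len(s) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def clipping_threshold(norm_history: Sequence[float], p: float) -> float:
    """C_t: the p-th percentile of the gradient L2 norms seen so far (formula (1))."""
    return percentile(norm_history, p)


def clip_gradient(g: Sequence[float], c: float) -> List[float]:
    """Scale g so that its L2 norm is at most c.  Formula (2) is not reproduced on
    the page; the standard DP-SGD rule g * min(1, c / ||g||) is assumed here."""
    n = l2_norm(g)
    if n == 0.0 or n <= c:
        return list(g)
    return [x * (c / n) for x in g]


def add_gaussian_noise(g: Sequence[float], sigma: float, c: float,
                       rng: random.Random) -> List[float]:
    """Add N(0, sigma^2 c^2 I) noise, i.e. per-coordinate standard deviation sigma*c,
    which matches the variance stated for formula (3)."""
    return [x + rng.gauss(0.0, sigma * c) for x in g]


def client_round(gradient: Sequence[float], norm_history: Sequence[float],
                 p: float, sigma: float, rng: random.Random) -> Tuple[float, List[float], List[float]]:
    """One client's S1 + S2 for the current round.

    `norm_history` holds this client's gradient norms from earlier rounds; the current
    norm is appended before the percentile is taken, so C_t is drawn from the norms of
    all t rounds.  Returns (C_t, clipped intermediate gradient, noisy target gradient);
    only the last element leaves the client."""
    history = list(norm_history) + [l2_norm(gradient)]
    c_t = clipping_threshold(history, p)
    clipped = clip_gradient(gradient, c_t)
    target = add_gaussian_noise(clipped, sigma, c_t, rng)
    return c_t, clipped, target


if __name__ == "__main__":
    # Constructed sample: three earlier rounds of norms and a current gradient whose
    # norm (5.0) lies above the median of the history, so it gets clipped.
    rng = random.Random(2024)
    c_t, clipped, target = client_round([3.0, 4.0], [1.0, 2.0, 4.0], p=0.5, sigma=0.1, rng=rng)
    print("C_t =", c_t, "clipped =", clipped, "uploaded =", target)
```

With σ = 0 the uploaded vector equals the clipped one, which is a convenient way to check the clipping path in isolation before the noise is switched on.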
S3. Add an index to each dimension element of all clients' target gradients to form a two-dimensional point set; compute the residual of each dimension element of the target gradients with the Repeated Median linear regression algorithm; compute the confidence of each dimension element from the residual and the gradient score of each dimension element from the confidence; and select the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient.
In this embodiment, in order to identify malicious behaviour during training and to detect and remove malicious clients while the differential privacy mechanism remains in place, a malicious client detection and removal method based on Repeated Median linear regression is designed. The specific process is as follows.
First, the server sorts each dimension element of the received target gradients of all clients. The sorting may be ascending, descending, or in the original order; ascending order is preferred here. The n-th dimension element of the target gradient of the i-th client is referred to below by its own symbol.
Then an index is added to each dimension element of all clients' sorted target gradients, finally forming the two-dimensional point set (xn, yn). In this embodiment, the index can be a positive integer from 1 to N.
As an illustration, suppose there are 3 clients and each client's target gradient has 2 elements: client 1, elements n1 = [2.5, 3.1]; client 2, elements n2 = [1.7, 4.2]; client 3, elements n3 = [0.9, 2.8].
Sorting each dimension element of all clients' target gradients in ascending order gives [0.9, 1.7, 2.5] for the first dimension and [2.8, 3.1, 4.2] for the second.
Adding an index to each dimension element of the sorted target gradients, with the index of each dimension set to [1, 2, 3], yields the two-dimensional point set {(1, 0.9), (2, 1.7), (3, 2.5), (1, 2.8), (2, 3.1), (3, 4.2)}.
From the two-dimensional point set (xn, yn) obtained above, the linear regression equation y = κ + ξx is formed. The server then estimates the slope ξ and the intercept κ of this equation with the Repeated Median linear regression algorithm, namely:
In formulas (4) and (5), the two element symbols denote the n-th dimension element of the target gradient of the j-th client and of the i-th client respectively, and the two index symbols denote the indices of those elements, where i, j ∈ {1, 2, …, m} and m is the number of clients.
Next, the residual of each dimension element of all client target gradients is computed; for the n-th dimension element the residual is:
rn ← yn − κ − ξxn   (6);
In formula (6), rn denotes the residual of the n-th dimension element of a client's target gradient.
In this embodiment, computing the confidence of each dimension element of the target gradient from the residual, computing the gradient score of each dimension element from the confidence, and selecting the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient specifically comprises the following.
First, the residual of each dimension element of the client target gradients is normalized.
Because residuals of different elements are not directly comparable, they must be normalized. Take the absolute value of the residual of each dimension element of the client target gradients and compute its median; for the n-th dimension element it is written as:
In formula (7), the left-hand side denotes the median of the absolute residuals of the n-th dimension element of the client target gradients.
The median is scaled using the constant γ and the number of clients m; the scaled result is written as:
In formula (8), a is an adjustment constant with a = 5; this constant is configurable.
The residual rn is normalized by dividing it by the scaled result τn, that is:
In formula (9), en denotes the normalized residual of the n-th dimension element of the client target gradient.
The above procedure yields normalized residuals for every dimension element of all client target gradients, so that each residual is adjusted by its typical magnitude and scale factor and residuals of different elements become comparable.
Next, the server computes the confidence of each dimension element of every client's target gradient from its normalized residual:
In formula (10), wn denotes the confidence of the n-th dimension element of the client target gradient, Hn denotes the projection matrix of the index xn of the n-th dimension element, diag(Hn) denotes the vector of diagonal elements of Hn, Ψ denotes the confidence interval with Ψ(x) = max(−Z, min(Z, x)), and λ is a hyperparameter.
Then the score of each dimension element is computed from its confidence:
In formula (11), the left-hand side denotes the score of the n-th dimension element of the client target gradient, and σ(·) denotes the standard deviation of the confidence of the n-th dimension element.
From the scores of the individual dimension elements, the sum of the scores of all elements of each client's target gradient is computed:
In formula (12), W(k) denotes the sum of the scores of all elements of the k-th client's target gradient, and N is the number of elements in the k-th client's target gradient.
Finally, all m clients are sorted in ascending order of their score sums. The first f clients, those with the lowest scores, are treated as malicious and removed; the remaining m − f clients are retained as benign, and their target gradients take part in the aggregation as benign gradients.
S4. Aggregate the selected benign gradients to obtain a global gradient, and broadcast the global gradient to all clients for the gradient update.
That is, the target gradients of the m − f higher-scoring benign clients are aggregated as benign gradients to obtain the global gradient:
In formula (13), the left-hand side denotes the global gradient obtained in the t-th iteration.
Finally, the global gradient is broadcast to all clients to update their local model gradients:
In formula (14), gt+1 denotes the client gradient in round t + 1 and η is the learning rate.
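The server-side pipeline of S3 and S4, from the sort-and-index step and the 3-client illustration above through Repeated Median fitting, residual normalization, confidence, scoring, removal of the f lowest clients and aggregation, as an added Python example that is not the patent's own code. Formulas (4), (5) and (7) to (13) are not reproduced on this page, so the following are assumptions of this example: the regression is Siegel's Repeated Median (the standard algorithm of that name); the scale τn is the median absolute residual times a constant GAMMA; diag(Hn) is the leverage of the design [1, x]; the confidence is the Huber-type weight Ψ(t)/t with Z = 1.345; the per-element score is the confidence itself; and the aggregation is the mean of the benign gradients. The constants GAMMA, Z and EPS, the function names and the fourth and fifth clients in SAMPLE are constructed for this example.

```python
import math
from statistics import median
from typing import Dict, List, Tuple

# Constants of this example (assumptions: the page gives Psi(x) = max(-Z, min(Z, x))
# but not Z, and the scale constant of formula (8) is not reproduced here).
GAMMA = 1.4826   # MAD-to-sigma consistency factor, used as the scale constant
Z = 1.345        # bound of Psi; the classical Huber tuning constant
EPS = 1e-12      # floor so that a zero median residual never divides by zero


def repeated_median(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Siegel's Repeated Median fit of y = kappa + xi * x; returns (xi, kappa).
    For each point take the median slope to all other points; the slope estimate is
    the median of those medians and the intercept the median of y_i - xi * x_i."""
    m = len(xs)
    per_point = []
    for i in range(m):
        slopes = [(ys[j] - ys[i]) / (xs[j] - xs[i]) for j in range(m) if j != i]
        per_point.append(median(slopes))
    xi = median(per_point)
    kappa = median([ys[i] - xi * xs[i] for i in range(m)])
    return xi, kappa


def leverage(xs: List[float]) -> List[float]:
    """diag(H) of the hat matrix for the design [1, x] (assumed meaning of diag(H_n))."""
    m = len(xs)
    xbar = sum(xs) / m
    sxx = sum((x - xbar) ** 2 for x in xs)
    return [1.0 / m + (x - xbar) ** 2 / sxx for x in xs]


def element_confidences(column: Dict[str, float]) -> Dict[str, float]:
    """Confidence w in [0, 1] of one gradient dimension for every client (needs m >= 3)."""
    order = sorted(column, key=column.get)                 # ascending sort, as preferred on the page
    xs = [float(k) for k in range(1, len(order) + 1)]      # index 1..m
    ys = [column[c] for c in order]                        # the point set (x_n, y_n)
    xi, kappa = repeated_median(xs, ys)
    r = [y - kappa - xi * x for x, y in zip(xs, ys)]       # residual, formula (6)
    tau = max(GAMMA * median([abs(v) for v in r]), EPS)    # scaled median |r| (stands in for (7)-(8))
    e = [v / tau for v in r]                               # normalised residual, formula (9)
    w = {}
    for c, ei, hi in zip(order, e, leverage(xs)):
        t = ei / math.sqrt(max(1.0 - hi, EPS))             # leverage-standardised residual (assumed (10))
        w[c] = 1.0 if abs(t) <= Z else Z / abs(t)          # Psi(t) / t: 1 inside the band, decaying outside
    return w


def score_clients(gradients: Dict[str, List[float]]) -> Dict[str, float]:
    """W(k): sum over all dimensions of the per-element score (formula (12)); the
    per-element score is taken to be the confidence itself (assumption for (11))."""
    dims = len(next(iter(gradients.values())))
    totals = {c: 0.0 for c in gradients}
    for n in range(dims):
        column = {c: g[n] for c, g in gradients.items()}
        for c, wn in element_confidences(column).items():
            totals[c] += wn
    return totals


def filter_and_aggregate(gradients: Dict[str, List[float]], f: int):
    """Drop the f lowest-scoring clients and average the rest (mean assumed for (13))."""
    totals = score_clients(gradients)
    ranked = sorted(gradients, key=totals.get)             # ascending score sum
    removed, benign = ranked[:f], ranked[f:]
    dims = len(next(iter(gradients.values())))
    global_grad = [sum(gradients[c][n] for c in benign) / len(benign) for n in range(dims)]
    return benign, removed, global_grad


# Constructed sample: the page's three clients (first two dimensions) plus a third
# dimension, a fourth benign client and one client sending wildly deviating values.
SAMPLE = {
    "client1": [2.5, 3.1, 0.1],
    "client2": [1.7, 4.2, -0.2],
    "client3": [0.9, 2.8, -0.4],
    "client4": [2.0, 3.6, -0.3],
    "client5": [30.0, -25.0, 40.0],   # constructed outlier
}

if __name__ == "__main__":
    benign, removed, g = filter_and_aggregate(SAMPLE, f=1)
    print("scores:", score_clients(SAMPLE))
    print("removed:", removed, "benign:", benign, "global gradient:", g)
```

The Repeated Median has a 50% breakdown point, so on the sample the line fitted to each dimension follows the four benign values and the outlier's residual is large in every dimension; its score sum is therefore far below the others and it is the one client removed for f = 1. Note the division by the median absolute residual: when the benign values happen to lie exactly on the fitted line that median is zero, which is why the scale is floored at EPS.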
This embodiment was evaluated on the MNIST dataset with a convolutional neural network (CNN); the test accuracy under a label-flipping attack is shown in Figures 3 and 4.
FIG. 3 shows how the test accuracy of the method of this embodiment varies with the number of training rounds. The method keeps a high test accuracy under attack, indicating that the malicious clients have been detected and removed, which verifies the method's effectiveness.
FIG. 4 shows how the test accuracy of the method of this embodiment varies with the number of malicious clients. As the number of attackers increases, the test accuracy still stays at a relatively high level, indicating that the method also performs well when the number of malicious clients grows.
Embodiment 2
This embodiment provides a device implementing the malicious client detection method for encrypted federated learning, the device comprising:
a clipping module, configured to compute the clipping threshold of the current iteration round from the client gradients of historical iteration rounds and to adaptively clip the gradients of all clients participating in the federated learning according to that threshold, obtaining the clipped intermediate gradients;
a noise injection module, configured to add Gaussian noise to the clipped intermediate client gradient to obtain a noise-injected target client gradient, and to upload the target client gradient to the server participating in the federated learning;
a calculation module, configured to add an index to each dimension element of all target client gradients to form a two-dimensional point set, to compute the residual of each dimension element of the target client gradients with the Repeated Median linear regression algorithm, to compute the confidence of each dimension element from the residual and the gradient score of each dimension element from the confidence, and to select the benign gradients among all target gradients according to the sum of the scores of all elements of each client's target gradient;
an aggregation module, configured to aggregate the selected benign client gradients to obtain a global gradient and to broadcast the global gradient to all clients for the gradient update.
Embodiment 3
This embodiment further provides an electronic device, comprising:
at least one processor; and
a memory storing instructions which, when executed by the at least one processor, cause the at least one processor to perform the malicious client detection method for encrypted federated learning described above.
In this embodiment, the electronic device may include, but is not limited to, a personal computer, server computer, workstation, desktop computer, laptop computer, notebook computer, mobile computing device, smartphone, tablet computer, cellular phone, personal digital assistant (PDA), handheld device, messaging device, wearable computing device, consumer electronic device, and the like.
Embodiment 4
This embodiment further provides a machine-readable storage medium storing executable instructions which, when executed, cause the machine to perform the malicious client detection method for encrypted federated learning described above.
Specifically, a system or device equipped with a readable storage medium may be provided, the readable storage medium storing software program code that implements the functions of any of the above embodiments, and the computer or processor of that system or device reads and executes the instructions stored in the readable storage medium.
In this case, the program code read from the readable medium itself implements the functions of any of the above embodiments, so the machine-readable code and the readable storage medium storing it form part of this specification.
Examples of readable storage media include floppy disks, hard disks, magneto-optical disks, optical disks (such as CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD-RW), magnetic tape, non-volatile memory cards and ROM. Alternatively, the program code may be downloaded from a server computer or from the cloud over a communication network.
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, the above embodiments of the present invention are merely examples given to illustrate the technical solution of the present invention clearly, and are not intended to limit the specific implementations of the present invention. Any modifications, equivalent substitutions, and improvements made within the spirit and principles of the claims of the present invention shall fall within the scope of protection of the claims of the present invention.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410493166.5A CN118316699B (en) | 2024-04-23 | 2024-04-23 | Malicious client detection method, device, electronic device and storage medium for encrypted federated learning |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410493166.5A CN118316699B (en) | 2024-04-23 | 2024-04-23 | Malicious client detection method, device, electronic device and storage medium for encrypted federated learning |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118316699A CN118316699A (en) | 2024-07-09 |
| CN118316699B true CN118316699B (en) | 2024-09-06 |
Family
ID=91721909
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410493166.5A Active CN118316699B (en) | 2024-04-23 | 2024-04-23 | Malicious client detection method, device, electronic device and storage medium for encrypted federated learning |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118316699B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118606634B (en) * | 2024-08-08 | 2024-10-22 | 齐鲁工业大学(山东省科学院) | Self-adaptive privacy-preserving distributed learning method and device based on noise disturbance attenuation |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116739114A (en) * | 2023-08-09 | 2023-09-12 | 山东省计算中心(国家超级计算济南中心) | Robust federal learning aggregation method and device for resisting model poisoning attack |
| CN117574421A (en) * | 2023-10-26 | 2024-02-20 | 河海大学 | Federated data analysis system and method based on gradient dynamic clipping |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US12147879B2 (en) * | 2021-02-22 | 2024-11-19 | International Business Machines Corporation | Federated learning with dataset sketch commitment based malicious participant identification |
| US20240070286A1 (en) * | 2022-08-31 | 2024-02-29 | International Business Machines Corporation | Supervised anomaly detection in federated learning |
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116739114A (en) * | 2023-08-09 | 2023-09-12 | 山东省计算中心(国家超级计算济南中心) | Robust federal learning aggregation method and device for resisting model poisoning attack |
| CN117574421A (en) * | 2023-10-26 | 2024-02-20 | 河海大学 | Federated data analysis system and method based on gradient dynamic clipping |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118316699A (en) | 2024-07-09 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |