A federated learning method for defending data poisoning attacks

By constructing models F and G, detecting client-side data poisoning and model attacks, and performing weighted aggregation on the server, the problems of non-independent and identically distributed data and attacks in federated learning are solved, thus improving the model training effect.

CN116402126B · Active · Publication Date: 2026-06-12 · BEIJING UNIV OF POSTS & TELECOMM +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING UNIV OF POSTS & TELECOMM
Filing Date
2023-04-12
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Federated learning suffers from problems such as non-independent and identically distributed data, data poisoning, and model parameter attacks. Existing solutions have failed to effectively address these issues, especially when client data is untrustworthy, which affects the training performance of the global model.

Method used

By constructing models F and G, the relationship between client data features and target vectors is learned, and vector differences are calculated to detect data poisoning and model attacks. The server performs weighted aggregation to mitigate the impact of attacks.

Benefits of technology

It effectively detects and mitigates data poisoning and model parameter attacks, improves the model training accuracy and robustness of federated learning, and adapts to client data that is not independent and identically distributed.

Generated by Eureka AI based on patent content.


Abstract

The present application provides a federated learning method for defending against data poisoning attacks, comprising: obtaining a shared dataset containing the overall feature distribution of the data in the clients; training model F on the client's local dataset, where model F is used to learn the relationship between sample features and target vectors in the local dataset; pre-training model G on the client's local dataset and model G′ on the shared dataset, where models G and G′ are used to learn the relationship between the personalized layer parameters of model F and the vector c; obtaining the client's local data amount, the vector c, the model F parameters and the personalized layer parameters output by model F, and passing the personalized layer parameters through model G to obtain the output V; using the personalized layer parameters as the input of model G′ to obtain the output V′, calculating L = ||V′ − V||, judging from L whether the client is subject to a data poisoning attack or gradient attack, and reducing the influence of data poisoning attacks and attacks on model parameters by having the server give lower weight to the model parameters of malicious clients.

Description

Technical Field

[0001] This invention belongs to the field of data security.

Background Technology

[0002] A key challenge of federated learning is the non-independent and identically distributed (non-i.i.d.) data among the clients, which significantly impacts the accuracy of federated learning algorithms (such as the classic FedAvg algorithm). Because the distribution of each client's local dataset differs greatly from the global distribution, the local model update objective of each client is inconsistent with the global optimum. Therefore, during the local training phase, each model updates towards its own local optimum, which can be far from the global optimum. Even if the server simply averages the client models as in the FedAvg algorithm, the averaged result may still be far from the global optimum, especially when local updates are large (e.g., when the number of local epochs is large). Ultimately, the accuracy of the converged global model is much worse than in an i.i.d. setting.

[0003] Due to the importance of user data privacy, federated learning allows data to reside on the client side (data holder), with only the model parameters shared with the central server. Specifically, there is no centralized data manager to collect and validate the aggregated dataset. Instead, each client is responsible for training on its local data and then sending the model parameter values to the central server, which creates a global model by aggregating updates from all clients. Therefore, a global model can be trained on the data of all clients without any client needing to share their private raw data. However, this mechanism also introduces a significant vulnerability into federated learning algorithms. Consider a scenario where, during federated learning training, some clients are assumed to be malicious or manipulated by adversaries. This could lead these clients to add poisoned samples to their local training data or upload malicious model updates. Due to data privacy, the central server cannot verify the data, allowing these malicious clients to poison the trained global model and negatively impact its performance.

[0004] Federated learning algorithms require each client to train the model using its own local data. However, in practice, each client inevitably makes some mistakes when collecting local data, such as misclassifying sample labels or uploading sample feature data incorrectly. Also, due to the privacy of federated learning algorithms, these errors cannot be directly detected by the central server, which will also affect the performance of the global model.

[0005] Current technologies almost exclusively focus on one of the following issues in federated learning: non-i.i.d. data, data poisoning, and attacks on model parameters; there is no comprehensive solution. However, in practice, federated learning often encounters several of these problems simultaneously. Therefore, when considering applications of federated learning, it is essential to solve these problems concurrently.

[0006] Existing solutions for defending against data poisoning and attacks targeting model parameters are based on the assumption that client data is independent and identically distributed. They do not take into account that, in reality, the data of each client is almost always non-i.i.d. As a result, the model parameters trained on one client's dataset differ significantly from those uploaded by other clients even when the local data is correct. Moreover, since the data distribution varies from client to client, there is no uniform threshold for how large a difference is considered normal. In other words, it is impossible to determine from the differences alone whether a client is engaging in data poisoning or attacks targeting model parameters.

Summary of the Invention

[0007] The present invention aims to at least partially solve one of the technical problems in the related art.

[0008] Therefore, the purpose of this invention is to propose a federated learning method for defending against data poisoning attacks, which is used to determine whether the client is poisoning data and attacking the model parameters.

[0009] To achieve the above objectives, a first aspect of the present invention proposes a federated learning method for defending against data poisoning attacks, comprising:

[0010] Obtain a shared dataset containing the distribution of all features of the data in the client;

[0011] Construct model F, initialize model F parameters, and train model F based on the client's local dataset, wherein model F is used to learn the relationship between sample features and target vectors in the local dataset;

[0012] Models G and G′ are constructed. Model G is pre-trained based on the local dataset of the client, and model G′ is pre-trained based on the shared dataset. Models G and G′ are used to learn the relationship between the personalized layer parameters of model F and vector c.

[0013] Obtain from the client the local data volume n, the vector c, the model F parameters, the personalized layer parameters output by model F, and the output V that model G produces from those personalized layer parameters.

[0014] The personalized layer parameters are used as input to the model G′ to obtain the output V′. L = ||V′ - V|| is calculated. Based on L, it is determined whether the client is subject to data poisoning attacks or gradient attacks. The server assigns lower weights to the model parameters of malicious clients to mitigate the impact of data poisoning attacks and attacks targeting model parameters.

[0015] In addition, a federated learning method for defending against data poisoning attacks according to the above embodiments of the present invention may also have the following additional technical features:

[0016] Furthermore, in one embodiment of the present invention, obtaining the shared dataset on the server side and the local dataset on the client side further includes:

[0017] The local dataset was preprocessed using the DBSCAN clustering algorithm.

[0018] Furthermore, in one embodiment of the present invention, model G is used to learn the relationship between W_p and the vector c, where the vector c is obtained by expanding the covariance matrix Conv calculated from the N vectors p:

[0019] ,

[0020] where N is the number of samples and E(x) is the mean of the N vectors p_i, i = 1, 2, ..., n.

[0021] Furthermore, in one embodiment of the present invention, determining whether the client is subject to a data poisoning attack or a gradient attack based on L includes:

[0022] First, run the experiment 10 times to obtain 10 sets of data, calculate the mean of L, and use the mean as the threshold. If L exceeds the threshold, this indicates that the client is subject to data poisoning or gradient attacks.

[0023] Furthermore, in one embodiment of the present invention, it further includes:

[0024] Define the subset of the shared dataset corresponding to each client i as SD_i (i = 1, 2, ..., N). Taking SD_i as input to model F, the base layer transforms it into N_i vectors p = {p_1, p_2, ..., p_n}; from these the covariance matrix Conv_i is calculated, and expanding Conv_i gives c′_i = {Cov_11, Cov_12, ..., Cov_nn}. The magnitude of the difference vector between c_i, which is calculated from the local data of client i, and c′_i is Δc_i = ||c_i − c′_i||. The mean of Δc_i over ten experiments is used as the threshold; if Δc_i exceeds the threshold, it is determined that client i is subject to a data poisoning attack.

[0025] Furthermore, in one embodiment of the present invention, it further includes:

[0026] To determine whether the client is simultaneously subject to data poisoning attacks and attacks targeting the model gradient, the difference ΔL_i between Δc_i and L is calculated. The mean of ΔL_i over ten experiments is used as the threshold; if ΔL_i exceeds the threshold, the client is determined to be simultaneously subject to data poisoning attacks and attacks targeting the model gradient.

[0027] To achieve the above objectives, a second aspect of the present invention provides a federated learning device for defending against data poisoning attacks, comprising the following modules:

[0028] The first acquisition module is used to acquire a shared dataset containing the distribution of all features of the data in the client.

[0029] The first training module is used to construct model F, initialize the parameters of model F, and train model F based on the local dataset of the client, wherein model F is used to learn the relationship between sample features and target vectors in the local dataset;

[0030] The second training module is used to construct models G and G′, pre-train model G based on the client's local dataset, and pre-train model G′ based on the shared dataset, wherein models G and G′ are used to learn the relationship between the personalized layer parameters of model F and vector c;

[0031] The second acquisition module is used to acquire from the client the local data volume n, the vector c, the model F parameters, the personalized layer parameters output by model F, and the output V that model G produces from those personalized layer parameters.

[0032] The judgment module is used to take the personalized layer parameters as input to the model G′, obtain the output V′, calculate L=||V′-V||, and determine whether the client has a data poisoning attack or gradient attack based on L. The server assigns lower weights to the model parameters of the malicious clients to mitigate the impact of data poisoning attacks and attacks targeting model parameters.

[0033] Furthermore, in one embodiment of the present invention, the determining module is further configured to:

[0034] First, run the experiment 10 times to obtain 10 sets of data, calculate the mean of L, and use the mean as the threshold. If L exceeds the threshold, this indicates that the client is subject to data poisoning or gradient attacks.

[0035] Define the subset of the shared dataset corresponding to each client i as SD_i (i = 1, 2, ..., N). Taking SD_i as input to model F, the base layer transforms it into N_i vectors p = {p_1, p_2, ..., p_n}; from these the covariance matrix Conv_i is calculated, and expanding Conv_i gives c′_i = {Cov_11, Cov_12, ..., Cov_nn}. The magnitude of the difference vector between c_i, which is calculated from the local data of client i, and c′_i is Δc_i = ||c_i − c′_i||. The mean of Δc_i over ten experiments is used as the threshold; if Δc_i exceeds the threshold, it is determined that client i is subject to a data poisoning attack.

[0036] To determine whether the client is simultaneously subject to data poisoning attacks and attacks targeting the model gradient, the difference ΔL_i between Δc_i and L is calculated. The mean of ΔL_i over ten experiments is used as the threshold; if ΔL_i exceeds the threshold, the client is determined to be simultaneously subject to data poisoning attacks and attacks targeting the model gradient.

[0037] To achieve the above objectives, a third aspect of the present invention provides a computer device, characterized in that it includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, it implements a federated learning method for defending against data poisoning attacks as described above.

[0038] To achieve the above objectives, a fourth aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements a federated learning method for defending against data poisoning attacks as described above.

[0039] The federated learning method for defending against data poisoning attacks proposed in this invention, on the one hand, designs model F with a personalized layer M_p so that it better fits the local non-i.i.d. data of each client, effectively addressing the problem of non-i.i.d. data in federated learning. On the other hand, this scheme calculates the covariance matrix Conv of the feature vectors p = {p_1, p_2, ..., p_n} extracted from the local dataset, and the vector c_i = {Cov_11, Cov_12, ..., Cov_nn} obtained by expanding Conv represents the feature distribution of the data, thus allowing it to be compared with the distribution calculated from the client's dataset.

[0040]

[0041] The magnitude Δc_i = ||c_i − c′_i|| of the difference between the vector c and the vector c′ calculated by model G on the server side is used to detect whether there is data poisoning or an attack targeting model parameters on the client side. When the server aggregates client models, it uses the size of the L value to perform weighted aggregation of the client models (i.e., assigning lower weights to attacking malicious clients) to mitigate the impact of data poisoning attacks and attacks targeting model parameters.

Attached Figure Description

[0042] The above and / or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, wherein:

[0043] Figure 1 is a flowchart of a federated learning method for defending against data poisoning attacks, provided in an embodiment of the present invention.

[0044] Figure 2 is a schematic diagram of model F, provided in an embodiment of the present invention.

[0045] Figure 3 is a schematic diagram of the federated learning process, provided in an embodiment of the present invention.

[0046] Figure 4 is a flowchart of a federated learning device for defending against data poisoning attacks, provided in an embodiment of the present invention.

Detailed Implementation

[0047] Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and intended to explain the present invention, and should not be construed as limiting the present invention.

[0048] The federated learning method for defending against data poisoning attacks according to an embodiment of the present invention is described below with reference to the accompanying drawings.

[0049] Figure 1 is a flowchart of a federated learning method for defending against data poisoning attacks, provided in an embodiment of the present invention.

[0050] As shown in Figure 1, the federated learning method for defending against data poisoning attacks includes the following steps:

[0051] S101: Obtain a shared dataset containing the distribution of all features of the data in the client;

[0052] S102: Construct model F, initialize model F parameters, and train model F based on the client's local dataset, where model F is used to learn the relationship between sample features and target vectors in the local dataset;

[0053] S103: Construct models G and G′. Pre-train model G based on the client's local dataset and pre-train model G′ based on the shared dataset. Models G and G′ are used to learn the relationship between the parameters of the personalized layer of model F and the vector c.

[0054] S104: Obtain from the client the local data volume n, the vector c, the model F parameters, the personalized layer parameters output by model F, and the output V that model G produces from those personalized layer parameters;

[0055] S105: Use the personalized layer parameters as input to model G′ to obtain output V′, calculate L=||V′-V||, and determine whether the client is subject to data poisoning attack or gradient attack based on L. The server assigns lower weights to the model parameters of malicious clients to mitigate the impact of data poisoning attack and attack on model parameters.

[0056] Furthermore, in one embodiment of the present invention, obtaining the shared dataset from the server further includes:

[0057] The DBSCAN clustering algorithm is used to preprocess the client's local dataset.

[0058] Specifically, the DBSCAN clustering algorithm is applied to the client's local data. Let the local sample feature set be D = {x_1, x_2, ..., x_m} and the neighborhood parameters be (ε, MinPts). First determine the core objects: x_j is a core object if |N_ε(x_j)| ≥ MinPts, and the set of core objects is Ω. Randomly select a core object from Ω as a seed and find all objects that are density-reachable from it. (Directly density-reachable: if x_j lies in the ε-neighborhood of x_i and x_i is a core object, then x_j is directly density-reachable from x_i. Density-reachable: x_j is density-reachable from x_i if there exists a sample sequence {p_1, p_2, ..., p_n} with p_1 = x_i, p_n = x_j, and each p_{i+1} directly density-reachable from p_i.) All samples density-reachable from the seed form the first cluster C_1. The core objects in C_1 are then removed from Ω, and this process is repeated until Ω is empty. Data not included in any cluster is treated as outliers. This method identifies and removes erroneous data from the client's local dataset, thus improving the model's training performance.
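As an added illustration of the preprocessing step described above (this is example code written for this page, not code from the patent or its assignee), the following plain-Python DBSCAN keeps only the records that fall inside some density cluster and drops the rest as outliers before local training. The two-group dataset, the three stray records, and the parameters ε = 1.0 and MinPts = 4 are constructed for the example; the seed core object is chosen deterministically rather than at random.

```python
import math
import random

# Added example (not the patent's code): plain-Python DBSCAN used the way
# paragraph [0058] describes it, to drop records that fall in no cluster
# before local training. The dataset below is constructed.


def make_local_dataset(seed=7):
    """Two dense groups of 20 records each, plus three stray records standing
    in for mislabeled or mis-uploaded samples (constructed)."""
    rng = random.Random(seed)
    pts = []
    for cx, cy in [(0.0, 0.0), (5.0, 5.0)]:
        for _ in range(20):
            pts.append((cx + rng.gauss(0, 0.3), cy + rng.gauss(0, 0.3)))
    pts += [(2.5, 2.5), (-4.0, 6.0), (9.0, -3.0)]
    return pts


def eps_neighborhood(data, j, eps):
    """N_eps(x_j): indices of all samples within distance eps of x_j (x_j included)."""
    xj = data[j]
    return [i for i, xi in enumerate(data)
            if math.hypot(xi[0] - xj[0], xi[1] - xj[1]) <= eps]


def dbscan(data, eps, min_pts):
    """Returns a cluster id per sample, or None for samples in no cluster (outliers).
    Core object: |N_eps(x_j)| >= min_pts.  Directly density-reachable: x_j lies in
    the eps-neighbourhood of a core object x_i.  A cluster is everything
    density-reachable from a seed core object; its core objects are removed from
    Omega and the process repeats until Omega is empty."""
    core = {j for j in range(len(data)) if len(eps_neighborhood(data, j, eps)) >= min_pts}
    omega = set(core)
    labels = [None] * len(data)
    cluster_id = 0
    while omega:
        seed = min(omega)          # deterministic seed (the patent picks one at random)
        cluster, frontier = set(), [seed]
        while frontier:
            q = frontier.pop()
            if q in cluster:
                continue
            cluster.add(q)
            if q in core:          # only core objects extend the reachability chain
                frontier.extend(i for i in eps_neighborhood(data, q, eps) if i not in cluster)
        for idx in cluster:
            labels[idx] = cluster_id
        omega -= cluster
        cluster_id += 1
    return labels


def remove_outliers(data, eps=1.0, min_pts=4):
    """Keep clustered samples, drop the rest (the patent's preprocessing step)."""
    labels = dbscan(data, eps, min_pts)
    kept = [x for x, lab in zip(data, labels) if lab is not None]
    dropped = [x for x, lab in zip(data, labels) if lab is None]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = remove_outliers(make_local_dataset())
    print(f"kept {len(kept)} records, dropped {len(dropped)} outliers: {dropped}")
```

On the constructed data the two dense groups become clusters 0 and 1 and the three stray records receive no cluster, so they are dropped; ε and MinPts have to be tuned per client, since a value that is too loose absorbs the strays into a cluster and one that is too tight fragments honest data.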

[0059] As shown in Figure 2, model F is divided into a base layer M_b and a personalization layer M_p. M_b can be viewed as a feature extraction layer: for example, when the input data is an image of m×m pixels, M_b can be designed to transform it into a vector p = {p_1, p_2, ..., p_n}; when the input is vector data v = {v_1, v_2, ..., v_k}, M_b can likewise transform it into p = {p_1, p_2, ..., p_n}. M_p updates its parameters on the client side based on the local non-i.i.d. data, for example updating the personalization layer parameters W_p based on the images and their corresponding categories, or on the vector data and its corresponding function values. After model F is trained, inputting images or vector data yields the classification of the images or the predicted values of the vector data.

[0060] Furthermore, in one embodiment of the present invention, model G is used to learn the relationship between W_p and the vector c, where the vector c is obtained by expanding the covariance matrix Conv calculated from the N vectors p:

[0061] ,

[0062] where N is the number of samples and E(x) is the mean of the N vectors p_i, i = 1, 2, ..., n.

[0063] The server divides the shared dataset into a training set and a test set in an 8:2 ratio. Batch gradient descent is used to update the parameters of model F′ on the training set. Once the model converges and performs well on the test set, the personalized layer parameters W_p′ of F′ are obtained, and c′ = {Cov_11, Cov_12, ..., Cov_nn} is calculated from the shared dataset; with W_p′ as the sample feature and c′ as the sample target vector, model G′ is pre-trained. On the client side, the local dataset is divided into training and test sets in an 8:2 ratio. Batch gradient descent is used to update the parameters of model F on the training set. When the model converges and performs well on the test set, the personalized layer parameters W_p of F are obtained, and the vector c = {Cov_11, Cov_12, ..., Cov_nn} is calculated from the output of M_b on the shared dataset; with W_p as the sample feature and c as the sample target vector, model G is pre-trained.

[0064] Furthermore, in one embodiment of the present invention, determining whether the client is subject to a data poisoning attack or a gradient attack based on L includes:

[0065] First, run the experiment 10 times to obtain 10 sets of data, calculate the mean of L, and use the mean as the threshold. If L exceeds the threshold, this indicates that the client is subject to data poisoning or gradient attacks.

[0066] Furthermore, in one embodiment of the present invention, it further includes:

[0067] Define the subset of the shared dataset corresponding to each client i as SD_i (i = 1, 2, ..., N). Taking SD_i as input to model F, the base layer transforms it into N_i vectors p = {p_1, p_2, ..., p_n}; from these the covariance matrix Conv_i is calculated, and expanding Conv_i gives c′_i = {Cov_11, Cov_12, ..., Cov_nn}. The magnitude of the difference vector between c_i, which is calculated from the local data of client i, and c′_i is Δc_i = ||c_i − c′_i||. The mean of Δc_i over ten experiments is used as the threshold; if Δc_i exceeds the threshold, it is determined that client i is subject to a data poisoning attack.

[0068] Furthermore, in one embodiment of the present invention, it further includes:

[0069] To determine whether the client is simultaneously subject to data poisoning attacks and attacks targeting the model gradient, the difference ΔL_i between Δc_i and L is calculated. The mean of ΔL_i over ten experiments is used as the threshold; if ΔL_i exceeds the threshold, the client is determined to be simultaneously subject to data poisoning attacks and attacks targeting the model gradient.

[0070] Specifically, the server takes the personalized layer parameters of model F uploaded by the client as the input of model G′, obtains the output V′, and calculates L = ||V′ − V|| (the modulus of the difference vector between V′ and V). Each client is then assigned a corresponding credibility, which yields the weight of that client's model in the weighted aggregation (if V′ differs significantly from V, the client is assigned a lower weight). The mean of L can be obtained by running 10 experiments to obtain 10 sets of data, and this mean is used as the threshold; if L exceeds the threshold, the client may be subject to a data poisoning attack or a gradient attack. Assume the subset of the shared dataset corresponding to each client is SD_i (i = 1, 2, ..., N). Similarly, taking SD_i as input to model F, the base layer transforms it into N_i (the number of samples in SD_i) vectors p = {p_1, p_2, ..., p_n}, from which the covariance matrix Conv_i is calculated; expanding Conv_i gives c′_i = {Cov_11, Cov_12, ..., Cov_nn}. The magnitude of the difference vector between c_i, calculated from the local data of client i, and c′_i is Δc_i = ||c_i − c′_i||; the mean of Δc_i over ten experiments is used as the threshold, and if Δc_i exceeds the threshold, this likewise indicates that client i is subject to a data poisoning attack. Assuming no data poisoning attack exists, then when L exceeds the threshold the client is considered to be attacking the model gradient. Assuming both data poisoning and attacks targeting the model gradient exist simultaneously, the difference ΔL_i between Δc_i and L can be calculated; the mean of ΔL_i over ten experiments is used as the threshold, and if ΔL_i exceeds the threshold, the client is determined to be simultaneously engaging in data poisoning attacks and attacks targeting model gradients. This requires the server to run the training of model G′ ten times. Afterwards, the server performs weighted aggregation of the base layer parameters of model F (the personalized layers are not included in the aggregation). Weighted aggregation on the server side gives lower weights to the detected malicious clients' model parameters, which mitigates the impact of malicious clients on model training to some extent. Figure 3 is a flowchart of the federated learning process.
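The following added example (written for this page; it is not the patent's or its assignee's code) carries the procedure of paragraphs [0060], [0067] and [0070] through on constructed data: the covariance-expansion vector c, the per-client distance Δc_i = ||c_i − c′_i|| compared against a threshold taken as the mean over ten repeated runs, and the weighted aggregation of base-layer parameters with malicious clients down-weighted. The base layer M_b is stood in for by a fixed linear map, the raw samples are Gaussian, and the down-weighting factor of 0.1 is an assumption (the patent says only "lower weight"); models G and G′, whose outputs give L, are not modelled, so the L test itself is not reproduced.

```python
import math
import random

# Added example (not the patent's code). It implements the covariance-expansion
# fingerprint c of paragraphs [0060]/[0067], the delta-c_i threshold test of
# [0070], and the weighted base-layer aggregation. The base layer M_b, the
# sample generator and the down-weighting factor are constructed assumptions.


def mean_vector(vectors):
    n, d = len(vectors), len(vectors[0])
    return [sum(v[k] for v in vectors) / n for k in range(d)]


def covariance_vector(vectors):
    """Vector c = {Cov_11, Cov_12, ..., Cov_nn}: the covariance matrix Conv of the
    N feature vectors p, expanded row by row (sample covariance, divisor N-1)."""
    N, d = len(vectors), len(vectors[0])
    mu = mean_vector(vectors)
    return [sum((v[j] - mu[j]) * (v[k] - mu[k]) for v in vectors) / (N - 1)
            for j in range(d) for k in range(d)]


def norm_diff(a, b):
    """||a - b||, the modulus used for L = ||V' - V|| and delta-c_i = ||c_i - c'_i||."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Stand-in for the feature-extraction base layer M_b: a fixed linear map from
# 3 raw features to 2 extracted features (assumption, not from the patent).
W_B = [[1.0, 0.5, -0.2], [0.3, -1.0, 0.8]]


def base_layer(x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W_B]


def fingerprint(raw_samples):
    """c for one dataset: push every sample through M_b, then expand Conv of the p's."""
    return covariance_vector([base_layer(x) for x in raw_samples])


def make_samples(rng, n, mean, spread):
    """Constructed raw samples: independent Gaussian per feature."""
    return [[rng.gauss(m, spread) for m in mean] for _ in range(n)]


def threshold_from_runs(runs):
    """Patent rule: repeat the experiment (10 times) and use the mean as the threshold."""
    flat = [v for run in runs for v in run]
    return sum(flat) / len(flat)


def detect_poisoned_clients(seed=1, n_runs=10, n_samples=200):
    """Clients 0-3 are honest but non-i.i.d. (shifted feature means); client 4 has
    its feature spread inflated, standing in for a poisoned local dataset.
    Returns (delta-c per client from the last run, threshold, flagged list)."""
    rng = random.Random(seed)
    global_mean = [0.0, 1.0, -1.0]
    client_shift = [[0, 0, 0], [2, 0, 0], [0, -2, 0], [0, 0, 2], [1, 1, 1]]
    client_spread = [0.5, 0.5, 0.5, 0.5, 1.5]      # client 4 is the odd one out
    runs = []
    for _ in range(n_runs):
        run = []
        for shift, spread in zip(client_shift, client_spread):
            local_mean = [m + s for m, s in zip(global_mean, shift)]
            local = make_samples(rng, n_samples, local_mean, spread)        # client data
            shared_subset = make_samples(rng, n_samples, global_mean, 0.5)  # SD_i
            run.append(norm_diff(fingerprint(local), fingerprint(shared_subset)))
        runs.append(run)
    thr = threshold_from_runs(runs)
    last = runs[-1]
    return last, thr, [dc > thr for dc in last]


def aggregate_base_layer(client_params, data_sizes, flagged, penalty=0.1):
    """Weighted average of the clients' base-layer parameters (personalized layers
    are not aggregated). Honest clients are weighted by local data volume n_i;
    flagged clients get a lower weight n_i * penalty (the factor is an assumption)."""
    weights = [n * (penalty if f else 1.0) for n, f in zip(data_sizes, flagged)]
    total = sum(weights)
    d = len(client_params[0])
    return [sum(w * p[k] for w, p in zip(weights, client_params)) / total for k in range(d)]


if __name__ == "__main__":
    dc, thr, flagged = detect_poisoned_clients()
    print("delta-c per client:", [round(v, 3) for v in dc], "threshold:", round(thr, 3))
    print("flagged:", flagged)
    params = [[1.0, 2.0], [1.1, 1.9], [0.9, 2.1], [1.0, 2.0], [10.0, -10.0]]
    print("aggregated base layer:", aggregate_base_layer(params, [200] * 5, flagged))
```

Because c is built from a covariance, honest clients whose feature means are shifted (the non-i.i.d. case the patent is concerned with) produce small Δc_i, while the client whose feature spread is inflated lands far above the mean-based threshold and is flagged; the aggregated base layer then stays near the honest clients' parameters even though the flagged client uploaded very different values. The mean-as-threshold rule only separates the two groups when the flagged minority is small, which is worth checking on real deployments.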

[0071] To achieve the above embodiments, the present invention also proposes a federated learning device for defending against data poisoning attacks.

[0072] Figure 4 is a schematic diagram of a federated learning device for defending against data poisoning attacks, provided as an embodiment of the present invention.

[0073] As shown in Figure 4, the federated learning device for defending against data poisoning attacks includes a first acquisition module 100, a first training module 200, a second training module 300, a second acquisition module 400, and a judgment module 500, wherein:

[0074] The first acquisition module is used to acquire a shared dataset containing the distribution of all features of the data in the client.

[0075] The first training module is used to construct model F, initialize the parameters of model F, and train model F based on the local dataset of the client, wherein model F is used to learn the relationship between sample features and target vectors in the local dataset;

[0076] The second training module is used to construct models G and G′, pre-train model G based on the client's local dataset, and pre-train model G′ based on the shared dataset, wherein models G and G′ are used to learn the relationship between the personalized layer parameters of model F and vector c;

[0077] The second acquisition module is used to acquire from the client the local data volume n, the vector c, the model F parameters, the personalized layer parameters output by model F, and the output V that model G produces from those personalized layer parameters.

[0078] The judgment module is used to take the personalized layer parameters as input to the model G′, obtain the output V′, calculate L=||V′-V||, and determine whether the client has a data poisoning attack or gradient attack based on L. The server assigns lower weights to the model parameters of the malicious clients to mitigate the impact of data poisoning attacks and attacks targeting model parameters.

[0079] To achieve the above objectives, a third aspect of the present invention provides a computer device, characterized in that it includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, it implements the federated learning method for defending against data poisoning attacks as described above.

[0080] To achieve the above objectives, a fourth aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the federated learning method for defending against data poisoning attacks as described above.

[0081] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.

[0082] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this invention, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.

[0083] Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims

1. A federated learning method for defending data poisoning attacks, characterized in that, Includes the following steps: Obtain a shared dataset containing the distribution of all features of the data in the client; Construct model F, initialize model F parameters, and train model F based on the client's local dataset, wherein model F is used to learn the relationship between sample features and target vectors in the local dataset, and model F includes a base layer and a personalized layer; Building Model and The model is based on the client's local dataset. Pre-training is performed on the model based on the shared dataset. Pre-training is performed on the model. and Used to learn the relationship between the personalized layer parameters of the model F and the vector c; The local data volume n, vector c, model F parameters, and personalized layer parameters output by model F are obtained from the client through the model. The output V, wherein the vector c is obtained by expanding the covariance matrix Conv calculated from N vectors p, and the vector p is obtained by transforming the local dataset or the shared dataset through the base layer of the model F; The personalization layer parameters are used as the model. The input is used to obtain the output. ,calculate Based on L, it is determined whether the client is subject to data poisoning attacks or gradient attacks. The server assigns lower weights to the model parameters of malicious clients to mitigate the impact of data poisoning attacks and attacks targeting model parameters.

2. The method according to claim 1, characterized in that obtaining a shared dataset containing the distribution of all features of the data in the clients further comprises: preprocessing the client's local dataset with the DBSCAN clustering algorithm.

3. The method according to claim 1, characterized in that the model is used to learn the relationship between and the vector , where is the vector obtained by expanding the covariance matrix calculated from the N vectors : , where N is the number of samples and is the mean of the N vectors .

4. The method according to claim 1, characterized in that the step of determining, based on L, whether the client is subject to a data poisoning attack or a gradient attack comprises: first running the experiment 10 times to obtain 10 sets of data, calculating the mean of L, and using that mean as the threshold ; if L exceeds , this indicates that the client is subject to a data poisoning attack or a gradient attack.

5. The method according to claim 1, characterized in that it further comprises: defining the subset of the shared dataset belonging to each client as ; using as input to model F and transforming it through the base layer to obtain the vectors ; calculating the covariance matrix from these vectors and expanding it to obtain ; computing the magnitude of the difference vector between and the corresponding result derived from the local data of client i; taking the mean over ten experiments as the threshold ; and if exceeds , determining that client is subject to a data poisoning attack.

6. The method according to claim 1, characterized in that it further comprises: calculating the difference between L and in order to determine whether the client is simultaneously subject to a data poisoning attack and an attack targeting the model gradient; conducting ten experiments and using the mean as the threshold ; and if exceeds , determining that the client is simultaneously subject to a data poisoning attack and an attack targeting the model gradient.
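The detection and server-side aggregation steps of claims 1 to 6, carried out end to end on constructed data, as an added worked example in Python; this is not code from the patent or its assignee. It assumes: the vector c is the population covariance (divided by N) of the base-layer vectors p, since the claims fix N and the mean but not the divisor; the outputs V and V' of the two pre-trained models are replaced by constructed vectors because those models are not specified here; the threshold is the mean of L over ten constructed calibration runs, as in claim 4; and the "lower weight" for a flagged client is a multiplicative penalty factor of 0.1 on its data-volume weight n, which the claims do not specify.

```python
import math
from typing import Dict, Iterable, List, Sequence, Set, Tuple


def covariance_vector(P: Sequence[Sequence[float]]) -> List[float]:
    """Vector c of the claims: the d x d covariance matrix of the N vectors p,
    expanded (flattened row-major) into a vector of length d*d.
    Assumption: population covariance, i.e. divided by N; the claims name N and
    the mean but do not state the divisor."""
    N = len(P)
    d = len(P[0])
    mean = [sum(p[j] for p in P) / N for j in range(d)]
    c: List[float] = []
    for i in range(d):
        for j in range(d):
            c.append(sum((p[i] - mean[i]) * (p[j] - mean[j]) for p in P) / N)
    return c


def l2_distance(V: Sequence[float], V_prime: Sequence[float]) -> float:
    """L = ||V' - V||: Euclidean norm of the difference between the two outputs."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(V_prime, V)))


def threshold_from_runs(L_values: Iterable[float]) -> float:
    """Claim 4: run the experiment repeatedly (ten times in the claim) and use
    the mean of the observed L values as the threshold."""
    vals = list(L_values)
    return sum(vals) / len(vals)


def flag_clients(L_by_client: Dict[str, float], threshold: float) -> Set[str]:
    """A client whose L exceeds the threshold is treated as malicious."""
    return {cid for cid, L in L_by_client.items() if L > threshold}


def weighted_aggregate(
    params: Dict[str, Sequence[float]],
    n: Dict[str, int],
    flagged: Set[str],
    penalty: float = 0.1,
) -> List[float]:
    """Server-side aggregation: each client is weighted by its local data volume n;
    flagged clients keep only `penalty` times that weight (assumed factor; the
    claims only say malicious clients receive a lower weight)."""
    weights = {cid: n[cid] * (penalty if cid in flagged else 1.0) for cid in params}
    total = sum(weights.values())
    dim = len(next(iter(params.values())))
    return [sum(weights[cid] * params[cid][k] for cid in params) / total for k in range(dim)]


def demo() -> dict:
    """One round of the detection pipeline on constructed data."""
    # Constructed base-layer outputs p, used only to show how c is formed.
    p_vectors = [[1.0, 2.0], [3.0, 4.0], [5.0, 6.0]]
    c = covariance_vector(p_vectors)

    # Constructed calibration data: L measured over ten clean runs (mean = 1.0).
    calibration_L = [0.9, 1.1, 1.0, 0.8, 1.2, 1.0, 0.9, 1.1, 1.0, 1.0]
    threshold = threshold_from_runs(calibration_L)

    # Constructed stand-ins for the outputs V (model over local data) and
    # V' (model over the shared dataset) of two clients in the current round.
    outputs: Dict[str, Tuple[List[float], List[float]]] = {
        "client_1": ([0.2, 0.1, 0.3], [0.3, 0.2, 0.1]),   # close: benign
        "client_2": ([0.2, 0.1, 0.3], [2.0, -1.5, 1.0]),  # far apart: suspicious
    }
    L_by_client = {cid: l2_distance(V, Vp) for cid, (V, Vp) in outputs.items()}
    flagged = flag_clients(L_by_client, threshold)

    # Constructed uploaded model parameters and local data volumes n.
    params = {"client_1": [1.0, 0.5], "client_2": [5.0, -3.0]}
    n = {"client_1": 200, "client_2": 100}
    aggregated = weighted_aggregate(params, n, flagged)

    return {"c": c, "threshold": threshold, "L": L_by_client,
            "flagged": flagged, "aggregated": aggregated}


if __name__ == "__main__":
    print(demo())
```

In the demo, client_2's L (about 2.5) exceeds the calibrated threshold of 1.0 while client_1's (about 0.24) does not, so only client_2 is down-weighted: its effective weight drops from 100 to 10 against client_1's 200, and the aggregate is pulled toward client_1's parameters instead of the outlying ones.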

7. A federated learning device for defending against data poisoning attacks, characterized in that it comprises the following modules: a first acquisition module, configured to acquire a shared dataset containing the distribution of all features of the data in the clients; a first training module, configured to construct model F, initialize the parameters of model F, and train model F on the client's local dataset, wherein model F is used to learn the relationship between sample features and target vectors in the local dataset, and model F comprises a base layer and a personalized layer; a second training module, configured to construct models and , pre-train on the client's local dataset and pre-train on the shared dataset, wherein and are used to learn the relationship between the personalized layer parameters of model F and the vector c; a second acquisition module, configured to acquire from the client the local data volume n, the vector c, the parameters of model F and the personalized layer parameters output by model F, and to pass them through to obtain the output V, wherein the vector c is obtained by expanding the covariance matrix Conv calculated from N vectors p, and the vector p is obtained by transforming the local dataset or the shared dataset through the base layer of model F; and a judgment module, configured to use the personalized layer parameters as the input of to obtain the output , to calculate , and to determine, based on L, whether the client is subject to a data poisoning attack or a gradient attack, the server assigning lower weights to the model parameters of malicious clients to mitigate the impact of data poisoning attacks and of attacks targeting model parameters.

8. The apparatus according to claim 7, characterized in that the judgment module is further configured to: first run the experiment 10 times to obtain 10 sets of data, calculate the mean of L, and use that mean as the threshold , where L exceeding indicates that the client is subject to a data poisoning attack or a gradient attack; define the subset of the shared dataset belonging to each client as , use as input to model F and transform it through the base layer to obtain the vectors , calculate the covariance matrix from these vectors and expand it to obtain , compute the magnitude of the difference vector between and the corresponding result derived from the local data of client i, take the mean over ten experiments as the threshold , and if exceeds , determine that client is subject to a data poisoning attack; and calculate the difference between L and in order to determine whether the client is simultaneously subject to a data poisoning attack and an attack targeting the model gradient, conduct ten experiments and use the mean as the threshold , and if exceeds , determine that the client is simultaneously subject to a data poisoning attack and an attack targeting the model gradient.

9. A computer device, characterized in that it comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein, when the processor executes the computer program, it implements the federated learning method for defending against data poisoning attacks according to any one of claims 1 to 6.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the federated learning method for defending against data poisoning attacks according to any one of claims 1 to 6.