GAN attack detection method and device, parameter sharing method and device
By detecting malicious attack behavior of computing nodes on the parameter server side, and utilizing lift and historical learning rate, the problems of resource consumption and subjective ambiguity in judgment in existing technologies are solved, achieving more accurate GAN attack detection and protection of model training effects.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD
- Filing Date
- 2023-06-14
- Publication Date
- 2026-06-09
Smart Images

Figure CN116866006B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of communication technology, and in particular to GAN attack detection methods, apparatus, parameter sharing methods, apparatus, electronic devices, and computer-readable storage media. Background Technology
[0002] In distributed deep learning model training, parameter servers and computing nodes collaborate to complete the distributed model training. Malicious computing nodes construct a local model based on updated shared parameters provided by the parameter server, acting as a GAN (Generative Adversarial Network) attack discriminator. This model is then combined with malicious attack classification labels negotiated between the computing nodes and the shared parameters to construct a local GAN attack network, creating realistic training samples. Subsequently, the malicious computing node labels these realistic samples with false classification labels, trains its local model, and then submits malicious shared parameters to interfere with the training of the distributed deep learning model. In existing technologies, the parameter server labels the shared parameters with binary classification labels, constructing a classifier to identify the likelihood of malicious information in the subsequently updated shared parameters from each computing node, thereby detecting attacks from malicious computing nodes.
[0003] However, existing GAN attack detection methods have at least the following drawbacks: they require building and training a GAN classifier on the parameter server side, which consumes the parameter server's resources; the judgment of GAN attack behavior is based on whether the historical trend curve of the shared parameters of a certain computing node deviates more from that of other computing nodes, and the analysis conclusions are relatively subjective and vague.
[0004] It is evident that existing GAN attack detection methods still require improvement. Summary of the Invention
[0005] This application provides a GAN attack detection method, apparatus, and electronic device that can solve one or more of the above-mentioned problems.
[0006] In a first aspect, embodiments of this application disclose a GAN attack detection method applied to a parameter server of a distributed learning model, wherein the distributed learning model further includes: multiple computing nodes, and the method includes:
[0007] Obtain the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed;
[0008] In response to the lift degree being equal to a preset lift degree threshold, it is determined that the computing node to be analyzed exhibits attack behavior.
[0009] In response to the lift degree not being equal to the preset lift degree threshold, attack behavior detection is performed on the computing node to be analyzed based on the historical learning rate of each computing node.
[0010] Secondly, embodiments of this application disclose a GAN attack detection device applied to a parameter server of a distributed learning model, wherein the distributed learning model further includes: multiple computing nodes, and the device includes:
[0011] The lift acquisition module is used to acquire the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed.
[0012] The first attack detection module is used to determine that the computing node to be analyzed has an attack behavior in response to the lift degree being equal to a preset lift degree threshold.
[0013] The second attack detection module is used to detect attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node when the lift is not equal to the preset lift threshold.
[0014] Thirdly, this application discloses a parameter sharing method applied to computing nodes in a distributed learning model, wherein the distributed learning model further includes a parameter server, and the method includes:
[0015] Based on the parameter protection notification information broadcast by the parameter server, perform parameter search on the local model to obtain the target parameters;
[0016] The target parameters are abstracted to obtain the first abstract parameter;
[0017] Abstract the shared parameters (excluding the target parameter) in the first abstract parameter and the shared parameter group of the local model to obtain the abstract parameter group;
[0018] The abstract parameter group is used as a shared parameter group and shared with the parameter server.
[0019] Fourthly, embodiments of this application disclose a parameter sharing device applied to computing nodes in a distributed learning model, wherein the distributed learning model further includes a parameter server, and the device includes:
[0020] The parameter search module is used to perform parameter search on the local model based on the parameter protection notification information broadcast by the parameter server, and obtain the target parameters.
[0021] The parameter abstraction module is used to abstract the target parameters to obtain the first abstract parameter;
[0022] The parameter abstraction module is also used to abstract the shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model to obtain the abstract parameter group;
[0023] The parameter sharing module is used to share the abstract parameter group as a shared parameter group to the parameter server.
[0024] Fifthly, embodiments of this application also disclose an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the GAN attack detection method and / or parameter sharing method described in embodiments of this application.
[0025] Sixthly, embodiments of this application disclose a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, contains the steps of the GAN attack detection method and / or the parameter sharing method disclosed in embodiments of this application.
[0026] The GAN attack detection method disclosed in this application is applied to the parameter server of a distributed learning model. The distributed learning model further includes multiple computing nodes. The method obtains the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed. In response to the lift equaling a preset lift threshold, it determines that the computing node to be analyzed exhibits attack behavior. In response to the lift not equaling the preset lift threshold, it detects attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node. This eliminates the need to build and train a GAN classifier on the parameter server side, saving parameter server resources. Furthermore, using the historical learning rate of computing nodes as the basis for judging GAN attack behavior is more objective than the prior art that uses the deviation of the historical trend curve of a computing node's shared parameters from other computing nodes as the basis for judging GAN attack behavior, thus helping to improve the accuracy of attack behavior detection.
[0027] The above description is only an overview of the technical solution of this application. In order to better understand the technical means of this application and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, the following are specific embodiments of this application. Attached Figure Description
[0028] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0029] Figure 1 This is one of the flowcharts of the GAN attack detection method disclosed in the embodiments of this application;
[0030] Figure 2 This is one of the flowcharts of attack detection steps based on learning rate disclosed in the embodiments of this application;
[0031] Figure 3 This is one of the schematic diagrams of the learning rate curve obtained in the GAN attack detection method disclosed in the embodiments of this application;
[0032] Figure 4 This is the second schematic diagram of the learning rate curve obtained in the GAN attack detection method disclosed in the embodiments of this application;
[0033] Figure 5 This is the second flowchart of the attack detection steps based on the learning rate disclosed in the embodiments of this application;
[0034] Figure 6 This is the second flowchart of the GAN attack detection method disclosed in the embodiments of this application;
[0035] Figure 7 This is a flowchart of the parameter sharing method disclosed in the embodiments of this application;
[0036] Figure 8 This is a schematic diagram of the parameter abstraction process in the parameter sharing method disclosed in the embodiments of this application;
[0037] Figure 9 This is a schematic diagram of the interaction between the parameter server and the computing node in an application scenario of the GAN attack detection method and parameter sharing method disclosed in the embodiments of this application;
[0038] Figure 10 This is a schematic diagram of the structure of the GAN attack detection device disclosed in the embodiments of this application;
[0039] Figure 11 This is a schematic diagram of the parameter sharing device structure disclosed in the embodiments of this application;
[0040] Figure 12 A block diagram schematically illustrates an electronic device for performing the method according to this application; and
[0041] Figure 13 A storage unit for holding or carrying program code implementing the method according to this application is illustrated schematically. Detailed Implementation
[0042] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0043] In existing technologies, during the training of a distributed deep learning model (referred to as the learning model), a parameter server constructs a GAN attack classifier to assess attack behavior. Each computing node constructs a local model (i.e., an adversarial network) according to the same standards, forming a distributed attack detection system. Data security is also ensured by ensuring that training samples do not leave the local machine between computing nodes. However, malicious learning computing nodes within the learning model can generate realistic samples through a local adversarial network using malicious attack classification labels (referred to as "classification labels") negotiated between computing nodes and shared parameters. These samples are then labeled with correct or incorrect false malicious attack classification labels (referred to as "false classification labels") and uploaded to the parameter server through their local models, inducing other computing nodes to submit correct shared parameters to improve the realistic samples. This type of attack, which uses a GAN network to infer the training samples of other computing nodes, is called a "GAN attack," and its target is not limited to a specific computing node.
[0044] Malicious computing nodes construct a local model as a GAN attack discriminator based on updated shared parameters provided by the parameter server. This model is then combined with malicious sample classification labels negotiated between the computing nodes and the shared parameters to build a local GAN attack network, creating realistic training samples. Subsequently, the malicious computing nodes label the realistic samples with false classification labels, train their local models, and submit malicious shared parameters.
[0045] Correct false classification labels are relevant to the learning objectives of each computation node in the learning model, while incorrect false classification labels are irrelevant to the learning objectives and will affect the training performance of the distributed deep learning model, such as leading to a decrease in model accuracy. Therefore, the parameter server needs to identify malicious computation nodes.
[0046] The GAN attack detection method disclosed in this application includes a distributed learning model comprising a parameter server and multiple computing nodes. The method is applied to the parameter server, such as... Figure 1 As shown, the method includes steps 110 to 130.
[0047] In cloud-network convergence scenarios, parameter servers and multiple computing nodes can be different network elements.
[0048] Step 110: Obtain the current malicious attack classification label and the current shared parameter group improvement degree shared by the computing nodes to be analyzed.
[0049] In the embodiments of this application, in order to reduce the load on the parameter server side, the improvement analysis of malicious attack classification labels and model shared parameters is performed on the parameter server side instead of building a GAN attack classifier locally on the parameter server.
[0050] The computing node to be analyzed is one of the plurality of computing nodes.
[0051] Optionally, obtain the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed, including: sub-step 1101, sub-step 1102 and sub-step 1103.
[0052] Sub-step 1101: Calculate the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node.
[0053] Specifically, the historical malicious attack classification labels and historical shared parameter groups are obtained from historical data uploaded to the parameter server by each computing node based on a sharing protocol. For example, the historical malicious attack classification labels and historical shared parameter groups can be: malicious attack classification labels and shared parameter groups obtained from historical data stored locally on the parameter server.
[0054] Optionally, based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node, the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups is calculated, including: determining the lift of historical malicious attack classification labels and historical shared parameter groups based on the ratio of the probability of historical malicious attack classification labels and historical shared parameter groups appearing simultaneously to the probability of historical shared parameter groups appearing.
[0055] For example, the lift of historical malicious attack classification label i and historical shared parameter group j can be calculated using the following formula:
[0056] L ij (Label i ->SharedPara j ) = P(Label i |SharedPara j ) / P(SharedPara j );
[0057] Among them, Labeli The tag i represents the category of historical malicious attacks, SharedPara j Represents the shared parameter group j, P(SharedPara j P(Label) represents the probability of occurrence of historical shared parameter group j determined based on historical data. i |SharedPara j L represents the probability that historical malicious attack classification label i and historical shared parameter group j, determined based on historical data, occur simultaneously. ij (Label i ->SharedPara j ) represents the lift of historical malicious attack category label i and historical shared parameter group j.
[0058] If the lift of the malicious attack classification label i and the shared parameter group j is greater than a preset lift threshold (e.g., 1), it indicates a strong correlation between the malicious attack classification label i and the shared parameter group; if the lift of the malicious attack classification label i and the shared parameter group j is less than the preset lift threshold, it indicates that the malicious attack classification label i and the shared parameter group j are invalid strong correlation rules and can be considered as weak correlation; if the lift of the malicious attack classification label i and the shared parameter group j is equal to the preset lift threshold, it indicates that there is no correlation between the malicious attack classification label i and the shared parameter group j.
[0059] Sub-step 1102: Match the current malicious attack classification label and current shared parameter group of the node to be analyzed with the historical malicious attack classification label and historical shared parameter group with the improvement degree to obtain the matching result.
[0060] Sub-step 1103: Based on the matching results, determine the current malicious attack classification label and the current shared parameter group.
[0061] Among them, the current malicious attack classification label refers to the current malicious attack classification label of the computing node to be analyzed obtained by the parameter server, and the current shared parameter group refers to the current shared parameter group of the computing node to be analyzed obtained by the parameter server.
[0062] Next, for each compute node, the parameter server matches the node's current malicious attack classification label and current shared parameter combination with combinations of historical malicious attack classification labels and historical shared parameter groups that have lift. If a historical malicious attack classification label and historical shared parameter group are successfully matched, the lift value corresponding to the successfully matched historical malicious attack classification label and historical shared parameter group is used as the lift of the current malicious attack classification label.
[0063] If no combination of historical malicious attack category labels and historical shared parameter groups is found, it can be assumed that there is no correlation between the current malicious attack category labels and shared parameter groups. In this case, the lift can be set to equal the preset lift threshold.
[0064] Step 120: In response to the lift degree being equal to a preset lift degree threshold, it is determined that the computing node to be analyzed exhibits attack behavior.
[0065] Step 130: In response to the lift degree not being equal to the preset lift degree threshold, attack behavior detection is performed on the computing node to be analyzed based on the historical learning rate of each computing node.
[0066] When the lift of the current malicious attack classification label and the current shared parameter group submitted by a computing node falls in the L=1 interval, or there is no matching classification label or shared parameter group on the parameter server side (in which case the lift is set to 1), it can be directly determined that the computing node that submitted the malicious attack label is using a false label to mark a realistic sample, which constitutes an attack and is identified as a malicious computing node.
[0067] The attack detection process will be described below with a preset lift threshold of 1.
[0068] When the lift of the current malicious attack classification label and the current shared parameter group submitted by a computing node falls in the L<1 or L>1 interval, the relationship between the current malicious attack classification label and the current shared parameter group is weakly or strongly correlated, and further investigation is needed to determine whether the malicious computing node is using the correct false label.
[0069] Optional, such as Figure 2 As shown, attack behavior detection is performed on each computing node based on the historical learning rate of each computing node, including: sub-step 1301, sub-step 1302, sub-step 1303 and sub-step 1304.
[0070] Sub-step 1301: Obtain the historical learning rate of each computing node.
[0071] In deep learning model training, the learning rate is a hyperparameter that guides how to adjust network weights using the gradient of the loss function. A lower learning rate results in a slower rate of change in the loss function. During distributed training, each computing node can upload its local model's historical learning rate along with the shared parameter set to the parameter server. The parameter server stores the historical learning rates of each computing node for later use. The parameter server can also actively retrieve the historical learning rates of each computing node's local model. This application does not limit the specific implementation method for obtaining the historical learning rates of each computing node.
[0072] Sub-step 1302: Obtain the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node.
[0073] When attack behavior detection is required, the parameter server needs to perform attack behavior detection on each computing node to be detected based on its learning rate. The following example illustrates a specific implementation method for the parameter server to perform attack behavior detection on the computing nodes to be analyzed based on historical learning rates.
[0074] First, the parameter server needs to calculate the learning rate ratio curve of the computing nodes to be analyzed.
[0075] Optionally, obtaining the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node includes: calculating the average historical learning rate of the computing nodes other than the computing node to be analyzed among the plurality of computing nodes; and obtaining the learning rate ratio curve of the computing node to be analyzed based on the ratio of the historical learning rate of the computing node to be analyzed to the average value.
[0076] During the training process of the distributed learning model, the learning rate of the local model on each computing node changes dynamically at different times. Under normal circumstances, the learning rate of each computing node remains basically consistent. In the embodiments of this application, by constructing a Cartesian coordinate system with the average historical learning rate of computing nodes other than the computing node to be analyzed as the horizontal axis and the historical learning rate of the computing node to be analyzed as the vertical axis, and plotting the ratio corresponding to each average value, the learning rate ratio curve of the computing node to be analyzed can be obtained.
[0077] Taking a distributed learning model training process involving four computing nodes as an example, the historical learning rates of each computing node obtained by the parameter server can be represented as η1, η2, η3, and η4, respectively. When obtaining the learning rate ratio curve of computing node 1 (i.e., the computing node to be analyzed is computing node 1), we can first calculate the average value η of the historical learning rates η2, η3, and η4 of computing nodes 2, 3, and 4 at different training time points. avg , where η avg = (η2 + η3 + η4) / 3, where each average value η avg This corresponds to a specific training time point. Then, the historical learning rate η1 of computation node 1 at each of these training time points is calculated, along with the average learning rate η at the corresponding training time point. avg The learning rate ratio η1 / η avgFinally, in the Cartesian coordinate system established using the aforementioned method, the coordinate points corresponding to each learning rate ratio are plotted to obtain the learning rate ratio curve. The x-coordinate of each learning rate ratio point represents the historical average learning rate at a given training time t for computation nodes 2, 3, and 4, and the y-coordinate represents the historical learning rate value at the corresponding training time t for computation node 1. Connecting the coordinate points corresponding to multiple learning rate ratios forms the learning rate ratio curve for computation node 1.
[0078] In some embodiments of this application, the average value η of the historical learning rates η2, η3, and η4 of computing nodes 2, 3, and 4 can also be used. avg In ascending order, the coordinate points corresponding to the ratios of each average value are plotted sequentially in the aforementioned Cartesian coordinate system. The coordinate points corresponding to multiple learning rate ratios are connected to form the learning rate ratio curve of computing node 1.
[0079] Following the method described above, the learning rate ratio curve for computation node 1 is obtained as follows: Figure 3 As shown.
[0080] When obtaining the learning rate ratio curve for computing node 2 (i.e., when the computing node to be analyzed is computing node 2), we can first calculate the average historical learning rates η1, η3, and η4 of computing nodes 1, 3, and 4 at different training time points. avg , where η avg = (η1 + η3 + η4) / 3; Then, calculate the historical learning rate η2 of computing node 2 at each of the above training time points and the average value η at the corresponding training time points. avg The learning rate ratio η² / η avg Finally, the coordinates corresponding to each learning rate ratio are plotted using the method described above to obtain the learning rate ratio curve for node 2.
[0081] Following the method described above, the learning rate ratio curve for computation node 2 can be obtained as follows: Figure 4 As shown.
[0082] Sub-step 1303: Based on the specified curve boundary, perform curve boundary analysis on the learning rate ratio curve of the node to be analyzed and obtain the analysis results.
[0083] The parameter server obtains the learning rate ratio curve of each computing node according to the above method. Then, based on the specified curve boundary, it performs curve boundary analysis on the learning rate ratio curve of each computing node to obtain the analysis results.
[0084] Optionally, the specified curve boundary is the boundary of the value region where the average value is less than or equal to 1 and the historical learning rate of the node to be analyzed is less than or equal to 1. The step of performing curve boundary analysis on the learning rate ratio curve of the node to be analyzed based on the specified curve boundary to obtain the analysis result includes: in response to the learning rate ratio curve of the node to be analyzed exceeding the boundary, obtaining an analysis result indicating that the learning rate ratio curve exceeds the specified curve boundary.
[0085] As can be seen from the calculation process of the learning rate ratio curve, when the learning rate ratio curve of a certain computing node exceeds the boundary formed by the horizontal axis value = 1 and the vertical axis value = 1, the gradient change of the parameters adjusted by the computing node according to the loss function exceeds the average value of the other computing nodes. It can be considered that the computing node has the behavior of carrying out GAN attack through correct false labels. Accordingly, the analysis result indicating that the learning rate ratio curve exceeds the specified curve boundary can be obtained.
[0086] Taking computing node 1 as an example, as follows: Figure 3 As shown, the learning rate ratio curve for node 1 exceeds the boundary formed by the x-axis value = 1 and the y-axis value = 1, as follows: Figure 3 If the gradient change of the parameters adjusted by computing node 1 according to the loss function exceeds the average value of computing nodes 2, 3, and 4, then computing node 1 can be considered to be carrying out GAN attacks through correct false labels. Accordingly, the analysis result indicating that the learning rate ratio curve of computing node 1 exceeds the specified curve boundary can be obtained.
[0087] Taking computing node 2 as an example, as shown below Figure 4 As shown, the learning rate ratio curve of computing node 2 does not exceed the boundary formed by the horizontal axis value = 1 and the vertical axis value = 1, indicating that the gradient change of computing node 2 in adjusting the parameters according to the loss function does not exceed the average value of computing nodes 1, 3, and 4. Therefore, it can be considered that computing node 2 does not engage in GAN attacks through correct false labels. Accordingly, the analysis result indicating that the learning rate ratio curve of computing node 2 does not exceed the specified curve boundary can be obtained.
[0088] Sub-step 1304: In response to the analysis result indicating that the learning rate ratio curve exceeds the specified curve boundary, it is determined that the computing node to be analyzed has an attack behavior.
[0089] Furthermore, when the analysis results indicate that the learning rate ratio curve exceeds the boundary of the specified curve (such as the learning rate ratio curve of computing node 1), it is determined that the computing node to be analyzed (such as computing node 1) has an attack behavior.
[0090] Optionally, the method further includes: in response to the analysis result indicating that the learning rate ratio curve has not exceeded the specified curve boundary, determining that the computing node to be analyzed does not exhibit any attack behavior.
[0091] When the analysis results indicate that the learning rate ratio curve does not exceed the specified curve boundary (such as the learning rate ratio curve of computing node 2), it is determined that the computing node to be analyzed (such as computing node 2) does not have any attack behavior.
[0092] When the lift rate cannot directly indicate that the node to be analyzed is engaging in attack behavior, the parameter server further performs attack behavior detection based on the learning rate to determine whether the node to be analyzed is engaging in attack behavior.
[0093] During the training of a distributed learning model, the purpose of detecting attack behavior is to notify each normal computing node (i.e., the computing node without attack behavior) to take parameter protection measures locally. Therefore, the parameter server needs to synchronize the attack behavior detection results to each normal computing node.
[0094] Optional, such as Figure 5 As shown, after the analysis result indicates that the learning rate ratio curve exceeds the specified curve boundary and it is determined that the computing node to be analyzed has an attack behavior, the method further includes: sub-step 1305 and sub-step 1306.
[0095] Sub-step 1305: Set the preset learning rate marker as the target marker value, which is used to indicate that the computing node to be analyzed has attack behavior.
[0096] Sub-step 1306: Broadcast the target label values of the lift and the preset learning rate to the target computing node to notify the target computing node to implement parameter protection, wherein the target computing node includes: computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
[0097] Once the analysis of the learning rate curve determines that the node being analyzed is exhibiting attack behavior, the parameter server first sets the preset learning rate marker value to be equal to the target marker value. The target marker value is used to indicate that the node being analyzed is exhibiting attack behavior. For example, the target marker value can be 1.
[0098] Afterwards, the parameter server will broadcast the lift value L and the preset learning rate flag to other computing nodes (i.e., computing nodes other than the computing nodes to be analyzed that are identified as having attack behavior), informing other computing nodes to implement local protection measures for shared parameters during the parameter sharing process.
[0099] Optional, such as Figure 6As shown, after determining that the computing node to be analyzed has an attack behavior, the method further includes: step 125.
[0100] Step 125: Broadcast the acquired lift to the target computing node to notify the target computing node to implement parameter protection. The target computing node includes computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
[0101] Once the parameter server identifies a malicious computing node (i.e. a computing node exhibiting attack behavior), it broadcasts the elevation degree L value to other computing nodes, notifying them to implement local protection measures for shared parameters during the parameter sharing process.
[0102] The GAN attack detection method disclosed in this application is applied to the parameter server of a distributed learning model. The distributed learning model further includes multiple computing nodes. The method obtains the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed. In response to the lift equaling a preset lift threshold, it determines that the computing node to be analyzed exhibits attack behavior. In response to the lift not equaling the preset lift threshold, it detects attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node. This eliminates the need to build and train a GAN classifier on the parameter server side, saving parameter server resources. Furthermore, using the historical learning rate of computing nodes as the basis for judging GAN attack behavior is more objective than the prior art that uses the deviation of the historical trend curve of a computing node's shared parameters from other computing nodes as the basis for judging GAN attack behavior, thus helping to improve the accuracy of attack behavior detection.
[0103] This application also discloses a parameter sharing method applied to computing nodes in a distributed learning model, wherein the distributed learning model further includes a parameter server. Figure 7 As shown, the method includes steps 710 to 740.
[0104] Step 710: Based on the parameter protection notification information broadcast by the parameter server, perform parameter search on the local model to obtain the target parameters.
[0105] The parameter protection notification information includes: lift degree, or includes: lift degree and preset learning rate flag, and the parameter protection notification information is broadcast by the parameter server after performing the steps of the aforementioned GAN attack detection method.
[0106] For details on how the parameter server broadcasts the parameter protection notification information, please refer to the previous text, and it will not be repeated here.
[0107] As mentioned above, when the computing node to be analyzed exhibits attack behavior, the parameter server broadcasts the lift of the computing node to be analyzed (when the lift is not equal to the preset lift threshold) and the target label value of the preset learning rate label to other computing nodes, or broadcasts the lift of the computing node to be analyzed (when the lift is equal to the preset lift threshold) to other computing nodes.
[0108] The following text will be explained with a preset lift threshold of 1.
[0109] When a normal computing node in a distributed learning model receives the lift broadcast by the parameter server, or receives the target label value of the lift and the preset learning rate, it will use the received lift or the received lift and the target label value of the preset learning rate as parameter protection notification information sent by the parameter server to implement parameter protection locally.
[0110] Different attack behaviors of malicious computing nodes (such as computing nodes whose attack behavior has been detected) will lead to different behavior detection results. For example, a malicious computing node can set incorrect false classification labels, causing the classification labels to be unrelated to the shared parameter set, which is reflected in the detection result as a lift of 1. Another example is that a malicious computing node can share incorrect parameter weights to learn the changes in true negative, false negative, true positive, and false positive indices in the classification results of a local model after a computing node receives incorrect parameters. This will cause its historical learning rate ratio curve to exceed the preset curve boundary, which is reflected in the detection result as a lift of 1 and the preset learning rate label being the target label value. In the embodiments of this application, normal computing nodes analyze the behavior of malicious computing nodes based on the specific content and value of the parameter protection notification information broadcast by the parameter server, and perform parameter search based on the impact of the malicious computing node's behavior on the local model.
[0111] Optionally, the parameter search method can be random search or grid search.
[0112] Optionally, the step of performing parameter search on the local model to obtain the target parameters based on the parameter protection notification information broadcast by the parameter server includes: sub-step 7101 or sub-step 7102.
[0113] Sub-step 7101: In response to the elevation degree in the parameter protection notification information being equal to a preset elevation degree threshold, the target parameter that causes the change in the true negative and true positive indicators of the local model prediction results is searched in the shared parameter group shared by the computing nodes.
[0114] The other computing nodes refer to computing nodes in the distributed learning model other than the local model.
[0115] When the lift L=1, the labels of malicious computing nodes (such as computing node 1) differ significantly from those of normal computing nodes. The erroneous parameters received by the local model (such as computing node 2) will cause changes in the true positive and true negative indices in the local classification prediction results. In this case, when the local model performs parameter search, it will select key parameters that cause changes in the number of TN-TP (i.e., true positive and true negative) groups as target parameters. For example, these can be denoted as "wcorrectedt1" and "wcorrectedt2".
[0116] Optionally, the key screening parameter can be a preset number (e.g., two) of parameters that have the greatest impact on the change in the number of TN-TP (i.e., true positive and true negative) groups.
[0117] Sub-step 7102: In response to the parameter protection notification information that the lift is not equal to the preset lift threshold and the preset learning rate flag is a target flag value, the target parameter that causes changes in the true negative, false negative, true positive and false positive indices of the local model prediction results is searched in the shared parameter group shared by the protocol between computing nodes. The target flag value is used to indicate that there are computing nodes with attack behavior in the other computing nodes.
[0118] When the lift L! = 1 and the preset learning rate label is the target label value, for example, the learning rate η ratio curve going out of bounds is labeled as 1. If the learning rate ratio curve of computing node 1 exceeds the specified curve boundary, it will cause changes in true / false positives and true / false negatives. At this time, when the local model performs parameter search, it will select the key parameters that cause changes in the TN-TP-FN-FP (i.e., true / false positives and true / false negatives) group indicators as target parameters, for example, they can be denoted as "wcorrectedft1" and "wcorrectedft2".
[0119] Step 720: The target parameters are abstracted to obtain the first abstract parameters.
[0120] After identifying the target parameters for attacks targeting malicious computing nodes, these parameters are abstracted into abstract values. Optionally, dimensionality reduction methods such as Principal Component Analysis (PCA) or Linear Discriminant Analysis (LDA) can be used to perform principal component analysis on the target parameters, extracting their principal component features as the first abstract parameter.
[0121] To restore the attack behavior classification accuracy before the shared parameters were updated, while ensuring the privacy of key shared parameters and other model parameters, the local model (such as compute node 2) first performs principal component analysis on the key shared parameters that cause changes in the number of TN-TP (i.e., true positive and true negative) groups, or performs principal component analysis on the key shared parameters that cause an increase in the indicators of TN-TP-FN-FP (i.e., true / false positive and true / false negative) groups, before uploading the shared parameters trained on local samples, to obtain the corresponding abstract parameters composed of principal component features.
[0122] For example, after performing PCA processing on the target parameters wft1 and wft2 obtained from the search, the first abstract parameter is obtained, for example, denoted as "wft". As another example, after performing PCA processing on the target parameters wt1 and wt2 obtained from the search, the first abstract parameter is obtained, for example, denoted as "wt".
[0123] Taking the type of maximizing variance as an example, after a malicious computing node obtains the processed parameters, it cannot be mapped to specific shared parameters, but can only be mapped to the principal component features of abstract key parameters, making the realistic samples of the malicious computing node incomplete.
[0124] In the embodiments of this application, when the target parameters are abstracted to obtain the first abstract parameters, the principal component features of the key parameters minimize the performance impact on other computing nodes in the distributed learning model.
[0125] Step 730: Abstract the shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model to obtain the abstract parameter group.
[0126] Furthermore, the first abstract parameter is further abstracted along with other parameters (i.e., parameters other than the target parameter) in the shared parameters shared by the local model and other computing node protocols to obtain an abstract parameter group, which is then shared with other computing nodes.
[0127] Optionally, the shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model are abstracted to obtain an abstract parameter group, including: sub-step 7301, sub-step 7302 and sub-step 7303.
[0128] Sub-step 7301: Abstract the first shared parameter in the shared parameter group of the local model to obtain the second abstract parameter.
[0129] The first shared parameter is a subset of the parameters in the shared parameter group, excluding the target parameter.
[0130] Among them, the first shared parameter can be determined according to the preferred classification result obtained by classifying according to the principal components. For example, the shared parameters with large variances of different principal components can be classified into one category, and then one of the categories is selected as the first shared parameter.
[0131] After abstracting the target parameter, further, the local model performs abstraction on other parameters except the target parameter in the shared parameters shared with other computing nodes through protocols. For example, the local model classifies other parameters except the target parameter according to the principle of maximizing the principal component variance, and abstracts each category of parameters separately. Taking the classification into two categories as an example, one of the categories can be selected as the first shared parameter, and the other category as the second shared parameter.
[0132] After that, principal component analysis is performed on the first shared parameter to obtain principal component features as the second abstract parameter, for example, denoted as "w纠p1".
[0133] Sub-step 7302: Abstract the second shared parameter and the first abstract parameter in the shared parameter group to obtain a third abstract parameter.
[0134] Among them, the second shared parameter is the parameter in the shared parameter group except the target parameter and the first shared parameter.
[0135] Next, the second shared parameter and the first abstract parameter w纠ft or w纠t are taken as a group of parameters to perform principal component analysis to obtain principal component features as the third abstract parameter, for example, denoted as "w纠p2".
[0136] Sub-step 7303: Obtain an abstract parameter group according to the second abstract parameter and the third abstract parameter.
[0137] Optionally, the second abstract parameter w纠p1 and the third abstract parameter w纠p2 can be used as the shared parameter group shared by the local model to other computing nodes.
[0138] Step 740: Share the abstract parameter group to the parameter server as the shared parameter group.
[0139] The parameter server shares the second abstract parameter w纠p1 and the third abstract parameter w纠p2 as the shared parameter group to the parameter server.
[0140] Such as Figure 8As shown in the figure, it is assumed that the shared parameters shared by each computing node protocol in the distributed learning model include n. For the local models of the computing nodes, they are respectively denoted as w纠1, w纠2, …, w纠H, …, w纠K, …, w纠n, where 2 < H < K < n. After performing principal component-based abstraction processing, the shared parameters are transformed into parameters w纠p1 and w纠p2 composed of principal component features. Although the malicious computing node obtains the principal component features w纠p1 and w纠p2 of the shared parameters, they are abstract values and cannot generate specific samples of other computing nodes locally. The scope of influence of the constructed attack will be greatly reduced. In addition, other computing nodes in the distributed learning model still obtain sufficient shared parameter features, and the overall classification accuracy is not affected.
[0141] In the prior art, a method of selectively sharing the parameters of the local model is adopted. In the prior art, the attacker uses false labels to mark realistic samples, and the attacker's local model feeds back wrong parameters w错1, w错2....w错n-1, w错n to the parameter server. After the other computing node local models download the wrong parameters, the prediction accuracy decreases. Before submitting the parameter group of w纠1, w纠2, …, w纠H, …, w纠K, …, w纠n again after retraining with samples in the prior art, first select M shared parameters with the highest absolute value of change in (1 - R%) part of the parameters according to the given compression rate R% (R < 100) and upload them truthfully to the parameter server, and the remaining shared parameters are cleared or not uploaded. The parameter sharing method adopted in the prior art has a single selection condition for shared parameters, sacrifices other parameter characteristics to ensure the privacy of shared parameters of each computing node, loses more parameter characteristics, and cannot provide customized protection according to different types of false labels provided by the attacker.
[0142] The parameter sharing method disclosed in the embodiments of the present application, during the training process of the distributed learning model, the local model of the computing node performs parameter search on the local model according to the parameter protection notification information broadcast by the parameter server to obtain the target parameter, and then performs abstraction processing on the target parameter to obtain the first abstract parameter; further abstracts the first abstract parameter and the shared parameters in the shared parameter group of the local model except the target parameter to obtain an abstract parameter group; finally, uses the abstract parameter group as the shared parameter group and shares it to the parameter server, so that the malicious computing node cannot construct a perfect realistic sample based on the shared parameters, and at the same time, the local models of other computing nodes still maintain the original accuracy because the loss of shared parameter features is reduced.
[0143] Next, in combination with Figure 9 the application scenario described above, the specific implementation manners of the GAN attack detection and parameter sharing method in the training process of the distributed learning model disclosed in the embodiments of the present application are further illustrated by examples.
[0144] As Figure 9 As shown, the distributed learning model includes multiple computing nodes and a parameter server. These computing nodes include malicious and normal computing nodes, which can be edge devices. They are connected to the parameter server in the cloud-network converged system to form a distributed deep learning system for training and identifying malicious attack behaviors. They uniformly download initial shared parameters w0 through the parameter server and construct local models A to D using the same standards and malicious attack classification labels. Each computing node downloads subsequent weight parameters sequentially and uploads learning rate parameters after training. This process iterates multiple times until the average accuracy of the entire distributed learning system reaches a preset prediction accuracy (e.g., above 80%). During this process, in addition to constructing local model A, the malicious computing node also constructs a GAN network using the malicious attack classification labels agreed upon by each computing node to generate realistic samples. The intention is to refine these realistic samples through multiple iterations to make them consistent with the local samples of other computing nodes in the distributed learning system, thereby constructing an attack model to bypass the malicious attack detection mechanism within the cloud-network system and ultimately achieve indiscriminate attacks against other computing nodes. The malicious computing node labels realistic samples classified as "malicious" by model A as the correct false label "normal". Whether a realistic sample is complete can be determined by the accuracy of the local model A on the malicious computing node. When the accuracy reaches the average level of the distributed learning system, it means that the realistic sample is complete.
[0145] The parameter server aggregates the malicious attack classification labels from each computing node in each training cycle and the shared parameters submitted by each computing node locally on the parameter server, calculating the lift value L between the two. This lift value is then divided into three intervals: L = 1, L < 1, and L > 1. The detection mechanism of this method is performed by the parameter server. When the lift value L is 1, only the L value is sent to normal computing nodes. When L > 1 or L < 1, the lift value L and the preset learning rate label are sent to normal computing nodes. Based on the calculation results, the "normal" classification label currently submitted by computing node 1 falls within the L > 1 interval. Analysis of the correlation between the classification label and the shared parameter groups submitted by each computing node, such as "normal -> {w1, w2, w3, w4}", shows a strong correlation, meaning that the labels submitted by other computing nodes also fall within the L < 1 or L > 1 intervals.
[0146] The parameter server then further analyzes whether the learning rate ratio curves of each computing node exceed the limits, and sets the value of the preset learning rate marker based on the analysis results. For example... Figure 3 As shown, the historical values related to the learning rate η1 submitted by computing node 1 are compared with the average η of the learning rates η2, η3, and η4 of computing nodes 2 to 4. avg The ratio curves formed by the relevant historical values exceed η1=1 and η avg=1 forms the boundary region, therefore computing node 1 exhibits the behavior of using correctly false labels to tag realistic samples to carry out GAN attacks, and the parameter server identifies computing node 1 as a malicious computing node (e.g. Figure 9 A malicious computing node (node 1) is identified, and its preset learning rate flag is set to 1. The preset learning rate flags for the other computing nodes (nodes 2, 3, and 4) are set to 0. The curves formed by the historical values of the learning rates η2, η3, and η4 of computing nodes 2, 3, and 4 and the average learning rate of other computing nodes in the distributed learning system do not exceed the preset curve boundaries. The parameter server then broadcasts the L value and the preset learning rate flag value of computing node 1 to computing nodes 2, 3, and 4.
[0147] Based on the lift value L and the preset learning rate label, ordinary computing nodes 2, 3, and 4 perform protection of local key parameters. Since the classification labels of ordinary computing nodes 2, 3, and 4 fall within the interval L! = 1, and the preset learning rate label of computing node 1 is 1, each ordinary computing node focuses on searching for parameters that cause changes in the local model classification evaluation metrics TP, TN, FP, and FN. Taking ordinary computing node 2 as an example, the parameter search results performed locally by computing node 2 are wcorrectedft1 and wcorrectedft2 in the shared parameter set. Ordinary computing node 2 then abstracts these two key parameters to generate the first abstract parameter wcorrectedft. Ordinary computing node 2 further combines the first abstract parameter wcorrectedft with other local shared parameters besides wcorrectedft1 and wcorrectedft2 to obtain an abstract parameter set including wcorrectedp1 and wcorrectedp2. Finally, ordinary computing node 2 shares the obtained abstract parameter set as shared parameters to the parameter server.
[0148] Subsequently, the parameter server distributes the weight parameters shared by ordinary computing node 2. Malicious computing node 1, ordinary computing node 3, and ordinary computing node 4 can download abstract parameters wp1 and wp2 containing the principal component features of the local model 2 of ordinary computing node 2 from the parameter server, ensuring that the average accuracy within the distributed learning model remains unaffected. Simultaneously, although malicious computing node 1 obtains the shared parameters representing the main features of the local model of ordinary computing node 2, the key parameters wft1 and wft2 trained by the local model of ordinary computing node 2 to correct abnormal changes in local TP, TN, FP, and FN indicators do not leave the local model, preventing malicious computing node 1 from reconstructing the local samples of ordinary computing node 2 through the GAN network. Similarly, ordinary computing nodes 3 and 4, through the search and abstraction of key weight parameters, prevent malicious computing node 1 from reconstructing their local training samples, while the overall accuracy of the entire distributed learning system remains unchanged.
[0149] Accordingly, this application also discloses a GAN attack detection device applied to a parameter server of a distributed learning model, wherein the distributed learning model further includes multiple computing nodes. Figure 10 As shown, the device includes:
[0150] The lift acquisition module 1010 is used to acquire the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed;
[0151] The first attack detection module 1020 is used to determine that the computing node to be analyzed has an attack behavior in response to the lift degree being equal to 1.
[0152] The second attack detection module 1030 is used to detect attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node in response to the lift degree not being equal to 1.
[0153] Optionally, the second attack detection module 1030 is further used for:
[0154] Obtain the historical learning rate for each computing node;
[0155] Based on the historical learning rates of each computing node, obtain the learning rate ratio curve of the computing node to be analyzed;
[0156] Based on the specified curve boundary, the learning rate ratio curve of the node to be analyzed is subjected to curve boundary analysis to obtain the analysis results;
[0157] In response to the analysis results indicating that the learning rate ratio curve exceeds the specified curve boundary, it is determined that the computing node to be analyzed exhibits attack behavior.
[0158] In response to the analysis results indicating that the learning rate ratio curve has not exceeded the specified curve boundary, it is determined that the computing node to be analyzed does not exhibit any attack behavior.
[0159] Optionally, obtaining the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node includes:
[0160] Calculate the average historical learning rate of the computing nodes other than the computing node to be analyzed among the plurality of computing nodes;
[0161] The learning rate ratio curve of the node to be analyzed is obtained by comparing the historical learning rate with the average value.
[0162] Optionally, the specified curve boundary is the boundary of the region where the average value is less than or equal to 1 and the historical learning rate of the node to be analyzed is less than or equal to 1. Based on the specified curve boundary, the analysis of the learning rate ratio curve of the node to be analyzed is performed to obtain the analysis results, including:
[0163] In response to the learning rate ratio curve of the computing node to be analyzed exceeding the boundary, an analysis result indicating that the learning rate ratio curve exceeds the specified curve boundary is obtained.
[0164] Optionally, after the analysis result indicates that the learning rate ratio curve exceeds the specified curve boundary and it is determined that the node to be analyzed has engaged in attack behavior, the method further includes:
[0165] A preset learning rate is set as the target label value, which is used to indicate that the computing node to be analyzed has attack behavior;
[0166] The target computing node is broadcast the lift and the target tag value of the preset learning rate to the target computing node to notify the target computing node to implement parameter protection, wherein the target computing node includes computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
[0167] Optionally, after determining that the computing node to be analyzed exhibits attack behavior, the device further includes:
[0168] The parameter protection notification information broadcasting module is used to broadcast the acquired lift to the target computing node to notify the target computing node to implement parameter protection. The target computing node includes computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
[0169] The GAN attack detection device disclosed in this application is used to implement the GAN attack detection method described in this application. The specific implementation methods of each module of the device will not be repeated here, but can be found in the specific implementation methods of the corresponding steps in the method embodiments.
[0170] This application discloses a GAN attack detection device applied to a parameter server of a distributed learning model. The distributed learning model further includes multiple computing nodes. The device acquires the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed. In response to the lift equaling 1, it determines that the computing node to be analyzed exhibits attack behavior. In response to the lift not equaling 1, it detects attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node. This eliminates the need to build and train a GAN classifier on the parameter server side, saving parameter server resources. Furthermore, using the historical learning rate of computing nodes as the basis for judging GAN attack behavior is more objective than the prior art that uses the deviation of the historical trend curve of a computing node's shared parameters from other computing nodes as the basis for judging GAN attack behavior, thus helping to improve the accuracy of attack behavior detection.
[0171] Accordingly, this application also discloses a parameter sharing device applied to computing nodes in a distributed learning model, wherein the distributed learning model further includes a parameter server. Figure 11 As shown, the device includes:
[0172] The parameter search module 1110 is used to perform parameter search on the local model based on the parameter protection notification information broadcast by the parameter server to obtain the target parameters;
[0173] The parameter abstraction module 1120 is used to abstract the target parameter to obtain the first abstract parameter;
[0174] The parameter abstraction module 1120 is further used to abstract the shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model to obtain an abstract parameter group;
[0175] The parameter sharing module 1130 is used to share the abstract parameter group as a shared parameter group to the parameter server.
[0176] The parameter protection notification information includes: lift degree, or includes: lift degree and preset learning rate flag, and the parameter protection notification information is broadcast by the parameter server after performing the steps of the aforementioned GAN attack detection method.
[0177] Optionally, the parameter search module 1110 is further configured to:
[0178] In response to the lift degree being equal to a preset lift degree threshold in the parameter protection notification information, the target parameter that causes the change in the true negative and true positive indices of the local model prediction results is searched in the shared parameter group shared by the protocol between computing nodes.
[0179] In response to the parameter protection notification information that the lift is not equal to the preset lift threshold and the preset learning rate flag is set to a target flag value, the target parameter that causes changes in the true negative, false negative, true positive and false positive indices of the local model prediction results is searched in the shared parameter group shared by the protocol between computing nodes. The target flag value is used to indicate that there are computing nodes with attack behavior among the other computing nodes.
[0180] Optionally, the abstraction of shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model to obtain an abstract parameter group includes:
[0181] The first shared parameters in the shared parameter group of the local model are abstracted to obtain the second abstract parameters, wherein the first shared parameters are: some parameters in the shared parameter group other than the target parameters;
[0182] The second shared parameter and the first abstract parameter in the shared parameter group are abstracted to obtain the third abstract parameter, wherein the second shared parameter is: the parameter in the shared parameter group other than the target parameter and the first shared parameter;
[0183] Based on the second and third abstract parameters, the abstract parameter set is obtained.
[0184] The parameter sharing device disclosed in this application is used to implement the parameter sharing method described in this application. The specific implementation methods of each module of the device will not be repeated here, but can be found in the specific implementation methods of the corresponding steps in the method embodiments.
[0185] This application discloses a parameter sharing device. During the training of a distributed learning model, the local model of a computing node performs parameter search based on parameter protection notification information broadcast by the parameter server to obtain target parameters. The target parameters are then abstracted to obtain first abstract parameters. Further, the first abstract parameters and shared parameters (excluding the target parameters) in the shared parameter group of the local model are abstracted to obtain an abstract parameter group. Finally, the abstract parameter group is shared with the parameter server as a shared parameter group. This prevents malicious computing nodes from constructing complete and realistic samples based on the shared parameters, while the local models of other computing nodes maintain their original accuracy due to reduced feature loss from the shared parameters.
[0186] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus embodiments, since they are fundamentally similar to the method embodiments, the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0187] The foregoing has provided a detailed description of the GAN attack detection method and apparatus, and the parameter sharing method and apparatus provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The description of the above embodiments is only for the purpose of helping to understand the method of this application and its core idea. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the idea of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
[0188] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0189] The various component embodiments of this application can be implemented in hardware, or as software modules running on one or more processors, or a combination thereof. Those skilled in the art will understand that microprocessors or digital signal processors (DSPs) can be used in practice to implement some or all of the functions of some or all of the components in the electronic device according to the embodiments of this application. This application can also be implemented as a device or apparatus program (e.g., a computer program and computer program product) for performing part or all of the methods described herein. Such a program implementing this application can be stored on a computer-readable medium, or can be in the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
[0190] For example, Figure 12An electronic device is shown that can implement the methods according to this application. The electronic device may be a PC, mobile terminal, personal digital assistant, tablet computer, etc. The electronic device conventionally includes a processor 1210 and a memory 1220, and program code 1230 stored in the memory 1220 and executable on the processor 1210. When the processor 1210 executes the program code 1230, it implements the methods described in the above embodiments. The memory 1220 may be a computer program product or a computer-readable medium. The memory 1220 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read-Only Memory), EPROM, hard disk, or ROM. The memory 1220 has a storage space 12201 for the program code 1230 of a computer program for performing any of the method steps described above. For example, the storage space 12201 for the program code 1230 may include various computer programs for implementing the various steps in the above methods. The program code 1230 is computer-readable code. These computer programs can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards, or floppy disks. The computer program includes computer-readable code that, when executed on an electronic device, causes the electronic device to perform the methods according to the embodiments described above.
[0191] This application also discloses a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the steps of the GAN attack detection method and / or parameter sharing method as described in this application.
[0192] Such a computer program product can be a computer-readable storage medium, which can have the same characteristics as... Figure 12 The memory 1220 in the illustrated electronic device is similarly arranged with storage segments, storage spaces, etc. Program code can be stored, for example, in a compressed form on the computer-readable storage medium. The computer-readable storage medium is typically as shown in the reference... Figure 13 The portable or fixed storage unit is described above. Typically, the storage unit includes computer-readable code 1230', which is code read by a processor. When executed by the processor, this code implements the various steps in the method described above.
[0193] The terms "an embodiment," "embodiment," or "one or more embodiments" as used herein mean that a particular feature, structure, or characteristic described in connection with an embodiment is included in at least one embodiment of this application. Furthermore, please note that the examples of the phrase "in one embodiment" do not necessarily all refer to the same embodiment.
[0194] Numerous specific details are set forth in the specification provided herein. However, it will be understood that embodiments of this application may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this specification.
[0195] In the claims, any reference signs placed between parentheses should not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in the claims. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. This application can be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by the same item of hardware. The use of the words first, second, and third, etc., does not indicate any order. These words can be interpreted as names.
[0196] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A GAN attack detection method, applied to a parameter server of a distributed learning model, wherein the distributed learning model further includes: Multiple computing nodes, characterized in that the method includes: Obtain the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed; In response to the lift degree being equal to a preset lift degree threshold, it is determined that the computing node to be analyzed exhibits attack behavior. In response to the fact that the lift is not equal to the preset lift threshold, attack behavior detection is performed on the computing node to be analyzed based on the historical learning rate of each computing node. After determining that the computing node to be analyzed is exhibiting attack behavior, a parameter protection notification message is broadcast. The process of obtaining the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed includes: Based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node, calculate the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups. The current malicious attack classification label and current shared parameter group of the node to be analyzed are matched with the historical malicious attack classification label and historical shared parameter group with lift. If the match is successful, the lift value corresponding to the matched historical malicious attack classification label and historical shared parameter group is used as the lift of the current malicious attack classification label and current shared parameter group. If the match fails, the preset lift threshold will be used as the lift of the current malicious attack classification label and the current shared parameter group. The step of detecting attack behavior on the computing nodes to be analyzed based on the historical learning rates of each computing node includes: Obtain the historical learning rate for each computing node; Based on the historical learning rates of each computing node, obtain the learning rate ratio curve of the computing node to be analyzed; Based on the specified curve boundary, the learning rate ratio curve of the node to be analyzed is subjected to curve boundary analysis to obtain the analysis results; In response to the analysis results indicating that the learning rate ratio curve exceeds the specified curve boundary, it is determined that the computing node to be analyzed exhibits attack behavior. In response to the analysis results indicating that the learning rate ratio curve has not exceeded the specified curve boundary, it is determined that the computing node to be analyzed does not exhibit any attack behavior.
2. The method according to claim 1, characterized in that, The step of obtaining the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node includes: Calculate the average historical learning rate of the computing nodes other than the computing node to be analyzed among the plurality of computing nodes; The learning rate ratio curve of the node to be analyzed is obtained by comparing the historical learning rate with the average value.
3. The method according to claim 2, characterized in that, The specified curve boundary is the boundary of the region where the average value is less than or equal to 1 and the historical learning rate of the node to be analyzed is less than or equal to 1. Based on the specified curve boundary, the learning rate ratio curve of the node to be analyzed is subjected to curve boundary analysis to obtain the analysis results, including: In response to the learning rate ratio curve of the computing node to be analyzed exceeding the boundary, an analysis result indicating that the learning rate ratio curve exceeds the specified curve boundary is obtained.
4. The method according to claim 1, characterized in that, After the analysis result indicates that the learning rate ratio curve exceeds the specified curve boundary, and it is determined that the node to be analyzed has engaged in attack behavior, the method further includes: A preset learning rate is set as the target label value, which is used to indicate that the computing node to be analyzed has attack behavior; The target computing node is broadcast the lift and the target tag value of the preset learning rate to the target computing node to notify the target computing node to implement parameter protection, wherein the target computing node includes computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
5. The method according to claim 1, characterized in that, After determining that the computing node to be analyzed exhibits attack behavior, the process further includes: The acquired lift is broadcast to the target computing node to notify the target computing node to implement parameter protection. The target computing node includes computing nodes other than the computing node to be analyzed among the plurality of computing nodes.
6. A parameter sharing method applied to computing nodes in a distributed learning model, wherein the distributed learning model further includes: Parameter server, characterized in that the method includes: Based on the parameter protection notification information broadcast by the parameter server, parameter search is performed on the local model to obtain the target parameters; wherein, the parameter protection notification information is generated by the parameter server through the following steps: obtaining the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed; in response to the lift equaling a preset lift threshold, determining that the computing nodes to be analyzed have attack behavior; in response to the lift not equaling the preset lift threshold, detecting attack behavior of the computing nodes to be analyzed based on the historical learning rate of each computing node; after determining that the computing nodes to be analyzed have attack behavior, broadcasting the parameter protection notification information; The step of obtaining the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed includes: calculating the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node; matching the current malicious attack classification label and the current shared parameter group of the computing node to be analyzed with the historical malicious attack classification labels and historical shared parameter groups with lift; if the match is successful, the lift value corresponding to the matched historical malicious attack classification label and historical shared parameter group is used as the lift of the current malicious attack classification label and the current shared parameter group; if the match is unsuccessful, a preset lift threshold is used as the lift of the current malicious attack classification label and the current shared parameter group. The step of detecting attack behavior on the computing node to be analyzed based on the historical learning rate of each computing node includes: The process involves: obtaining the historical learning rate of each computing node; obtaining the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node; performing curve boundary analysis on the learning rate ratio curve of the computing node to be analyzed based on a specified curve boundary to obtain the analysis result; determining that the computing node to be analyzed exhibits attack behavior if the analysis result indicates that the learning rate ratio curve exceeds the specified curve boundary; and determining that the computing node to be analyzed does not exhibit attack behavior if the analysis result indicates that the learning rate ratio curve does not exceed the specified curve boundary. The target parameters are abstracted to obtain the first abstract parameter; Abstract the shared parameters (excluding the target parameter) in the first abstract parameter and the shared parameter group of the local model to obtain the abstract parameter group; The abstract parameter group is used as a shared parameter group and shared with the parameter server.
7. The method according to claim 6, characterized in that, The step of performing parameter search on the local model based on the parameter protection notification information broadcast by the parameter server to obtain the target parameters includes: In response to the lift degree being equal to a preset lift degree threshold in the parameter protection notification information, the target parameter that causes the change in the true negative and true positive indices of the local model prediction results is searched in the shared parameter group shared by the protocol between computing nodes. In response to the parameter protection notification information that the lift is not equal to the preset lift threshold and the preset learning rate flag is set to a target flag value, the target parameter that causes changes in the true negative, false negative, true positive and false positive indices of the local model prediction results is searched in the shared parameter group shared by the protocol between computing nodes. The target flag value is used to indicate that there are computing nodes with attack behavior in other computing nodes.
8. The method according to claim 6, characterized in that, The abstraction of shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model, resulting in an abstract parameter group, includes: The first shared parameters in the shared parameter group of the local model are abstracted to obtain the second abstract parameters, wherein the first shared parameters are: some parameters in the shared parameter group other than the target parameters; The second shared parameter and the first abstract parameter in the shared parameter group are abstracted to obtain the third abstract parameter, wherein the second shared parameter is: the parameter in the shared parameter group other than the target parameter and the first shared parameter; Based on the second and third abstract parameters, the abstract parameter set is obtained.
9. A GAN attack detection device, applied to a parameter server of a distributed learning model, wherein the distributed learning model further includes: Multiple computing nodes, characterized in that the device comprises: The lift acquisition module is used to acquire the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed. The first attack detection module is used to determine that the computing node to be analyzed has an attack behavior in response to the lift degree being equal to a preset lift degree threshold. The second attack detection module is used to detect attack behavior of the computing node to be analyzed based on the historical learning rate of each computing node when the lift is not equal to the preset lift threshold. A module for broadcasting parameter protection notification information after determining that the computing node to be analyzed has engaged in attack behavior; The lift acquisition module is further used for: Based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node, calculate the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups. The current malicious attack classification label and current shared parameter group of the node to be analyzed are matched with the historical malicious attack classification label and historical shared parameter group with lift. If the match is successful, the lift value corresponding to the matched historical malicious attack classification label and historical shared parameter group is used as the lift of the current malicious attack classification label and current shared parameter group. If the match fails, the preset lift threshold will be used as the lift of the current malicious attack classification label and the current shared parameter group. The second attack detection module is further used for: Obtain the historical learning rate for each computing node; Based on the historical learning rates of each computing node, obtain the learning rate ratio curve of the computing node to be analyzed; Based on the specified curve boundary, the learning rate ratio curve of the node to be analyzed is subjected to curve boundary analysis to obtain the analysis results; In response to the analysis results indicating that the learning rate ratio curve exceeds the specified curve boundary, it is determined that the computing node to be analyzed exhibits attack behavior. In response to the analysis results indicating that the learning rate ratio curve has not exceeded the specified curve boundary, it is determined that the computing node to be analyzed does not exhibit any attack behavior.
10. A parameter sharing device, applied to a computing node in a distributed learning model, the distributed learning model further comprising: Parameter server, characterized in that the device comprises: The parameter search module is used to perform parameter search on the local model based on the parameter protection notification information broadcast by the parameter server to obtain target parameters. The parameter protection notification information is generated by the parameter server through the following steps: obtaining the current malicious attack classification label and the lift of the current shared parameter group shared by the computing nodes to be analyzed; determining that the computing nodes to be analyzed exhibit attack behavior in response to the lift being equal to a preset lift threshold; detecting attack behavior of the computing nodes to be analyzed based on the historical learning rate of each computing node in response to the lift being equal to the preset lift threshold; and broadcasting the parameter protection notification information after determining that the computing nodes to be analyzed exhibit attack behavior. The step of obtaining the lift of the current malicious attack classification label and the current shared parameter group shared by the computing nodes to be analyzed includes: calculating the lift corresponding to the combination of historical malicious attack classification labels and historical shared parameter groups based on the historical malicious attack classification labels and historical shared parameter groups shared by each computing node; matching the current malicious attack classification label and the current shared parameter group of the computing node to be analyzed with the historical malicious attack classification labels and historical shared parameter groups with lift; if the match is successful, the lift value corresponding to the matched historical malicious attack classification label and historical shared parameter group is used as the lift of the current malicious attack classification label and the current shared parameter group; if the match is unsuccessful, a preset lift threshold is used as the lift of the current malicious attack classification label and the current shared parameter group. The step of detecting attack behavior on the computing node to be analyzed based on the historical learning rate of each computing node includes: The process involves: obtaining the historical learning rate of each computing node; obtaining the learning rate ratio curve of the computing node to be analyzed based on the historical learning rate of each computing node; performing curve boundary analysis on the learning rate ratio curve of the computing node to be analyzed based on a specified curve boundary to obtain the analysis result; determining that the computing node to be analyzed exhibits attack behavior if the analysis result indicates that the learning rate ratio curve exceeds the specified curve boundary; and determining that the computing node to be analyzed does not exhibit attack behavior if the analysis result indicates that the learning rate ratio curve does not exceed the specified curve boundary. The parameter abstraction module is used to abstract the target parameters to obtain the first abstract parameter; The parameter abstraction module is also used to abstract the shared parameters other than the target parameter in the shared parameter group of the first abstract parameter and the local model to obtain the abstract parameter group; The parameter sharing module is used to share the abstract parameter group as a shared parameter group to the parameter server.
11. An electronic device, comprising a memory, a processor, and program code stored in the memory and executable on the processor, characterized in that, When the processor executes the program code, it implements the GAN attack detection method according to any one of claims 1 to 5 and / or the parameter sharing method according to any one of claims 6 to 8.
12. A computer-readable storage medium having program code stored thereon, characterized in that, When the program code is executed by the processor, it implements the steps of the GAN attack detection method according to any one of claims 1 to 5 and / or the steps of the parameter sharing method according to any one of claims 6 to 8.