Poisoning attack risk assessment method for federated learning secure aggregation strategy
By generating and optimizing malicious gradients based on historical gradient prediction and real-time feedback, the problems of dependence on additional knowledge and insufficient robustness in existing technologies are solved, and stable attack effects are achieved under different defense strategies.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- XIDIAN UNIV
- Filing Date
- 2025-01-22
- Publication Date
- 2026-06-23
AI Technical Summary
Existing federated learning model poisoning attack methods rely on additional attack knowledge, resulting in low attack robustness and difficulty in maintaining stable stealth and attack strength under different defense strategies.
The global gradient of the current iteration is predicted from the historical global gradients and global weights with the L-BFGS algorithm. Perturbations are added to the prediction to generate the initial malicious gradient and the sacrifice gradient. The perturbation factor is then adaptively adjusted through real-time poisoning feedback so that the malicious gradient keeps its stealth and attack strength in different scenarios.
It achieves a low-threshold model poisoning attack that requires no additional knowledge. Malicious clients can stably interfere with the global model in diverse federated scenarios, reducing the attack threshold and improving the robustness and stealth of model poisoning attacks.
Figure CN120074876B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of communication technology, and specifically to a poisoning attack method for an adaptive federated learning model based on gradient prediction.
Background Technology
[0002] Federated learning is an emerging distributed machine learning paradigm in which many clients collaboratively optimize a global model without sharing their sensitive local data. Because of this privacy-preserving property it is widely used in academia and industry, particularly in medical image analysis, facial recognition, and personalized recommendation systems. However, the invisibility of local data and the difficulty of verifying model gradients in distributed aggregation make federated learning highly vulnerable to model poisoning attacks. Malicious clients carefully craft and upload malicious gradients that resemble the benign gradient distribution, using the perturbations added to these gradients to interfere with the aggregation of the global model, push it to update in the wrong direction, degrade its performance and ultimately cause incorrect decisions. Model poisoning attacks have already shown significant impact on classic federated learning algorithms such as FedAvg, but the continuing development of robust aggregation defense strategies that can filter out malicious clients poses the central challenge for model poisoning attack research: keeping the attack stealthy under different defense strategies and making it robust across different scenarios.
[0003] In "Local Model Poisoning Attacks to Byzantine-Robust Federated Learning" (USENIX Security 2020), Fang et al. proposed that malicious clients use the benign gradients supplied by colluding clients as the starting point for the malicious perturbation and preserve the stealth of the malicious gradients by adding adaptive perturbations. For each defense strategy, the malicious client runs a local aggregation simulation to test whether the perturbed malicious gradients are stealthy enough to evade that defense. The perturbation factor is decreased step by step until every malicious gradient evades the defense and is admitted to model aggregation, and the stealth-enhanced malicious gradients are then uploaded to interfere with global model aggregation. The shortcomings of this method are: firstly, local datasets and model gradients are valuable resources that clients protect in federated learning, so the benign gradients the attack needs are not normally available; secondly, colluding with a specified number of clients in large-scale federated learning is impractical; and thirdly, malicious gradients designed for one specific defense strategy struggle to keep stable stealth and attack strength against defense strategies built on other mechanisms.
[0004] In "Manipulating the Byzantine: Optimizing Model Poisoning Attacks and Defenses for Federated Learning" (NDSS 2021), Shejwalkar et al. optimized Fang's adaptive model poisoning attack. The malicious client preserves the stealth of the malicious gradient by constraining its distance from the benign gradients to stay below the maximum distance between benign gradients, which loosens the restriction that the crafted malicious gradient only applies to one specific defense strategy; at the same time, the attack strength is increased by searching for the largest perturbation factor that still satisfies this stealth condition. The shortcomings of this method are: firstly, it still relies on additional attack knowledge such as benign gradients and colluding clients; secondly, it has no actual poisoning feedback and does not evaluate the stealth and attack strength of the malicious gradient in the real attack scenario, so the malicious gradient cannot be tuned to the live environment; and its effectiveness against defense strategies with different mechanisms is likewise hard to guarantee.
[0005] In summary, existing model poisoning attack methods in federated learning scenarios still suffer from problems such as strong reliance on additional attack knowledge and low attack robustness. Therefore, there is an urgent need for an adaptive federated model poisoning attack method that does not require additional knowledge, while ensuring the attack's robustness against different defense strategies in different scenarios, and guaranteeing stable attack concealment and attack strength.
Summary of the Invention
[0006] To address the aforementioned problems in existing technologies, this invention provides a poisoning attack method for adaptive federated learning models based on gradient prediction, specifically including:
[0007] In a first aspect, the present invention provides a method for poisoning attacks on adaptive federated learning models based on gradient prediction, comprising:
[0008] Based on the historical global gradients and historical global weights, obtain the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t);
[0009] Using ΔG^(t), ΔW^(t), and the global gradient g^(t-1) and global weight w^(t-1) of the previous iteration, predict the global gradient of the current iteration with the L-BFGS algorithm;
[0010] Using the predicted global gradient as the baseline for the malicious perturbation, add a perturbation to it to obtain the initial hidden malicious gradient and the initial sacrifice gradient;
[0011] Using the global gradient g^(t-1) obtained in the previous iteration, calculate the real-time poisoning feedback CS^(t-1);
[0012] Based on the real-time poisoning feedback CS^(t-1), adaptively adjust the perturbation factor γ of the malicious gradient;
[0013] Based on the updated perturbation factor γ, adjust the initial hidden malicious gradient and the initial sacrifice gradient to obtain the target hidden malicious gradient and the target sacrifice gradient, and upload them to the central server to attack the federated learning model.
[0014] In a second aspect, the present invention also provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus.
[0015] Memory, used to store computer programs;
[0016] The processor, when executing a program stored in memory, implements any of the methods provided in the first aspect.
[0017] In a third aspect, the present invention provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements any of the methods provided in the first aspect.
[0018] In a fourth aspect, the present invention provides a program product comprising computer program instructions that, when executed, implement any of the methods provided in the first aspect.
[0019] The beneficial effects of this invention are:
[0020] The present invention provides a method for poisoning attacks on adaptive federated learning models based on gradient prediction. It obtains the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t) from the historical global gradients and weights; uses ΔG^(t), ΔW^(t), and the previous iteration's global gradient g^(t-1) and global weight w^(t-1) to predict the global gradient of the current iteration with the L-BFGS algorithm; takes the predicted global gradient as the baseline for the malicious perturbation and adds a perturbation to it to obtain the initial hidden malicious gradient and the initial sacrifice gradient; uses the previous iteration's global gradient g^(t-1) to calculate the real-time poisoning feedback CS^(t-1); adaptively adjusts the perturbation factor γ of the malicious gradient according to CS^(t-1); and, based on the updated γ, adjusts the initial hidden malicious gradient and the initial sacrifice gradient to obtain the target hidden malicious gradient and the target sacrifice gradient. The malicious client only needs the global gradient broadcast by the central server to create a malicious gradient with sufficient stealth and attack strength, which makes this a low-threshold model poisoning attack requiring no additional knowledge. Without any accomplices, the malicious gradient is uploaded to the server through a fake client, interfering with global model aggregation and degrading global model performance. At the same time, the invention uses the degree to which the attacked global gradient is deflected toward the malicious gradient as real-time poisoning feedback to assess attack stealth and adaptively adjust the size of the malicious perturbation factor.
This optimizes the malicious gradient without requiring additional knowledge, ensuring stable stealth and attack strength across diverse federated scenarios with different datasets and defense strategies.
[0021] The present invention will be further described in detail below with reference to the accompanying drawings and embodiments.
Attached Figure Description
[0022] Figure 1 is a flowchart of the poisoning attack method for the adaptive federated learning model based on gradient prediction provided by the present invention.
Detailed Implementation
[0023] The present invention will be further described in detail below with reference to specific embodiments, but the implementation of the present invention is not limited thereto.
[0024] In federated learning, malicious clients exploit the invisibility of local data and the difficulty in verifying model gradients to upload carefully crafted malicious gradients to poison the global federated model. To counter robust federated aggregation defense strategies that can filter out malicious clients, malicious clients improve the concealment of model poisoning attacks by narrowing the distribution distance between malicious and benign gradients, thereby escaping the detection of defense strategies. However, the privacy of benign client local data and model gradients, the differences in data under different scenarios, and the diversity of defense strategies make it difficult to ensure the concealment and improve the robustness of model poisoning attacks in practical application scenarios. Existing technologies have the following disadvantages: (1) Existing technologies rely on additional attack knowledge assumptions such as local datasets, benign gradients, and a certain number of colluding clients, which are not feasible in federated learning where privacy data is protected; (2) Existing technologies lack real-time poisoning feedback for malicious gradients, making it difficult to ensure sufficient concealment and achieve stable attack effects under different datasets and different defense strategies, resulting in poor robustness.
[0025] To address the aforementioned shortcomings, this invention constructively designs an adaptive federated learning model poisoning attack method based on gradient prediction. By predicting the global gradient and optimizing the adaptive malicious gradient perturbation based on poisoning feedback, the attack threshold is lowered and the robustness of the model poisoning attack is improved. Compared to existing methods, this invention, on the one hand, predicts the latest global gradient based on historical global gradients and uses it as a fitting estimate of benign gradients. By using historical global gradients to predict the current global gradient to approximate benign gradients, it eliminates the pre-attack knowledge assumptions of model poisoning attacks regarding local datasets and local model gradients, and removes the additional dependence of attacks on colluding clients and client privacy data. It can determine the baseline direction of malicious gradients without additional knowledge, ensuring the initial concealment of malicious gradients. On the other hand, this invention uses the deviation of the global gradient after poisoning from the malicious gradient as poisoning feedback to evaluate the real-time concealment of malicious gradients. Based on this, it adaptively adjusts the perturbation factor of malicious gradients to enhance concealment or incentivize attacks, enabling malicious gradients to have specific real-time optimizations for different defense strategies on different datasets. This improves the robustness of model poisoning attacks and ensures the concealment and stable attack strength of model poisoning attacks in different scenarios.
[0026] This invention can be applied to scenarios such as smart mobile devices, finance, healthcare, and advertising recommendation systems. It evaluates the framework design for the security of federated learning systems under model poisoning attacks, providing researchers with a systematic method to analyze attack threats and verify the effectiveness of defense mechanisms. For example, in the financial field, due to privacy protection requirements, customer asset data cannot be shared. To analyze users' loan repayment ability and creditworthiness, different banks or financial institutions, acting as clients, can train local models using customer asset data (such as deposits, real estate), historical consumption records, and historical credit scores. They then upload the local model gradients to a central server. A malicious client impersonates a fake institution and uploads carefully crafted malicious gradients. The central server aggregates the model gradients uploaded by each financial institution to obtain the global gradient, and then sends the global gradient to different financial institutions for iterative training. Influenced by the malicious gradient, the global gradient updates in the wrong direction, and the global model ultimately makes incorrect decisions. Since this invention does not require additional attack knowledge such as local datasets or colluding clients, it can launch attacks using fake clients acting only as federated participants, lowering the attack threshold in practical application scenarios. Before formal federated model training and deployment, this invention can be used to evaluate and select robust aggregation defense strategies for the central server. Based on the attack success rate of this invention, the defense strategy with the strongest detection capability and highest resistance to attacks is selected. This invention aims to promote the updating and improvement of defense strategies by verifying their effectiveness.
[0027] Figure 1 is a flowchart of the adaptive federated learning model poisoning attack method based on gradient prediction provided by this invention. The method can be used in simulations of federated learning model poisoning attacks, specifically to simulate malicious clients.
[0028] As shown in Figure 1, the method includes:
[0029] S101. Based on the historical global gradient and historical global weight, obtain the set of changes in the historical global gradient and the set of changes in the historical global weight.
[0030] Specifically, based on the historical global gradients and historical global weights, the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t) are obtained.
[0031] In one possible implementation, obtaining ΔG^(t) and ΔW^(t) from the historical global gradients and weights includes: on receiving the latest global gradient and updated model weights from the central server, calculating the changes in global gradient and global weight from round t-2 to round t-1, and storing them in the historical global gradient change set ΔG^(t) and the historical global weight change set ΔW^(t), represented as:
[0032] ΔG^(t) = {Δg^(t-N), …, Δg^(t-1)},
[0033] ΔW^(t) = {Δw^(t-N), …, Δw^(t-1)},
[0034] where Δg^(t-1) = g^(t-1) − g^(t-2) is the change of the global gradient from round t-2 to round t-1, Δw^(t-1) = w^(t-1) − w^(t-2) is the change of the global weight from round t-2 to round t-1, and both sets have length N (only the N most recent changes are kept).
[0035] S102. Using the set of historical global gradient changes and the set of historical global weight changes, as well as the global gradient and global weights of the previous iteration, predict the global gradient of the current iteration based on the L-BFGS algorithm.
[0036] Specifically, using the historical global gradient change set ΔG^(t), the historical global weight change set ΔW^(t), and the global gradient g^(t-1) and global weight w^(t-1) of the previous iteration, the global gradient of the current iteration is predicted with the L-BFGS algorithm.
[0037] In one possible implementation, treating ΔW^(t) and ΔG^(t) as matrices whose columns are the stored change vectors, the prediction is represented as:
[0038] $W_W = \Delta W^{(t)\,T}\,\Delta W^{(t)}, \qquad W_G = \Delta W^{(t)\,T}\,\Delta G^{(t)}$,
[0039] $L(W_G) = W_G - U(W_G)$,
[0040] $\xi = \dfrac{\Delta g^{(t-1)\,T}\,\Delta w^{(t-1)}}{\Delta w^{(t-1)\,T}\,\Delta w^{(t-1)}}$,
[0041]
[0042]
[0043] where U(W_G) is the upper triangular part of W_G (so that L(W_G) is its strictly lower triangular part), D(·) takes the diagonal of a matrix, D(D(W_G)) is the diagonal matrix formed from the diagonal of W_G, and the superscript T denotes transpose. The quantity produced by the prediction is the change of the global gradient in the current iteration, from which the predicted global gradient follows.
[0044] This invention uses the L-BFGS algorithm to predict the global gradient of the coming iteration in advance from the historical global gradients broadcast by the server. The malicious gradient is then positioned relative to this prediction, which secures the initial concealment of the attack.
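The prediction step of S101 and S102, as an added example that is not part of the patent: a pure-Python implementation of the compact L-BFGS form built from the page's W_W, W_G, L, D and ξ. The patent's own equations [0041] and [0042] are not reproduced on this page, so the assembly of the matrix M and the prediction ĝ^(t) = g^(t-1) + B·s below follow the standard compact representation (Byrd, Nocedal and Schnabel, 1994) and are my assumption; so is the choice of s as the latest weight step w^(t) − w^(t-1), which the attacker knows because the server broadcast w^(t). The training trajectory is a constructed quadratic, not federated data.

```python
"""Added example (not the patent's code): predicting the next global gradient
from broadcast history with the compact L-BFGS form (S101 and S102).

Assumptions, mine rather than the page's: the history is the N pairs
(dw_k, dg_k) = (w^(k) - w^(k-1), g^(k) - g^(k-1)), oldest first; the
attacker also knows the latest weight step s = w^(t) - w^(t-1); and the
prediction is g_hat^(t) = g^(t-1) + B s, with B the L-BFGS matrix
    B = xi*I - [xi*S  Y] M^-1 [xi*S^T ; Y^T],
    M = [[xi*W_W, L], [L^T, -D]],
where W_W = S^T S, W_G = S^T Y, L = W_G - U(W_G) is its strictly lower
part, D = diag(W_G) and xi = dg_{t-1}.dw_{t-1} / dw_{t-1}.dw_{t-1}
(Byrd, Nocedal and Schnabel, 1994).  Pure Python, so no numpy is needed.
"""


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def solve(A, b):
    """Solve A z = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def lbfgs_predict(dws, dgs, g_prev, s):
    """Return g_hat = g_prev + B s, with B the compact L-BFGS matrix built
    from the history pairs (dws[i], dgs[i]), oldest first."""
    m, d = len(dws), len(g_prev)
    xi = dot(dgs[-1], dws[-1]) / dot(dws[-1], dws[-1])
    W_W = [[dot(dws[i], dws[j]) for j in range(m)] for i in range(m)]
    W_G = [[dot(dws[i], dgs[j]) for j in range(m)] for i in range(m)]
    # M = [[xi*W_W, L], [L^T, -D]]: L strictly lower part of W_G, D its diagonal
    M = [[0.0] * (2 * m) for _ in range(2 * m)]
    for i in range(m):
        for j in range(m):
            M[i][j] = xi * W_W[i][j]
            M[i][m + j] = W_G[i][j] if i > j else 0.0
            M[m + i][j] = W_G[j][i] if j > i else 0.0
            M[m + i][m + j] = -W_G[i][i] if i == j else 0.0
    # right-hand side [xi*S^T s ; Y^T s]
    rhs = [xi * dot(dws[i], s) for i in range(m)] + [dot(dgs[i], s) for i in range(m)]
    z = solve(M, rhs)
    # B s = xi*s - [xi*S  Y] z
    Bs = [xi * sk for sk in s]
    for i in range(m):
        for k in range(d):
            Bs[k] -= xi * dws[i][k] * z[i] + dgs[i][k] * z[m + i]
    return [g_prev[k] + Bs[k] for k in range(d)]


def gd_trajectory(A, w0, eta, steps):
    """Constructed stand-in for the broadcast history: gradient descent on
    the quadratic f(w) = 1/2 w^T A w, whose exact gradient is A w."""
    grad = lambda w: [dot(row, w) for row in A]
    ws, gs = [w0], [grad(w0)]
    for _ in range(steps):
        w = [wi - eta * gi for wi, gi in zip(ws[-1], gs[-1])]
        ws.append(w)
        gs.append(grad(w))
    return ws, gs


def demo(N=2):
    """Predict g^(t) from the N previous rounds; return the prediction, its
    error against the true g^(t), and the error of simply reusing g^(t-1)."""
    ws, gs = gd_trajectory([[3.0, 1.0], [1.0, 2.0]], [1.0, -1.0], 0.1, N + 1)
    t = N + 1
    dws = [[a - b for a, b in zip(ws[k], ws[k - 1])] for k in range(t - N, t)]
    dgs = [[a - b for a, b in zip(gs[k], gs[k - 1])] for k in range(t - N, t)]
    s = [a - b for a, b in zip(ws[t], ws[t - 1])]
    g_hat = lbfgs_predict(dws, dgs, gs[t - 1], s)
    err = lambda v: sum((a - b) ** 2 for a, b in zip(v, gs[t])) ** 0.5
    return g_hat, err(g_hat), err(gs[t - 1])


if __name__ == "__main__":
    g_hat, e_pred, e_naive = demo()
    print("predicted g^(t):", g_hat, "error:", round(e_pred, 4), "naive error:", round(e_naive, 4))
```

`demo()` returns the prediction together with its error and the error of the naive guess "repeat g^(t-1)"; on the constructed quadratic the L-BFGS prediction is roughly twenty times closer. The secant property B·Δw^(t-1) = Δg^(t-1) holds for the most recent pair and is a cheap sanity check for any implementation of the compact form.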
[0045] S103. Using the predicted global gradient as the baseline value of the malicious perturbation, add perturbation to the baseline value of the malicious perturbation to obtain the initial hidden malicious gradient and the initial sacrifice gradient.
[0046] Specifically: using the predicted global gradient as the baseline for the malicious perturbation, a perturbation is added to the baseline to obtain the initial hidden malicious gradient and the initial sacrifice gradient.
[0047] In one possible implementation, using the predicted global gradient as the baseline for the malicious perturbation and adding a perturbation to it yields the initial hidden malicious gradient and the initial sacrifice gradient, represented as:
[0048]
[0049]
[0050]
[0051]
[0052] where the perturbation unit vector is the unit vector of the predicted change of the global gradient, ||·|| denotes the L2 norm of a vector, Δp is the baseline value of the malicious perturbation, {j1, j2, …, jc} are the indices of the c dimensions of the predicted global gradient with the largest absolute values (sorted from largest to smallest), γ is the perturbation factor of the malicious gradient, and K is the perturbation amplification factor of the sacrifice gradient; the remaining symbols denote the initial hidden malicious gradient and the initial sacrifice gradient.
[0053] Specifically, the change of the predicted global gradient is calculated and its unit vector is used as the perturbation unit vector. The absolute values of the dimensions of the predicted global gradient are sorted and the c largest dimensions are recorded as {j1, j2, …, jc}. The values of the perturbation unit vector on the dimensions {j1, j2, …, jc} are retained and all other dimensions are set to 0; the result is the base perturbation Δp, i.e., the baseline value of the malicious perturbation.
[0054] It should be noted that dimensions with larger absolute values have a greater impact on the objective optimization of the model task and are more prone to changing their output under small perturbations. Therefore, this invention adds perturbations to dimensions with larger absolute values to maximize the impact of attacks on the global model while reducing the distribution differences between malicious and benign gradients.
[0055] Furthermore, an initial covert malicious gradient is determined from the baseline and Δp, where γ is the perturbation factor of the malicious gradient, initially set by the malicious client and subsequently optimized by adaptive adjustment during the attack. A smaller γ gives stronger covertness but a weaker attack effect, while a larger γ weakens covertness but strengthens the attack. To ensure that the malicious gradient has a distribution similar to the benign gradient while still presenting a sufficient distributional difference, an additional large perturbation is added to the baseline value and a sacrificial gradient is created in reverse.
[0056] S104. Calculate the real-time poisoning feedback using the global gradient obtained from the previous iteration.
[0057] Specifically: using the global gradient g^(t-1) obtained in the previous iteration, calculate the real-time poisoning feedback CS^(t-1).
[0058] In one possible implementation, calculating the real-time poisoning feedback CS^(t-1) from the global gradient g^(t-1) of the previous iteration includes: using cosine similarity as the feedback metric, and computing the cosine similarity between the global gradient g^(t-1) of the previous iteration and the mean of the malicious gradients used in the attack in the previous iteration, which gives the poisoning feedback CS^(t-1), represented as:
[0059]
[0060] Since the attack objective is to deflect the global gradient toward the direction of the malicious gradient so that the model updates incorrectly, a larger poisoning feedback CS^(t-1) obtained in this way means that the global gradient has been pulled further toward the direction of the malicious gradient.
[0061] This method analyzes the stealth of the attack through real-time poisoning feedback: the cosine similarity between the global gradient after the attack and the mean of the malicious gradients that launched it measures how far the global gradient has been deflected toward the malicious gradient. Comparing the real-time poisoning feedback with the expected minimum threshold determines whether the attack still has the stealth needed to evade detection by the defense strategy.
[0062] S105. Based on real-time poisoning feedback, the perturbation factor of the malicious gradient is adaptively adjusted.
[0063] Specifically: based on the real-time poisoning feedback CS^(t-1), the perturbation factor γ of the malicious gradient is adaptively adjusted.
[0064] Because the stealth and attack strength of malicious gradients change with variations in the gradients of the client's local model across diverse federated scenarios with different datasets and defense strategies, the stealth of malicious gradients may disappear or the attack strength may weaken, leading to attack failure. Therefore, this invention designs a malicious gradient perturbation adaptive adjustment mechanism based on real-time poisoning feedback, enabling malicious gradients to maintain stable stealth and attack strength even in changing scenarios. By analyzing real-time attack feedback, it adaptively adjusts the magnitude of the malicious perturbation factor, thereby adjusting the perturbation amplitude of the malicious gradient, increasing its attack impact while maintaining sufficient stealth.
[0065] In one possible implementation, adaptively adjusting γ based on CS^(t-1) includes: when the real-time poisoning feedback CS^(t-1) is lower than the preset minimum poisoning feedback threshold CS_min, reduce the value of the perturbation factor γ of the malicious gradient; when CS^(t-1) is higher than CS_min, increase the value of γ.
[0066] Specifically, the malicious client first sets a minimum poisoning feedback threshold CS_min. By comparing the real-time poisoning feedback CS^(t-1) with CS_min, the concealment and attack strength associated with the malicious gradient perturbation factor γ are analyzed and adjusted as follows:
[0067] 1) Enhanced stealth: when the real-time poisoning feedback CS^(t-1) is below the expected threshold CS_min, the malicious gradient lacks sufficient concealment and has failed to evade detection by the defense mechanism. To improve its concealment, the perturbation factor γ is reduced, which reduces the perturbation amplitude and moves the malicious gradient closer to the benign gradient.
[0068] 2) Attack incentive: when CS^(t-1) exceeds the expected threshold CS_min, the global gradient has moved in the direction of the malicious gradient, which has therefore remained hidden from the defense strategy. In this case γ is increased, which amplifies the perturbation and enhances the attack's impact while the malicious gradient remains stealthy.
[0069] Optionally, the method also includes setting a lower bound γ_min and an upper bound γ_max for the perturbation factor γ of the malicious gradient; when γ is adaptively adjusted according to the real-time poisoning feedback CS^(t-1), it is always kept within [γ_min, γ_max].
[0070] Specifically, two limits are established for γ: the lower limit γ_min prevents the perturbation from becoming so small that the malicious gradient is almost identical to the benign gradient and its impact on the global model vanishes; the upper limit γ_max ensures that, during adjustment, an excessive attack incentive cannot push the perturbation past the point where it triggers the defense mechanism and compromises the stealth of the malicious gradient.
[0071] S106. Based on the perturbation factor of the updated malicious gradient, adjust the initial hidden malicious gradient and the initial sacrifice gradient to obtain the target hidden malicious gradient and the target sacrifice gradient, and upload them to the central server to attack the federated learning model.
[0072] Specifically, based on the updated perturbation factor γ of the malicious gradient, the initial covert malicious gradient and the initial sacrifice gradient are adjusted to obtain the target covert malicious gradient and the target sacrifice gradient, which are then uploaded to the central server to attack the federated learning model.
[0073] It should be noted that, since this invention requires no additional private federated knowledge and no collaborators, it receives global gradients and uploads malicious model gradients through malicious clients it creates itself (for example Sybil clients or Android emulators). Assuming the number of malicious clients is m, these clients upload a total of (m-1) hidden gradients and one sacrifice gradient.
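The crafting, feedback and adjustment steps S103 to S106, as an added example that is not part of the patent: one attack round in pure Python against a simulated server. The patent's equations for the hidden and sacrifice gradients ([0048] to [0051] and [0059]) are not reproduced on this page, so the forms ĝ + γ·Δp for the hidden gradient and ĝ − K·γ·Δp for the sacrifice gradient, the multiplicative γ update with a fixed step rho, the number of attackers m = 3 and the median-distance filtering defense are all my assumptions. The benign gradients, the predicted gradient ĝ and its predicted change are constructed values; the L-BFGS prediction itself is not repeated here.

```python
"""Added example (not the patent's code): one round of the attack loop of
S103 to S106 against a simulated server, in pure Python.

Assumptions, mine rather than the page's: the hidden gradient is
g_hat + gamma * dp and the sacrifice gradient is g_hat - K * gamma * dp
("created in reverse"); gamma is scaled by a fixed step rho and clamped to
[gamma_min, gamma_max]; the server drops the `drop` uploads farthest from
the coordinate-wise median and averages the rest. The benign gradients and
the predicted gradient are constructed for the demo.
"""
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


def axpy(alpha, x, y):
    """alpha * x + y, element-wise."""
    return [alpha * xi + yi for xi, yi in zip(x, y)]


def mean(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def base_perturbation(g_hat, dg_hat, c):
    """S103: unit vector of the predicted gradient change, kept only on the
    c dimensions where |g_hat| is largest and zero elsewhere (delta p)."""
    u = [x / norm(dg_hat) for x in dg_hat]
    top = set(sorted(range(len(g_hat)), key=lambda j: -abs(g_hat[j]))[:c])
    return [u[j] if j in top else 0.0 for j in range(len(g_hat))]


def craft_uploads(g_hat, dp, gamma, K, m):
    """m malicious clients send m-1 hidden gradients and one sacrifice
    gradient (assumed form: opposite direction, amplified by K)."""
    hidden = axpy(gamma, dp, g_hat)
    sacrifice = axpy(-K * gamma, dp, g_hat)
    return [hidden] * (m - 1) + [sacrifice]


def poisoning_feedback(g_global, malicious_uploads):
    """S104: CS = cos(previous global gradient, mean of the malicious uploads)."""
    mal = mean(malicious_uploads)
    return dot(g_global, mal) / (norm(g_global) * norm(mal))


def adjust_gamma(gamma, cs, cs_min, gamma_min, gamma_max, rho=0.5):
    """S105: shrink gamma (more stealth) when CS < CS_min, grow it (more
    attack) otherwise, always inside [gamma_min, gamma_max]."""
    gamma = gamma * (1 - rho) if cs < cs_min else gamma * (1 + rho)
    return min(gamma_max, max(gamma_min, gamma))


def robust_aggregate(uploads, drop):
    """Stand-in defense: discard the `drop` uploads farthest from the
    coordinate-wise median, then average the survivors."""
    med = [sorted(col)[len(col) // 2] for col in zip(*uploads)]
    dist = [norm(axpy(-1.0, med, g)) for g in uploads]
    keep = sorted(range(len(uploads)), key=lambda i: dist[i])[: len(uploads) - drop]
    return mean([uploads[i] for i in keep]), keep


# Constructed demo data: six benign clients, three Sybil clients (m = 3).
BENIGN = [
    [1.00, -0.50, 0.20, 0.05], [1.03, -0.52, 0.18, 0.06], [0.97, -0.48, 0.22, 0.04],
    [1.02, -0.47, 0.21, 0.07], [0.98, -0.53, 0.19, 0.03], [1.01, -0.51, 0.20, 0.05],
]
G_HAT = [1.01, -0.49, 0.20, 0.05]      # predicted global gradient (constructed)
DG_HAT = [-0.10, 0.05, -0.02, 0.00]    # predicted change of the global gradient


def run_round(gamma, K=10.0, m=3, c=2, drop=3, cs_min=0.95):
    """One round: craft uploads, let the server filter and aggregate, then
    compute the feedback and the gamma to use next round (S106 uploads the
    crafted gradients; here they simply join the benign ones)."""
    dp = base_perturbation(G_HAT, DG_HAT, c)
    malicious = craft_uploads(G_HAT, dp, gamma, K, m)
    g_global, keep = robust_aggregate(BENIGN + malicious, drop)
    cs = poisoning_feedback(g_global, malicious)
    return {"keep": keep, "g_global": g_global, "cs": cs,
            "next_gamma": adjust_gamma(gamma, cs, cs_min, 0.01, 0.05)}


if __name__ == "__main__":
    r = run_round(gamma=0.03)
    print("kept uploads:", sorted(r["keep"]))   # 6 and 7 (hidden) survive, 8 (sacrifice) is dropped
    print("poisoning feedback CS:", round(r["cs"], 4), "-> next gamma:", r["next_gamma"])
```

Running the block shows the sacrifice gradient (the last upload, index 8) being the one the filter discards while the two hidden gradients (indices 6 and 7) survive and enter the average; the resulting CS above CS_min then raises γ for the next round, and a CS below the threshold would shrink it toward γ_min instead.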
[0075] The present invention also provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus.
[0076] The memory is used to store a computer program;
[0077] the processor, when executing the program stored in the memory, implements the steps provided in the above method embodiments.
[0078] The communication interface is used for communication between the aforementioned electronic device and other devices.
[0079] The method provided in this invention can be applied to electronic devices. Specifically, the electronic device can be a desktop computer, a portable computer, a smart mobile terminal, a server, etc. No limitation is made herein; any electronic device that can implement this invention falls within the protection scope of this invention.
[0080] The present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps provided in the above-described method embodiments.
[0081] The present invention also provides a program product, which includes program instructions that, when executed by a processor, implement the steps provided in the above method embodiments.
[0082] For embodiments of electronic devices / storage media / program products, since they are basically similar to the method embodiments, the description is relatively simple. For specific details and beneficial effects, please refer to the description of the method embodiments.
[0083] The terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of this invention, "a plurality of" means two or more, unless otherwise explicitly specified.
[0084] The above description, in conjunction with specific preferred embodiments, provides a further detailed explanation of the present invention. It should not be construed that the specific implementation of the present invention is limited to these descriptions. For those skilled in the art, various simple deductions or substitutions can be made without departing from the concept of the present invention, and all such modifications and substitutions should be considered within the scope of protection of the present invention.
Claims
1. A method for assessing the risk of poisoning attacks against a federated learning secure aggregation strategy, characterized in that it includes: before formal training and deployment of the federated model, simulating a poisoning attack on the federated learning model with a simulated malicious client, and verifying the robust aggregation defense strategy of the central server against the resulting attack success rate in order to select the defense strategy with the strongest detection capability and the highest resistance to the attack; wherein the simulated attack of the malicious client on the federated learning model includes the following steps: obtaining, from the historical global gradients and historical global weights, the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t); using ΔG^(t), ΔW^(t), the global gradient g^(t-1) and the global weight w^(t-1) of the previous iteration, predicting the global gradient of the current iteration with the L-BFGS algorithm; taking the predicted global gradient as the baseline value of the malicious perturbation and adding a perturbation to the baseline value to obtain the initial concealed malicious gradient and the initial sacrifice gradient; calculating the real-time poisoning feedback cs^(t-1) from the global gradient g^(t-1) of the previous iteration; adaptively adjusting the perturbation factor γ of the malicious gradient according to cs^(t-1); and adjusting the initial concealed malicious gradient and the initial sacrifice gradient with the updated perturbation factor γ to obtain the target concealed malicious gradient and the target sacrifice gradient, which are then uploaded to the central server to attack the federated learning model.
2. The method according to claim 1, characterized in that obtaining the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t) from the historical global gradients and historical global weights includes: receiving the global gradient sent by the central server and updating the model weights; calculating, for each pair of consecutive rounds from round 1 to the previous round, the change in the global gradient and the change in the global weight, and storing them in the set of historical global gradient changes ΔG^(t) and the set of historical global weight changes ΔW^(t), represented as: , , where the first symbol denotes the change from the global gradient of one round to the global gradient of the next round, the second symbol denotes the change from the global weight of one round to the global weight of the next round, and the historical global gradient changes and the historical global weight changes both have the same length .
3. The method according to claim 2, characterized in that predicting the global gradient of the current iteration with the L-BFGS algorithm, using the set of historical global gradient changes ΔG^(t), the set of historical global weight changes ΔW^(t), the global gradient g^(t-1) and the global weight w^(t-1) of the previous iteration, is represented as: , , , , , , where the respective symbols denote an upper triangular matrix, the operation of taking the diagonal matrix, a diagonal matrix, the transpose (as a superscript), and the change in the global gradient in the current iteration.
4. The method according to claim 3, characterized in that taking the predicted global gradient as the baseline value of the malicious perturbation and adding a perturbation to the baseline value to obtain the initial concealed malicious gradient and the initial sacrifice gradient is represented as follows: , , , , where the respective symbols denote the perturbation unit vector, the L2 norm of a vector, the baseline value of the malicious perturbation, the dimensions of the predicted global gradient sorted by the absolute value of each dimension from largest to smallest, the dimension index within the predicted global gradient, the initial concealed malicious gradient, the perturbation factor γ of the malicious gradient, the initial sacrifice gradient, and the perturbation amplification factor of the sacrifice gradient.
5. The method according to claim 4, characterized in that calculating the real-time poisoning feedback cs^(t-1) from the global gradient g^(t-1) of the previous iteration includes: using cosine similarity as the metric of the poisoning feedback, and taking the cosine similarity between the global gradient g^(t-1) of the previous iteration and the mean of the malicious gradients used in the attack of the previous iteration as the poisoning feedback cs^(t-1), represented as: .
6. The method according to claim 5, characterized in that adaptively adjusting the perturbation factor γ of the malicious gradient according to the real-time poisoning feedback cs^(t-1) includes: when the real-time poisoning feedback cs^(t-1) is below the preset minimum poisoning feedback threshold, reducing the value of the perturbation factor γ of the malicious gradient; when the real-time poisoning feedback cs^(t-1) is above the preset minimum poisoning feedback threshold, increasing the value of the perturbation factor γ of the malicious gradient.
7. The method according to claim 6, characterized in that it further includes: setting a lower limit and an upper limit for the perturbation factor γ of the malicious gradient; accordingly, while the perturbation factor γ of the malicious gradient is adaptively adjusted according to the real-time poisoning feedback cs^(t-1), γ is always kept between the lower limit and the upper limit.
8. An electronic device, characterized in that it includes a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; the memory is used to store a computer program; and the processor, when executing the program stored in the memory, implements the method described in any one of claims 1-7.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method described in any one of claims 1-7.
10. A program product, characterized in that the program product includes computer program instructions which, when executed by a processor, implement the method described in any one of claims 1-7.
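The attack loop of paragraph [0074] and claims 1 to 7, as an added worked example that is not part of the patent text and not the applicant's code: a pure-Python simulation on a constructed quadratic toy model with eight benign clients and three malicious clients, in which the attacker predicts the global gradient by L-BFGS from the ΔW/ΔG history, crafts (m-1) hidden gradients and one sacrifice gradient on the two largest-|ĝ| coordinates, adapts γ from the cosine-similarity feedback cs^(t-1) within fixed bounds, and, as claim 1 proposes, the same attack is rehearsed against two candidate aggregators (a plain mean and a coordinate-wise trimmed mean) to compare attack success rates. The toy loss, the secant form ĝ = g^(t-1) + B·(w^(t) - w^(t-1)) with an explicit BFGS matrix in place of the compact L-BFGS representation of claim 3, the perturbation direction orthogonal to ĝ inside the top-2 plane, the amplification factor β = 3, the feedback threshold 0.9, the γ bounds and the success metric are all assumptions, since the patent's own formulas are not reproduced on this page.

```python
"""Added example (not the patent's own code): a toy simulation of the
gradient-prediction poisoning attack described above, used, as claim 1
suggests, to score candidate server aggregators by attack success rate."""
import math
import random

D = 4                                  # toy model dimension (assumption)
HESSIAN = [2.0, 1.0, 0.5, 0.25]        # curvature of a constructed quadratic loss
W_STAR = [1.0, -2.0, 0.5, 3.0]         # its optimum (constructed)
GAMMA_LO, GAMMA_HI = 0.05, 1.0         # claim 7 bounds on gamma (values assumed)

def dot(a, b): return sum(x * y for x, y in zip(a, b))
def axpy(a, b, c=1.0): return [x + c * y for x, y in zip(a, b)]
def norm(a): return math.sqrt(dot(a, a))
def cosine(a, b):
    n = norm(a) * norm(b)
    return dot(a, b) / n if n > 0 else 0.0
def true_grad(w): return [h * (x - s) for h, x, s in zip(HESSIAN, w, W_STAR)]
def loss(w): return 0.5 * sum(h * (x - s) * (x - s) for h, x, s in zip(HESSIAN, w, W_STAR))

def lbfgs_predict(g_prev, delta_w, dW, dG, memory=5):
    """Predict g^(t) = g^(t-1) + B (w^(t) - w^(t-1)), with B the BFGS curvature
    estimate rebuilt from the last `memory` (dW, dG) secant pairs (assumed form)."""
    pairs = [(s, y) for s, y in zip(dW[-memory:], dG[-memory:])
             if dot(s, y) > 1e-8 * dot(s, s)]      # curvature condition
    if not pairs:
        return list(g_prev)
    s0, y0 = pairs[-1]
    scale = dot(y0, s0) / dot(s0, s0)              # usual L-BFGS initial scaling
    B = [[scale if i == j else 0.0 for j in range(D)] for i in range(D)]
    for s, y in pairs:                             # BFGS update of the explicit matrix
        Bs = [dot(row, s) for row in B]
        sBs, ys = dot(s, Bs), dot(y, s)
        for i in range(D):
            for j in range(D):
                B[i][j] += y[i] * y[j] / ys - Bs[i] * Bs[j] / sBs
    return axpy(g_prev, [dot(row, delta_w) for row in B])

def craft(g_hat, gamma, beta=3.0):
    """Hidden = g_hat + gamma*|g_hat|*u, sacrifice = g_hat + beta*gamma*|g_hat|*u.
    Claim 4 puts the perturbation on the largest-|g_hat| coordinates; u as a unit
    vector orthogonal to g_hat inside its top-2 plane, and beta, are assumptions."""
    i, j = sorted(range(D), key=lambda d: -abs(g_hat[d]))[:2]
    u = [0.0] * D
    u[i], u[j] = g_hat[j], -g_hat[i]               # rotates g_hat, stays stealthy
    n = norm(u) or 1.0
    u = [x / n for x in u]
    return (axpy(g_hat, u, gamma * norm(g_hat)),
            axpy(g_hat, u, beta * gamma * norm(g_hat)))

def adapt_gamma(gamma, cs, cs_min=0.9, step=0.25):
    """Claim 6: feedback below cs_min means the poisoned global gradient drifted
    away from our uploads (likely filtered), so back off; otherwise push harder."""
    gamma = gamma * (1 - step) if cs < cs_min else gamma * (1 + step)
    return min(GAMMA_HI, max(GAMMA_LO, gamma))    # claim 7 clamp

def mean_agg(grads):                               # plain FedAvg-style mean
    return [sum(g[i] for g in grads) / len(grads) for i in range(D)]

def trimmed_mean_agg(grads, trim=3):               # coordinate-wise trimmed mean
    cols = [sorted(g[i] for g in grads)[trim:len(grads) - trim] for i in range(D)]
    return [sum(c) / len(c) for c in cols]

def simulate(aggregate, rounds=30, n_benign=8, m=3, lr=0.2, theta=0.15, seed=7):
    """One attacked session; m malicious clients upload (m-1) hidden gradients and
    one sacrifice gradient.  Returns (success rate, final loss, gamma trace); a round
    is a success when the poisoned aggregate moves more than theta (relative) from
    what the same aggregator returns on the benign uploads alone (assumed metric)."""
    rng = random.Random(seed)
    w, w_prev, g_prev, mal_prev = [0.0] * D, None, None, None
    dW, dG, gamma, gammas, hits = [], [], 0.5, [], 0
    for _ in range(rounds):
        benign = [axpy(true_grad(w), [rng.gauss(0, 0.02) for _ in range(D)])
                  for _ in range(n_benign)]
        uploads = list(benign)
        if g_prev is not None and m > 0:           # attacker has seen a broadcast
            if mal_prev is not None:               # real-time feedback cs^(t-1)
                gamma = adapt_gamma(gamma, cosine(g_prev, mean_agg(mal_prev)))
            g_hat = lbfgs_predict(g_prev, axpy(w, w_prev, -1.0), dW, dG)
            hidden, sacrifice = craft(g_hat, gamma)
            mal_prev = [hidden] * (m - 1) + [sacrifice]
            uploads += mal_prev
            gammas.append(gamma)
        g, clean = aggregate(uploads), aggregate(benign)   # server side
        if norm(clean) > 0 and norm(axpy(g, clean, -1.0)) / norm(clean) > theta:
            hits += 1
        if g_prev is not None:                     # extend the dW / dG history
            dW.append(axpy(w, w_prev, -1.0))
            dG.append(axpy(g, g_prev, -1.0))
        w_prev, g_prev = list(w), g
        w = axpy(w, g, -lr)                        # clients apply the broadcast
    return hits / max(1, len(gammas)), loss(w), gammas

DEFENSES = {"fedavg_mean": mean_agg, "trimmed_mean": trimmed_mean_agg}

def assess_defenses():
    """Claim 1: rehearse the attack against each candidate aggregator before deployment."""
    return {name: simulate(agg)[0] for name, agg in DEFENSES.items()}

def select_defense(rates):
    return min(rates, key=rates.get)               # lowest success rate wins

if __name__ == "__main__":
    print("clean final loss %.4f" % simulate(mean_agg, m=0)[1])
    for name, agg in DEFENSES.items():
        rate, final, gammas = simulate(agg)
        print("%-13s success rate %.2f  final loss %.4f  gamma %.2f -> %.2f"
              % (name, rate, final, gammas[0], gammas[-1]))
    print("deploy:", select_defense(assess_defenses()))
```

Run as a script to print the clean final loss, each aggregator's attack success rate with the start and end of its γ trajectory, and the defense the rehearsal would select. One caveat a practitioner should keep in mind: the feedback of claim 5 compares the attacked global gradient with the attacker's own mean upload, so when the hidden gradients already sit close to the predicted gradient the feedback stays high whether or not the sacrifice gradient was trimmed out; a server-side assessment should therefore rely on its own measurements, as the simulation does with the per-round deviation from the benign-only aggregate and the final loss, rather than on the attacker's feedback signal.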