A method and device for coping with a covert backdoor attack oriented to distributed computing

By identifying sensitive layers in federated learning and implementing alternating training and parameter pruning, the problem of backdoor models being easily detected in federated learning is solved, achieving a backdoor attack response with high concealment and good performance.

CN122179221APending Publication Date: 2026-06-09BEIJING JIAOTONG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING JIAOTONG UNIV
Filing Date
2026-03-31
Publication Date
2026-06-09

Smart Images

  • Figure CN122179221A_ABST
    Figure CN122179221A_ABST
Patent Text Reader

Abstract

The application provides a distributed computing-oriented hidden backdoor attack coping method and device, the method comprises the following steps: a client obtains a global model issued by a server, re-trains the model by using clean and backdoor data sets, calculates a sensitivity score of each layer, selects a sensitive layer, and the remaining layers are normal layers; during local training, the normal layers are frozen, the sensitive layer is alternately trained, a loss function containing a backdoor loss and a parameter difference constraint is constructed, and a restricted update is performed; after training, the parameter difference between the normal layers and the global model is calculated and is element by element pruned, the normal layer parameters are updated, and the sensitive layer and the normal layer parameters are uploaded to the server as hidden backdoor parameters. Through layer sensitivity evaluation, constraint training and pruning strategy, the application reduces the difference between the backdoor model and the clean model, improves the attack concealment, and maintains the main task performance.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of distributed computing and federated learning security, specifically a method and apparatus for countering covert backdoor attacks in distributed computing. Background Technology

[0002] Federated learning, as a distributed training paradigm, allows multiple clients to collaboratively train a shared global model on local data while protecting data privacy, and has been widely applied in fields such as healthcare, finance, and the Internet of Things. However, the decentralized nature of federated learning makes it vulnerable to backdoor attacks: malicious clients can inject backdoors into the global model by training on contaminated data, causing the model to produce incorrect predictions as expected by the attacker when encountering specific triggers, while the main task performance remains normal. Based on the different trigger synthesis methods, existing backdoor attacks can be divided into two categories: traditional methods use fixed triggers with significant characteristics; optimization-based methods jointly utilize data characteristics and model attributes to generate triggers, achieving a higher attack success rate. However, both types of methods share a common problem: a significant distance difference exists between the backdoor model and the clean model. This difference is particularly pronounced in the early stages of the attack, making backdoor attacks easily detectable by existing defense mechanisms.

[0003] To address the aforementioned lack of concealment, existing research has attempted to use methods such as projective gradient descent, norm regularization, or scaling constraints to make the updates of the backdoor model as close as possible to the server model, thereby evading detection. However, current methods typically apply poisoning and concealment treatment to all model layers indiscriminately, ignoring the heterogeneous contributions of different layers to the success of backdoor attacks. In fact, some layers in the model are far more sensitive to backdoor tasks than others; indiscriminate treatment not only fails to effectively hide attack traces but may also unnecessarily impair the performance of the main task. Furthermore, existing methods are prone to prematurely introducing significant parameter biases during poisoning training, resulting in the backdoor model still being distinguishable from the clean model under distance metrics. Therefore, in federated learning distributed training scenarios, how to identify the layers most critical to backdoor attacks and implement differentiated concealment updates to systematically reduce the differences between the backdoor model and the clean model while maintaining the performance of the main task has become an urgent technical problem to be solved in this field. Summary of the Invention

[0004] In order to solve the technical problems mentioned in the background art, the present invention proposes a method and device for countering covert backdoor attacks in distributed computing.

[0005] Therefore, the technical solution adopted by the present invention is as follows: A method for countering covert backdoor attacks in distributed computing includes a central server and several clients, with the following specific steps: Step 1: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and backdoor dataset in the local dataset are used to retrain the global model respectively; the sensitivity score of each layer of the global model is calculated, and the TopK algorithm is used to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, and the remaining layers are ordinary layers. Step 2: During the local training phase, the client freezes the parameters of the ordinary layer and only performs alternating training on the sensitive layer; a constrained backdoor loss function is constructed, which includes the backdoor task loss and parameter difference constraint terms, and the sensitive layer is updated in a constrained manner using the backdoor dataset; Step 3: After the restricted update is completed, the client calculates the parameter difference between the normal layer and the corresponding layer of the global model, performs element-by-element pruning on the parameter difference, and updates the parameters of the normal layer based on the pruned parameter difference; the updated parameters of the sensitive layer and the pruned parameters of the normal layer are uploaded to the central server as hidden backdoor parameters.

[0006] Furthermore, the global model is a model with an L-layer network structure.

[0007] Furthermore, the client performs N retraining operations on the same global model using a clean dataset and a backdoor dataset respectively. The global model trained based on the clean dataset is the clean model, and the global model trained based on the backdoor dataset is the backdoor model.

[0008] Furthermore, the calculation process for the sensitivity score is as follows: In each cycle, the change in the first parameter of each layer in the clean model compared to the previous cycle is calculated using the following formula: in, For the first In the cycle, the The change in the first parameter of the layer parameters. For the first In the cycle, the The parameters of the layer parameters, For the first In the cycle, the The parameters of the layer parameters, A function for calculating parameter differences. and The parameters to be compared are... The symbol for calculating L1 distance; The change in the second parameter of the backdoor model is calculated using the same method as calculating the change in the first parameter. ; Finish After the retraining cycle of the clean model, the first cycle is calculated. The first average parameter difference of the layers is calculated using the following formula: in, For the clean model The difference in the first average parameter of the layer; The second average parameter difference of the backdoor model is calculated using the method for calculating the first average parameter difference. ; The difference between the first average parameter difference and the second average parameter difference is used as the dynamic evaluation score for each layer. ; The convergence evaluation score at the convergence state is calculated using the following formula: in, For the global model The convergence evaluation score of the layer For the clean model after convergence Layer parameters, For the converged backdoor model, the first Layer parameters; The sensitivity score is obtained by adding the dynamic evaluation score and the convergence evaluation score.

[0009] Furthermore, the client divides the sensitive layer set into... A set of mutually exclusive sensitive layers; The alternating training refers to cyclically activating the sensitive layer subsets in multiple training rounds by performing a modulo operation on the current training round and the number of sensitive layer subsets, and freezing the sensitive layer subsets that have not been activated.

[0010] Furthermore, the constrained backdoor loss function is as follows: in, The loss value. This represents the total number of samples in the backdoor dataset. For the sample features of a single sample in the backdoor dataset, Preset sample labels for a single sample in the backdoor dataset. This is the current parameter set for the backdoor model. This serves as the basic loss function for backdoor attack missions. For sensitive layer indexing, For the sensitive layer subset, For the current training process, the sensitive layer subset Inner Real-time parameters of the layer At the start of the local poisoning training cycle, the global model distributed by the central server... Layer parameters, The constraint weights for parameter differences, The symbol for L2 norm calculation.

[0011] Furthermore, the formula for calculating the parameter difference is as follows: in, For the first The parameter difference of a normal layer For the backdoor model, the first Parameters of a normal layer When the global model is distributed to the central server, the first Parameters of a normal layer; The calculation formula for element-by-element clipping is as follows: in, For the first The parameter difference after clipping a normal layer The preset cropping threshold, This is an element-wise pruning function; The update formula for the parameters of the ordinary layer is as follows: in, For the first The parameters of a normal layer are updated.

[0012] A device for countering covert backdoor attacks in distributed computing includes a central server and several clients. The device comprises: Sensitive Layer Identification Module: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and backdoor dataset in the local dataset are used to retrain the global model respectively; the sensitivity score of each layer of the global model is calculated, and the TopK algorithm is used to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, and the remaining layers are ordinary layers. Constrained training module: During the local training phase, the client freezes the parameters of the ordinary layer and performs alternating training only on the sensitive layer; it constructs a constrained backdoor loss function that includes backdoor task loss and parameter difference constraint terms, and uses the backdoor dataset to perform constrained updates on the sensitive layer; Pruning and Uploading Module: After the restricted update is completed, the client calculates the parameter difference between the normal layer and the corresponding layer of the global model, prunes the parameter difference element by element, and updates the parameters of the normal layer based on the pruned parameter difference; the updated parameters of the sensitive layer and the pruned parameters of the normal layer are uploaded to the central server as hidden backdoor parameters.

[0013] Compared with the prior art, the advantages of the present invention are as follows: This invention uses a layer-based sensitivity assessment mechanism to quantify the contribution of each layer to backdoor attacks through dynamic and convergent assessments. It only poisons sensitive layers, avoiding redundant updates to irrelevant layers, thus minimizing model discrepancies while ensuring the effectiveness of the attack.

[0014] This invention combines three complementary methods—constrained backdoor loss, alternating training of sensitive layers, and difference-aware pruning of ordinary layers—to systematically reduce the distance between backdoor models and clean models in three dimensions: update magnitude, training rhythm, and parameter bias, making it difficult to distinguish between backdoor updates and benign updates.

[0015] 3. This invention uses layered differentiation processing to ensure that the accuracy of the model's main task is not significantly affected while implanting a backdoor, so that the behavior of the backdoor model under non-triggered conditions is highly consistent with that of the clean model, further improving the stealth of the attack. Attached Figure Description

[0016] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0017] Figure 1 This is a schematic diagram of the method flow of the present invention; Figure 2 This is a schematic diagram of the device architecture of the present invention; Figure 3 This is a flowchart of the algorithm of the present invention. Detailed Implementation

[0018] To achieve the above objectives, the present invention provides a method and apparatus for countering covert backdoor attacks in distributed computing. Please refer to [link / reference]. Figures 1 to 3 ,include: Step 1: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and backdoor dataset in the local dataset are used to retrain the global model respectively; the sensitivity score of each layer of the global model is calculated, and the TopK algorithm is used to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, and the remaining layers are ordinary layers. The global model is an L-layer network structure. The initial model parameters are uniformly generated by a trusted third party using a fixed random seed. The central server uses a fixed loss function, optimizer, and hyperparameters to ensure that the global model distributed to all clients is consistent and that subsequent training and iteration can be carried out effectively.

[0019] The same global model is retrained for N cycles using both a clean dataset and a backdoor dataset. The global model trained on the clean dataset is called the clean model, and the global model trained on the backdoor dataset is called the backdoor model. The dynamic evaluation process is as follows: In each period, the change in the first parameter of each layer in the clean model compared to the previous period is calculated using the following formula: in, For the first In the cycle, the The change in the first parameter of the layer parameters. For the first In the cycle, the The parameters of the layer parameters, For the first In the cycle, the The parameters of the layer parameters, A function for calculating parameter differences. and The parameters to be compared are... The symbol for calculating L1 distance; The change in the second parameter of the backdoor model is calculated using the same method as calculating the change in the first parameter. ; Finish After the nth retraining cycle, the clean model is calculated. The first average parameter difference of the layers is calculated using the following formula: in, For the clean model The difference in the first average parameter of the layer; The second average parameter difference of the backdoor model is calculated using the method for calculating the first average parameter difference. ; The dynamic evaluation score for each layer is obtained by subtracting the average parameter differences between the clean model and the backdoor model at the same layer: in, For the global model Layer dynamic evaluation scores are used to quantify the impact of backdoor attacks on each layer.

[0020] The specific steps for convergence evaluation are as follows: After N epochs of retraining, the clean model and the backdoor model reach convergence. At this point, the convergence evaluation score is calculated using the following formula: in, To converge the evaluation scores, For the clean model after convergence Layer parameters, For the converged backdoor model, the first Layer parameters.

[0021] The formula for calculating the sensitivity score is as follows: in, For the global model Sensitivity score of the layer.

[0022] The sensitivity scores S are sorted in descending order using the TopK algorithm, and the k layers with the highest scores after sorting are selected as the sensitive layers for backdoor attacks. in, For sensitive layer set, It is the TopK algorithm. For the sensitivity score set, The number of sensitive layers to be selected; The core basis for determining the value of k is the total number of layers L of the global model, the balance between the effectiveness and concealment of backdoor attacks, and the optimal value is determined in combination with experimental verification results. If the value of k is too large, it will introduce too many model differences and reduce the stealth, while if the value of k is too small, it will be difficult to guarantee the effectiveness of the backdoor attack.

[0023] In this embodiment, based on the commonly used model layer structure in federated learning and the experimental verification of this invention, the typical value of k is usually taken as 10% to 30% of the total number of layers L in the global model.

[0024] Step 2: During the local training phase, the client freezes the parameters of the ordinary layer and only performs alternating training on the sensitive layer; a constrained backdoor loss function is constructed, which includes the backdoor task loss and parameter difference constraint terms, and the sensitive layer is updated in a constrained manner using the backdoor dataset; Sensitive layer set Divided into A set of mutually disjoint subsets that satisfies: in, For the first A sensitive subset, The union operator for sets. Index from =1 to = All sensitive layer subsets Perform a union operation; And any two distinct subsets satisfy ,in, For the first A sensitive subset, The symbol for the empty set. This is the intersection operator for sets.

[0025] The specific steps for alternating training are as follows: Driven by federated training rounds, the system uses modulo operations to achieve cyclical activation of sensitive layer subsets. Parameters of each sensitive layer subset are updated alternately across multiple training rounds, while the remaining layers are frozen throughout. Specifically, in the federated training round... During the round, the client calculates the index of the sensitive layer subset to be activated in this round using the following formula. : in, The modulo operator is used to calculate the remainder when two integers are divided. Indicates using the current round Divide by the total number of sensitive layer subsets The remainder obtained is used to match the index of the sensitive layer subset to be trained in this round. ,like If it is 0, then the corresponding index ; Select only the corresponding sensitive layer subset Training and parameter updates are performed, while the parameters of all other inactive sensitive layer subsets and all ordinary layers remain frozen and do not participate in this round of training iterations. With federal training rounds The subset of sensitive layers to be activated will be increased in successive rounds. The sequential cyclic rotation is implemented to achieve A subset of sensitive layers is activated alternately and its parameters are updated sequentially in multiple rounds of training, rather than a large-scale centralized update of all sensitive layers in a single round.

[0026] By using this round-driven, alternating training method, the parameter update process of the sensitive layer is dispersed in terms of training rhythm, avoiding large fluctuations in the parameters of the sensitive layer in a single round of training. This reduces the parameter differences between the backdoor model and the server's global model from the root, laying the foundation for improving the stealth of backdoor attacks.

[0027] The constraint backdoor loss function is as follows: in, The loss value. This represents the total number of samples in the backdoor dataset. For the sample features of a single sample in the backdoor dataset, Preset sample labels for a single sample in the backdoor dataset. This is the current parameter set for the backdoor model. This is the basic loss function for backdoor attack tasks, used to measure the deviation of the backdoor model's prediction performance on the backdoor dataset from the preset target. It maintains consistency with the basic loss function type used by the central server to train the global model (such as cross-entropy loss), and is determined by the training rules of the federated learning system. Malicious clients use this type of loss function to ensure consistency in model training. For sensitive layer indexing, This is a subset of sensitive layers selected for training in this round of federated training. For the current training process, the sensitive layer subset Inner Real-time parameters of the layer The initial parameters of layer l in the global model, issued by the central server at the start of the local poisoning training cycle, serve as the baseline values ​​for parameter difference constraints during this round of local training and remain fixed. The constraint weights for parameter differences, The symbol for L2 norm calculation; The constraint weights for parameter differences are manually set hyperparameters, which are scalar values. Their values ​​are positively correlated with the strength of the parameter constraints. They are set according to the structure of the federated learning model and the need to balance the stealth and effectiveness of backdoor attacks. There are no fixed values; the optimal values ​​can be determined through experimental verification. For example: When the total number of sensitive layers is large and the size of a single training subset is large: the efficiency can be appropriately increased. (as if taking) Strengthen constraints to avoid excessively large parameter update amplitudes in a single round; When the backdoor trigger is highly concealed and the backdoor dataset size is small: β can be appropriately reduced (e.g., by taking...). This improves backdoor injection efficiency while maintaining constraints. When a federated learning system has a robust backdoor detection mechanism (such as parameter anomaly detection or model distillation detection): Improvements are needed. (as if taking) Strengthen parameter constraints to reduce the probability of detection; When the primary task has extremely high performance requirements (such as in healthcare and finance scenarios): β needs to be strictly controlled. To avoid excessively strong or weak constraints that could lead to a decrease in the accuracy of the main task.

[0028] The specific steps for restricted updates to the sensitive layer are as follows: The client-side uses the same optimizer, hyperparameters, and training iteration rules as the global model training, with the optimization goal of minimizing the backdoor loss function. It utilizes the backdoor dataset D on a selected subset of sensitive layers. Perform backpropagation and parameter update; In each parameter update iteration, the constrained backdoor loss function simultaneously imposes dual constraints on the backdoor task effect and the magnitude of parameter differences. This ensures that while the parameters of the sensitive layer gradually achieve the preset target of the backdoor attack, the update magnitude is strictly limited, preventing significant deviations from the initial parameters of the server.

[0029] Since the normal layers remain frozen throughout the entire local training phase, their parameters are completely consistent with the global model parameters issued by the server. Therefore, all parameter differences in the model are limited to the sensitive layers, and the parameter differences in the sensitive layers are kept at a low level due to the constraint of the backdoor loss function.

[0030] This restricted update method ensures that the backdoor model maintains good performance on the main task while achieving the backdoor attack objective. It also ensures that the model's prediction results under non-backdoor triggering conditions are highly consistent with those of the clean model, thus avoiding the exposure of backdoor attack behavior due to a decline in main task performance.

[0031] Step 3: After the restricted update is completed, the client calculates the parameter difference between the normal layer and the corresponding layer of the global model, performs element-by-element pruning on the parameter difference, and updates the parameters of the normal layer based on the pruned parameter difference; the updated parameters of the sensitive layer and the pruned parameters of the normal layer are uploaded to the central server as hidden backdoor parameters.

[0032] The formula for calculating the parameter difference is as follows: in, For the first The parameter difference of a normal layer For the backdoor model, the first Parameters of a normal layer When the global model is distributed to the central server, the first Parameters of a normal layer; Since the backdoor model and the global model have the same network layer structure, the layer indices of the sensitive layer and the normal layer determined in step one can be directly applied to the backdoor model.

[0033] The formula for calculating element-by-element clipping is as follows: in, For the first The parameter difference after clipping a normal layer The preset cropping threshold, This is an element-wise pruning function, its purpose is to prune the parameter difference. Each element in the data is independently evaluated and cropped; if the element's value exceeds a preset threshold... Then the element will be clipped to If the element value is less than Then the element will be clipped to If the element value is in Within the range, the original value of the element remains unchanged; The default value of the pruning threshold is 0.05. Its specific value can be adaptively adjusted according to the strictness of backdoor detection in the federated learning system, the overall numerical range of model parameters, and the concealment requirements of backdoor attacks. The smaller the threshold, the stronger the constraint on the deviation of ordinary layer parameters, and the higher the concealment of the backdoor model. This element-by-element clipping operation ensures that the deviation of all parameters in each layer of the normal layer does not exceed the preset threshold, thus strictly controlling the degree of parameter deviation in the normal layer from the element dimension.

[0034] The update formula for the parameters of the normal layer is as follows: in, For the first The parameters of a normal layer are updated.

[0035] After completing the parameter pruning and updating of all ordinary layers, the client integrates all layer parameters of the global model, and sets the sensitive layers after alternating training and restricted updates. All parameters, and the normal layer set after the clipping update. By integrating all the parameters, we obtain the complete backdoor parameters, which are the concealed backdoor parameters that meet the concealment requirements.

[0036] This parameter retains the effectiveness of backdoor attacks while minimizing the parameter differences from the global model on the central server. Furthermore, the performance of the model's main task does not significantly decrease due to parameter constraints and pruning, making it difficult to distinguish between backdoor attacks and benign model parameter updates.

[0037] Finally, the client uploads the integrated hidden backdoor parameters to the central server according to the standard training protocol of federated learning. The central server then performs federated averaging or defense-aware aggregation on these parameters and the local model parameters uploaded by other clients to complete the global model parameter update for this round of federated training.

[0038] A device for countering covert backdoor attacks in distributed computing includes a central server and several clients. The device comprises: Sensitive Layer Identification Module: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and backdoor dataset in the local dataset are used to retrain the global model respectively; the sensitivity score of each layer of the global model is calculated, and the TopK algorithm is used to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, and the remaining layers are ordinary layers. Constrained training module: During the local training phase, the client freezes the parameters of the ordinary layer and performs alternating training only on the sensitive layer; it constructs a constrained backdoor loss function that includes backdoor task loss and parameter difference constraint terms, and uses the backdoor dataset to perform constrained updates on the sensitive layer; Pruning and Uploading Module: After the restricted update is completed, the client calculates the parameter difference between the normal layer and the corresponding layer of the global model, prunes the parameter difference element by element, and updates the parameters of the normal layer based on the pruned parameter difference; the updated parameters of the sensitive layer and the pruned parameters of the normal layer are uploaded to the central server as hidden backdoor parameters.

[0039] This invention proposes a method and apparatus for countering covert backdoor attacks in distributed computing. By introducing a layer sensitivity assessment mechanism to identify the most critical sensitive layers for backdoor attacks, and employing constrained backdoor loss to perform restricted alternating training on the sensitive layers while simultaneously performing difference-aware pruning on the ordinary layers, the method systematically reduces the parameter differences between the backdoor model and the clean model. This solves the problem that existing backdoor attacks are easily detected due to significant model differences in federated learning distributed training scenarios, and significantly improves the covertness of attacks while maintaining the performance of the main task.

[0040] In summary, this invention accurately locates the key attack layers through layer sensitivity assessment, avoiding invalid perturbations; it systematically reduces the difference between the backdoor model and the clean model by combining three strategies: constrained backdoor loss, alternating training, and difference-aware pruning; at the same time, it takes into account the performance of the main task, making it difficult to distinguish between backdoor updates and benign updates, thereby improving the stealth of attacks.

[0041] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for countering covert backdoor attacks in distributed computing, comprising a central server and several clients, characterized in that, The specific steps are as follows: Step 1: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and the backdoor dataset in the local dataset are used to retrain the global model respectively; Calculate the sensitivity score of each layer of the global model, and use the TopK algorithm to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, while the remaining layers are ordinary layers. Step 2: During the local training phase, the client freezes the parameters of the ordinary layer and only performs alternating training on the sensitive layer; a constrained backdoor loss function is constructed, which includes the backdoor task loss and parameter difference constraint terms, and the sensitive layer is updated in a constrained manner using the backdoor dataset; Step 3: After the restricted update is completed, the client calculates the parameter difference between the ordinary layer and the corresponding layer of the global model, performs element-by-element pruning on the parameter difference, and updates the parameters of the ordinary layer based on the pruned parameter difference; The updated sensitive layer parameters and the trimmed ordinary layer parameters are uploaded to the central server as hidden backdoor parameters.

2. The method according to claim 1, characterized in that, The global model is a model with an L-layer network structure.

3. The method according to claim 2, characterized in that, The client performs N retraining operations on the same global model using a clean dataset and a backdoor dataset. The global model trained on the clean dataset is the clean model, and the global model trained on the backdoor dataset is the backdoor model.

4. The method according to claim 3, characterized in that, The calculation process for the sensitivity score is as follows: In each cycle, the change in the first parameter of each layer in the clean model compared to the previous cycle is calculated using the following formula: in, For the first In the cycle, the The change in the first parameter of the layer parameters. For the first In the cycle, the The parameters of the layer parameters, For the first In the cycle, the The parameters of the layer parameters, A function for calculating parameter differences. and The parameters to be compared are... The symbol for calculating L1 distance; The change in the second parameter of the backdoor model is calculated using the same method as calculating the change in the first parameter. ; Finish After the retraining cycle of the clean model, the first cycle is calculated. The first average parameter difference of the layers is calculated using the following formula: in, For the clean model The difference in the first average parameter of the layer; The second average parameter difference of the backdoor model is calculated using the method for calculating the first average parameter difference. ; The difference between the first average parameter difference and the second average parameter difference is used as the dynamic evaluation score for each layer. ; The convergence evaluation score at the convergence state is calculated using the following formula: in, For the global model The convergence evaluation score of the layer For the clean model after convergence Layer parameters, For the converged backdoor model, the first Layer parameters; The sensitivity score is obtained by adding the dynamic evaluation score and the convergence evaluation score.

5. The method according to claim 4, characterized in that, The client divides the sensitive layer set into... A set of mutually exclusive sensitive layers; The alternating training refers to cyclically activating the sensitive layer subsets in multiple training rounds by performing a modulo operation on the current training round and the number of sensitive layer subsets, and freezing the sensitive layer subsets that have not been activated.

6. The method according to claim 5, characterized in that, The constraint backdoor loss function is as follows: in, This is the loss value. This represents the total number of samples in the backdoor dataset. For the sample features of a single sample in the backdoor dataset, Preset sample labels for a single sample in the backdoor dataset. This is the current parameter set for the backdoor model. This serves as the basic loss function for backdoor attack missions. For sensitive layer indexing, For the sensitive layer subset, For the current training process, the sensitive layer subset Inner Real-time parameters of the layer These are the parameters of the l-th layer in the global model, distributed by the central server at the start of the local poisoning training cycle. The constraint weights for parameter differences, The symbol for L2 norm calculation.

7. The method according to claim 6, characterized in that, The formula for calculating the parameter difference is as follows: in, For the first The parameter difference of a normal layer For the backdoor model, the first Parameters of a normal layer When the global model is distributed to the central server, the first Parameters of a normal layer; The calculation formula for element-by-element clipping is as follows: in, For the first The parameter difference after clipping a normal layer The preset cropping threshold, This is an element-wise pruning function; The update formula for the parameters of the ordinary layer is as follows: in, For the first The parameters of a normal layer are updated.

8. A device for countering covert backdoor attacks in distributed computing, comprising a central server and several clients, characterized in that, The device includes: Sensitive Layer Identification Module: The client obtains the global model issued by the central server; the client contains a local dataset, and the clean dataset and backdoor dataset in the local dataset are used to retrain the global model respectively; the sensitivity score of each layer of the global model is calculated, and the TopK algorithm is used to select the layers with the highest sensitivity scores as the sensitive layer set for backdoor attacks, and the remaining layers are ordinary layers. Constrained training module: During the local training phase, the client freezes the parameters of the ordinary layer and performs alternating training only on the sensitive layer; it constructs a constrained backdoor loss function that includes backdoor task loss and parameter difference constraint terms, and uses the backdoor dataset to perform constrained updates on the sensitive layer; Pruning and Uploading Module: After the restricted update is completed, the client calculates the parameter difference between the normal layer and the corresponding layer of the global model, prunes the parameter difference element by element, and updates the parameters of the normal layer based on the pruned parameter difference; the updated parameters of the sensitive layer and the pruned parameters of the normal layer are uploaded to the central server as hidden backdoor parameters.