Historical subspace-based federated learning backdoor defense processing method and system
By maintaining a historical benign update library and generating a low-rank subspace in the federated learning system, calculating projection energy and conformal p-values to determine malicious updates, the problem of backdoor attack identification in Non-IID scenarios of the federated learning system is solved, achieving a defense effect with low false positive and low false negative rates.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING UNIV OF POSTS & TELECOMM
- Filing Date
- 2026-02-10
- Publication Date
- 2026-06-16
AI Technical Summary
Existing federated learning systems struggle to effectively identify and defend against backdoor attacks in Non-IID scenarios. Existing defense methods suffer from high false positive rates, reliance on additional data that is difficult to obtain, and improper threshold settings that lead to false positives or false negatives and loss of control.
By maintaining a historical benign update library on the server side, a low-rank subspace orthogonal basis is generated. The projection energy and suspicion index of the model update vector are calculated. The benign or malicious nature of the model update vector is determined by combining the conformal p-value. The historical library is updated in a queue form to adapt to changes in data distribution.
It effectively reduces false alarm rates under Non-IID conditions, adapts to changes in data distribution, requires no additional verification dataset, is easy to integrate and deploy, and reduces computational and communication overhead.
Smart Images

Figure CN122226327A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of federated learning security technology, specifically relating to a method and system for defending against backdoors in federated learning based on historical subspace. Background Technology
[0002] Federated learning is a distributed, privacy-preserving machine learning paradigm. After training the model locally, the client only uploads the updated model parameters to the server for global model aggregation, achieving privacy-preserving training without leaving the local machine. However, the distributed architecture of federated learning is vulnerable to backdoor attacks. Malicious clients can implant backdoor triggers in the uploaded model updates, causing the global model to produce incorrect outputs for inputs containing specific trigger patterns. These attacks are highly stealthy; the numerical scale of malicious updates is similar to that of benign updates, making it difficult for the server to identify them using simple statistical indicators.
[0003] Existing federated learning backdoor defense methods include robust aggregation-based defenses that filter out outlier updates using rules such as the Krum algorithm and median truncation. However, in non-independent identically distributed (Non-IID) scenarios, benign updates themselves vary significantly, easily leading to high false positive rates. Attackers can also adjust the statistical characteristics of malicious updates to evade detection. Defenses based on additional validation sets require the server to have a clean validation set, identifying backdoors by testing the impact of updates on the validation set's performance. However, obtaining a validation set representing the data distribution of each client is difficult in practice, and false positives or false negatives are prone to occur in Non-IID scenarios. Defenses based on update statistical features extract features such as the norm and cosine similarity of the update vector to detect anomalies, but malicious updates can scalable their norm to evade detection. Directional indicators have low reliability in Non-IID scenarios, and the lack of strict probability control mechanisms, coupled with threshold settings relying on experience, easily leads to uncontrolled false positives or false negatives. Summary of the Invention
[0004] Therefore, the present invention provides a federated learning backdoor defense processing method and system based on historical subspace to solve or partially solve the problems mentioned in the background art.
[0005] To achieve the above objectives, the present invention provides the following technical solution: A first aspect provides a federated learning backdoor defense method based on historical subspace, comprising the following steps:
[0006] The server receives the model update vector uploaded by the client; The server maintains a historical benign update library and uses the benign update vectors stored in the historical benign update library to generate a low-rank subspace orthogonal basis. The server calculates the projection energy of each model update vector inside and outside the low-rank subspace, generates a suspicion index based on the projection energy, and constructs a multidimensional update feature vector by combining statistical features. The server constructs a calibration set based on the historical benign update library, calculates the inconsistency score of the multidimensional updated feature vector using an inconsistency metric function, and then calculates the conformal feature vector based on the inconsistency score. p value; The server will use the conformal p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. The server rejects malicious model update vectors, performs model aggregation using benign model update vectors, and adds the benign model update vectors to the historical benign update library, thus completing the update of the historical benign update library.
[0007] As a preferred solution for the backdoor defense processing method of federated learning based on historical subspace, the historical benign update library is maintained in the form of a queue, storing benign update vectors that have passed the detection within a specified time period. When the capacity of the historical benign update library exceeds a preset value, the oldest benign update vector is removed. The orthogonal basis of the low-rank subspace is obtained by performing singular value decomposition on the vectors in the historical benign update library, and the change pattern of benign model update is captured by the orthogonal basis of the low-rank subspace.
[0008] As a preferred solution for federated learning backdoor defense based on historical subspace, during the server's calculation of the projection energy of each model update vector inside and outside the low-rank subspace, the projection component of the model update vector within the low-rank subspace... The calculation formula is:
[0009] The orthogonal residual components of the model update vector outside the low-rank subspace The calculation formula is:
[0010] In the formula, For the first Model update vectors uploaded by each client. It is an orthogonal basis matrix of a low-rank subspace.
[0011] As a preferred solution for federated learning backdoor defense processing methods based on historical subspaces, the projected energy includes energy within the subspace and energy outside the subspace. The formula for calculating the energy within the subspace is as follows:
[0012] The formula for calculating the energy outside the subspace is:
[0013] In the formula, measure The magnitude of energy in the subspace of historical benign behavior. measure Abnormal energy that deviates from the historical normal subspace.
[0014] As a preferred solution for federated learning backdoor defense processing methods based on historical subspace, in the process of generating a suspicion index based on the projected energy, the suspicion index is a geometric energy ratio, and the calculation formula is:
[0015] In the formula, To avoid local minima with a denominator of zero, Used to measure the degree to which the current update deviates from the historical normal behavior pattern; In the process of constructing a multidimensional updated feature vector by combining statistical features, the multidimensional updated feature vector is: or Any one of them; where, Update vectors for the model The norm of .
[0016] As a preferred solution for federated learning backdoor defense based on historical subspace, the server constructs a calibration set based on the historical benign update library. During the calculation of the inconsistency score of the multidimensional updated feature vector using an inconsistency metric function, the function value of the inconsistency metric function is the geometric energy ratio. or energy outside the subspace The larger the function value of the inconsistency metric function, the more suspicious the model update vector is.
[0017] As a preferred approach to federated learning backdoor defense based on historical subspace, conformal calculation is performed based on the inconsistency score. p During the value process, the conformal p value The calculation formula is:
[0018] In the formula, For the first Conformal corresponding to each client model update vector p value; The first in the historical benign update library Each updated feature vector; It is the set of feature vectors of historical benign updates, which consists of the feature vectors corresponding to all benign updates in the historical benign update library, and serves as the calibration set for conformal calibration; It is a non-consistency metric function, whose function value is used to characterize the degree of abnormality of the input feature vector deviating from the benign distribution; Historical benign feature vector The corresponding inconsistency metric; Update the feature vector for the current client under test The corresponding inconsistency metric; A collection of historical positive characteristics In the mean, the inconsistency metric is greater than or equal to The number of eigenvectors; A collection of historical positive characteristics The total number of feature vectors contained therein.
[0019] As a preferred solution for federated learning backdoor defense methods based on historical subspaces, the server will use the conformal... p The specific rules for determining whether the model update vector is benign or malicious are as follows: The value is compared with a preset significance level threshold. If the conformal p If the value is less than the preset significance level threshold, the corresponding model update vector is determined to be malicious; if the conformal... p If the value is not less than the preset significance level threshold, the corresponding model update vector is determined to be benign.
[0020] As a preferred solution for backdoor defense in federated learning based on historical subspaces, after the historical benign update library is updated, the server recalculates the orthogonal basis of the low-rank subspace based on the updated historical benign update library before the next round of detection.
[0021] Secondly, the present invention provides a federated learning backdoor defense processing system based on historical subspace, employing the federated learning backdoor defense processing method based on historical subspace of the first aspect or any possible implementation thereof, including: The model update receiving module is used by the server to receive model update vectors uploaded by the client; The historical subspace modeling module is used by the server to maintain a historical benign update library and to generate a low-rank subspace orthogonal basis using the benign update vectors stored in the historical benign update library. The geometric energy calculation module is used by the server to calculate the projection energy of each model update vector inside and outside the low-rank subspace, generate a suspicion index based on the projection energy, and construct a multi-dimensional update feature vector by combining statistical features. conformal p The value calculation module is used by the server to construct a calibration set based on the historical benign update library, calculate the non-consistency score of the multidimensional updated feature vector through a non-consistency metric function, and then calculate the conformal feature vector based on the non-consistency score. p value; The conformal calibration decision module is used by the server to determine the conformal calibration decision. p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. The model aggregation and library update module is used by the server to reject malicious model update vectors, perform model aggregation using benign model update vectors, and add the benign model update vectors to the historical benign update library to complete the update of the historical benign update library.
[0022] Thirdly, the present invention provides an electronic device including a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the processor, when executing the program or instructions, implements the first aspect or any possible implementation thereof, a federated learning backdoor defense processing method based on historical subspace.
[0023] Fourthly, the present invention provides a computer-readable storage medium storing a program or instructions that, when executed by a processor, implement the steps of the historical subspace-based federated learning backdoor defense processing method of the first aspect or any possible implementation thereof.
[0024] The present invention has the following advantages: This invention builds a detection benchmark based on a historically updated, benign database, eliminating the need for servers to prepare clean verification datasets. This feature overcomes the limitations of data collection and sharing in privacy-sensitive scenarios, significantly reducing deployment costs and compliance risks.
[0025] This invention captures the main change patterns of benign updates through historical subspace modeling and achieves statistical significance determination by combining conformal calibration. This method effectively distinguishes between normal update differences and abnormal patterns of backdoor attacks under Non-IID conditions, and can strictly control the false positive rate by setting a preset significance threshold, thus solving the problem of high false positive rates in traditional defense methods under Non-IID scenarios.
[0026] All detection and decision logic in this invention is completed on the server side, without requiring modification to the client's training process and communication protocol. This feature allows for seamless integration into existing federated learning systems without increasing client-side computational and communication overhead, facilitating large-scale deployment.
[0027] This invention integrates the directional characteristics and conformal features of geometric energy ratio. p By comprehensively judging the statistical characteristics of the values, attackers find it difficult to evade detection by adjusting the scale or statistical characteristics of maliciously updated values. This method can effectively reduce the injection success rate of backdoor attacks while maintaining the normal accuracy of the global model.
[0028] This invention employs a queue-based dynamic update mechanism for its historical benign data repository, which eliminates outdated data and replenishes it with new benign samples during training rounds. This mechanism enables the subspace model to adapt to changes in data distribution, ensuring the effectiveness and reliability of the defense system during long-term operation. Attached Figure Description
[0029] To more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings in the following description are merely exemplary, and those skilled in the art can derive other embodiments based on the provided drawings without creative effort.
[0030] The structures, proportions, sizes, etc. illustrated in this specification are only for the purpose of assisting those skilled in the art in understanding and reading the content disclosed herein, and are not intended to limit the conditions under which the present invention can be implemented. Therefore, they have no substantial technical significance. Any modifications to the structure, changes in the proportions, or adjustments to the size, without affecting the effects and objectives that the present invention can produce, should still fall within the scope of the technical content disclosed in the present invention.
[0031] Figure 1 This is a schematic diagram of the backdoor defense processing method based on historical subspace provided in an embodiment of the present invention; Figure 2 This is a schematic diagram of the technical route for the federated learning backdoor defense processing method based on historical subspace provided in the embodiments of the present invention; Figure 3 This is a schematic diagram of energy decomposition in the federated learning backdoor defense processing method based on historical subspace provided in the embodiments of the present invention; Figure 4 This is a schematic diagram of threshold decision in the federated learning backdoor defense processing method based on historical subspace provided in the embodiments of the present invention; Figure 5 This is a schematic diagram of the architecture of a federated learning backdoor defense processing system based on historical subspace provided in an embodiment of the present invention; Figure 6 This is an electronic device architecture diagram provided in an embodiment of the present invention. Detailed Implementation
[0032] The following specific embodiments illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0033] Federated learning, as a distributed, privacy-preserving machine learning paradigm, allows multiple clients to collaboratively train a global model without sharing their local private data. The core process is as follows: clients train their models using local data, uploading only the updated model parameters to the server; the server aggregates these parameter updates from each client, iteratively optimizing the global model. This characteristic of keeping data within the client's local storage makes it highly valuable in fields with stringent data privacy requirements, such as finance, healthcare, and the Internet of Things.
[0034] However, the distributed architecture and decentralized training mode of federated learning make it highly vulnerable to backdoor attacks. Backdoor attackers typically masquerade as legitimate clients during training, aiming to implant hidden backdoor triggers while maintaining the global model's prediction performance on normal inputs. When the input data contains this specific trigger, the global model outputs a false result pre-set by the attacker. Backdoor attacks are highly stealthy; model updates uploaded by malicious clients are highly similar to those from benign clients in terms of numerical scale and statistical characteristics, making it difficult for the server to identify malicious updates through simple threshold filtering or statistical verification. Once a backdoor attack succeeds, it poses a serious threat to the reliability and security of the global model, leading to a series of problems such as privacy breaches and flawed decision-making.
[0035] To counter the threat of backdoor attacks in federated learning, existing defense methods mainly fall into three categories, all of which have significant limitations: First, there are defense methods based on robust aggregation. These methods reduce the impact of anomalous parameter updates on the global model by improving model aggregation rules, such as the Krum algorithm and median truncation algorithm. The core idea is to calculate the distance or similarity between client updates and filter out outliers with significant deviations. However, in non-independent identically distributed (Non-IID) scenarios, due to differences in local data distribution among different clients, benign updates themselves exhibit significant differences. This can cause robust aggregation methods to mistakenly classify many normal updates as anomalous updates, resulting in a high false positive rate. Furthermore, attackers can evade detection by adjusting the numerical characteristics of malicious updates to simulate the statistical patterns of benign updates.
[0036] Second, defense methods based on additional validation sets. These methods require the server to possess a trusted, clean validation dataset. By testing the impact of updates from each client on the model's performance on the validation set, it can be determined whether the updates contain backdoors. However, in practical applications, obtaining a clean validation set that represents the data distribution of each client is extremely difficult, especially in privacy-sensitive scenarios where data collection and sharing face compliance obstacles. Furthermore, under Non-IID conditions, updates from some benign clients may cause a decline in model performance due to a mismatch with the validation set distribution, leading to misjudgments as malicious updates; attackers can then exploit blind spots in the validation set distribution to easily bypass detection.
[0037] Third, defense methods based on updated statistical features. These methods directly extract statistical features of the model update vector, such as norm size and cosine similarity, and identify malicious updates by the degree of feature anomalies. However, this method has significant drawbacks: malicious updates can be scaled to a norm size similar to benign updates, rendering amplitude detection ineffective; in Non-IID scenarios, the directional differences of benign updates are large, significantly reducing the reliability of directional indicators such as cosine similarity. Furthermore, most of these methods lack strict probability control mechanisms, and threshold setting relies on human experience; inappropriate threshold selection can lead to uncontrolled false positive or false negative rates.
[0038] In summary, existing federated learning backdoor defense methods generally suffer from problems such as reliance on additional data, high false positive rates, and difficulty adapting to Non-IID data distributions. Therefore, this invention provides a federated learning backdoor defense method and system based on historical subspaces. It accurately identifies and rejects backdoor updates before aggregation, even without external clean data; achieves a low false positive rate under Non-IID conditions, and provides statistical guarantees of controllable significance / false positives; it is implemented only on the server side, with low computational and communication overhead, no client-side modifications, and is easy to deploy. The following are the specific details of the embodiments of this invention.
[0039] See Figure 1 As shown in Figure 2, this embodiment of the invention provides a federated learning backdoor defense method based on historical subspace, including the following steps: S1. The server receives the model update vector uploaded by the client; S2. The server maintains a historical benign update library and uses the benign update vectors stored in the historical benign update library to generate a low-rank subspace orthogonal basis.
[0040] S3. The server calculates the projection energy of each model update vector inside and outside the low-rank subspace, generates a suspicion index based on the projection energy, and constructs a multi-dimensional update feature vector by combining statistical features. S4. The server constructs a calibration set based on the historical benign update library, calculates the non-consistency score of the multidimensional updated feature vector using a non-consistency metric function, and then calculates the conformal feature vector based on the non-consistency score. p value; S5, The server will specify the conformal... p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. Servers S6 and S6-1 reject malicious model update vectors; S6-1 performs model aggregation using benign model update vectors and adds the benign model update vectors to the historical benign update library, thus completing the update of the historical benign update library.
[0041] In this embodiment, in step S1, at the beginning of each federated learning training round, the server broadcasts the latest global model parameters to the selected clients; each client performs a round of model training locally using its own private data and updates the trained model parameters (denoted as...). Δw The local model update vector (the difference between the local model and the global model) is sent back to the server. The server collects the model update vectors from multiple clients in this round. (where k is the client index) is used as the object to be detected.
[0042] In this embodiment, in step S2, the historical benign update library is maintained in the form of a queue, storing benign update vectors that have passed the detection within a specified time period. When the capacity of the historical benign update library exceeds a preset value, the oldest benign update vector is removed. The orthogonal basis of the low-rank subspace is obtained by performing singular value decomposition on the vectors in the historical benign update library, and the change pattern of benign model update is captured by the orthogonal basis of the low-rank subspace.
[0043] See Figure 3 The server maintains a historical, benign update repository. H This is used to store client update vectors that were deemed benign in previous rounds. This historical benign update repository reflects the distribution characteristics of recent normal updates and can be stored in a queue. Updates that pass the test (if the capacity is exceeded, the oldest data is removed to ensure that new samples in the library can reflect the distribution that may change as training progresses).
[0044] At the start of each round of detection, the benign updates received in the previous round are added to the history database. Then, a low-rank subspace is calculated using Singular Value Decomposition (SVD) on all vectors in the database. This subspace is then selected from the previous round's data. The principal component vectors are used as the base. , forming a An orthogonal subspace of dimensionality. This subspace aims to capture the main variation patterns of benign model updates. If the client's task and data distribution are relatively stable, normal updates tend to vary more significantly in certain directions of the parameter space (e.g., parameter directions related to a common learning task) and less significantly in others. Therefore, most benign updates can be approximated using a lower dimensionality. When an attacker injects a backdoor, their updates may contain new direction vectors inconsistent with historical benign behavior due to anomalous optimization objectives. The subspace extracted through 2. Historical benign pool maintenance and low-rank subspace estimation is described. The server obtains a basic reference for distinguishing between normal and abnormal updates.
[0045] In this embodiment, during step S3, when the server calculates the projection energy of each model update vector inside and outside the low-rank subspace, the projection component of the model update vector within the low-rank subspace... The calculation formula is:
[0046] In the formula, the matrix Transpose and update vector Multiplication is a coordinate transformation that projects a high-dimensional vector onto a low-dimensional subspace; then multiplication by a matrix. The low-dimensional coordinates are restored to the high-dimensional space, and the components in the subspace with the same dimension as the original vector are obtained. This is used to quantify and update the part of the vector that fits the historical benign pattern.
[0047] The orthogonal residual components of the model update vector outside the low-rank subspace The calculation formula is:
[0048] In the formula, For the first Model update vectors uploaded by each client. Let be the orthogonal basis matrix of the low-rank subspace. The orthogonal residual component is the difference between the original update vector and the projected component in the subspace, representing the portion that cannot be explained by the historical benign pattern. Changes in backdoor-related parameters caused by malicious updates are usually concentrated in this residual component.
[0049] In this embodiment, in step S3, the projected energy includes energy within the subspace and energy outside the subspace, and the formula for calculating the energy within the subspace is:
[0050] This formula calculates the squared norm of the projected components. The magnitude of the squared norm represents the energy intensity of the vector in the corresponding subspace. The greater the energy in the subspace, the more consistent the current updated vector is with the change pattern of historical benign updates, and the higher the probability of it being a normal update.
[0051] The formula for calculating the energy outside the subspace is:
[0052] In the formula, measure The magnitude of energy in the subspace of historical benign behavior. measure Abnormal energy deviating from the historical normal subspace. This formula calculates the norm square of the residual components, and its magnitude directly reflects the degree to which the update vector deviates from the historical benign pattern. Malicious updates, due to the inclusion of anomalous parameter change directions, will have significantly higher energy outside the subspace than normal updates, thus distinguishing between benign and malicious updates.
[0053] In this embodiment, during step S3, when generating a suspicion index based on the projected energy, the suspicion index is the geometric energy ratio, and the calculation formula is:
[0054] In the formula, To avoid local minima with a denominator of zero, This is used to measure the degree to which the current update deviates from the historical normal behavior pattern. The geometric energy ratio is a normalization of the energy inside and outside the subspace; it quantifies the degree of suspicion of the update by the ratio of anomalous energy outside the subspace to normal energy inside the subspace. A minimum constant is introduced. To avoid the extreme case of a denominator of zero, the formula calculation is kept stable. The larger the ratio, the higher the degree of abnormality in the update, and the more likely it is to be a malicious update.
[0055] In the process of constructing a multidimensional updated feature vector by combining statistical features, the multidimensional updated feature vector is: or Any one of them; where, Update vectors for the model The norm of the geometric energy ratio. A single geometric energy ratio index may not be able to fully cover the updated features; constructing multidimensional feature vectors can characterize the updated attributes from multiple dimensions. It directly preserves the energy information inside and outside the subspace. This approach combines the suspicion level and the overall magnitude of the update vector. Both combinations can improve the accuracy of subsequent inconsistency measurements and reduce the false positive rate in Non-IID scenarios.
[0056] In this embodiment, in step S4, during the process of the server constructing a calibration set based on the historical benign update library and calculating the inconsistency score of the multidimensional updated feature vector using an inconsistency metric function, the function value of the inconsistency metric function is the geometric energy ratio. or energy outside the subspace The larger the function value of the inconsistency metric function, the more suspicious the model update vector is.
[0057] In this embodiment, in step S4, conformal calculation is performed based on the non-conformity score. p During the value process, the conformal p value The calculation formula is:
[0058] In the formula, For the first Conformal corresponding to each client model update vector p value; The first in the historical benign update library Each updated feature vector; It is the set of feature vectors of historical benign updates, which consists of the feature vectors corresponding to all benign updates in the historical benign update library, and serves as the calibration set for conformal calibration; It is a non-consistency metric function, whose function value is used to characterize the degree of abnormality of the input feature vector deviating from the benign distribution; Historical benign feature vector The corresponding inconsistency metric; Update the feature vector for the current client under test The corresponding inconsistency metric; A collection of historical positive characteristics In the mean, the inconsistency metric is greater than or equal to The number of eigenvectors; A collection of historical positive characteristics The total number of feature vectors contained therein.
[0059] Specifically, the server introduces the concept of conformal prediction, performing statistical calibration on each updated feature to determine its anomalous significance. The specific process is as follows: Update the historical database in a positive way. H The update in the middle is calculated in the same way to obtain the set of feature vectors. (or the corresponding suspiciousness index) A set. These historical features can be considered to represent a distribution of typical benign updates, serving as a calibration set for conformal predictions. Define a function. To measure a given updated feature The "abnormality" relative to a benign distribution (also known as an inconsistency index or non-compliance score). For simplicity, the aforementioned geometric skepticism can actually be used directly, for example, let (when Contains (time) or Values that monotonically reflect abnormal risks. The principle is... A larger value indicates a more suspicious update. For multidimensional features, this invention can also use a distance metric as... For example, based on historical characteristics The distance between the new sample and the distribution is calculated as the anomaly score.
[0060] For the current client update characteristics Calculate its non-consistency score Then based on the calibration set Compute conformal Value: Conformal p value The calculation formula indicates what percentage of updates appear more suspicious than the current update among historically benign samples. If... The higher the anomaly level in the historical benign set (i.e., only a very small number of benign updates), the better. If the value is not lower than it, then The smaller the value, the less likely the current update is to conform to a benign distribution pattern.
[0061] In this embodiment, in step S5, the server will... p The specific rules for determining whether the model update vector is benign or malicious are as follows: The value is compared with a preset significance level threshold. If the conformal p If the value is less than the preset significance level threshold, the corresponding model update vector is determined to be malicious; if the conformal... p If the value is not less than the preset significance level threshold, the corresponding model update vector is determined to be benign.
[0062] See Figure 4 Specifically, the server sets a significance level threshold. (For example, 0.05 or 0.01). If the calculated value is... Less than the threshold This means at least The confidence level can be considered as If it does not originate from a normal distribution, then the degree of this update anomaly is statistically significant. Conversely, if... If the update does not significantly deviate from the normal pattern, it is considered a benign update and allowed to participate in subsequent model aggregation. Through this conformal calibration decision, this invention can guarantee a preset false positive limit under limited sample conditions, for example... This means that if all client updates are benign and independent samples, the probability of mistakenly rejecting a normal update is no more than 5%. This unified guarantee makes the defense system more interpretable and reliable in actual deployment.
[0063] In one possible embodiment, after the historical benign update library is updated in step S6, before the next round of detection, the server recalculates the orthogonal basis of the low-rank subspace based on the updated historical benign update library.
[0064] Specifically, after completing the detection and judgment, the server will process updates deemed malicious. Perform rejection handling: This means the update will not be included in this round of global model aggregation. Further measures can be taken to reduce its replacement to zero updates (equivalent to ignoring the client) or to log the client for future investigation. After removing suspicious updates, the server performs model aggregation using the remaining set of benign updates that passed the checks. After this round of aggregation is complete, the server updates the historical benign update library: accepted client updates can be added to the historical benign update library. H This enriches the pool with positive samples; rejected updates are not added to the historical database. Thus, the historical database continuously accumulates updated positive behavior data with each round, while discarding outdated samples to ensure the timeliness of the estimated subspace and calibration distribution. At the start of the next training round, the server again adjusts the data based on the updated data. Recalculate the subspace basis The detection process described above is repeated. By operating in this loop, the present invention can continuously adapt to changes in data distribution during model training and effectively intercept backdoor attack attempts that occur in each round.
[0065] The application scenarios of this invention are as follows: Healthcare Federated Learning System: The medical field contains a large amount of privacy-sensitive data scattered across different hospitals, such as electronic medical records, imaging data, and genetic data. Due to privacy regulations, this type of data cannot be directly shared across institutions; therefore, federated learning is often used to collaboratively train disease diagnostic models. This invention can be deployed on a central server for healthcare federated learning to detect and intercept malicious hospital uploads of model updates containing backdoors, preventing attackers from tampering with diagnostic results by implanting backdoors and ensuring the security and reliability of medical diagnostic models.
[0066] A Federated Learning Platform for Financial Risk Control: Financial institutions such as banks, securities firms, and insurance companies need to jointly build risk control models for anti-fraud and credit assessment. However, the user data of each institution is considered core business secrets and private information. Federated learning enables collaborative modeling where the data of each institution is "usable but not visible." This invention can defend against the risk of attackers manipulating risk control models by implanting backdoors, such as circumventing fraud detection or tampering with credit scores, ensuring the stability of financial risk control models and maintaining the security of the financial system.
[0067] Smart City IoT Federated Learning Network: Smart cities generate massive amounts of heterogeneous, distributed data from devices such as traffic cameras, environmental monitoring sensors, and smart meters. These devices collaboratively train models for traffic flow prediction and environmental quality monitoring through federated learning. Due to the large number and wide distribution of device nodes, they are vulnerable to attack and malicious model updates. This invention can be deployed on the edge server of IoT federated learning without modifying the training logic of terminal devices, effectively blocking backdoor attacks and ensuring the normal operation of smart city-related models.
[0068] Industrial Internet Federated Learning System: In industrial scenarios, equipment operation data from different factories and production lines is scattered and varies in format, representing typical Non-IID data. By training equipment fault diagnosis and production quality optimization models through federated learning, industrial production efficiency can be improved. This invention can be deployed on cloud servers in the industrial internet to detect backdoor updates uploaded by malicious nodes, preventing attackers from tampering with fault diagnosis results by implanting backdoors and avoiding industrial production accidents.
[0069] A federated learning and collaboration platform for government data: Different government departments, such as public security, taxation, and civil affairs, possess varying dimensions of citizen privacy data. Based on federated learning, models for population management and public safety early warning can be built, improving the efficiency of government services. This invention can defend against backdoor attacks and prevent malicious manipulation of models without relying on additional verification data or modifying the client-side software of each department, ensuring the security and compliance of collaborative modeling of government data.
[0070] It should be noted that the method of this embodiment can also be applied to a distributed scenario, where multiple devices cooperate to complete the task. In such a distributed scenario, one of these devices may execute only one or more steps of the method in this embodiment, and the multiple devices will interact with each other to complete the described backdoor defense processing method based on historical subspace federated learning.
[0071] It should be noted that the above description describes some embodiments of this disclosure. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims can be performed in a different order than that shown in the above embodiments and still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
[0072] See Figure 5This invention also provides a federated learning backdoor defense system based on historical subspaces, and a federated learning backdoor defense method based on historical subspaces, employing the above embodiments or any possible implementation thereof, including: The model update receiving module 100 is used for the server to receive the model update vector uploaded by the client; The historical subspace modeling module 200 is used for the server to maintain a historical benign update library and to generate a low-rank subspace orthogonal basis using the benign update vectors stored in the historical benign update library. The geometric energy calculation module 300 is used by the server to calculate the projection energy of each model update vector inside and outside the low-rank subspace, generate a suspicion index based on the projection energy, and construct a multi-dimensional update feature vector by combining statistical features. conformal p The value calculation module 400 is used by the server to construct a calibration set based on the historical benign update library, calculate the non-consistency score of the multidimensional updated feature vector through a non-consistency metric function, and then calculate the conformal feature vector based on the non-consistency score. p value; Conformal calibration decision module 500, used by the server to determine the conformal calibration decision. p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. The model aggregation and library update module 600 is used to reject malicious model update vectors, perform model aggregation using benign model update vectors, and add the benign model update vectors to the historical benign update library to complete the update of the historical benign update library.
[0073] The system described in the above embodiments is used to implement the federated learning backdoor defense processing method based on historical subspace in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiments, which will not be repeated here.
[0074] Based on the same inventive concept, corresponding to the methods of any of the above embodiments, the present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, it implements the federated learning backdoor defense processing method based on historical subspace described in any of the above embodiments.
[0075] Figure 6This embodiment illustrates a more specific hardware structure of an electronic device, which may include a processor 710, a memory 720, an input / output interface 730, a communication interface 740, and a bus 750. The processor 710, memory 720, input / output interface 730, and communication interface 740 are interconnected internally via the bus 750.
[0076] The processor 710 can be implemented using a general-purpose CPU (Central Processing Unit), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement the technical solutions provided in the embodiments of this specification.
[0077] The memory 720 can be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage device, dynamic storage device, etc. The memory 720 can store the operating system and other application programs. When the technical solutions provided in the embodiments of this specification are implemented by software or firmware, the relevant program code is stored in the memory 720 and is called and executed by the processor 710.
[0078] The input / output interface 730 is used to connect input / output modules to enable information input and output. Input / output modules can be configured as components within the device (not shown in the figure) or externally connected to the device to provide corresponding functions. Input devices may include keyboards, mice, touchscreens, microphones, various sensors, etc., while output devices may include displays, speakers, vibrators, indicator lights, etc.
[0079] The communication interface 740 is used to connect a communication module (not shown in the figure) to enable communication between this device and other devices. The communication module can communicate via wired means (such as USB, Ethernet cable, etc.) or wireless means (such as mobile network, WIFI, Bluetooth, etc.).
[0080] Bus 750 includes a pathway for transmitting information between various components of the device, such as processor 710, memory 720, input / output interface 730, and communication interface 740.
[0081] It should be noted that although the above-described device only shows the processor 710, memory 720, input / output interface 730, communication interface 740, and bus 750, in specific implementations, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will understand that the above-described device may only include the components necessary for implementing the embodiments of this specification, and not necessarily all the components shown in the figures.
[0082] The electronic devices described above are used to implement the federated learning backdoor defense processing method based on historical subspace in any of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.
[0083] Based on the same inventive concept, corresponding to the methods of any of the above embodiments, the present invention also provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the federated learning backdoor defense processing method based on historical subspace as described in any of the above embodiments.
[0084] The computer-readable medium of this embodiment includes permanent and non-permanent, removable and non-removable media, and information storage can be implemented by any method or technology. Information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transfer medium that can be used to store information accessible by a computing device.
[0085] The computer instructions stored in the storage medium of the above embodiments are used to cause the computer to execute the federated learning backdoor defense processing method based on historical subspace as described in any of the above embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.
[0086] Those skilled in the art should understand that the discussion of any of the above embodiments is merely exemplary and is not intended to imply that the scope of the invention is limited to these examples; within the framework of the invention, the technical features of the above embodiments or different embodiments can also be combined, the steps can be implemented in any order, and there are many other variations of the different aspects of the embodiments of the invention as described above, which are not provided in detail for the sake of brevity.
[0087] Additionally, to simplify the description and discussion, and to avoid obscuring the embodiments of the invention, the well-known power / ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, the apparatus may be shown in block diagram form to avoid obscuring the embodiments of the invention, and this also takes into account the fact that the details of implementation of these block diagram apparatuses are highly dependent on the platform on which the embodiments of the invention will be implemented (i.e., these details should be fully understood by those skilled in the art). While specific details (e.g., circuits) have been set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the embodiments of the invention may be implemented without these specific details or with variations thereof. Therefore, these descriptions should be considered illustrative rather than restrictive.
[0088] Although the invention has been described in conjunction with specific embodiments thereof, many substitutions, modifications, and variations of these embodiments will be apparent to those skilled in the art from the foregoing description. For example, other memory architectures (e.g., DRAM) may use the embodiments discussed.
[0089] The embodiments of this invention are intended to cover all such substitutions, modifications, and variations falling within the scope of the claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the embodiments of this invention should be included within the scope of protection of this invention.
Claims
1. A backdoor defense method based on historical subspace federated learning, characterized in that, Includes the following steps: The server receives the model update vector uploaded by the client; The server maintains a historical benign update library and uses the benign update vectors stored in the historical benign update library to generate a low-rank subspace orthogonal basis. The server calculates the projection energy of each model update vector inside and outside the low-rank subspace, generates a suspicion index based on the projection energy, and constructs a multidimensional update feature vector by combining statistical features. The server constructs a calibration set based on the historical benign update library, calculates the inconsistency score of the multidimensional updated feature vector using an inconsistency metric function, and then calculates the conformal feature vector based on the inconsistency score. p value; The server will use the conformal p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. The server rejects malicious model update vectors, performs model aggregation using benign model update vectors, and adds the benign model update vectors to the historical benign update library, thus completing the update of the historical benign update library.
2. The backdoor defense method based on historical subspace according to claim 1, characterized in that, The historical benign update library is maintained in the form of a queue, storing benign update vectors that have passed the detection within a specified time period. When the capacity of the historical benign update library exceeds a preset value, the oldest benign update vector is removed. The orthogonal basis of the low-rank subspace is obtained by performing singular value decomposition on the vectors in the historical benign update library, and the change pattern of benign model update is captured by the orthogonal basis of the low-rank subspace.
3. The backdoor defense method based on historical subspace according to claim 1, characterized in that, During the server's calculation of the projection energy of each model update vector within and outside the low-rank subspace, the projection component of the model update vector within the low-rank subspace... The calculation formula is: ; The orthogonal residual components of the model update vector outside the low-rank subspace The calculation formula is: ; In the formula, For the first Model update vectors uploaded by each client. It is an orthogonal basis matrix of a low-rank subspace.
4. The backdoor defense method based on historical subspace according to claim 3, characterized in that, The projected energy includes energy within the subspace and energy outside the subspace. The formula for calculating the energy within the subspace is as follows: ; The formula for calculating the energy outside the subspace is: ; In the formula, measure The magnitude of energy in the subspace of historical benign behavior. measure Abnormal energy that deviates from the historical normal subspace.
5. The backdoor defense method based on historical subspace according to claim 4, characterized in that, In the process of generating a suspicion index based on the projected energy, the suspicion index is the geometric energy ratio, and the calculation formula is: ; In the formula, To avoid local minima with a denominator of zero, Used to measure the degree to which the current update deviates from the historical normal behavior pattern; In the process of constructing a multidimensional updated feature vector by combining statistical features, the multidimensional updated feature vector is: or Any one of them; where, Update vectors for the model The norm of .
6. The backdoor defense method based on historical subspace according to claim 5, characterized in that, The server constructs a calibration set based on the historical benign update library. During the process of calculating the inconsistency score of the multidimensional updated feature vector using an inconsistency metric function, the function value of the inconsistency metric function is the geometric energy ratio. or energy outside the subspace The larger the function value of the inconsistency metric function, the more suspicious the model update vector is.
7. The backdoor defense method based on historical subspace according to claim 6, characterized in that, Calculate conformal features based on the non-consistency scores. p During the value process, the conformal p value The calculation formula is: ; In the formula, For the first Conformal corresponding to each client model update vector p value; The first in the historical benign update library Each updated feature vector; It is the set of feature vectors of historical benign updates, which consists of the feature vectors corresponding to all benign updates in the historical benign update library, and serves as the calibration set for conformal calibration; It is a non-consistency metric function, whose function value is used to characterize the degree of abnormality of the input feature vector deviating from the benign distribution; Historical benign feature vector The corresponding inconsistency metric; Update the feature vector for the current client under test The corresponding inconsistency metric; A collection of historical positive characteristics In the mean, the inconsistency metric is greater than or equal to The number of eigenvectors; A collection of historical positive characteristics The total number of feature vectors contained therein.
8. The backdoor defense method based on historical subspace according to claim 1, characterized in that, The server will use the conformal p The specific rules for determining whether the model update vector is benign or malicious are as follows: The value is compared with a preset significance level threshold. If the conformal p If the value is less than the preset significance level threshold, the corresponding model update vector is determined to be malicious; if the conformal... p If the value is not less than the preset significance level threshold, the corresponding model update vector is determined to be benign.
9. The backdoor defense method based on historical subspace according to claim 1, characterized in that, After the historical benign update library is updated, before the next round of detection, the server recalculates the orthogonal basis of the low-rank subspace based on the updated historical benign update library.
10. A federated learning backdoor defense processing system based on historical subspace, employing the federated learning backdoor defense processing method based on historical subspace as described in any one of claims 1 to 9, characterized in that, include: The model update receiving module is used by the server to receive model update vectors uploaded by the client; The historical subspace modeling module is used by the server to maintain a historical benign update library and to generate a low-rank subspace orthogonal basis using the benign update vectors stored in the historical benign update library. The geometric energy calculation module is used by the server to calculate the projection energy of each model update vector inside and outside the low-rank subspace, generate a suspicion index based on the projection energy, and construct a multi-dimensional update feature vector by combining statistical features. conformal p The value calculation module is used by the server to construct a calibration set based on the historical benign update library, calculate the non-consistency score of the multidimensional updated feature vector through a non-consistency metric function, and then calculate the conformal feature vector based on the non-consistency score. p value; The conformal calibration decision module is used by the server to determine the conformal calibration decision. p The value is compared with a preset significance level threshold, and the model update vector is judged to be benign or malicious based on the comparison result. The model aggregation and library update module is used by the server to reject malicious model update vectors, perform model aggregation using benign model update vectors, and add the benign model update vectors to the historical benign update library to complete the update of the historical benign update library.