Noise-based global model protection federated learning system and noise-based global model protection method for defending against model theft attack in federated learning
The noise-based global model protection method addresses the vulnerabilities of federated learning by applying controlled noise to model parameters, ensuring security and resource efficiency in defending against model hijacking attacks.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Application
- Current Assignee / Owner: FOUND OF SOONGSIL UNIV IND COOP
- Filing Date: 2025-09-10
- Publication Date: 2026-06-18
AI Technical Summary
Existing federated learning systems face challenges in defending against model hijacking attacks, particularly due to the high computational complexity and resource overheads associated with homomorphic encryption, and the limitations of supported operations, which compromise the accuracy and communication efficiency of global models.
A noise-based global model protection method that intentionally applies noise to the parameters of a global model, creating corrupted models with controlled accuracy, distributed to user terminals, while ensuring the integrity of the aggregated global model through iterative learning.
Effectively defends against model hijacking attacks by keeping the accuracy of the global model shared with user terminals low, while preserving the accuracy, and therefore the usefulness, of the model delivered to the client and avoiding the computational, memory and communication overhead of homomorphic encryption.
Description
Noise-based global model protection federated learning system and noise-based global model protection method for defending against model hijacking attacks in federated learning
[0001] The present invention relates to a noise-based global model protection federated learning system and a noise-based global model protection method for defending against model hijacking attacks in federated learning. More specifically, it relates to a system and method that deliberately lower the accuracy of the global model distributed to clients by applying noise to its parameters, while guaranteeing the accuracy of the global model generated by aggregating the local models.
[0002] Figure 1 is a diagram illustrating an exemplary model hijacking attack in a crowdsourcing-based federated learning process.
[0003] As shown in Figure 1, crowdsourcing-based federated learning is a form of federated learning in which a client commissions a federated learning platform operator (the production company) to produce a model, and the operator recruits participants to train the global model.
[0004] In this process, the model is transferred many times between the platform operator and the participants. In crowdsourcing-based federated learning the global model is an important asset of the client that commissioned it, yet there is a constant risk of model theft (model hijacking) attacks in which a malicious participant steals the global model while it is being shared with all participants in every learning round.
[0005] To prevent this, a model protection method using homomorphic encryption has been proposed. Homomorphic encryption is an encryption method that allows computations to be performed even when data is encrypted; it enables the same result to be obtained by directly performing operations on the encrypted data and then decrypting it. Since this allows data to be processed securely even while encrypted, it can reduce the risk of sensitive information or models being exposed.
[0006] Model protection through homomorphic encryption is achieved by the federated learning platform operator encrypting the global model in advance using homomorphic encryption to prevent the model from being directly exposed to the participant in steps (2)-(4) of FIG. 1. First, the platform operator encrypts the entire global model, performs step (2), and delivers the encrypted global model to the participant. The participant learns this with their local data and then delivers the local model, which is in an encrypted state, back to the platform operator. The encrypted local models collected in this way are aggregated by the operator and used to update the global model. By using homomorphic encryption in this process, important information about the model is not exposed to the participant, and the model is safely learned and delivered, thereby preventing malicious model theft attacks.
[0007] However, there are several drawbacks to model training using homomorphic encryption. First, while homomorphic encryption offers powerful security features by enabling model training in an encrypted state, this method involves very high computational complexity, resulting in a significant decrease in processing speed compared to general operations; this issue can become even more severe in federated learning. Additionally, homomorphically encrypted models tend to be much larger than standard models, which can place a heavy burden on memory and storage space.
[0008] Furthermore, the operations supported by homomorphic encryption are limited depending on the type. Partially homomorphic encryption allows only one basic operation, either addition or multiplication, between encrypted data, which is a serious limitation for complex deep learning models. Fully homomorphic encryption supports arbitrary operations, but errors accumulate in the ciphertext during computation and a bootstrapping process is required to periodically reset them, which makes it very difficult to apply to complex models, particularly deep learning models such as CNNs.
[0009] In addition, homomorphic encrypted models significantly increase in data size during the encryption process. This causes a problem where communication costs increase significantly in processes (2) and (4) of Fig. 1 when transmitting the model during federated learning. This increase in communication costs can affect network performance in a large-scale distributed learning environment.
[0010] The technology forming the background of the present invention is disclosed in Korean Registered Patent No. 10-2648588 (published on March 18, 2024).
[0011] The present invention aims to provide a noise-based global model protection federated learning system and a noise-based global model protection method for defending against model hijacking attacks in federated learning, which can guarantee the accuracy of a global model created from aggregated local models while effectively defending against model hijacking attacks by intentionally lowering the accuracy of a global model distributed to user terminals through the application of noise to the parameters of a global model.
[0012] The present invention relates to a noise-based global model protection method in a federated learning system comprising a central server and a plurality of user terminals, wherein the central server generates a first and second corrupted model by adding a set noise to the first global model and subtracting the set noise from the second global model among the first and second global models created by copying the global model; distributes the parameters of the corrupted first and second models to a first group of user terminals and a second group of user terminals, respectively; the user terminals of the first group and the second group of user terminals each learn their local models based on local data using the parameters of the corrupted first model and the parameters of the corrupted second model, respectively, and individually transmit the parameters of each local model upon completion of learning to the central server; the central server updates the parameters of the client-delivered global model by aggregating the parameters of each local model and the parameters of the previous round of the client-delivered global model stored through an average method; and the central server updates the parameters of the first and second global models by aggregating the parameters of each local model through an average method.
[0013] In addition, the set noise may be random noise that follows a normal distribution with a mean of 0 and a set standard deviation.
[0014] In addition, the step of generating the first and second models may generate the contaminated first model and the contaminated second model, respectively, by updating the parameters of the first convolutional layer of the first global model by adding the set noise and updating the parameters of the first convolutional layer of the second global model by subtracting the set noise, according to the mathematical formula below.
[0015]
[0016] In addition, the central server may dynamically determine the noise intensity so that the accuracy of the first and second global models in each round does not exceed a preset upper limit.
[0017] In addition, the central server manages and updates the client-delivered global model through an embedded server-side client, and can deliver the client-delivered global model, which has completed iterative training for a set number of rounds, to the client side.
[0018] And, the present invention relates to a noise-based global model protection federated learning system, comprising: a central server that generates corrupted first and second models by adding a set noise to the first global model and subtracting the set noise from the second global model among the first and second global models created by copying a global model, and distributes the parameters of the corrupted first and second models to user terminals of a first group and user terminals of a second group, respectively; and a plurality of user terminals that individually transmit the parameters of each local model to the central server, wherein the central server updates the parameters of the client-delivered global model by aggregating the parameters of each local model and the parameters of the previous round of the client-delivered global model stored through an average method, and updates the parameters of the first and second global models by aggregating the parameters of each local model through an average method.
[0019] According to the present invention, model hijacking attacks can be effectively defended against by intentionally lowering the accuracy of a global model distributed to a user terminal by applying noise to the parameters of a global model.
[0020] Furthermore, the accuracy of the global model ultimately delivered to the client is preserved as much as possible to ensure that the model's usefulness is not compromised.
[0021] Figure 1 is a diagram illustrating an exemplary model hijacking attack in a crowdsourcing-based federated learning process.
[0022] FIG. 2 is a diagram showing the configuration of a noise-based global model protection federated learning system for defending against model hijacking attacks in federated learning according to an embodiment of the present invention.
[0023] FIG. 3 is a diagram illustrating a federated learning process for noise-based global model protection according to an embodiment of the present invention.
[0024] FIG. 4 is a diagram showing an example of applying noise to the parameters of the first convolution layer of a global model in an embodiment of the present invention.
[0025] Then, with reference to the attached drawings, embodiments of the present invention will be described in detail so that those skilled in the art can easily implement the invention. However, the present invention may be embodied in various different forms and is not limited to the embodiments described herein. Furthermore, in order to clearly explain the present invention in the drawings, parts unrelated to the explanation have been omitted, and similar parts throughout the specification have been given similar reference numerals.
[0026] Throughout the specification, when a part is described as being "connected" to another part, this includes not only cases where they are "directly connected," but also cases where they are "electrically connected" with other components interposed between them. Furthermore, when a part is described as "including" a certain component, this means that, unless specifically stated otherwise, it does not exclude other components but may include additional components.
[0027] The present invention proposes a noise-based global model protection federated learning system for defending against model hijacking attacks in federated learning, and a noise-based global model protection technique using the same. By intentionally lowering the accuracy of a global model by applying noise to its parameters on a server and distributing it to a user terminal, the present invention maintains the accuracy of the global model shared with the user terminal at a low level, while simultaneously guaranteeing the high accuracy of the global model generated from aggregated local models.
[0028] Prior to the detailed description of the present invention, the basic principles of Federated Learning are explained as follows.
[0029] Federated learning is a distributed learning method in which multiple participants train using their own local data on local devices, sending only the parameters of their trained local models to a server to aggregate and create a single global model. The biggest advantage of federated learning is that each participant's data is not transmitted to a central server but is processed only on the local device. This ensures data privacy while providing the benefit that participants' data is not directly exposed.
[0030] The specific process of federated learning can be briefly explained as follows.
[0031] First, the server distributes the initial global model to the participants. To start training, the server distributes the global model parameters in their initial state to the participants.
[0032] Next, local training is conducted. Participants train the model using their own local data based on the global model parameters received from the server. During this process, data is not transmitted to a central server, and training takes place only on the local device.
[0033] Subsequently, local model parameters are transmitted. Participants send only the parameters of the trained local model to the server. Since only parameters are transmitted instead of data, personal information is protected.
[0034] Then, the global model is updated. The server updates the global model by aggregating the parameters of the local models received from all participants using a method such as FedAvg (Federated Averaging). FedAvg is an algorithm that creates a new global model by weighted averaging the participants' model parameters.
[0035] Afterward, the above process is repeated. That is, the updated global model is redistributed to the participants, and this process is repeated several times to gradually improve the performance of the global model.
[0036] In conventional federated learning, personal data is not directly transmitted to the server, which is advantageous in terms of privacy protection, but the protection of the model itself is lacking. During the iterative learning process, participants continuously acquire global models with improved performance, and the possibility of using them maliciously remains.
[0037] To address this problem, the proposed noise-based federated learning technique uses a method of adding noise following a normal distribution to the parameters to enhance security against model hijacking attacks. This prevents the accuracy of the global model obtained by participants from becoming excessively high.
[0038] Hereinafter, a noise-based global model protection federated learning system and a noise-based global model protection technique for defending against model hijacking attacks in federated learning according to an embodiment of the present invention will be described in detail.
[0039] FIG. 2 is a diagram showing the configuration of a noise-based global model protection federated learning system for defending against model hijacking attacks in federated learning according to an embodiment of the present invention.
[0040] As shown in FIG. 2, a noise-based global model protection federated learning system for defending against model hijacking attacks in federated learning according to an embodiment of the present invention includes a central server (100) and a plurality of user terminals (200).
[0041] A central server (100) and a plurality of user terminals (200) can be connected to each other via wireless, wired, and wired / wireless networks to transmit and receive information.
[0042] A plurality of user terminals (200) correspond to user devices, i.e., clients, and represent terminals on the side of users (participants) participating in federated learning. Here, the plurality of user terminals (200) may be divided into a first group (Group 1) and a second group (Group 2). Each group may include at least one user terminal.
[0043] The central server (100) duplicates the global model into two copies, a first global model and a second global model, and adds noise to the first global model and subtracts noise from the second global model to create the noise-contaminated first model and second model, respectively.
[0044] The central server (100) can distribute the parameters of the contaminated first model and the contaminated second model to the user terminals of the first group (Group1) and the second group (Group2), respectively. In this way, the central server (100) can divide a plurality of user terminals (200) into a first group (Group1) and a second group (Group2), and deliver the first model with noise added to one group and the second model with noise subtracted to the other group.
[0045] User terminals of Group 1 can train their local models based on local data using the parameters of the contaminated first model, and user terminals of Group 2 can train their local models based on local data using the parameters of the contaminated second model. Additionally, each user terminal (200), including the first and second groups, can individually transmit the parameters of each local model that has been trained to a central server.
[0046] The central server (100) can update the parameters of the client-delivered global model by aggregating the parameters of each local model and the parameters of the previous round of the previously stored client-delivered global model through an average method. Additionally, the central server (100) can simultaneously update the parameters of the first and second global models by aggregating the parameters of each local model through an average method.
[0047] That is, in the present invention learning is conducted using three global models: the first global model, the second global model and the client-delivered global model.
[0048] This federated learning process can be repeated as many times as the number of set rounds, and depending on the round repetition, the client-delivered global model can be updated to a certain level of performance within the server-side client and finally delivered to the client. In addition, since the global model is shared with each user terminal (200) with noise applied during the federated learning process, global model hijacking attacks can be effectively defended against.
[0049] FIG. 3 is a diagram illustrating a federated learning process for noise-based global model protection according to an embodiment of the present invention, and FIG. 4 is a diagram showing an example of applying noise to the parameters of the first convolution layer of a global model in an embodiment of the present invention.
[0050] First, the central server (100) copies the stored global model into two, creating a first global model and a second global model (1).
[0051] Next, the central server (100) adds the set noise to the first global model and subtracts the set noise from the second global model, creating the contaminated first model and the contaminated second model, respectively (2).
[0052] Here, the set noise may correspond to random noise that follows a normal distribution with a mean of 0 and a set standard deviation.
[0053] Specifically, as in FIG. 3, the central server (100) updates the parameters of the first convolutional layer of the first global model by adding the random noise and updates the parameters of the first convolutional layer of the second global model by subtracting the random noise, generating the first model and the second model, respectively, by the method of Mathematical Formula 1 below.
[0054]
[0055] In this way, after generating random noise that follows a normal distribution, the central server (100) adds it to the parameters of the first convolutional layer of one copy and subtracts it from the parameters of the first convolutional layer of the other copy, as in Equation 1.
[0056] This introduces small differences into each distributed model and prevents a perfect model from being handed to the participants, while, because the same noise is added for one group and subtracted for the other, the noise contributions cancel when the local models of the two groups are averaged (exactly so before local training, for equally sized groups), so the aggregated global model is not degraded. The amount of noise is determined dynamically based on the accuracy of the global model from the immediately preceding round so that the accuracy stays below a certain level in each round. To this end, the central server (100) can dynamically determine the noise intensity so that the accuracy of the first and second models does not exceed the preset upper limit in each round.
[0057] The first global model contaminated with modified parameters (hereinafter, the contaminated first model) and the second global model contaminated with modified parameters (hereinafter, the contaminated second model) are shared between the user terminals of the first group and the user terminals of the second group.
[0058] That is, the central server (100) can distribute the parameters of the contaminated first model to the user terminals of the first group (Group1) and the parameters of the contaminated second model to the user terminals of the second group (Group2) (3).
[0059] Next, the user terminals of the first group and the user terminals of the second group each learn their local models based on local data using the parameters of the contaminated first model and the parameters of the contaminated second model, and individually transmit the parameters of each local model that have been learned to the central server (100) (4).
[0060] In this way, each of the multiple user terminals (200) performs training based on local data using the contaminated model distributed to them, and when training is completed, transmits the parameters of the local model to the central server (100). Then, the central server (100) collects the local models sent by each user terminal (200) (5).
[0061] The central server (100) updates the parameters of the client-delivered global model by aggregating the parameters of each local model with the previously stored parameters of the previous round's client-delivered global model through the Average Method (6-2).
[0062] In other words, all of the trained local models together with the previous round's client-delivered global model participate in the FedAvg algorithm to update the global model to be delivered to the client, i.e. the client-delivered global model. At this time, the central server (100) can manage and update the client-delivered global model through a built-in server-side client.
[0063] Additionally, the central server (100) can update the parameters of the first and second global models by aggregating the parameters of each local model through the Average Method (6-1). That is, a new global model can be created by separately performing the FedAvg algorithm using only the aggregated local models.
[0064] In this way, the newly created global model can return to process 1 and repeat the learning process. Additionally, the central server (100) can deliver the client-delivered global model, which has completed iterative learning for the number of set rounds, to the client.
[0065] Through this method, only global models with low accuracy during the training process are shared with participants, while the global models to be delivered to the client can maintain a certain level of model performance.
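The round just described (steps (1) to (6-2)), together with the plain FedAvg loop of paragraphs [0031] to [0035], as an added, self-contained Python simulation. This is example code written for this page, not code from the patent or its applicant. A two-feature linear regressor stands in for the network, with "layer1" playing the role of the first convolutional layer that receives the noise; all training and validation data are constructed; the server-side validation set and the doubling search for the noise intensity are assumptions (the patent states only that the intensity is chosen so the contaminated models stay at or below a preset accuracy cap); and a prediction counts as correct when it falls within a fixed tolerance of the target.

```python
# Added example (not the patent's code): noise-protected federated rounds on a toy model.
import copy
import random

TRUE_W, TRUE_B = [1.5, -2.0], 0.3   # constructed ground truth for the toy task
TOLERANCE = 0.25                    # a prediction counts as correct within this margin
ACCURACY_CAP = 0.3                  # assumed preset upper limit for contaminated models


def make_dataset(n, seed):
    """Constructed data: inputs uniform in [-1, 1]^2, noise-free linear targets."""
    rng = random.Random(seed)
    xs = [[rng.uniform(-1, 1), rng.uniform(-1, 1)] for _ in range(n)]
    return xs, [TRUE_W[0] * x[0] + TRUE_W[1] * x[1] + TRUE_B for x in xs]


def predict(model, x):
    # "layer1" stands in for the first convolutional layer, "layer2" for the rest.
    (w0, w1), (b,) = model["layer1"], model["layer2"]
    return w0 * x[0] + w1 * x[1] + b


def accuracy(model, xs, ys):
    return sum(abs(predict(model, x) - y) < TOLERANCE for x, y in zip(xs, ys)) / len(xs)


def local_train(model, xs, ys, lr=0.2, steps=25):
    """Step (4): full-batch gradient descent on MSE from the received parameters."""
    m, n = copy.deepcopy(model), len(xs)
    for _ in range(steps):
        gw0 = gw1 = gb = 0.0
        for x, y in zip(xs, ys):
            err = 2 * (predict(m, x) - y) / n
            gw0, gw1, gb = gw0 + err * x[0], gw1 + err * x[1], gb + err
        m["layer1"] = [m["layer1"][0] - lr * gw0, m["layer1"][1] - lr * gw1]
        m["layer2"] = [m["layer2"][0] - lr * gb]
    return m


def fedavg(models):
    """The patent's 'average method': unweighted FedAvg over equal-sized terminals."""
    return {layer: [sum(m[layer][i] for m in models) / len(models)
                    for i in range(len(models[0][layer]))] for layer in models[0]}


def contaminate(global_model, noise):
    """Step (2): two copies; noise added to one first layer, subtracted from the other."""
    first, second = copy.deepcopy(global_model), copy.deepcopy(global_model)
    first["layer1"] = [w + n for w, n in zip(first["layer1"], noise)]
    second["layer1"] = [w - n for w, n in zip(second["layer1"], noise)]
    return first, second


def choose_noise(global_model, val_xs, val_ys, rng, sigma=0.5, max_doublings=20):
    """Dynamic intensity rule (an assumption; the patent states only the goal):
    draw a unit-normal direction and double sigma until both contaminated
    copies score at or below ACCURACY_CAP on a server-side validation set."""
    z = [rng.gauss(0.0, 1.0) for _ in global_model["layer1"]]
    for _ in range(max_doublings):
        first, second = contaminate(global_model, [sigma * zi for zi in z])
        leaked = max(accuracy(first, val_xs, val_ys), accuracy(second, val_xs, val_ys))
        if leaked <= ACCURACY_CAP:
            return sigma, first, second, leaked
        sigma *= 2
    raise RuntimeError("noise intensity search exhausted")


def run(rounds=5, seed=1):
    """Steps (1) to (6-2) for the given number of rounds; returns one record per round."""
    rng = random.Random(seed)
    val_xs, val_ys = make_dataset(50, seed=100)          # assumed server-side validation set
    group1 = [make_dataset(40, seed=10 + i) for i in range(3)]   # Group 1 terminals
    group2 = [make_dataset(40, seed=20 + i) for i in range(3)]   # Group 2 terminals
    global_model = {"layer1": [0.0, 0.0], "layer2": [0.0]}
    client_model = copy.deepcopy(global_model)          # client-delivered global model
    history = []
    for _ in range(rounds):
        sigma, first, second, leaked = choose_noise(global_model, val_xs, val_ys, rng)
        local_models = [local_train(first, xs, ys) for xs, ys in group1]
        local_models += [local_train(second, xs, ys) for xs, ys in group2]
        client_model = fedavg(local_models + [client_model])  # (6-2): locals + previous
        global_model = fedavg(local_models)                   # (6-1): locals only
        history.append({"sigma": sigma, "leaked_acc": leaked,
                        "global_acc": accuracy(global_model, val_xs, val_ys),
                        "client_acc": accuracy(client_model, val_xs, val_ys)})
    return history


if __name__ == "__main__":
    for i, rec in enumerate(run(), 1):
        print(f"round {i}: {rec}")
```

`run()` returns, per round, the chosen intensity, the best accuracy any participant could obtain from the model it received, and the accuracies of the two server-side models; the first stays at or below the cap while the latter two recover. The symmetric assignment is what makes this work: `fedavg` of the two contaminated copies returns the clean parameters exactly, so the noise cancels in the aggregate while each group only ever sees a degraded model. The same arithmetic is the scheme's limit: the protection rests on the two groups not pooling their received models, and since noise is applied only to the first layer, every other layer reaches the participants unchanged.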
[0066] According to the present invention, noise-based federated learning can maintain nearly the same computational speed as conventional federated learning because it uses a method of simply adding or subtracting noise to specific layers of the model. Simply adding noise to parameters does not significantly affect performance during the overall training process and brings about the effect of enhancing security by consistently degrading the accuracy of the global model. In particular, compared to homomorphic encryption-based federated learning, it has a significant advantage in that it avoids the complex computational burden of homomorphic encryption, thereby enabling the efficient use of the limited resources of local devices.
[0067] In addition, the noise-based federated learning according to the present invention can maintain the same efficiency as conventional federated learning in terms of space complexity. Since the addition of noise involves making minute changes to model parameters, it does not increase the burden on memory or storage space. This enables training to proceed without additional memory usage, even when handling large-scale models or datasets.
[0068] Since the noise-based federated learning according to the present invention involves only the process of adding random noise to a specific layer of a model, computation is not limited, and implementation is also very simple compared to existing learning processes. There is no implementation complexity or additional technical requirements that arise when applying homomorphic encryption or complex security algorithms, thereby providing a security mechanism that is easier to apply.
[0069] Furthermore, the noise-based federated learning according to the present invention can maintain the same efficiency as conventional federated learning in terms of communication costs. Since the addition of noise is a simple operation, the size of the model parameters does not increase, which has the advantage of not using additional network resources during the learning process. Therefore, there is no increase in communication costs throughout the entire learning process.
[0070] According to the present invention as described above, model hijacking attacks can be effectively defended against by intentionally lowering the accuracy of the global model distributed to the user terminal by applying noise to the parameters of the global model.
[0071] Furthermore, the accuracy of the global model ultimately delivered to the client is preserved as much as possible to ensure that the model's usefulness is not compromised.
[0072] The present invention has been described with reference to embodiments illustrated in the drawings, but this is merely illustrative, and those skilled in the art will understand that various modifications and equivalent alternative embodiments are possible therefrom. Accordingly, the true technical scope of protection of the present invention should be determined by the technical spirit of the appended claims.
Claims
1. A noise-based global model protection method in a noise-based global model protection federated learning system including a central server and multiple user terminals, The above central server generates contaminated first and second models, respectively, by adding setting noise to the first global model and subtracting the setting noise from the second global model among the first and second global models created by copying the global model; A step of distributing the parameters of the contaminated first and second models to the user terminals of the first group and the user terminals of the second group, respectively; The user terminal of the first group and the user terminal of the second group each learn their local models based on local data using the parameters of the contaminated first model and the parameters of the contaminated second model, and individually transmit the parameters of each local model upon completion of learning to the central server; The above central server performs the step of updating the parameters of the client-delivered global model by aggregating the parameters of each local model and the parameters of the previous round of the previously stored client-delivered global model through an Average Method; and A noise-based global model protection method comprising the step of the central server collecting parameters of each local model through an average method and updating the parameters of the first and second global models.
2. The noise-based global model protection method of claim 1, wherein the set noise is random noise that follows a normal distribution with a mean of 0 and a set standard deviation.
3. The noise-based global model protection method of claim 1, wherein the step of generating the first and second models generates the contaminated first model and the contaminated second model, respectively, by updating the parameters of the first convolutional layer of the first global model by adding the set noise and updating the parameters of the first convolutional layer of the second global model by subtracting the set noise, according to the mathematical formula below.
4. The noise-based global model protection method of claim 3, wherein the central server dynamically determines the noise intensity so that the accuracy of the first and second global models does not exceed a preset upper limit in each round.
5. In Claim 1, A noise-based global model protection method in which the central server manages and updates the client-delivered global model through an embedded server-side client, and delivers the client-delivered global model, which has completed iterative training for a set number of rounds, to the client side.
6. In a noise-based global model-protected federated learning system, A central server that generates corrupted first and second models by adding setting noise to the first global model and subtracting the setting noise from the second global model among the first and second global models created by copying a global model, and distributes the parameters of the corrupted first and second models to the user terminals of the first group and the user terminals of the second group, respectively; and It includes a first group of user terminals that learn their local models based on local data using the parameters of the contaminated first model, and a second group of user terminals that learn their local models based on local data using the parameters of the contaminated second model, and includes a plurality of user terminals that individually transmit the parameters of each local model to the central server. The above central server is, A federated learning system that updates the parameters of the client-delivered global model by combining the parameters of each local model and the parameters of the previous round of the previously stored client-delivered global model through an average method, and updates the parameters of the first and second global models by combining the parameters of each local model through an average method.