通過分群和異常檢測在聯邦式學習中檢測並移除後門攻擊者

Abstract

本論文提出對於聯邦式學習可能潛在的後門攻擊進行過濾與防禦的方法，此方法基於非監督式學習中的分群以及異常檢測，嘗試分辨一般參與訓練的正常客戶端與試圖埋藏後門的惡意客戶端。

在我們的實驗中使用了四種不同的資料集進行聯邦式學習訓練，其中包含了兩個圖像資料集與一個文本資料集。模型的部分圖像辨識的模型我們採用的是較為輕量、疊層較少的卷積神經網絡模型，而文本分類則採用現今較多人使用的「基於變換器的雙向編碼器表示技術」模型（依然選擇較小的預訓練模型），並在訓練過程中埋入後門、再嘗試用我們的方法將有埋入後門的客戶端進行排除。只要客戶端上傳的模型同時被分群分類在較小的群組且異常檢測偵測為異常，就會被排除在這次的模型聚合之外；然而也可以根據客戶端的數量來調整是否要擴增、複製客戶端所上傳的模型之後再進行分類。

我們對這些模型與資料做了許多不同的實驗，包含調整參與訓練的客戶端、惡意攻擊者的比例、資料集埋入後門的比例等，盡量讓我們的方法能夠在多種情況下依然能夠有效地排除攻擊者，並保留相當程度的模型表現；而使用較輕量的模型是為了減少收斂的時間、讓我們的方法能更快的展示出成果。

This paper proposes a method for filtering and defending potential backdoor attacks in federated learning. The method is based on unsupervised learning techniques such as clustering and anomaly detection, and it aims to distinguish normal clients participating in the training process from malicious clients attempting to embed backdoors.

In the experiments conducted in this paper, three different datasets were used for federated learning training, including two image datasets and one text datasets. For the image recognition model, a lightweight convolutional neural network with fewer layers was used, while for the text classification model, a transformer-based bidirectional encoder representation from transformers (BERT) model was used. Backdoors were embedded in some of the client models during training, and the proposed method was used to exclude these models during model aggregation. If a client's uploaded model is classified into a smaller cluster and detected as an anomaly during anomaly detection, it will be excluded from model aggregation. However, the number of client models can also be adjusted to decide whether to augment or duplicate the uploaded models before clustering.

Various experiments were conducted to evaluate the effectiveness of the proposed method under different conditions, such as adjusting the ratio of participating clients, the ratio of backdoor embedding, and the proportion of malicious attackers. The use of lightweight models was intended to reduce convergence time and demonstrate the results of the proposed method more quickly while preserving a reasonable level of model performance.