Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/76813

| Field | Value |
|---|---|
| Title: | A Partial Weights Uploading Approach against Federated Learning Backdoor (以上傳部分權重的方法抵抗針對聯邦式學習的後門攻擊) |
| Author: | Wei-Che Lin (林偉哲) |
| Advisor: | Ai-Chun Pang (逄愛君) |
| Keywords: | Federated Learning, Model Poisoning Attacks, Secure Aggregation |
| Year of publication: | 2020 |
| Degree: | Master's |
| Abstract: | Federated Learning is considered one of the promising solutions to the privacy problem of large-scale deep neural network training on Internet of Things (IoT) devices, and it is communication-efficient. However, there is still a technique known as model inversion, in which sensitive data can be recovered from model weights alone. In response to those concerns, Secure Aggregation was proposed, in which the aggregator learns only the result of the merge, but not the individual models. However, backdoor attacks such as model poisoning attacks become a greater threat when Secure Aggregation is employed, since malicious models cannot be detected and excluded by anomaly detection. Therefore, in this thesis we propose an innovative Federated Learning scheme, in which we design a new mechanism called Partial Weights Uploading to mitigate model poisoning attacks while sensitive data is still protected against model inversion. We evaluate our method on image classification tasks using the CIFAR-10 and FEMNIST benchmark data. The experimental results show that the accuracy on poisoned data can be greatly reduced, and the fluctuation of the accuracy on normal data is mild. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/76813 |
| DOI: | 10.6342/NTU202003706 |
| Full-text authorization: | Not authorized |
| Appears in department: | Department of Computer Science and Information Engineering |
Files in this item:
| File | Size | Format |
|---|---|---|
| U0001-1708202011444600.pdf (not authorized for public access) | 2.43 MB | Adobe PDF |
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated by their copyright terms.
