
CN114266361B - Federated learning free-rider defense method and device based on model weight iteration - Google Patents


Info

Publication number: CN114266361B
Application number: CN202111657295.6A
Authority: CN (China)
Prior art keywords: model, weight, training, client, local
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114266361A
Inventors: 陈晋音, 李明俊, 刘涛, 李荣昌, 黄国瀚, 赵云波
Current assignee: Zhejiang University of Technology ZJUT
Original assignee: Zhejiang University of Technology ZJUT
Application filed by Zhejiang University of Technology ZJUT
Priority to CN202111657295.6A
Publication of CN114266361A
Application granted; publication of CN114266361B

Landscapes

  • Computer And Data Communications (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a federated learning free-rider defense method and device based on model weight iteration. The method comprises: initializing a federated learning training environment; the server sending an initial global model to each client to start federated learning training; each client saving its model parameters after training ends and calculating the update change frequency matrix F; each client uploading the model parameters and the weight change frequency matrix to the server; the server obtaining a global model through an aggregation algorithm, calculating the Euclidean distances between clients and the average change frequency of each client's weights, and marking clients whose Euclidean distance and average frequency are anomalous; the server issuing the updated global model to each client; and repeating the above, the server screening once each time parameters are uploaded, and when a client has been marked as anomalous 3 times, treating it as a free-rider attacker and removing it from the federated learning training.

Description

Federated learning free-rider defense method and device based on model weight iteration
Technical Field
The invention belongs to the field of federated learning, and particularly relates to a federated learning free-rider defense method and device based on model weight iteration.
Background
With the rise of the internet of things and edge computing, big data is often no longer held in a single place but distributed across many parties, and how to safely and effectively update and share models among multiple sites is a new challenge for existing computing methods. To solve the problems of data islands and user privacy, federated learning has emerged as a very promising solution. Its main innovation is to provide a distributed machine learning framework with privacy-preserving features, able to iteratively train a particular machine learning model in a distributed manner across thousands of participants. Because the participants do not share data, privacy is largely protected, while the training effect rivals that of centralized learning.
At present, federated learning is applied in more and more fields, but in a federated learning environment ensuring fairness is a major problem: the final aggregated model has high commercial value, which increases the risk that malicious clients try to obtain the aggregated model without holding data locally, or try to reduce the cost and overhead of local training. Such a malicious client is commonly called a free-rider attacker: it has no data locally, or only a small amount, and can still obtain a good model through federated learning, creating the unfair situation in which a low-contribution client obtains the same model as high-contribution clients. This greatly harms the interests of the other, honest clients.
Among current free-rider attacks there are some common methods. In the first, the attacker imitates a normally trained client by adding specific noise. In the second, the attacker uses the global models received in each round: instead of merely generating a random update matrix of the same dimensions as the global model, it constructs more sophisticated fake gradient updates, generated by subtracting the two most recently received global models. This second type of free-rider attack is stronger and is called the incremental weight (delta-weights) attack. Against these attack methods, the existing free-rider defenses in federated learning are mainly based either on an outlier detection mechanism, used to detect malicious attackers providing abnormal updates, or on validation against a validation dataset, which determines each client's contribution value and prevents free-riding according to that value. These methods have certain drawbacks: first, their protection is not ideal when facing multiple free-rider attacks; second, the premise of a validation dataset is itself not well suited to the data-sharing setting of federated learning.
When facing disguised free-rider attacks and multiple free-rider attacks, how to better ensure the fairness and privacy safety of federated learning has become an important concern.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a federated learning free-rider defense method and device based on model weight iteration.
In order to achieve the aim of the invention, the technical scheme of the invention is as follows: a federated learning free-rider defense method based on model weight iteration, which specifically comprises the following steps:
(1) Initializing a federated learning training environment;
(2) The server sends the initial global model to each client to start federated learning training;
(3) Each client performs federated training and generates a local model; after local training ends, the model parameters are saved and the update change frequency matrix F of the penultimate-layer weights W of the local model is calculated at each training round;
(4) The server obtains a global model through an aggregation algorithm, calculates the Euclidean distances between clients and the average change frequency of each client's weights, and marks clients whose Euclidean distance and average frequency are anomalous;
(5) The server issues the updated global model to each client and federated learning training continues;
(6) Steps (2) - (5) are repeated; each time a client uploads parameters, the server performs one screening, and when a certain client has been marked as anomalous 3 times, it is considered a free-rider attacker and is kicked out of the federated learning training.
Further, in step (3) each client performs federated training, generates a local model, and obtains the model parameters specifically as follows:
The normal clients participating in training perform each round of local training, and the updated locally trained model parameters are:

W_{t+1}^k = W_t^k − η·∇L(M^k(x), y)

where (x, y) are the data and labels in the dataset D_k, L is the cross-entropy loss function between the predicted result and the true result, η is the learning rate, W_{t+1}^k are the weight parameters of the model after local training, and W_t^k are those of the issued client local model M^k;
For a malicious client participating in training, the first three rounds proceed as normal training; after three rounds, the parameter difference between the global model M_j issued by the current server and the global model M_{j-1} issued by the server in the previous round is computed, giving the update parameter G_f of the free-rider attack client model:

G_f = M_j − M_{j-1}

This update parameter is added to the model issued by the server in the current round as a disguise, generating a new local model M_f:

M_f = M_j + G_f
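As an illustration only (this sketches the attack the method defends against, not the patented defense itself), the delta-weights disguise above can be written in Python with NumPy; the model is represented as a flat parameter vector, and all names are hypothetical:

```python
import numpy as np

def free_rider_update(m_j: np.ndarray, m_j_minus_1: np.ndarray) -> np.ndarray:
    """Delta-weights free-rider attack: fabricate a 'local' model by adding
    the difference of the last two global models to the current one."""
    g_f = m_j - m_j_minus_1   # G_f = M_j - M_{j-1}
    return m_j + g_f          # M_f = M_j + G_f, the disguised local model

# Example: two consecutive global models as flat vectors
m_prev = np.array([0.10, 0.20, 0.30])
m_curr = np.array([0.12, 0.18, 0.33])
fake_local = free_rider_update(m_curr, m_prev)
```

The fabricated update mimics the magnitude of recent global progress, which is what makes it hard to catch by looking at parameter values alone.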
Further, the step of calculating the update change frequency matrix F of the penultimate-layer weights W of the local model at each training round is specifically:
First, the weights of the penultimate layer of the local model are selected, and a matrix of zeros is initialized according to the number of weights, to record how often each weight changes during local model training;
Then, in each round of local training, the absolute value of the update of each weight is recorded;
Next, the change frequency of each weight is counted: if a weight's change value is larger than the threshold, that weight's change count for the round is increased by 1; if it is smaller than the threshold, the count is left unchanged; the frequency matrix is updated accordingly;
Finally, the overall frequency matrix of local weight changes is updated: the weight change frequency matrix of round i equals the sum of the weight change frequency matrices of the first i rounds.
Further, the model aggregation formula in step (4) is as follows:

G_{t+1} = G_t + Σ_{k=1}^{K} (n_k/n) · (L_{t+1}^k − G_t)

where G_{t+1} is the aggregated model after server-side aggregation, G_t is the aggregated model of the previous training round, L_{t+1}^k is the locally trained model of client k, and n_k/n is the model weight scaling factor.
Further, in step (4) the Euclidean distance d between clients and the average change frequency f_avg of the weights are calculated by the following formulas:

d(x, y) = sqrt( Σ_i (x_i − y_i)^2 )

where x and y are the weight change frequency matrices of two different clients;

f_avg = (1/n) · Σ_{i=1}^{n} F_i

where F_i is the number of changes of each weight in the matrix, and n is the number of weights.
The invention also provides a federated learning free-rider defense device based on model weight iteration, comprising one or more processors configured to implement the federated learning free-rider defense method based on model weight iteration described above.
The invention further provides a computer-readable storage medium having stored thereon a program which, when executed by a processor, implements the federated learning free-rider defense method based on model weight iteration described above.
The technical idea of the invention is as follows. Model weight iteration is an effective defense that starts from the difference between the training processes of a normal client and a free-rider client. A free-rider attacker can convincingly imitate the end result of a normal client's parameter changes, but because the free-rider trains without data, it can hardly imitate how a normal client's weights change during training; this is the most essential difference. The model weight update frequency therefore uses information recorded during the training process to defend against free-riding. Each time the weight update frequencies are uploaded, the server performs one screening, and because the frequencies are accumulated over rounds, the gap between normal and abnormal clients grows larger and larger. The differing change frequencies of different weights also indirectly show that a model is genuinely being trained: a model contains sensitive and insensitive neurons, so in each training round the weight updates of neurons sensitive to the input data features are larger than those of insensitive neurons. A free-rider client has no local data; without training it can hardly tell sensitive neurons from insensitive ones, and even if it could, it would still struggle to imitate a normal client's weight change frequencies and average change frequency. The defense effect of this method is therefore significant, and it can effectively defend against one or several malicious clients.
The method has the following advantages: 1) it uses the model weight change frequency to defend against free-riding, requires no validation dataset, and only needs each client to upload the change frequencies of the penultimate-layer weights, making it simple, efficient, and low-cost; 2) it has high detection accuracy: malicious clients are found by computing two indicators, the Euclidean distance between clients' weight change frequency matrices and each client's average weight change frequency; 3) the defense remains effective when a free-rider holds a small amount of data or when there are multiple free-rider attackers, and bypassing this defense is very difficult for an attacker.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the full stage of the process of the present invention;
FIG. 2 is a flow chart of the method of the present invention;
fig. 3 is a schematic view of the device of the present invention.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of the invention as detailed in the accompanying claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description is presented by way of example only and is not intended to limit the scope of the invention.
Referring to figs. 1-2, the invention provides a federated learning free-rider defense method based on model weight iteration, which comprises the following steps:
(1) Initializing a federated learning training environment;
The initialization specifically sets the total number of training rounds E, the local data D, and the total number k of devices participating in federated learning; the number of normal clients participating in training in each round is k1, and the number of malicious clients participating in training in each round is k2.
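The initialization parameters of step (1) can be collected in a small configuration object, for example (a hypothetical sketch with illustrative values, not part of the patent):

```python
from dataclasses import dataclass

@dataclass
class FLConfig:
    """Hypothetical container for the step (1) initialization parameters."""
    total_rounds: int         # overall training rounds E
    num_clients: int          # total number of devices k
    normal_per_round: int     # normal clients per round, k1
    malicious_per_round: int  # malicious clients per round, k2

cfg = FLConfig(total_rounds=100, num_clients=10,
               normal_per_round=8, malicious_per_round=2)
# Sanity check: per-round participants cannot exceed the device pool
assert cfg.normal_per_round + cfg.malicious_per_round <= cfg.num_clients
```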
(2) The server transmits the initial global model to each client to start federated learning training.
(3) Each client performs federated training and generates a local model; after local training ends, the model parameters are saved and the update change frequency matrix F of the penultimate-layer weights W of the local model is calculated at each training round. This specifically comprises the following substeps:
(3.1) Each client performs federated training and generates a local model, specifically comprising the following sub-steps:
(3.1.1) Normal clients participating in training perform each round of training normally and generate a local model M^k, while counting, during each round of training, the update frequency of the penultimate-layer weights of the model. The locally trained model parameters are updated as:

W_{t+1}^k = W_t^k − η·∇L(M^k(x), y)

where (x, y) are the data and labels in the dataset D_k, L is the cross-entropy loss function between the predicted result and the true result, η is the learning rate, W_{t+1}^k are the weight parameters of the model after local training, and W_t^k are those of the issued client local model.
(3.1.2) Considering a highly aggressive disguised free-rider, whose local client holds a small amount of data consistent with the other clients: it trains normally for the first three rounds, and after three rounds disguises itself using the parameter difference between the global model M_j issued by the current server and the global model M_{j-1} issued by the server in the previous round, while likewise counting the update frequency of the penultimate-layer weights each time. The update parameter G_f of the free-rider attack client model is:

G_f = M_j − M_{j-1};

This update parameter is added to the model issued by the server in the current round as a disguise, generating a new local model M_f:

M_f = M_j + G_f
(3.2) The update change frequency matrix F of the penultimate-layer weights W of the local model is calculated at each training round, specifically comprising the following substeps:
(3.2.1) The weights of the penultimate layer of the local model are selected, and a matrix of zeros is initialized according to the number of weights, to record how often each weight changes during each local model training.
(3.2.2) In each round of local training, the absolute value of the update of each weight is recorded. Whether a weight counts as changed is decided by a dynamic threshold TV, computed by summing the absolute values of all weight updates and dividing by the number of weights:

TV = (1/n) · Σ_{i=1}^{n} |w_i|

where n is the number of weights in the layer, and w_i is the size of the update of the i-th weight.
(3.2.3) The change frequency of each weight is counted: if a weight's change value is larger than the threshold, that weight's change count for the round is increased by 1; if it is smaller than the threshold, the count is left unchanged for the round. The frequency matrix is updated accordingly.
(3.2.4) The overall frequency matrix of local weight changes is updated as follows:

F^{(i)} = Σ_{r=1}^{i} f^{(r)}

where the weight change frequency matrix F^{(i)} of round i equals the sum of the per-round weight change frequency matrices f^{(r)} of the first i rounds.
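As an illustration only, the per-round frequency update with the dynamic threshold TV described above can be sketched as follows (NumPy; the weight layer is represented as a flat vector, and all names are hypothetical):

```python
import numpy as np

def update_frequency_matrix(freq: np.ndarray, delta_w: np.ndarray) -> np.ndarray:
    """One round of the change-frequency count for the penultimate-layer weights.

    freq    -- cumulative change-frequency matrix (initialized to zeros)
    delta_w -- this round's per-weight update (same shape as freq)
    """
    abs_update = np.abs(delta_w)
    tv = abs_update.sum() / abs_update.size        # dynamic threshold TV
    return freq + (abs_update > tv).astype(int)    # +1 where change exceeds TV

# Example over two rounds with four weights
freq = np.zeros(4, dtype=int)
freq = update_frequency_matrix(freq, np.array([0.5, 0.01, 0.02, 0.6]))
freq = update_frequency_matrix(freq, np.array([0.4, 0.02, 0.5, 0.01]))
```

Because the returned matrix is the running sum over rounds, it matches the cumulative F^{(i)} above, and a client that never trains (all updates fabricated from global deltas) accumulates a markedly different pattern.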
(4) After the local training of each client is finished, the local model parameters and the weight change frequency matrix are uploaded to the server, and the server processes them accordingly, specifically comprising the following steps:
The server obtains a global model through the aggregation algorithm from the model parameters uploaded by each terminal device, and identifies free-rider clients from the uploaded weight change frequency matrix information in order to defend against them.
(4.1) The uploaded models are aggregated; the aggregation formula is as follows:

G_{t+1} = G_t + Σ_{k=1}^{K} (n_k/n) · (L_{t+1}^k − G_t)

where G_{t+1} is the aggregated model after server-side aggregation, G_t is the aggregated model of the previous training round, L_{t+1}^k is the local model trained by a normal client or the disguised model generated by a malicious client, and n_k/n is the model weight scaling factor.
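The aggregation step can be sketched as follows (a minimal NumPy illustration under the assumption of a FedAvg-style weighted average with n_k/n scaling; all names are hypothetical):

```python
import numpy as np

def aggregate(g_t: np.ndarray, local_models: list, sizes: list) -> np.ndarray:
    """Weighted aggregation: move the previous global model G_t toward the
    uploaded local models, each scaled by its data share n_k / n."""
    n = sum(sizes)
    update = sum((n_k / n) * (l_k - g_t)
                 for l_k, n_k in zip(local_models, sizes))
    return g_t + update   # G_{t+1}

g_t = np.array([0.0, 0.0])
locals_ = [np.array([1.0, 2.0]), np.array([3.0, 4.0])]
g_next = aggregate(g_t, locals_, sizes=[1, 1])   # equal data shares
```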
(4.2) According to the weight change frequency matrices counted by the clients, the Euclidean distance d between clients and the average change frequency f_avg of the weights are calculated as:

d(x, y) = sqrt( Σ_i (x_i − y_i)^2 )

where x and y are the weight change frequency matrices of two different clients;

f_avg = (1/n) · Σ_{i=1}^{n} F_i

where F_i is the number of changes of the i-th weight in the matrix, and n is the number of weights.
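The two anomaly indicators can be computed as follows (a minimal NumPy sketch; names are hypothetical):

```python
import numpy as np

def euclidean_distance(x: np.ndarray, y: np.ndarray) -> float:
    """d: Euclidean distance between two clients' change-frequency matrices."""
    return float(np.sqrt(np.sum((x - y) ** 2)))

def average_frequency(f: np.ndarray) -> float:
    """f_avg: mean of the per-weight change counts F_i."""
    return float(f.sum() / f.size)

# Example: an honest client x vs. a free-rider-like client y
x = np.array([3, 2, 4])
y = np.array([0, 1, 0])
d = euclidean_distance(x, y)
f_avg = average_frequency(y)
```

A large d against the other clients, combined with a low f_avg, is the signature the server flags as anomalous.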
(4.3) The server marks the clients whose Euclidean distance and average frequency are anomalous.
(5) The server issues the updated global model to each client, and federated learning training continues.
(6) Steps (2) - (5) are repeated; each time the clients upload parameters, the server performs one screening, and when a certain client has been marked as anomalous 3 times, it is considered a free-rider attacker and is kicked out of the federated learning training.
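The screening-and-removal bookkeeping of step (6) can be sketched as follows (a hypothetical server-side helper, not part of the patent text):

```python
from collections import defaultdict

class FreeRiderScreen:
    """Server-side bookkeeping: a client flagged as anomalous `max_marks`
    times is treated as a free-rider and removed from training."""

    def __init__(self, max_marks: int = 3):
        self.max_marks = max_marks
        self.marks = defaultdict(int)   # client_id -> anomaly count
        self.kicked = set()             # clients removed from training

    def mark(self, client_id) -> bool:
        """Record one anomaly flag; return True if the client is now removed."""
        if client_id in self.kicked:
            return True
        self.marks[client_id] += 1
        if self.marks[client_id] >= self.max_marks:
            self.kicked.add(client_id)
        return client_id in self.kicked

screen = FreeRiderScreen()
screen.mark("c7")
screen.mark("c7")
kicked = screen.mark("c7")   # third mark: client removed from training
```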
In the embodiment of the invention, four attack scenarios are considered to test the defense method:
In the first, the free-rider holds no data and imitates normal client training by adding specific random noise;
In the second, the free-rider holds no data, and the attacker disguises itself by adding the parameter difference between the currently issued global model M_j and the global model M_{j-1} issued in the previous round;
In the third, the free-rider holds a small amount of data, trains normally for the first three rounds, and then disguises itself by adding the parameter difference between the currently issued global model M_j and the global model M_{j-1} issued in the previous round;
In the fourth, the scenario contains multiple free-rider attackers.
In tests against these four free-rider attacks, the experimental results show that the frequency matrices of disguised free-riders differ greatly from those of honest clients, and their Euclidean distances are anomalous. Meanwhile, the average frequency of the free-riders is smaller overall than that of honest clients. When the server performs anomaly screening, it can easily identify the malicious clients from these two indicators, and the defense effect is significant.
Corresponding to the embodiment of the federated learning free-rider defense method based on model weight iteration, the invention also provides an embodiment of a federated learning free-rider defense device based on model weight iteration.
Referring to fig. 3, the federated learning free-rider defense device based on model weight iteration provided by the embodiment of the invention comprises one or more processors configured to implement the federated learning free-rider defense method based on model weight iteration of the above embodiment.
The embodiment of the device can be applied to any apparatus with data processing capability, such as a computer. The device embodiment may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the device in the logical sense is formed by the processor of the apparatus reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, fig. 3 shows a hardware structure diagram of an apparatus in which the device is located; in addition to the processor, memory, network interface, and non-volatile memory shown in fig. 3, the apparatus generally includes other hardware according to its actual function, which is not described here again.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, since they essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units described as separate may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purposes of the invention. Those of ordinary skill in the art will understand and implement the invention without undue burden.
The embodiment of the invention also provides a computer-readable storage medium on which a program is stored; when executed by a processor, the program implements the federated learning free-rider defense method based on model weight iteration of the above embodiment.
The computer-readable storage medium may be an internal storage unit, such as a hard disk or memory, of any of the data processing apparatuses described in the previous embodiments. It may also be an external storage device of the apparatus, such as a plug-in hard disk, a Smart Media Card (SMC), an SD card, or a flash card provided on the apparatus. Further, the computer-readable storage medium may include both the internal storage unit and an external storage device of the apparatus. It is used to store the computer program and the other programs and data required by the apparatus, and may also be used to temporarily store data that has been output or is to be output.
In summary, the federated learning free-rider defense method based on model weight iteration provided by the invention uses the model weight update frequency to defend against free-rider attacks, an effective defense that starts from the model training process. A free-rider attacker can imitate the end result of a normal client's parameter changes well, but can hardly imitate how those parameters change during training. The model weight update frequency is maintained by each local client recording whether the change of every penultimate-layer weight exceeds a set dynamic threshold, thereby defending against free-riding. The defense performs one screening of abnormal clients each time the clients upload information, and in a free-rider environment the gap in model weight update frequency between normal and abnormal clients grows larger and larger. The defense effect is significant, and single or multiple malicious free-rider clients can be effectively defended against.
The foregoing is merely a detailed description of preferred embodiments of the invention and is not intended to limit the invention to the embodiments described; any changes, additions, substitutions and equivalents made within the scope of the invention are intended to be included within its scope.

Claims (5)

1.一种基于模型权重更迭的联邦学习搭便车防御方法,其特征在于,具体包括以下步骤:1. A federated learning free-rider defense method based on model weight iteration, characterized by comprising the following steps: (1)初始化联邦学习训练环境;(1) Initialize the federated learning training environment; (2)服务器将初始的全局模型下发给各个客户端,开始联邦学习训练;(2) The server sends the initial global model to each client and starts federated learning training; (3)各个客户端进行联邦训练,并生成本地模型,在本地训练结束后,保存模型参数并计算本地模型倒数第二层的权重W在每次训练时的更新变化频率F矩阵;(3) Each client performs federated training and generates a local model. After the local training is completed, the model parameters are saved and the update change frequency F matrix of the weight W of the second-to-last layer of the local model during each training is calculated; 步骤(3)中各个客户端进行联邦训练,并生成本地模型,得到模型参数的步骤具体为:In step (3), each client performs federated training and generates a local model. The specific steps for obtaining model parameters are as follows: 参与训练的正常客户端,进行每轮训练,得到更新的本地训练的模型参数为:Normal clients participating in the training perform each round of training and obtain updated local training model parameters as follows: 其中,(x,y)分别是Dk数据集中的数据和标签,L用来计算预测结果与真实结果的交叉熵损失函数,为本地训练后模型的权重参数,为下发的后的客户端本地模型;Among them, (x, y) are the data and labels in the D k dataset, and L is used to calculate the cross entropy loss function between the predicted results and the true results. After local training The weight parameters of the model, The client local model after being sent; 参与训练的恶意客户端,前三轮正常的训练,三轮后通过添加当前服务器下发的全局模型Mj和上一轮服务器下发的全局模型Mj-1参数差;得到搭便车攻击客户端模型的更新参数Gf为:The malicious client participating in the training has normal training in the first three rounds. 
After three rounds, the updated parameter Gf of the free-rider attack client model is obtained by adding the global model Mj sent by the current server and the global model Mj-1 sent by the server in the previous round: Gf=Mj-Mj-1 GfMj - Mj-1 将更新参数添加到本轮服务器下发的模型中进行伪装;生成新的本地模型公式如下:Add the updated parameters to the model sent by the server in this round for disguise; generate a new local model The formula is as follows: 所述计算本地模型倒数第二层的权重W在每次训练时的更新变化频率F矩阵的步骤具体为:The step of calculating the update change frequency F matrix of the weight W of the penultimate layer of the local model during each training is specifically as follows: 首先选取本地模型倒数第二层的权重,根据权重数量初始化一个数值全为0的矩阵用来记录每次本地模型训练时的权重变化频率次数;First, select the weights of the second-to-last layer of the local model, and initialize a matrix with all values of 0 according to the number of weights to record the frequency of weight changes during each local model training; 然后本地训练每一轮记录每个权重在每轮训练中的更新参数的绝对值;对所有权重更新参数的绝对值求和并除以权重个数来计算动态阈值TV;Then, in each round of local training, the absolute value of the updated parameters of each weight in each round of training is recorded; the absolute values of all weight update parameters are summed and divided by the number of weights to calculate the dynamic threshold TV; 再统计每个权重的变化频率,权重变化数值大于阈值则本轮该权重变化频次加1,小于阈值则本轮该权重变化频次不变,以此更新频率矩阵;Then count the change frequency of each weight. If the weight change value is greater than the threshold, the weight change frequency of this round is increased by 1. If it is less than the threshold, the weight change frequency of this round remains unchanged, and the frequency matrix is updated accordingly. 最后更新本地权重变化的总体频率矩阵,第i轮的权重变化频率矩阵等于前i轮的权重变化频率矩阵的总和;Finally, the overall frequency matrix of local weight changes is updated. The frequency matrix of weight changes in the i-th round is equal to the sum of the frequency matrices of weight changes in the previous i rounds. 
(4) After local training is completed, each client uploads its local model parameters and weight change frequency matrix to the server. The server obtains the global model through an aggregation algorithm, computes the Euclidean distance between clients and the average change frequency of each client's weights, and marks the clients whose Euclidean distance or average frequency is abnormal.

(5) The server distributes the updated global model to each client, and federated learning training continues.

(6) Steps (2)–(5) above are repeated. Each time a client uploads parameters, the server performs a screening; when a client has been marked as abnormal 3 times, it is regarded as a free-rider attacker and is removed from the federated learning training.

2. The federated learning free-rider defense method based on model weight iteration according to claim 1, characterized in that the model aggregation formula described in step (4) is as follows:

G_{t+1} = G_t + Σ_{k=1}^{K} (n_k / n)(w_{t+1}^k − G_t)

where G_{t+1} is the aggregated model after server-side aggregation, G_t is the aggregated model after the previous round of training, w_{t+1}^k is the locally trained model of client k, and n_k / n is the model weight scaling factor.

3.
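The server-side loop of steps (4)–(6) can be sketched as below: aggregate client models with per-client weight scaling, add a strike for each client flagged as abnormal, and evict any client that accumulates three strikes. This is a hedged sketch; the names and the toy anomaly input are illustrative, not the patent's exact detector.

```python
import numpy as np

def aggregate(global_model, client_models, client_sizes):
    """Weighted aggregation in the spirit of claim 2:
    G_{t+1} = G_t + sum_k (n_k / n) * (w_k - G_t)."""
    n = sum(client_sizes)
    update = sum((nk / n) * (w - global_model)
                 for w, nk in zip(client_models, client_sizes))
    return global_model + update

def screen(strikes, flagged_ids, threshold=3):
    """Add one strike per flagged client; return clients to evict."""
    for cid in flagged_ids:
        strikes[cid] = strikes.get(cid, 0) + 1
    return {cid for cid, s in strikes.items() if s >= threshold}

# Toy run: client 1 is flagged in three consecutive screenings and evicted.
strikes = {}
evicted = set()
for _ in range(3):
    evicted = screen(strikes, flagged_ids=[1])
print(evicted)  # {1}
```

With equal client sizes the aggregation reduces to a plain average of the client models, which matches the usual federated averaging behavior.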
The federated learning free-rider defense method based on model weight iteration according to claim 1, characterized in that in step (4) the Euclidean distance d between clients and the average change frequency f_avg of each client's weights are computed with the following formulas:

d(x, y) = sqrt( Σ_{i=1}^{n} (x_i − y_i)^2 )

where x and y are the weight change frequency matrices of two different clients;

f_avg = (1/n) Σ_{i=1}^{n} F_i

where F_i is the number of changes of each weight in the matrix and n is the number of weights.

4. A federated learning free-rider defense device based on model weight iteration, characterized in that it comprises one or more processors configured to implement the federated learning free-rider defense method based on model weight iteration according to any one of claims 1–3.

5. A computer-readable storage medium on which a program is stored, characterized in that, when the program is executed by a processor, it implements the federated learning free-rider defense method based on model weight iteration according to any one of claims 1–3.
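The two screening statistics of claim 3 can be sketched as follows (a minimal NumPy sketch; function names are illustrative). A free-rider that merely replays global-model deltas produces weights that rarely exceed the dynamic threshold, so both statistics come out abnormally low.

```python
import numpy as np

def euclidean_distance(fx, fy):
    """d(x, y) = sqrt(sum_i (x_i - y_i)^2) between two frequency matrices."""
    return float(np.sqrt(np.sum((fx - fy) ** 2)))

def average_change_frequency(freq):
    """f_avg = (1/n) * sum_i F_i over the n weights in the matrix."""
    return float(freq.sum() / freq.size)

fa = np.array([[3, 1], [2, 2]])   # a normal client's frequency matrix
fb = np.array([[0, 0], [0, 0]])   # a free-rider's weights barely change
print(euclidean_distance(fa, fb))     # sqrt(9 + 1 + 4 + 4) = sqrt(18)
print(average_change_frequency(fb))   # 0.0 -> abnormally low, gets marked
```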
CN202111657295.6A 2021-12-30 2021-12-30 Federated learning free-rider defense method and device based on model weight iteration Active CN114266361B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111657295.6A CN114266361B (en) 2021-12-30 2021-12-30 Federated learning free-rider defense method and device based on model weight iteration


Publications (2)

Publication Number Publication Date
CN114266361A (en) 2022-04-01
CN114266361B (en) 2024-12-13

Family

ID=80832037

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111657295.6A Active CN114266361B (en) 2021-12-30 2021-12-30 Federated learning free-rider defense method and device based on model weight iteration

Country Status (1)

Country Link
CN (1) CN114266361B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114900343B (en) * 2022-04-25 2023-01-24 西安电子科技大学 Abnormal traffic detection method of IoT devices based on clustering federated learning
CN114882573B (en) * 2022-06-06 2025-04-08 浙江工业大学 A facial recognition method and device based on personalized federated learning
CN115062775B (en) * 2022-06-27 2025-02-18 南京理工大学 A method for assigning user weights in federated learning based on explainable machine learning
CN115081002B (en) * 2022-06-28 2024-05-14 西安电子科技大学 Aggregation server selection method for decentralised federal learning
CN115329885B (en) * 2022-08-23 2025-07-29 浙江工业大学 Personalized federal learning method and device based on privacy protection
CN115408377A (en) * 2022-08-29 2022-11-29 北京智源人工智能研究院 A method and device for constructing a large medical imaging model based on federated learning
CN115907029B (en) * 2022-11-08 2023-07-21 北京交通大学 Defense method and system for federated learning poisoning attack
CN116028933A (en) * 2022-12-30 2023-04-28 浙江工业大学 A federated learning poisoning defense method and device based on feature training
CN117094410B (en) * 2023-07-10 2024-02-13 西安电子科技大学 A model repair method for poisoning-damaged federated learning
CN117077192B (en) * 2023-07-28 2024-07-05 浙江大学 Method and device for defending attack of taking and riding in federal study with privacy protection
CN117252234B (en) * 2023-11-16 2024-03-01 之江实验室 A strategy generation method and device based on non-cooperative game
CN120031108B (en) * 2025-04-21 2025-07-22 湖南科技大学 Robust federal learning method for image classification

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112668726A (en) * 2020-12-25 2021-04-16 中山大学 Personalized federal learning method with efficient communication and privacy protection
CN113411329A (en) * 2021-06-17 2021-09-17 浙江工业大学 DAGMM-based federated learning backdoor attack defense method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111768008B (en) * 2020-06-30 2023-06-16 平安科技(深圳)有限公司 Federal learning method, apparatus, device, and storage medium


Also Published As

Publication number Publication date
CN114266361A (en) 2022-04-01

Similar Documents

Publication Publication Date Title
CN114266361B (en) Federated learning free-rider defense method and device based on model weight iteration
CN108243191B (en) Risk behavior recognition methods, storage medium, equipment and system
CN113901405B (en) Watermark detection method and system based on federal learning model and electronic equipment
CN113157434B (en) Method and system for exciting user nodes of transverse federal learning system
CN107070940B (en) A method and device for judging malicious login IP addresses from streaming login logs
Zheng et al. WMDefense: Using watermark to defense byzantine attacks in federated learning
CN107563798A (en) Prize-winning data processing method and device
CN118734213A (en) A privacy-preserving graph federation node anomaly detection method
CN116861994A (en) A privacy-preserving federated learning method that resists Byzantine attacks
CN116049816B (en) A Verifiable and Secure Federated Learning Method Based on Blockchain
CN117151210A (en) A method, system, equipment and medium for building a robust federated learning model
CN118940821A (en) Privacy-preserving federated learning method based on the principle of least privilege
CN107070954B (en) Anonymous-based trust evaluation method
CN116028933A (en) A federated learning poisoning defense method and device based on feature training
CN114417394A (en) Blockchain-based data storage method, device, device and readable storage medium
CN114036566A (en) Verifiable Federated Learning Method and Device Based on Blockchain and Lightweight Commitment
CN112100628A (en) Method and device for protecting neural network model security
CN115310137B (en) Secrecy method and related device of intelligent settlement system
CN110830809A (en) Video content heat determination method, electronic device and storage medium
CN113051177B (en) Test method and device
CN104092564B (en) A kind of cloud storage service credit assessment method
CN114553517A (en) Nonlinear weighted network security assessment method, device, equipment and storage medium
CN114155017A (en) Method, device, medium and equipment for identifying update user
CN113297054A (en) Method and device for acquiring test flow set and storage medium
CN106228452B (en) Social network information propagation history ordering method based on causal inference

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant