一种抗标签翻转攻击的联邦学习方法

信息安全研究 ›› 2025, Vol. 11 ›› Issue (3): 205-.

一种抗标签翻转攻击的联邦学习方法

周景贤1韩威1张德栋2李志平1

1(中国民航大学计算机科学与技术学院天津300300)
2(中国铁道科学研究院集团有限公司电子计算技术研究所北京100081)

出版日期:2025-03-18 发布日期:2025-03-30
通讯作者: 韩威硕士研究生.主要研究方向为联邦学习、网络安全. 89503906@qq.com
作者简介:周景贤博士，副研究员.主要研究方向为数据安全、民航信息系统安全. jxzhou@cauc.edu.cn 韩威硕士研究生.主要研究方向为联邦学习、网络安全. 89503906@qq.com 张德栋博士，高级工程师.主要研究方向为网络安全、计算机应用技术. zhangdedong@rails.cn 李志平硕士，实验师.主要研究方向为网络与信息安全. 18322731101@126.com

A Federated Learning Method Resistant to Label Flip Attack

Zhou Jingxian1, Han Wei1, Zhang Dedong2, and Li Zhiping1

1(School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300)
2(Institute of Electronic Computing Technology, China Academy of Railway Sciences Group Co., Ltd., Beijing 100081)

Online:2025-03-18 Published:2025-03-30

摘要/Abstract

摘要： 由于联邦学习参与训练的用户自主性较高且身份难以辨别，从而易遭受标签翻转攻击，使模型从错误的标签中学习到错误的规律，降低模型整体性能.为有效抵抗标签翻转攻击，提出了一种多阶段训练模型的稀释防护联邦学习方法.该方法通过对训练数据集进行随机划分，采用稀释防护联邦学习算法将部分数据分发给参与训练的客户端，以限制客户端所拥有的数据量，避免拥有大量数据的恶意参与者对模型造成较大影响.在每次训练结束后，对该阶段中所有训练轮次的梯度通过降维算法进行梯度聚类，以便识别潜在的恶意参与者，并在下一阶段中限制其训练.同时，在每个阶段训练结束后保存全局模型参数，确保每个阶段的训练都基于上一个阶段的模型基础.在数据集上的实验结果表明，该方法在降低攻击影响的同时不损害模型准确率，并且模型收敛速度平均提升了25.2%~32.3%.

关键词: 联邦学习, 数据安全, 恶意行为, 标签翻转攻击, 防御

Abstract: Since users participating in federated learning training have high autonomy and their identities are difficult to identify, they are vulnerable to label flip attacks, causing the model to learn wrong rules from wrong labels and reducing the overall performance of the model. In order to effectively resist label flip attacks, a dilutionprotected federated learning method for multistage training models is proposed. This method randomly divides the training data set and uses a dilution protection federated learning algorithm to distribute part of the data to clients participating in the training to limit the amount of data owned by the client and avoid malicious participants with large amounts of data from causing major damage to the model. After each training session, the gradients of all training epochs in that phase are gradient clustered by a dimensionality reduction algorithm in order to identify potentially malicious actors and restrict their training in the next phase. At the same time, the global model parameters are saved after each stage of training to ensure that the training of each stage is based on the model foundation of the previous stage. Experimental results on the data set show that this method reduces the impact of attacks without damaging the model accuracy, and helps improve the convergence speed of the model.

Key words: federated learning, data security, malicious behavior, label flip attack, defense

中图分类号:

TP309.2

周景贤, 韩威, 张德栋, 李志平, . 一种抗标签翻转攻击的联邦学习方法[J]. 信息安全研究, 2025, 11(3): 205-.

参考文献

［1］McMahan B, Moore E, Ramage D, et al. Communicationefficient learning of deep networks from decentralized data［COL］ Proc of Int Conf on Artificial Intelligence and Statistics. PMLR, 2017 ［20240513］. https:proceedings.mlr.pressv54mcmahan17a.html［2］Wang Wenxin, Liu Caiyun, Yue Ziyan. Industrial Internet structure optimization based on federated learning［J］. Industry Information Security, 2022 (1): 103107［3］Bagdasaryan E, Veit A, Hua Y, et al. How to backdoor federated learning［COL］ Proc of Int Conf on Artificial Intelligence and Statistics. PMLR, 2020 ［20240513］. https:proceedings.mlr.pressv108bagdasaryan20a.html［4］Blanchard P, ElMhamdi E M, Guerraoui R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent［JOL］. Advances in Neural Information Processing Systems, 2017 ［20240513］. https:papers.nips.ccpaper_filespaper2017hashf4b9ec30ad9f68f89b29639786cb62efAbstract.html［5］Fung C, Yoon C J M, Beschastnikh I. Mitigating sybils in federated learning poisoning［J］. arXiv preprint, arXiv:1808.04866, 2018［6］Fang M, Cao X, Jia J, et al. Local model poisoning attacks to {ByzantineRobust} federated learning［C］ Proc of the 29th USENIX Security Symposium (USENIX Security 20). Berkeley, CA: USENIX Association, 2020: 16051622［7］Awan S, Luo B, Li F. Contra: Defending against poisoning attacks in federated learning［C］ Proc of the 26th European Symp on Research in Computer Security(ESORICS 2021). Berlin: Springer, 2021: 455475［8］Uprety A, Rawat D B. Mitigating poisoning attack in federated learning［C］ Proc of the 2021 IEEE Symp Series on Computational Intelligence (SSCI). Piscataway, NJ: IEEE, 2021: 17［9］Hallaji E, RazaviFar R, Saif M, et al. Label noise analysis meets adversarial training: A defense against label poisoning in federated learning［J］. KnowledgeBased Systems, 2023, 266: 110384［10］Ovi P R, Gangopadhyay A, Erbacher R F, et al. Confident federated learning to tackle label flipped data poisoning attacks［C］ Proc of the Artificial Intelligence and Machine Learning for MultiDomain Operations Applications. Bellingham, WA: SPIE, 2023: 263272［11］Tolpegin V, Truex S, Gursoy M E, et al. Data poisoning attacks against federated learning systems［C］ Proc of the 25th European Symp on Research in Computer Security (ESORICS 2020). Berlin: Springer, 2020: 480501［12］Anowar F, Sadaoui S, Selim B. Conceptual and empirical comparison of dimensionality reduction algorithms (pca, kpca, lda, mds, svd, lle, isomap, le, ica, tsne)［J］. Computer Science Review, 2021, 40: 100378［13］Schlkopf B, Smola A, Müller K R. Kernel principal component analysis［C］ Proc of Int Conf on Artificial Neural Networks. Berlin: Springer, 1997: 583588［14］Fung C, Yoon C J M, Beschastnikh I. The limitations of federated learning in sybil settings［C］ Proc of the 23rd Int Symp on Research in Attacks, Intrusions and Defenses (RAID 2020). Berlin: Springer, 2020: 301316［15］Xiao H, Rasul K, Vollgraf R. Fashionmnist: A novel image dataset for benchmarking machine learning algorithms［J］. arXiv preprint, arXiv:1708.07747, 2017

[1]	李晓东, 李慧, 赵炽野, 周苏雅, 金鑫, . 基于模分量同态加密的隐私数据联邦学习研究[J]. 信息安全研究, 2025, 11(3): 198-.
[2]	葛平原, 陈永强, 郭伟豪, 荣景峰, 刘美琦, 张玉清, . 数据跨境流动规制综述[J]. 信息安全研究, 2025, 11(2): 164-.
[3]	马嘉蔚, 武文浩, 董佳瑜, . 基于变色龙哈希的可信数据安全管理技术研究及应用[J]. 信息安全研究, 2025, 11(2): 189-.
[4]	袁光涛, 张博, 刘世哲, . 基于路侧边缘计算节点的道路交通数据安全保障研究[J]. 信息安全研究, 2024, 10(E2): 64-.
[5]	刘宏, 边雨, . 基于车路云一体化的网络安全建设方案探究[J]. 信息安全研究, 2024, 10(E2): 68-.
[6]	赵云, 宋好好, . 基于5G应用的零信任数据安全中台的设计与实现[J]. 信息安全研究, 2024, 10(E2): 77-.
[7]	胡奕涵, 宋凯, 卢海波, 陈超, 何桂, 谢亮, 吴怡, . 基于Android系统的隐私安全实时防御系统的设计和实现[J]. 信息安全研究, 2024, 10(E2): 92-.
[8]	李永刚, 任磊, 韩淞, . 新型电力系统数据安全体系建设研究[J]. 信息安全研究, 2024, 10(E2): 110-.
[9]	袁成帅, . 网络数据流动不法行为的规制[J]. 信息安全研究, 2024, 10(E2): 126-.
[10]	范晓娟, 刘玉岭, 郑雯, . 数据治理中的监管比较研究[J]. 信息安全研究, 2024, 10(E2): 162-.
[11]	王腾, 左军瑞, 霍峥, . 智能网联车时空大数据安全共享框架探究[J]. 信息安全研究, 2024, 10(E2): 204-.
[12]	林峰, 苏洋, 严申, . 水务行业数据安全防护体系建设研究与应用[J]. 信息安全研究, 2024, 10(E2): 211-.
[13]	胡震, 曹航, 刘鹏, 邱文元, . 基于蜜罐技术的网络安全主动防御体系建设实践[J]. 信息安全研究, 2024, 10(E2): 249-.
[14]	王跃, . 基于威胁建模与情报的动态化防御建设思考[J]. 信息安全研究, 2024, 10(E2): 260-.
[15]	周威, . 网络欺骗技术赋能等保2.0安全合规建设[J]. 信息安全研究, 2024, 10(E2): 272-.