Adaptive Gaussian Mixturebased Federated Learning Backdoor Defense Approach

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (4): 348-.

Previous Articles Next Articles

Adaptive Gaussian Mixturebased Federated Learning Backdoor Defense Approach

Xin Yuchi, Yan Hongcan, Gu Jiantao, Wang Xinyu, and Guo Yixuan

(College of Science, North China University of Science and Technology, Tangshan, Hebei 063210)
(Hebei Province Key Laboratory of Data Science and Application (North China University of Science and Technology), Tangshan, Hebei 063210)

Online:2026-04-07 Published:2026-04-07

基于自适应高斯混合的联邦学习后门防御方法

辛禹池阎红灿谷建涛王欣雨郭懿萱

(华北理工大学理学院河北唐山063210)
(河北省数据科学与应用重点实验室(华北理工大学)河北唐山063210)

通讯作者: 辛禹池硕士研究生.主要研究方向为数据安全、隐私保护. chichixin1@stu.ncst.edu.cn
作者简介:辛禹池硕士研究生.主要研究方向为数据安全、隐私保护. chichixin1@stu.ncst.edu.cn 阎红灿博士，教授.主要研究方向为网络安全、大数据分析与安全. yanhongcan@ncst.edu.cn 谷建涛硕士，副教授.主要研究方向为网络空间安全. jiantaogu@126.com 王欣雨硕士研究生.主要研究方向为大数据分析. 13172152357@163.com 郭懿萱硕士研究生.主要研究方向为虚假新闻检测. guoyixuan@stu.ncst.edu.cn
基金资助:
河北省高等教育教学改革研究与实践项目(2023GJJG226)；河北省社会科学基金项目(HB24GL059)；华北理工大学医工融合科研重点项目(ZDYG202316)

Abstract

Abstract: Aiming at the existing federated learning backdoor defense methods, which have the problems of misjudgment of abnormal client detection and are difficult to take into account the privacy protection of the client, we propose a federated learning backdoor defense approach based on adaptive Gaussian mixture model FedAGMM, which introduces Gaussian mixture model clustering at the server side, models the probability of gradient update of the client, and combines with the Bayesian information criterion to adaptively select the optimal number of clusters adaptively, so that the malicious model update is identified more accurately. Constructing a dynamic noise injection mechanism based on risk perception, adaptively adjusting the Gaussian noise intensity according to the client’s risk level. This approach minimizes interference to normal clients while safeguarding privacy. Comparison experimental results with the latest defense methods show that in the face of three kinds of backdoor attacks, PGD, PGDEDGE, and MR, the success rate of the attack is reduced by 5.80, 3.27, and 1.00 percentage points, respectively, without decreasing the accuracy of the main task, and the theoretical analysis proves that FedAGMM meets the requirements of privacy protection while reducing overall noise injection, and significantly improves the detection accuracy and privacy security.

Key words: federated learning, backdoor defense, Gaussian mixture model, differential privacy, Bayesian information criterion

摘要： 针对现有联邦学习后门防御方法存在异常客户端检测误判且难以兼顾客户端隐私保护的问题，提出一种基于自适应高斯混合模型的联邦学习后门防御方法(FedAGMM).在服务器端引入高斯混合模型聚类，对客户端梯度更新概率建模，结合贝叶斯信息准则自适应选择最优聚类数，更准确地识别恶意模型更新；构建基于风险感知的动态噪声注入机制，根据客户端风险等级自适应调整高斯噪声强度，在保障隐私的同时减少对正常客户端的干扰.与最新防御方法对比实验结果表明，在面对PGD，PGDEDGE，MR这3种后门攻击不降低主任务准确率前提下，攻击成功率分别降低了5.80，3.27，1.00个百分点，并通过理论分析证明了FedAGMM在减少总噪声注入的同时满足隐私保护的要求，显著提高检测准确性和隐私安全性.

关键词: 联邦学习, 后门防御, 高斯混合模型, 差分隐私, 贝叶斯信息准则

CLC Number:

TP309.2

辛禹池, 阎红灿, 谷建涛, 王欣雨, 郭懿萱, . 基于自适应高斯混合的联邦学习后门防御方法[J]. 信息安全研究, 2026, 12(4): 348-.

References

［1］Li Q, Wen Z, Wu Z, et al. A survey on federated learning systems: Vision, hype and reality for data privacy and protection［J］. IEEE Trans on Knowledge and Data Engineering, 2021, 35(4): 33473366［2］Yang Q, Liu Y, Chen T, et al. Federated machine learning: Concept and applications［J］. ACM Trans on Intelligent Systems and Technology, 2019, 10(2): 119［3］Bhagoji A N, Chakraborty S, Mittal P, et al. Analyzing federated learning through an adversarial lens［C］ Proc of Int Conf on Machine Learning. New York: PMLR, 2019: 634643［4］Bagdasaryan E, Veit A, Hua Y, et al. How to backdoor federated learning［C］ Proc of Int Conf on Artificial Intelligence and Statistics. New York: PMLR, 2020: 29382948［5］Fung C, Yoon C J M, Beschastnikh I. Mitigating sybils in federated learning poisoning［J］. arXiv preprint, arXiv:1808.04866, 2018［6］Biggio B, Nelson B, Laskov P. Poisoning attacks against support vector machines［J］. arXiv preprint, arXiv:1206.6389, 2012［7］刘晓迁, 许飞, 马卓, 等. 联邦学习中的隐私保护技术研究［J］. 信息安全研究, 2024, 10(3): 194201［8］Abadi M, Chu A, Goodfellow I, et al. Deep learning with differential privacy［C］ Proc of the 2016 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2016: 308318［9］Nguyen T D, Rieger P, De Viti R, et al. FLAME: Taming backdoors in federated learning［C］ Proc of the 31st USENIX Security Symposium (USENIX Security 22). Berkeley, CA: USENIX Association, 2022: 14151432［10］余晟兴, 陈泽凯, 陈钟, 等. DAGUARD: 联邦学习下的分布式后门攻击防御方案［J］. 通信学报, 2023, 44(5): 110122［11］肖迪, 余柱阳, 李敏, 等. 基于差分隐私与模型聚类的安全联邦学习方案［J］. 计算机工程与科学, 2024, 46(9): 16061615［12］Blanchard P, El Mhamdi E M, Guerraoui R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent［C］ Proc of the Advances in Neural Information Processing Systems 30 (NeurIPS 2017). New York: ACM, 2017: 119129［13］Huang S, Li Y, Chen C, et al. Multimetrics adaptively identifies backdoors in federated learning［C］ Proc of the IEEECVF Int Conf on Computer Vision (ICCV 2023). Piscataway, NJ: IEEE, 2023: 46524662［14］Huang S, Li Y, Yan X, et al. Scope: On detecting constrained backdoor attacks in federated learning［J］. IEEE Trans on Information Forensics and Security, 2025, 20: 33023315［15］Wang H, Sreenivasan K, Rajput S, et al. Attack of the tails: Yes, you really can backdoor federated learning［C］ Proc of the Advances in Neural Information Processing Systems 33 (NeurIPS 2020). San Diego, CA: Curran Associates, 2020: 1607016084

[1]	. Research on Adaptive Hierarchical Neural Network Backdoor Defense Method [J]. Journal of Information Security Reserach, 2026, 12(4): 359-.
[2]	. Federated Learning Backdoor Attack Based on Constrained Perturbation and Loss Regulation [J]. Journal of Information Security Reserach, 2026, 12(3): 210-.
[3]	. Differentially Private Text Synthesis Based on Gradient Direction Filtering [J]. Journal of Information Security Reserach, 2026, 12(3): 220-.
[4]	. A Survey on Backdoor Attacks and Defenses in Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 778-.
[5]	. Internet of Things Intrusion Detection Model Based on Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 788-.
[6]	. Double Differential Privacy Protection Algorithm Based on BP Neural Network [J]. Journal of Information Security Reserach, 2025, 11(9): 814-.
[7]	. A Privacy Budget Allocation Method Based on Differential #br# Privacy kmeans++#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 710-.
[8]	. Application Research of Differential Privacy Shuffle Model in Range Query [J]. Journal of Information Security Reserach, 2025, 11(8): 736-.
[9]	. Personalized Differential Privacy Trajectory Publishing Scheme Fusing Semantic [J]. Journal of Information Security Reserach, 2025, 11(7): 670-.
[10]	. Task Independent Privacy Protection in Personalized Federated Learning for Battery Monitoring [J]. Journal of Information Security Reserach, 2025, 11(5): 481-.
[11]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[12]	. A Federated Learning Method Resistant to Label Flip Attack [J]. Journal of Information Security Reserach, 2025, 11(3): 205-.
[13]	. A Poisoningresistant Verifiable Secure Federated Learning Scheme #br# in IoT Perception Environments#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 804-.
[14]	. A Differential Privacy Text Desensitization Method for Enhancing Semantic Consistency [J]. Journal of Information Security Reserach, 2024, 10(8): 706-.
[15]	. K-means++ Clustering Method Supporting Differential Privacy Protection in Spark Framework [J]. Journal of Information Security Reserach, 2024, 10(8): 712-.

Adaptive Gaussian Mixturebased Federated Learning Backdoor Defense Approach

基于自适应高斯混合的联邦学习后门防御方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics