AF-MCDC：主动反馈的恶意客户端动态检测

IF 4.4 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-03-24 DOI:10.1016/j.comnet.2025.111234

Hongyu Du , Shouhui Zhang , Xi Xv , Yimu Ji , Sisi Shao , Fei Wu , Shangdong Liu

{"title":"AF-MCDC：主动反馈的恶意客户端动态检测","authors":"Hongyu Du , Shouhui Zhang , Xi Xv , Yimu Ji , Sisi Shao , Fei Wu , Shangdong Liu","doi":"10.1016/j.comnet.2025.111234","DOIUrl":null,"url":null,"abstract":"<div><div>Federated Learning (FL) has long been known for separating the training and model construction processes, ensuring the privacy of participating clients. However, this separation also introduces a new attack surface. Due to the decentralization feature, Federal Learning is prone to Byzantine attacks. Attackers can deliberately corrupt or malfunction one or more participants in the federated network, disrupting the overall model training process. Researchers have proposed many defense mechanisms to mitigate Byzantine attacks. Their main ideas include eliminating malicious updates that deviate from the overall distribution through similarity detection and avoiding malicious parameters using statistical characteristics. Yet, these defense mechanisms are usually passive, detection only happens on the central server, neglecting the important role of clients. Thus we propose AF-MCDC: Active Feedback-Based Malicious Client Dynamic Detection, a byzantine-robust federated learning method taking advantage of valid clients. What sets AF-MCDC apart from existing robust federated learning methods is its three-pronged defense approach. First, a detection mechanism is deployed on each client to verify the integrity of the distributed global model. If the model fails the integrity check, it will not be used to initialize the local model. On the server side, a decision is made based on the detection results uploaded by the clients, followed by performance scoring using cosine similarity among federated clients. Finally, a dynamic weighting mechanism based on client score rankings is applied to weigh the local models uploaded by all clients, effectively filtering out malicious clients Evaluation of two datasets, MNIST and CIFAR-10, demonstrates that AF-MCDC is robust against a significant portion of malicious clients. Furthermore, even when over half of the clients are malicious, AF-MCDC can still train a global model with performance comparable to the global model learned by FedAvg under non-adversarial conditions.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"263 ","pages":"Article 111234"},"PeriodicalIF":4.4000,"publicationDate":"2025-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"AF-MCDC: Active Feedback-Based Malicious Client Dynamic Detection\",\"authors\":\"Hongyu Du , Shouhui Zhang , Xi Xv , Yimu Ji , Sisi Shao , Fei Wu , Shangdong Liu\",\"doi\":\"10.1016/j.comnet.2025.111234\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Federated Learning (FL) has long been known for separating the training and model construction processes, ensuring the privacy of participating clients. However, this separation also introduces a new attack surface. Due to the decentralization feature, Federal Learning is prone to Byzantine attacks. Attackers can deliberately corrupt or malfunction one or more participants in the federated network, disrupting the overall model training process. Researchers have proposed many defense mechanisms to mitigate Byzantine attacks. Their main ideas include eliminating malicious updates that deviate from the overall distribution through similarity detection and avoiding malicious parameters using statistical characteristics. Yet, these defense mechanisms are usually passive, detection only happens on the central server, neglecting the important role of clients. Thus we propose AF-MCDC: Active Feedback-Based Malicious Client Dynamic Detection, a byzantine-robust federated learning method taking advantage of valid clients. What sets AF-MCDC apart from existing robust federated learning methods is its three-pronged defense approach. First, a detection mechanism is deployed on each client to verify the integrity of the distributed global model. If the model fails the integrity check, it will not be used to initialize the local model. On the server side, a decision is made based on the detection results uploaded by the clients, followed by performance scoring using cosine similarity among federated clients. Finally, a dynamic weighting mechanism based on client score rankings is applied to weigh the local models uploaded by all clients, effectively filtering out malicious clients Evaluation of two datasets, MNIST and CIFAR-10, demonstrates that AF-MCDC is robust against a significant portion of malicious clients. Furthermore, even when over half of the clients are malicious, AF-MCDC can still train a global model with performance comparable to the global model learned by FedAvg under non-adversarial conditions.</div></div>\",\"PeriodicalId\":50637,\"journal\":{\"name\":\"Computer Networks\",\"volume\":\"263 \",\"pages\":\"Article 111234\"},\"PeriodicalIF\":4.4000,\"publicationDate\":\"2025-03-24\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Networks\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1389128625002026\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625002026","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

长期以来，联邦学习（FL）一直以分离训练过程和模型构建过程、确保参与客户端的隐私而闻名。然而，这种分离也引入了新的攻击面。由于去中心化的特点，联邦学习很容易受到拜占庭攻击。攻击者可以故意破坏或故障联邦网络中的一个或多个参与者，从而破坏整个模型训练过程。研究人员提出了许多防御机制来减轻拜占庭式攻击。他们的主要思想包括通过相似性检测消除偏离总体分布的恶意更新，以及使用统计特征避免恶意参数。然而，这些防御机制通常是被动的，检测只发生在中心服务器上，忽略了客户端的重要作用。因此，我们提出了AF-MCDC：基于主动反馈的恶意客户端动态检测，这是一种利用有效客户端的拜占庭鲁棒联邦学习方法。AF-MCDC与现有健壮的联邦学习方法的区别在于它的三管齐下的防御方法。首先，在每个客户机上部署检测机制，以验证分布式全局模型的完整性。如果模型未通过完整性检查，则不会将其用于初始化本地模型。在服务器端，根据客户机上传的检测结果做出决策，然后使用联邦客户机之间的余弦相似性进行性能评分。最后，采用基于客户端评分排名的动态加权机制对所有客户端上传的本地模型进行加权，有效过滤掉恶意客户端。对MNIST和CIFAR-10两个数据集的评估表明，AF-MCDC对很大一部分恶意客户端具有鲁棒性。此外，即使超过一半的客户端是恶意的，AF-MCDC仍然可以训练出一个与fedag在非对抗性条件下学习到的全局模型性能相当的全局模型。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

AF-MCDC: Active Feedback-Based Malicious Client Dynamic Detection

Federated Learning (FL) has long been known for separating the training and model construction processes, ensuring the privacy of participating clients. However, this separation also introduces a new attack surface. Due to the decentralization feature, Federal Learning is prone to Byzantine attacks. Attackers can deliberately corrupt or malfunction one or more participants in the federated network, disrupting the overall model training process. Researchers have proposed many defense mechanisms to mitigate Byzantine attacks. Their main ideas include eliminating malicious updates that deviate from the overall distribution through similarity detection and avoiding malicious parameters using statistical characteristics. Yet, these defense mechanisms are usually passive, detection only happens on the central server, neglecting the important role of clients. Thus we propose AF-MCDC: Active Feedback-Based Malicious Client Dynamic Detection, a byzantine-robust federated learning method taking advantage of valid clients. What sets AF-MCDC apart from existing robust federated learning methods is its three-pronged defense approach. First, a detection mechanism is deployed on each client to verify the integrity of the distributed global model. If the model fails the integrity check, it will not be used to initialize the local model. On the server side, a decision is made based on the detection results uploaded by the clients, followed by performance scoring using cosine similarity among federated clients. Finally, a dynamic weighting mechanism based on client score rankings is applied to weigh the local models uploaded by all clients, effectively filtering out malicious clients Evaluation of two datasets, MNIST and CIFAR-10, demonstrates that AF-MCDC is robust against a significant portion of malicious clients. Furthermore, even when over half of the clients are malicious, AF-MCDC can still train a global model with performance comparable to the global model learned by FedAvg under non-adversarial conditions.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.