联合学习中的后门攻击和防御：现状、分类和未来方向

IF 10.9 1区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Wireless Communications Pub Date : 2023-04-01 DOI:10.1109/MWC.017.2100714

Xueluan Gong, Yanjiao Chen, Qian Wang, Weihan Kong

{"title":"联合学习中的后门攻击和防御：现状、分类和未来方向","authors":"Xueluan Gong, Yanjiao Chen, Qian Wang, Weihan Kong","doi":"10.1109/MWC.017.2100714","DOIUrl":null,"url":null,"abstract":"The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.","PeriodicalId":13342,"journal":{"name":"IEEE Wireless Communications","volume":"30 1","pages":"114-121"},"PeriodicalIF":10.9000,"publicationDate":"2023-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":"{\"title\":\"Backdoor Attacks and Defenses in Federated Learning: State-of-the-Art, Taxonomy, and Future Directions\",\"authors\":\"Xueluan Gong, Yanjiao Chen, Qian Wang, Weihan Kong\",\"doi\":\"10.1109/MWC.017.2100714\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.\",\"PeriodicalId\":13342,\"journal\":{\"name\":\"IEEE Wireless Communications\",\"volume\":\"30 1\",\"pages\":\"114-121\"},\"PeriodicalIF\":10.9000,\"publicationDate\":\"2023-04-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"15\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE Wireless Communications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1109/MWC.017.2100714\",\"RegionNum\":1,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Wireless Communications","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/MWC.017.2100714","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 15

摘要

联邦学习框架是为在数千参与者中大规模分布式训练深度学习模型而设计的，而不会损害其训练数据集的隐私。跨参与者的训练数据集通常具有异构数据分布。此外，中央服务器聚合由不同方提供的更新，但不知道如何创建这些更新。联邦学习的固有特性可能会引起严重的安全问题。恶意参与者可以上传有毒的更新以将后门功能引入全局模型，其中后门全局模型会将所有恶意图像(即附加后门触发器)错误分类为错误标签，但在没有后门触发器的情况下会正常运行。在这项工作中，我们对联邦学习中最先进的后门攻击和防御进行了全面的回顾。我们将现有的后门攻击分为数据投毒攻击和模型投毒攻击两类，并将防御分为异常更新检测、鲁棒联邦训练和后门模型恢复。我们通过实验对攻击和防御进行了详细的比较。最后，我们指出了联邦学习框架中后门攻击和防御的各种潜在未来方向。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Backdoor Attacks and Defenses in Federated Learning: State-of-the-Art, Taxonomy, and Future Directions

The federated learning framework is designed for massively distributed training of deep learning models among thousands of participants without compromising the privacy of their training datasets. The training dataset across participants usually has heterogeneous data distributions. Besides, the central server aggregates the updates provided by different parties, but has no visibility into how such updates are created. The inherent characteristics of federated learning may incur a severe security concern. The malicious participants can upload poisoned updates to introduce backdoored functionality into the global model, in which the backdoored global model will misclassify all the malicious images (i.e., attached with the backdoor trigger) into a false label but will behave normally in the absence of the backdoor trigger. In this work, we present a comprehensive review of the state-of-the-art backdoor attacks and defenses in federated learning. We classify the existing backdoor attacks into two categories: data poisoning attacks and model poisoning attacks, and divide the defenses into anomaly updates detection, robust federated training, and backdoored model restoration. We give a detailed comparison of both attacks and defenses through experiments. Lastly, we pinpoint a variety of potential future directions of both backdoor attacks and defenses in the framework of federated learning.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

IEEE Wireless Communications 工程技术-电信学

CiteScore

24.20

自引率

1.60%

发文量

183

审稿时长

6-12 weeks

期刊介绍： IEEE Wireless Communications is tailored for professionals within the communications and networking communities. It addresses technical and policy issues associated with personalized, location-independent communications across various media and protocol layers. Encompassing both wired and wireless communications, the magazine explores the intersection of computing, the mobility of individuals, communicating devices, and personalized services. Every issue of this interdisciplinary publication presents high-quality articles delving into the revolutionary technological advances in personal, location-independent communications, and computing. IEEE Wireless Communications provides an insightful platform for individuals engaged in these dynamic fields, offering in-depth coverage of significant developments in the realm of communication technology.