Abstract
Split learning, as a new form of distributed learning, may be seriously threatened by poisoning attacks. In split learning, the training scenario involves collaborative training across multiple parties after the model has been split, which differs from the attack scenario of traditional federated learning, where clients train independently and then synchronize the model; designing an effective defense that prevents clustered poisoning attacks by malicious clients is therefore a major challenge. To address this challenge, this paper investigates the effect of client-side poisoning attacks on the intermediate features in split learning and proposes and implements a comprehensive detection and defense method: a client random grouping strategy, in which each group learns samples of designated labels, so that malicious clients cannot cluster their attack on one label; an intermediate-feature detection algorithm based on DBSCAN clustering, used to identify the malicious clients behind poisoning attacks; and a trust-based defense mechanism that reinitializes the network of clients with low trust scores, reducing the lasting influence of malicious clients on the neural network. Experimental results show that the method reduces the influence of malicious clients on the model, and is particularly effective against poisoning that strongly affects the intermediate features, offering a new idea and a practical scheme for security protection in split learning.
Split learning, as a new form of distributed learning, faces significant threats from poisoning attacks. In split learning, the training process involves collaborative training with multiple clients, which differs from traditional federated learning. Designing effective defense methods to prevent clustered poisoning attacks by malicious clients is a major challenge. To address this challenge, this research investigates the impact of client poisoning attacks on intermediate features in split learning. It proposes and implements a comprehensive detection and defense approach: a Client Randomization Strategy, which mitigates clustered attacks by malicious clients because they cannot concentrate on poisoning a particular label's samples; an Intermediate Feature Detection Algorithm based on DBSCAN clustering, which detects malicious client poisoning attacks by identifying anomalous patterns in intermediate features; and a Trust-Based Defense Mechanism, in which clients with low trustworthiness are treated as potential threats and their neural networks are reinitialized to reduce their sustained impact on the model. Experimental results demonstrate that this method reduces the impact of malicious clients on the model, especially when defending against poisoning attacks that have a significant impact on intermediate features. It offers a novel approach and practical solution for enhancing security in the field of split learning.
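The abstract describes three cooperating pieces: random client grouping with per-group label assignment, DBSCAN over the clients' cut-layer (intermediate) features to flag outliers, and a trust score that triggers reinitialization. The following is an added illustration written for this page, not code from the paper or its authors: it uses a minimal pure-Python DBSCAN, constructed 2-D per-client feature vectors (clients 6 and 7 are assumed to be the poisoners), and assumed parameter values (eps, min_samples, the trust penalty and reward, and the reinitialization threshold) that a real deployment would have to calibrate on its own feature distribution.

```python
import math
import random
from typing import Dict, List, Sequence, Set

# Constructed sample: mean activation of each client's cut-layer output in one
# round (2-D here for readability; real intermediate features are far wider).
# Clients 0-5 are benign; clients 6 and 7 are assumed to be poisoning.
CLIENT_FEATURES: Dict[int, List[float]] = {
    0: [0.10, 0.12], 1: [0.13, 0.09], 2: [0.08, 0.11],
    3: [0.11, 0.14], 4: [0.15, 0.10], 5: [0.09, 0.08],
    6: [0.90, 0.85], 7: [0.20, 0.95],
}


def _dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def dbscan(points: Dict[int, List[float]], eps: float, min_samples: int) -> Dict[int, int]:
    """Minimal DBSCAN: returns client id -> cluster label, with -1 for noise.
    A point counts itself as a neighbour, as in the usual formulation."""
    ids = list(points)
    labels: Dict[int, int] = {}

    def neighbours(i: int) -> List[int]:
        return [j for j in ids if _dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in ids:
        if i in labels:
            continue
        nb = neighbours(i)
        if len(nb) < min_samples:
            labels[i] = -1          # provisional noise; may become a border point
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels.get(j) == -1:
                labels[j] = cluster  # border point reachable from a core point
            if j in labels:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_samples:
                queue.extend(k for k in nb_j if k not in labels)
        cluster += 1
    return labels


def detect_suspicious(features: Dict[int, List[float]], eps: float = 0.1,
                      min_samples: int = 3) -> Set[int]:
    """Clients whose intermediate features fall outside every dense cluster."""
    return {cid for cid, lab in dbscan(features, eps, min_samples).items() if lab == -1}


def update_trust(trust: Dict[int, float], suspicious: Set[int],
                 penalty: float = 0.3, reward: float = 0.05) -> Dict[int, float]:
    """Assumed trust update: flagged clients lose `penalty`, others regain `reward`."""
    return {cid: max(0.0, t - penalty) if cid in suspicious else min(1.0, t + reward)
            for cid, t in trust.items()}


def clients_to_reinitialize(trust: Dict[int, float], threshold: float = 0.5) -> Set[int]:
    """Clients whose trust dropped below the (assumed) threshold get their client-side
    network weights reinitialized so earlier poisoned updates stop propagating."""
    return {cid for cid, t in trust.items() if t < threshold}


def random_groups(client_ids: Sequence[int], num_groups: int, num_classes: int,
                  seed: int) -> Dict[int, Dict[str, List[int]]]:
    """Shuffle clients into groups; group g is assigned classes g, g+num_groups, ...
    so a coalition of malicious clients cannot all concentrate on one label."""
    rng = random.Random(seed)
    ids = list(client_ids)
    rng.shuffle(ids)
    groups = {g: {"clients": [], "labels": list(range(g, num_classes, num_groups))}
              for g in range(num_groups)}
    for idx, cid in enumerate(ids):
        groups[idx % num_groups]["clients"].append(cid)
    return groups


def run_round(features: Dict[int, List[float]], trust: Dict[int, float],
              eps: float = 0.1, min_samples: int = 3, threshold: float = 0.5):
    """One detection/defense round: flag outliers, update trust, list reinit targets."""
    suspicious = detect_suspicious(features, eps, min_samples)
    trust = update_trust(trust, suspicious)
    return trust, suspicious, clients_to_reinitialize(trust, threshold)


if __name__ == "__main__":
    trust = {cid: 1.0 for cid in CLIENT_FEATURES}
    for rnd in range(1, 3):
        trust, flagged, reinit = run_round(CLIENT_FEATURES, trust)
        print(f"round {rnd}: flagged={sorted(flagged)} reinit={sorted(reinit)}")
    print(random_groups(CLIENT_FEATURES.keys(), num_groups=2, num_classes=10, seed=1))
```

Two design points matter in practice. First, DBSCAN noise means "not in a dense cluster", not "malicious": clients with genuinely non-IID data can also sit outside the main cluster, which is why the paper accumulates evidence in a trust score over rounds rather than reinitializing on a single flag. Second, eps and min_samples are scale-dependent; they have to be set from the spread of benign intermediate features (for example on a trusted validation round), and a feature space this low-dimensional only stands in for the real cut-layer width.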
Authors
卢潇
吕昕晨
付康佳
余孙全
张翔
LU Xiao; LV Xinchen; FU Kangjia; YU Sunquan; ZHANG Xiang (National Innovation Institute of Defense Technology, Academy of Military Sciences, Beijing 100071, China; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China)
Keywords
split learning
poisoning attacks
detection
defense
clustering algorithm