A Survey of Privacy Attacks and Defenses in Federated Learning
WANG Kainan, ZHANG Yuhui, HOU Rui
(State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 101408, China)
Abstract:
Federated learning is an emerging distributed machine learning framework that enables data sharing and model training while protecting user privacy, and it has gradually become an important research direction in artificial intelligence. In this approach, multiple data providers jointly train a machine learning model, so that model updates and optimization are completed without exposing the raw data. In recent years, federated learning has attracted wide attention because of its broad application in fields such as healthcare and finance. However, as the technology has developed, the academic community has also proposed a variety of attacks against the federated learning framework. This paper systematically analyzes and classifies the common attack methods in federated learning. By studying the different attributes of existing attack methods in depth, it proposes a classification strategy based on attack characteristics and, on that basis, comprehensively summarizes, organizes and introduces the existing attacks. For example, according to the target of the attack, the paper divides them into model poisoning, data poisoning, membership inference and reconstruction inference attacks, among other categories. In addition, to address these vulnerabilities, the academic community has proposed multiple defense strategies within the federated learning framework. Against the various existing attack models, this paper also summarizes a series of defense strategies. These strategies are organized mainly by their defense principle and include robust aggregation, adversarial model defenses, differential privacy, and techniques such as homomorphic encryption and secure multi-party computation. By systematically summarizing and analyzing the existing defense models, this paper not only provides a clear framework for understanding current protection mechanisms but also offers new ideas for future research. For example, how to realize defense strategies of different granularities under limited resources, how to preserve the gains in model training effectiveness while compressing communication volume, and how to apply unsupervised learning to federated learning are all questions worth exploring in depth in the future.
Keywords: federated learning; privacy attack; machine learning
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.03.14
Received: 2021-02-10; Revised: 2021-03-09
Funding: This work was supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDC02010200).
Survey of Privacy Attack and Defense in Federated Learning
WANG Kainan,ZHANG Yuhui,HOU Rui
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 101408, China
Abstract:
Federated learning, as a new distributed machine learning framework, realizes data sharing and model training while protecting user privacy, and has gradually become an important research direction in the field of artificial intelligence. This method trains the machine learning model through multiple data providers, which can update and optimize the model without sharing the raw data. In recent years, federated learning has attracted much attention due to its wide application in medical, financial and other fields. However, with the continuous development of the technology, the academic community has also proposed a variety of attacks against the federated learning framework. This paper systematically analyzes and classifies the common attack methods in the field of federated learning. By studying the different attributes of existing attack methods in depth, this paper proposes a classification strategy based on attack characteristics, and summarizes, generalizes and introduces the existing attack methods according to this classification. For example, according to the target attributes of the attack method, this paper divides attacks into model poisoning, data poisoning, membership inference, reconstruction inference and other categories. In addition, to address these vulnerabilities, multiple defense strategies have been developed within the federated learning framework. This paper summarizes a series of defense strategies against the various attack models. These defense strategies are grouped mainly by their defense principle, including robust aggregation, adversarial model defenses, differential privacy methods, homomorphic encryption, secure multi-party computation and other technologies. By systematically summarizing and analyzing the existing defense models, this paper not only provides a clear framework for understanding the existing defense mechanisms, but also provides new ideas for future research. For example, how to implement defense strategies of different granularities under limited resources, how to compress communication while maintaining the improvement in model training effect, and how to apply unsupervised learning to federated learning are future research directions worthy of further exploration.
Key words:  federated learning  privacy attack  machine learning
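The abstract lists model poisoning attacks and robust aggregation among the surveyed topics. The following added Python example (not code from the paper) shows why plain federated averaging is fragile against a single scaled, sign-flipped client update and how two robust aggregators named in the survey's category, coordinate-wise median and trimmed mean, limit its effect. The client updates, the noise level and the "true" update are constructed toy values.

```python
import random
from statistics import median


def fed_avg(updates):
    """Plain federated averaging: coordinate-wise mean of all client updates."""
    dim = len(updates[0])
    return [sum(u[i] for u in updates) / len(updates) for i in range(dim)]


def coordinate_median(updates):
    """Robust aggregation: coordinate-wise median; a minority of outliers cannot move it far."""
    return [median(u[i] for u in updates) for i in range(len(updates[0]))]


def trimmed_mean(updates, trim):
    """Robust aggregation: drop the `trim` largest and smallest values per coordinate, then average."""
    out = []
    for i in range(len(updates[0])):
        vals = sorted(u[i] for u in updates)[trim:len(updates) - trim]
        out.append(sum(vals) / len(vals))
    return out


def simulate_round(n_honest=9, n_malicious=1, scale=100.0, seed=0):
    """Constructed training round: honest clients send noisy copies of a true update;
    each malicious client sends a scaled, sign-flipped update (a model poisoning attack)."""
    rng = random.Random(seed)
    true_update = [1.0, -0.5, 0.25]  # constructed "honest" direction
    honest = [[x + rng.gauss(0, 0.05) for x in true_update] for _ in range(n_honest)]
    malicious = [[-scale * x for x in true_update] for _ in range(n_malicious)]
    updates = honest + malicious
    return {
        "true": true_update,
        "fed_avg": fed_avg(updates),
        "median": coordinate_median(updates),
        "trimmed": trimmed_mean(updates, trim=n_malicious),
    }


def deviation(agg, true_update):
    """Euclidean distance between an aggregate and the true update."""
    return sum((a - t) ** 2 for a, t in zip(agg, true_update)) ** 0.5


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


if __name__ == "__main__":
    r = simulate_round()
    for name in ("fed_avg", "median", "trimmed"):
        print(f"{name:8s} deviation from true update = {deviation(r[name], r['true']):.3f}")
```

With one poisoned client out of ten, the averaged update points in the opposite direction to the honest one, while both robust aggregators stay within the honest noise band.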