Cite this article
  • Hu Meng Die, Wang Na, Huang Bai Dong, Wang Kai Yuan, Liu Ao Di, Du Xue Hui. IQR-Based Dynamic Defense Against Poisoning Attacks in Federated Learning [J]. Journal of Cyber Security, accepted.


IQR-Based Dynamic Defense Against Poisoning Attacks in Federated Learning
Hu Meng Die, Wang Na, Huang Bai Dong, Wang Kai Yuan, Liu Ao Di, Du Xue Hui
(Information Engineering University)
Abstract:
With the widespread application of federated learning in edge computing environments, defending against poisoning attacks on non-independent and identically distributed (Non-IID) data has become a key challenge. However, existing defense schemes against poisoning attacks suffer from insufficient comprehensive protection and high computational complexity. To address this, this paper proposes IQR-DDPA (IQR-Based Dynamic Defense Against Poisoning Attacks in Federated Learning), a dynamic defense scheme built on the interquartile range (IQR). The scheme adopts a "detection-trimming-noising" defense architecture and designs an IQR-based adaptive detection method for anomalous updates together with a dynamic-median-based model trimming and noising method. The IQR-based adaptive detection method introduces the IQR statistic, which is robust to extreme values and cheap to compute, and fuses it with historical training information to adaptively detect model updates from malicious clients, adapting to Non-IID data distributions while keeping computational overhead low. The dynamic-median-based trimming and noising method introduces dynamic clipping and noise injection that use the median L2 norm of the current round's filtered model updates as the reference, which effectively suppresses residual anomalous updates and directional attacks and gives the model differential-privacy protection. Theoretical and experimental analysis shows that IQR-DDPA, with linear computational complexity O(np), achieves an average accuracy of 95.99% across multiple attack scenarios, significantly outperforming baseline methods, and provides an efficient and comprehensive defense against poisoning attacks for edge intelligence environments.
Key words:  Federated Learning  Defense Against Poisoning Attacks  Interquartile Range  Differential Privacy  Non-IID Data
DOI:
Received: 2025-12-09    Revised: 2026-03-30
Funding: National Natural Science Foundation of China (No. 61802436, No. 62102449); Henan Province Key R&D and Promotion Special Project (No. 222102210069)
IQR-Based Dynamic Defense Against Poisoning Attacks in Federated Learning
Hu Meng Die, Wang Na, Huang Bai Dong, Wang Kai Yuan, Liu Ao Di, Du Xue Hui
(Information Engineering University)
Abstract:
With the widespread adoption of federated learning in edge computing environments, defending against poisoning attacks on Non-Independent and Identically Distributed (Non-IID) data has become a critical challenge. However, existing defense schemes against poisoning attacks suffer from insufficient comprehensive protection capabilities and high computational complexity. To address these problems, this paper proposes an IQR-Based Dynamic Defense Against Poisoning Attacks in Federated Learning (IQR-DDPA). The scheme adopts a "detection-trimming-noising" defense architecture and designs an IQR-based adaptive detection method for anomalous updates as well as a dynamic median-based model trimming and noising method. The IQR-based adaptive detection method introduces the IQR approach, which is robust to outliers and has low computational complexity, and incorporates historical training information to achieve adaptive detection of malicious client model updates. This maintains low computational overhead while adapting to Non-IID data distributions. The dynamic median-based model trimming and noising method introduces dynamic trimming and noise injection based on the median L2-norm of the filtered model updates from the current round, effectively suppressing residual anomalous updates and directional attacks while providing the model with differential privacy protection. Theoretical and experimental analyses show that the IQR-DDPA scheme achieves an average accuracy of 95.99% across various attack scenarios with a linear computational complexity of O(np), significantly outperforming baseline methods. It thus provides an efficient and comprehensive defense solution against poisoning attacks for edge intelligence environments.
Key words:  Federated Learning  Defense Against Poisoning Attacks  Interquartile Range  Differential Privacy  Non-IID Data
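As an added illustration (not code from the paper), the following Python sketch runs one round of the detection-trimming-noising pipeline the abstract describes on constructed 2-D client updates: the L2 norms of the updates are screened with an IQR fence, the survivors are clipped to the median norm of the filtered round, Gaussian noise scaled to that bound is added, and the result is averaged. The fixed Tukey factor k, the noise scale and the toy updates are assumptions; the paper's adaptive, history-fused threshold is not modelled.

```python
import random
import statistics
from typing import List, Optional, Sequence

Vector = List[float]

def l2_norm(v: Sequence[float]) -> float:
    return sum(x * x for x in v) ** 0.5

def iqr_inliers(norms: Sequence[float], k: float = 1.5) -> List[int]:
    """Indices of updates with L2 norm inside the fence [Q1 - k*IQR, Q3 + k*IQR].
    Assumption: a fixed Tukey factor k stands in for the paper's adaptive,
    history-aware threshold, which the abstract does not specify."""
    if len(norms) < 4:  # too few clients for meaningful quartiles: keep all
        return list(range(len(norms)))
    q1, _, q3 = statistics.quantiles(norms, n=4)
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [i for i, n in enumerate(norms) if lo <= n <= hi]

def trim_and_noise(u: Vector, bound: float, sigma: float = 0.0,
                   rng: Optional[random.Random] = None) -> Vector:
    """Clip u to L2 norm <= bound, then add N(0, (sigma*bound)^2) noise per coordinate.
    Clipping caps each client's influence (sensitivity); that is what makes the
    Gaussian noise a differential-privacy mechanism rather than mere jitter."""
    rng = rng if rng is not None else random.Random(0)
    n = l2_norm(u)
    scale = min(1.0, bound / n) if n > 0 else 1.0
    return [x * scale + rng.gauss(0.0, sigma * bound) for x in u]

def iqr_ddpa_round(updates: Sequence[Vector], k: float = 1.5,
                   sigma: float = 0.0, seed: int = 0):
    """One round: detect -> trim -> noise -> average. Returns (aggregate, kept ids)."""
    rng = random.Random(seed)
    norms = [l2_norm(u) for u in updates]
    kept = iqr_inliers(norms, k)
    bound = statistics.median([norms[i] for i in kept])  # dynamic median of this round
    processed = [trim_and_noise(updates[i], bound, sigma, rng) for i in kept]
    return [sum(p[j] for p in processed) / len(processed)
            for j in range(len(updates[0]))], kept

# Constructed 2-D updates: six benign clients, one sign-flipped directional
# update (c6) whose norm stays inside the IQR fence, one boosted update (c7).
CLIENT_UPDATES = [[1.0, 0.0], [0.0, 1.0], [1.2, 0.0], [0.0, 0.8], [1.1, 0.0],
                  [0.0, 0.9], [-2.0, 0.0], [-50.0, 0.0]]

if __name__ == "__main__":
    agg, kept = iqr_ddpa_round(CLIENT_UPDATES)
    print("kept:", kept, "aggregate:", agg)  # c7 rejected; c6 clipped to the median norm
    print("plain average:", [sum(u[j] for u in CLIENT_UPDATES) / 8 for j in range(2)])
```

With the boosted client removed and the sign-flipped one clipped, the aggregate stays close to the benign mean, whereas plain averaging is dominated by the single boosted update.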