[Paper Reading Notes] CRFL: Certifiably Robust Federated Learning against Backdoor Attacks

Personal reading notes; corrections are welcome if you spot any errors!

Venue: PMLR 2021. Paper: arXiv:2106.08283, CRFL: Certifiably Robust Federated Learning against Backdoor Attacks (arxiv.org)

Problem:

        Existing defense algorithms lack robustness.

Contributions:

        Proves the stability of the proposed framework.

        Analyzes the training process of the aggregated model through Markov kernels, and proposes parameter smoothing for model inference.

Method:

[Image 1 of the original post: framework overview]

        Attacker: single-shot; the adversaries attack simultaneously.

        1. Training phase: norm clipping and perturbation

                The server clips the norm of the parameters $w_t$ it receives from the clients with the threshold $\rho_t$: $\mathrm{Clip}_{\rho_t}(w_t) \gets w_t / \max\!\left(1, \frac{\|w_t\|}{\rho_t}\right)$

                Gaussian noise $\epsilon_t \sim \mathcal{N}(0, \sigma_t^2 I)$ is added to the aggregated global model.

                The final fused parameters are therefore $\widetilde{w}_t \gets \mathrm{Clip}_{\rho_t}(w_t) + \epsilon_t$

                In the final round, the global model parameters are only clipped (no noise is added).

                Algorithm flow

[Image 2 of the original post: training-phase algorithm]
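A minimal, runnable version of the server-side step described above, added to these notes as an illustration (it is not code from the paper or its authors). Plain averaging of the client models is assumed because the notes do not state the aggregation rule; `rho`, `sigma`, the seed and the toy client vectors are constructed inputs.

```python
import math
import random


def l2_norm(w):
    """Euclidean norm of a flat parameter vector."""
    return math.sqrt(sum(v * v for v in w))


def clip_norm(w, rho):
    """Clip_rho(w) = w / max(1, ||w||_2 / rho): shrinks w so that ||w||_2 <= rho.

    A vector already inside the ball is returned unchanged (scale factor 1)."""
    scale = max(1.0, l2_norm(w) / rho)
    return [v / scale for v in w]


def server_round(client_models, rho, sigma, seed=0, final_round=False):
    """One server step of the training phase from the notes.

    client_models: list of flat parameter vectors received this round.
    rho:           clipping threshold rho_t for this round.
    sigma:         standard deviation sigma_t of the noise eps_t ~ N(0, sigma_t^2 I).
    seed:          seeds the noise so a run is reproducible.
    final_round:   in the last round the notes say only clipping is applied, no noise.

    Aggregation by plain averaging is an assumption of this example; the notes do not
    specify the aggregation rule.
    """
    n = len(client_models)
    d = len(client_models[0])
    # Aggregate (assumed: unweighted average of the received models).
    w_t = [sum(m[j] for m in client_models) / n for j in range(d)]
    # Clip the aggregated model's norm to rho_t; this bounds how much any
    # single oversized (possibly backdoored) contribution can move the global model.
    clipped = clip_norm(w_t, rho)
    if final_round:
        return clipped
    # Perturb: add Gaussian noise eps_t ~ N(0, sigma^2 I) to the clipped model.
    rng = random.Random(seed)
    eps = [rng.gauss(0.0, sigma) for _ in range(d)]
    return [c + e for c, e in zip(clipped, eps)]


if __name__ == "__main__":
    # Constructed toy inputs: two clients, one of which submits an oversized model.
    clients = [[0.3, 0.4], [30.0, 40.0]]
    w_tilde = server_round(clients, rho=1.0, sigma=0.01, seed=0)
    print("noisy global model:", w_tilde, "norm:", l2_norm(w_tilde))
    w_final = server_round(clients, rho=1.0, sigma=0.01, seed=0, final_round=True)
    print("final-round (clipped only):", w_final, "norm:", l2_norm(w_final))
```

The oversized second client pulls the average to norm 25.25, and clipping with `rho=1.0` scales it back onto the unit ball; the final-round call returns exactly the clipped average, while every other round adds the seeded Gaussian perturbation on top.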

        2. Test phase: parameter smoothing

                Build a smoothed classifier $h: (\mathcal{W}, \mathcal{X}) \rightarrow \mathcal{Y}$ and predict with it.

                The predictions of the original global model are put to a vote, and the class with the highest probability (the most votes) is returned.

                During testing, Gaussian noise $\mu(w) = \mathcal{N}(w, \sigma_T^2 I)$ is added to the clipped global model $M$ times, producing $M$ Monte Carlo samples that estimate the class probabilities $\hat{p}_c$.

[Image 3 of the original post: parameter smoothing]

                GetCounts

                Run the classifier on the test sample $x_{test}$ with each set of noisy model parameters $w_T^k$, $k = 1, \dots, M$, and return the vector of vote counts.

                Select the two classes with the most votes, $\hat{c}_A$ and $\hat{c}_B$, and compute their corresponding estimates $\hat{p}_A$ and $\hat{p}_B$.

                CalculateBound (calibrating the empirical estimates)

                The empirical estimates are adjusted so as to bound the probability that the smoothed model returns a wrong label, with error tolerance $\alpha$.

                Hoeffding's inequality is used to compute a lower bound on $\hat{p}_A$ and an upper bound on $\hat{p}_B$.

                Algorithm flow

[Image 4 of the original post: test-phase algorithm]
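The test-phase procedure (GetCounts followed by CalculateBound) as a small runnable example added to these notes; it is not the authors' code. `predict` is a toy linear classifier standing in for the global model, `w` is assumed to be the already clipped final-round model, the Hoeffding deviation term $\sqrt{\ln(1/\alpha)/(2M)}$ is the standard one-sided form (that the paper uses exactly this form is an assumption here), and reporting "not certified" when the two bounds overlap is this example's own convention.

```python
import math
import random


def predict(w, x, num_classes):
    """Toy linear classifier on flat weights w (num_classes * len(x) entries):
    returns the argmax class of the logits W x."""
    d = len(x)
    logits = [sum(w[c * d + j] * x[j] for j in range(d)) for c in range(num_classes)]
    return max(range(num_classes), key=lambda c: logits[c])


def get_counts(w, x, num_classes, M, sigma_T, rng):
    """GetCounts: run the classifier on x with M noisy parameter copies
    w^k = w + N(0, sigma_T^2 I) and return the per-class vote counts."""
    counts = [0] * num_classes
    for _ in range(M):
        w_k = [v + rng.gauss(0.0, sigma_T) for v in w]
        counts[predict(w_k, x, num_classes)] += 1
    return counts


def calculate_bound(counts, alpha):
    """CalculateBound: take the two most voted classes c_A, c_B, then lower-bound
    p_A and upper-bound p_B with Hoeffding's inequality at error tolerance alpha.

    Each vote is a Bernoulli indicator, so Hoeffding gives deviation
    sqrt(ln(1/alpha) / (2M)) for the empirical mean (assumed form of the bound)."""
    M = sum(counts)
    order = sorted(range(len(counts)), key=lambda c: counts[c], reverse=True)
    c_a, c_b = order[0], order[1]
    dev = math.sqrt(math.log(1.0 / alpha) / (2.0 * M))
    p_a_lower = max(0.0, counts[c_a] / M - dev)
    p_b_upper = min(1.0, counts[c_b] / M + dev)
    return c_a, p_a_lower, p_b_upper


def smooth_predict(w, x, num_classes, M, sigma_T, alpha, seed=0):
    """Parameter-smoothed prediction on the (already clipped) final global model w.

    Returns (predicted class, lower bound on p_A, upper bound on p_B, certified).
    'certified' is True only when the bounds separate; otherwise the caller should
    treat the label as uncertified (this example's convention)."""
    rng = random.Random(seed)
    counts = get_counts(w, x, num_classes, M, sigma_T, rng)
    c_a, p_a_lower, p_b_upper = calculate_bound(counts, alpha)
    return c_a, p_a_lower, p_b_upper, p_a_lower > p_b_upper


if __name__ == "__main__":
    # Constructed toy model: 2 classes, 2 features; class 0 reads feature 0, class 1 reads feature 1.
    W = [1.0, 0.0, 0.0, 1.0]
    x_test = [5.0, 0.0]
    print("M=200:", smooth_predict(W, x_test, 2, M=200, sigma_T=0.1, alpha=0.001))
    # Too few Monte Carlo samples: the Hoeffding deviation alone exceeds 0.5,
    # so even a unanimous vote cannot be certified.
    print("M=5:  ", smooth_predict(W, x_test, 2, M=5, sigma_T=0.1, alpha=0.01))
```

With `M=200` and `alpha=0.001` the deviation is about 0.131, so a unanimous vote certifies class 0 with $p_A \ge 0.87$ and $p_B \le 0.13$; with `M=5` and `alpha=0.01` the deviation is about 0.68, which shows why the number of Monte Carlo samples, not just the vote margin, decides whether the smoothed label can be certified.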

        Comparison with certified robustness in the centralized setting (RAB): RAB trains $M$ models on $M$ noise-perturbed copies of the data, i.e. it perturbs the input data. CRFL trains only one global model and at the end generates $M$ noise-perturbed copies of that model, i.e. it perturbs the model parameters.

Experiments:

[Images 5 to 9 of the original post: experimental results]
