Research on Privacy Protection and Anti-Poisoning Attack Methods Based on Federated Learning
DOI: 10.12677/csa.2026.162057. Supported by the National Natural Science Foundation of China.
Authors: Zhang Tiexue, Wang Jia* (School of Computer Science and Technology, Xinjiang University, Urumqi, Xinjiang)
Keywords: Federated Learning, Poisoning Attack, Privacy Protection, Gradient History, Attack Detection
Abstract: Parameter transmission and model training in federated learning expose it to the dual threats of poisoning attacks and privacy leakage. Existing studies that combine privacy protection with anti-poisoning defenses typically encrypt or perturb client gradients before running poisoning detection in the ciphertext domain, which blurs or removes the distinctive features of malicious gradients and makes it hard for the detector to tell different poisoning attacks apart. This paper proposes a method that identifies client types from plaintext gradient history and then applies privacy protection and secure aggregation only to the clients screened as normal, improving detection effectiveness while preserving data confidentiality. Given the prevalence of sign-flipping, noise-injection and label-flipping attacks, and the marked differences among them in objective, intensity and behavioral pattern, the method keeps both short-term and long-term histories of each client's local gradients and detects multiple attack types by comparing the anomalous differences between these histories. A periodic poisoning-detection strategy is also designed to protect client privacy. Furthermore, because multi-chain aggregation normally fixes the number of chains and the clients within each chain, an adaptive multi-chain secure aggregation method is designed that adjusts to a changing client set, improving aggregation efficiency while preserving privacy. Experiments on MNIST, Fashion-MNIST and CIFAR10 show that the proposed algorithm reaches an average accuracy of 85.18%, about 6% above the baseline algorithms, detects multiple classes of poisoning attacks well, and effectively improves model performance under complex attack scenarios.
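The pipeline the abstract describes, as an added illustration that is not the paper's code: every few rounds the server screens clients in plaintext using a long gradient history (mean of all updates) and a short one (mean of the last two), flags a client whose long history points against the population's coordinate-wise median as a sign flipper and a client whose short history swings far from its own long history as a noise injector, and then aggregates only the surviving clients through chains whose count is recomputed from the current client set. The history definitions, thresholds, chain protocol, client behaviours and gradient vectors are all constructed assumptions; label flipping is not modelled because it needs an actual learning task.

```python
"""Added illustration (not the paper's code): periodic plaintext screening of
clients from long/short gradient histories, then chained masked aggregation of
the clients that pass. Behaviours, thresholds and vectors are constructed."""
import math
import random
from typing import Dict, List, Tuple

Vec = List[float]

def vadd(a: Vec, b: Vec) -> Vec:
    return [x + y for x, y in zip(a, b)]

def vsub(a: Vec, b: Vec) -> Vec:
    return [x - y for x, y in zip(a, b)]

def vscale(a: Vec, s: float) -> Vec:
    return [x * s for x in a]

def vmean(vecs: List[Vec]) -> Vec:
    return vscale([sum(col) for col in zip(*vecs)], 1.0 / len(vecs))

def norm(a: Vec) -> float:
    return math.sqrt(sum(x * x for x in a))

def cosine(a: Vec, b: Vec) -> float:
    na, nb = norm(a), norm(b)
    return sum(x * y for x, y in zip(a, b)) / (na * nb) if na and nb else 0.0

def coord_median(vecs: List[Vec]) -> Vec:
    # Coordinate-wise (upper) median: a robust reference direction across clients.
    return [sorted(col)[len(col) // 2] for col in zip(*vecs)]

class GradientHistory:
    """Long history = mean of every gradient a client has sent; short history =
    mean of its last `window` gradients (assumed definitions)."""
    def __init__(self, window: int = 2):
        self.window = window
        self.grads: List[Vec] = []
    def update(self, g: Vec) -> None:
        self.grads.append(g)
    @property
    def long(self) -> Vec:
        return vmean(self.grads)
    @property
    def short(self) -> Vec:
        return vmean(self.grads[-self.window:])

def detect(histories: Dict[str, GradientHistory], cos_thresh: float = 0.0,
           jitter_thresh: float = 0.5) -> Dict[str, str]:
    """Sign flipping: long history points against the population's median long
    history. Noise injection: short history swings far from the client's own
    long history. Both thresholds are assumed values."""
    reference = coord_median([h.long for h in histories.values()])
    verdicts = {}
    for cid, h in histories.items():
        if cosine(h.long, reference) < cos_thresh:
            verdicts[cid] = "sign_flip"
        elif norm(vsub(h.short, h.long)) / max(norm(h.long), 1e-12) > jitter_thresh:
            verdicts[cid] = "noise_injection"
        else:
            verdicts[cid] = "normal"
    return verdicts

def chained_secure_sum(grads: List[Vec], chain_size: int, rng: random.Random) -> Tuple[Vec, int]:
    """Adaptive multi-chain masked summation (simplified, assumed protocol): the
    chain count is recomputed from the current client count so no chain has a
    single member. The chain head adds a one-time random mask, each member adds
    its gradient to the running masked total, and the head strips the mask
    before the server sees anything, so the server only learns chain sums."""
    n_chains = max(1, len(grads) // chain_size)
    chains = [grads[i::n_chains] for i in range(n_chains)]
    total = [0.0] * len(grads[0])
    for chain in chains:
        mask = [rng.uniform(-1e3, 1e3) for _ in chain[0]]
        running = vadd(chain[0], mask)            # head sends a masked gradient
        for g in chain[1:]:
            running = vadd(running, g)            # members see masked totals only
        total = vadd(total, vsub(running, mask))  # head unmasks the chain sum
    return total, n_chains

TRUE_GRAD = [1.0, -0.5, 0.25, 0.75]   # constructed honest gradient direction
NOISE_SIGNS = [1, -1, 1, 1, -1, -1]   # constructed deterministic noise pattern
ONES = [1.0] * len(TRUE_GRAD)
CLIENTS = {"h1": "honest", "h2": "honest", "h3": "honest",
           "sign_flipper": "sign_flipper", "noise_injector": "noise_injector"}

def client_gradient(kind: str, t: int) -> Vec:
    s = NOISE_SIGNS[(t - 1) % len(NOISE_SIGNS)]
    if kind == "honest":
        return vadd(TRUE_GRAD, vscale(ONES, 0.05 * s))
    if kind == "sign_flipper":                 # pushes the model the wrong way
        return vadd(vscale(TRUE_GRAD, -1.0), vscale(ONES, 0.05 * s))
    if kind == "noise_injector":               # right direction, huge variance
        return vadd(TRUE_GRAD, vscale(ONES, 3.0 * s))
    raise ValueError(kind)

def run_simulation(rounds: int = 6, period: int = 3, chain_size: int = 2,
                   lr: float = 0.1) -> Dict[str, object]:
    rng = random.Random(7)
    histories = {cid: GradientHistory() for cid in CLIENTS}
    banned, verdict_log, chain_log = set(), {}, {}
    model = [0.0] * len(TRUE_GRAD)
    for t in range(1, rounds + 1):
        grads = {cid: client_gradient(kind, t) for cid, kind in CLIENTS.items()
                 if cid not in banned}
        for cid, g in grads.items():
            histories[cid].update(g)
        if t % period == 0:                       # periodic plaintext screening
            verdict_log[t] = detect({cid: histories[cid] for cid in grads})
            banned |= {cid for cid, v in verdict_log[t].items() if v != "normal"}
        survivors = [grads[cid] for cid in grads if cid not in banned]
        total, chain_log[t] = chained_secure_sum(survivors, chain_size, rng)
        model = vsub(model, vscale(total, lr / len(survivors)))
    return {"banned": banned, "verdicts": verdict_log, "chains": chain_log, "model": model}

if __name__ == "__main__":
    print(run_simulation())
```

With the constructed clients, the screening at round 3 flags the sign flipper (negative cosine against the median history) and the noise injector (short-to-long deviation above the threshold), the chain count drops from 2 to 1 as the surviving set shrinks from five to three, and the final model equals what honest-only averaging would give apart from the two unscreened rounds. The masked chain sums match the plain sums to floating-point precision while the server never receives an individual gradient.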
Citation: Zhang Tiexue, Wang Jia. Research on Privacy Protection and Anti-Poisoning Attack Methods Based on Federated Learning [J]. Computer Science and Application, 2026, 16(2): 261-276. https://doi.org/10.12677/csa.2026.162057
