ISSN 1000-1239 CN 11-1777/TP

• 信息安全 •

### 基于矩阵映射的拜占庭鲁棒联邦学习算法

1. 1（北京电子科技学院 北京 100070）；2（信息网络安全公安部重点实验室(公安部第三研究所) 上海 200031）；3（中国科学院网络测评技术重点实验室(中国科学院信息工程研究所) 北京 100093) (liubiao@besti.edu.cn)
• 出版日期: 2021-11-01
• 基金资助:
国家重点研发计划项目(2018YFB1004100)；信息网络安全公安部重点实验室(公安部第三研究所)开放基金资助课题(C18612)；中国科学院网络测评技术重点实验室(中国科学院信息工程研究所)项目(KFKT2019-004)

### A Byzantine-Robust Federated Learning Algorithm Based on Matrix Mapping

Liu Biao1, Zhang Fangjiao1, Wang Wenxin1, Xie Kang2, Zhang Jianyi1,3

1. 1（Beijing Electronic Science and Technology Institute, Beijing 100070);2(Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security), Shanghai 200031);3(CAS Key Laboratory of Network Assessment Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093)
• Online: 2021-11-01
• Supported by:
This work was supported by the National Key Research and Development Program of China (2018YFB1004100), the Opening Project of Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security) (C18612), and the Project of CAS Key Laboratory of Network Assessment Technology (Institute of Information Engineering, Chinese Academy of Sciences) (KFKT2019-004).

Abstract: Federated learning can better protect data privacy because the parameter server only collects the client model and does not touch the local data of the client. However, its basic aggregation algorithm FedAvg is vulnerable to Byzantine client attacks. In response to this problem, many studies have proposed different aggregation algorithms, but these aggregation algorithms have insufficient defensive capabilities, and the model assumptions do not fit the reality. Therefore, we propose a new type of Byzantine robust aggregation algorithm. Different from the existing aggregation algorithms, our algorithm focuses on detecting the probability distribution of the Softmax layer. Specifically, after collecting the client model, the parameter server obtains the Softmax layer probability distribution of the model through the generated matrix to map the updated part of the model, and eliminates the client model with abnormal distribution. The experimental results show that without reducing the accuracy of FedAvg, the Byzantine tolerance rate is increased from 40% to 45% in convergence prevention attacks, and the defense against edge-case backdoor attacks is realized in backdoor attacks. In addition, according to the current state-of-the-art adaptive attack framework, an adaptive attack is designed specifically for our algorithm, and experimental evaluations have been carried out. The experimental results show that our aggregation algorithm can defend at least 30% of Byzantine clients.