ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (11): 2416-2429.doi: 10.7544/issn1000-1239.2021.20210633

Special Issue: 2021密码学与网络空间安全治理专题

Previous Articles     Next Articles

A Byzantine-Robust Federated Learning Algorithm Based on Matrix Mapping

Liu Biao1, Zhang Fangjiao1, Wang Wenxin1, Xie Kang2, Zhang Jianyi1,3   

  1. 1(Beijing Electronic Science and Technology Institute, Beijing 100070);2(Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security), Shanghai 200031);3(CAS Key Laboratory of Network Assessment Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093)
  • Online:2021-11-01
  • Supported by: 
    This work was supported by the National Key Research and Development Program of China (2018YFB1004100), the Opening Project of Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security) (C18612), and the Project of CAS Key Laboratory of Network Assessment Technology (Institute of Information Engineering, Chinese Academy of Sciences) (KFKT2019-004).

Abstract: Federated learning can better protect data privacy because the parameter server only collects the client model and does not touch the local data of the client. However, its basic aggregation algorithm FedAvg is vulnerable to Byzantine client attacks. In response to this problem, many studies have proposed different aggregation algorithms, but these aggregation algorithms have insufficient defensive capabilities, and the model assumptions do not fit the reality. Therefore, we propose a new type of Byzantine robust aggregation algorithm. Different from the existing aggregation algorithms, our algorithm focuses on detecting the probability distribution of the Softmax layer. Specifically, after collecting the client model, the parameter server obtains the Softmax layer probability distribution of the model through the generated matrix to map the updated part of the model, and eliminates the client model with abnormal distribution. The experimental results show that without reducing the accuracy of FedAvg, the Byzantine tolerance rate is increased from 40% to 45% in convergence prevention attacks, and the defense against edge-case backdoor attacks is realized in backdoor attacks. In addition, according to the current state-of-the-art adaptive attack framework, an adaptive attack is designed specifically for our algorithm, and experimental evaluations have been carried out. The experimental results show that our aggregation algorithm can defend at least 30% of Byzantine clients.

Key words: federated learning, matrix mapping, convergence prevention attack, backdoor attack, robust aggregation algorithm

CLC Number: