Federated learning watermark based on backdooring tasks
(Chinese title: 基于模型后门的联邦学习水印, "Federated learning watermark based on model backdoors")
Affiliation: Fujian Normal University
Fund Project: The National Natural Science Foundation of China (General Program, Key Program, Major Research Plan), the Natural Science Foundation of Fujian Province

Abstract (translated from the Chinese abstract):

Training a high-accuracy federated learning model consumes a large amount of each participant's local resources, and a participant can obtain illegal profit by privately selling the jointly trained model. To protect the ownership of federated learning models, this paper proposes the concept of a federated learning watermark for the first time. Exploiting the property of deep learning backdoors that they leave main-task accuracy unaffected and cause misclassification only on a small trigger set, it constructs a Federated Learning Watermark (FLWM) scheme in which each participating user embeds a private watermark in its local model; the cloud's model aggregation then maps these private backdoor watermarks into the global model, where they serve as the global watermark of the federated learning task. A stepwise training method is then proposed to strengthen the expression of each private backdoor watermark in the global model, so that the FLWM scheme can accommodate every participant's private watermark without affecting global-model accuracy. Finally, theoretical analysis proves the security of the FLWM scheme, and experiments verify that the stepwise training method lets the global model accommodate the private watermarks of all participants with only a 1% loss in main-task accuracy. The FLWM scheme is also subjected to model compression and model fine-tuning attacks; the results show that it retains more than 80% of the watermark when the model is compressed to 30%, and more than 90% under four different fine-tuning attacks, demonstrating good robustness.

    Abstract:

    Training a high-accuracy federated learning model consumes a large amount of the users' local resources, and a user who participates in the training can gain illegal profit by selling the jointly trained model without the other participants' permission. In this paper, we propose the concept of the Federated Learning Watermark (FLWM) for the first time to protect the users' intellectual property. Based on the property of deep learning backdoors that they keep main-task accuracy unchanged and cause misclassification only on a small trigger set, FLWM integrates each participant's private backdoor into the global model through the aggregation stage without affecting the accuracy of the global model. Since each user's private watermark is unknown to the others, the watermarks may conflict with each other in the global model, so a stepwise training method is designed to alleviate this possible conflict. Theoretical analysis proves the security of the FLWM scheme, and experiments verify that the stepwise training method can embed multiple users' watermarks effectively while causing only a 1% accuracy loss in the global model. Finally, model compression attacks and fine-tuning attacks are used to test FLWM. The results show that more than 80% of the watermarks are retained when the model is compressed to 30%, and more than 90% are retained under fine-tuning attacks, indicating the robustness of the FLWM scheme against these attacks.
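The following is an added worked example, not the paper's code, showing the mechanism the abstract describes in miniature: each client embeds a private backdoor (a trigger set mapped to a chosen label) during local training, the server's aggregation folds all of them into the global model, and the owner later verifies by measuring trigger-set accuracy, which is assumed here to be what "watermark retention" means. Everything below is an assumption for illustration: the model is softmax regression rather than a deep network, aggregation is plain FedAvg over three clients, each client's trigger is a single otherwise-unused feature, the data are constructed inline, and the paper's stepwise training method is not implemented. The two attacks from the abstract are included as magnitude pruning to 30% of the weights and clean-data fine-tuning by an insider.

```python
"""Toy backdoor-based federated learning watermark. Added example, not the paper's code.
Assumed (not from the page): softmax regression, three clients, plain FedAvg, one private
trigger feature per client; the paper's stepwise training is not implemented."""
import math
import random

C = 4             # main-task classes
D_MAIN = 8        # main-task features, two per class
K = 3             # federated clients, one private trigger feature each
D = D_MAIN + K    # feature vector: main features followed by the K trigger features
TARGETS = [(k + 1) % C for k in range(K)]   # constructed: client k's watermark label

def main_sample(rng, label):
    """Constructed clean sample: class c has mean 2.0 on features 2c and 2c+1, noise elsewhere."""
    x = [rng.gauss(0.0, 0.4) for _ in range(D_MAIN)] + [rng.gauss(0.0, 0.1) for _ in range(K)]
    x[2 * label] += 2.0
    x[2 * label + 1] += 2.0
    return x

def trigger_sample(rng, client):
    """Watermark sample of `client`: a non-target-class clean sample with its trigger feature set high."""
    label = rng.choice([c for c in range(C) if c != TARGETS[client]])
    x = main_sample(rng, label)
    x[D_MAIN + client] = 4.0
    return x, TARGETS[client]

def logits(model, x):
    W, b = model
    return [sum(w * xi for w, xi in zip(W[c], x)) + b[c] for c in range(C)]

def predict(model, x):
    z = logits(model, x)
    return max(range(C), key=z.__getitem__)

def sgd_epoch(model, data, lr):
    """One epoch of cross-entropy SGD on the softmax-regression model, updated in place."""
    W, b = model
    for x, y in data:
        z = logits(model, x)
        m = max(z)
        e = [math.exp(v - m) for v in z]
        s = sum(e)
        for c in range(C):
            g = e[c] / s - (1.0 if c == y else 0.0)   # dLoss/dz_c
            for j in range(D):
                W[c][j] -= lr * g * x[j]
            b[c] -= lr * g

def copy_model(model):
    return [row[:] for row in model[0]], model[1][:]

def fedavg(models):
    """Server-side aggregation: element-wise mean of the clients' local models."""
    W = [[sum(m[0][c][j] for m in models) / len(models) for j in range(D)] for c in range(C)]
    b = [sum(m[1][c] for m in models) / len(models) for c in range(C)]
    return W, b

def accuracy(model, data):
    return sum(predict(model, x) == y for x, y in data) / len(data)

def train_flwm(rounds=30, local_epochs=5, lr=0.05, seed=7):
    """FedAvg in which every client trains on its clean data plus its private trigger set."""
    rng = random.Random(seed)
    clients = [([(main_sample(rng, c), c) for c in range(C) for _ in range(15)],
                [trigger_sample(rng, k) for _ in range(10)]) for k in range(K)]
    glob = ([[0.0] * D for _ in range(C)], [0.0] * C)
    for _ in range(rounds):
        local = []
        for clean, triggers in clients:
            m = copy_model(glob)                  # each client starts from the global model
            for _ in range(local_epochs):
                sgd_epoch(m, clean + triggers, lr)
            local.append(m)
        glob = fedavg(local)
    test = [(main_sample(rng, c), c) for c in range(C) for _ in range(50)]
    return glob, clients, test

def prune(model, keep_fraction):
    """Model compression attack: zero all but the largest-magnitude `keep_fraction` of weights."""
    W, b = model
    ranked = sorted((abs(w) for row in W for w in row), reverse=True)
    n_keep = int(round(keep_fraction * len(ranked)))
    threshold = ranked[n_keep - 1] if n_keep > 0 else float("inf")
    return [[w if abs(w) >= threshold else 0.0 for w in row] for row in W], b[:]

def fine_tune(model, clean, epochs=20, lr=0.05):
    """Fine-tuning attack: an insider keeps training the global model on clean data only."""
    m = copy_model(model)
    for _ in range(epochs):
        sgd_epoch(m, clean, lr)
    return m

def evaluate(seed=7):
    """Main-task accuracy and per-client watermark retention (trigger-set accuracy) per attack."""
    glob, clients, test = train_flwm(seed=seed)
    attacked = {"none": glob, "prune_to_30pct": prune(glob, 0.3), "fine_tune": fine_tune(glob, clients[0][0])}
    return {name: {"main_acc": accuracy(m, test), "retention": [accuracy(m, t) for _, t in clients]}
            for name, m in attacked.items()}
```

Calling `evaluate()` returns, for the unattacked global model and for each attacked copy, the clean test accuracy and one retention value per client; a client proves ownership by showing that its private trigger set is still classified as its target label. Because FedAvg averages each client's trigger weights with two clients that never touch them, a single round only carries a third of the local backdoor into the global model, and it takes repeated rounds for the watermark to build up; that dilution is the conflict the paper's stepwise training is meant to address, and the example deliberately leaves it in place so the effect is visible when `rounds` is reduced.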

History
  • Received: 2021-12-05
  • Last revised: 2022-11-20
  • Accepted: 2023-02-07
Copyright: Institute of Software, Chinese Academy of Sciences. Email: jos@iscas.ac.cn