CN118036708A - Federal forgetting learning method based on history updating and correction - Google Patents
- Publication number: CN118036708A
- Application number: CN202410191278.5A
- Authority: CN (China)
- Prior art keywords: forgetting, correction, update, historical, model
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
- G06N3/098—Distributed learning, e.g. federated learning
Description
Technical Field
The present invention relates to the technical field of federated forgetting, and in particular to a federated forgetting learning method based on historical update correction.
Background Art
In recent years, federated learning has received increasing attention as a distributed machine learning paradigm that can effectively protect user privacy: users can collaboratively train a common model without sharing their data. However, with the emergence of various privacy protection laws and regulations, users have been given the "right to be forgotten" and can request that information about themselves be deleted from the global model. Together with growing privacy demands, this requires the global model in a federated system to be able to forget the information of a target user or a specific data set and its influence. Because federated learning is distributed, user data is scattered across clients in different places, which makes forgetting learning more difficult than in the traditional centralized setting. Federated forgetting learning further protects user privacy, so that users who want to leave the federated system can do so with peace of mind. In addition, federated forgetting learning can also resist attacks from malicious users, such as backdoor attacks and data poisoning attacks.
At present, researchers generally divide federated forgetting learning into two main types: exact forgetting and approximate forgetting. Exact forgetting requires that the global model after forgetting be indistinguishable from a retrained model (one whose training did not include the data to be forgotten), while approximate forgetting relaxes this requirement in exchange for a significant improvement in efficiency. Liu et al. proposed a fast retraining method that retrains the global model on the remaining data set while approximating the loss function with a first-order Taylor expansion. The method proposed by Wu et al. subtracts all historical average updates of the target client from the final global model and then uses knowledge distillation to compensate for the deviation of the learned model caused by the subtraction. Wang et al. proposed a forgetting method based on model pruning, which quantifies the contribution of channels to different categories through term frequency-inverse document frequency; pruning the high-scoring channels achieves forgetting of certain categories.
The disadvantages of the above prior art are as follows: (1) The forgetting techniques are tailored to the global model to some extent and are neither model-independent nor general. A forgetting method is needed that can be transplanted directly into a federated system without additional changes on the client. (2) Retraining and knowledge distillation incur large time and computing costs. (3) Forgetting techniques such as subtracting historical gradients and model pruning are destructive to the accuracy of the model, resulting in reduced performance.
Summary of the Invention
Purpose of the invention: In view of the above problems, the present invention proposes a federated forgetting learning method based on historical update correction, which achieves efficient federated forgetting learning, forgets more thoroughly, and does little damage to the accuracy of the model.
Technical solution: To achieve the purpose of the present invention, the technical solution adopted is a federated forgetting learning method based on historical update correction, comprising the following steps:
(1) In the original federated learning training phase, the server retains the historical updates of the clients in each interaction round, and the norm of each historical update is used as the quantized size of the update, that is, the update step size.
(2) When a forgetting request is received, direction correction training is performed. In this stage, client k performs Ec rounds of training locally, for a total of t interaction rounds. The calibration update finally obtained for each client and its corresponding round is sent to the server, where it is recorded.
The historical updates stored on the server are corrected through direction correction training, and the forgetting model is then reconstructed under the combined action of passive forgetting and active forgetting. After the forgetting model has been reconstructed, the target client exits the federated system.
(3) Forgetting learning effect test: backdoor attacks and membership inference attacks are used together to evaluate the degree of forgetting and test the forgetting effect.
Furthermore, in step (2), during the direction correction training phase the clients are divided into the target client and the remaining clients, and the number of training rounds is lower than in the federated learning training phase. The calibration update obtained by direction correction training is normalized, according to its index, to give the correction direction of the corresponding historical update. Multiplying the correction direction by the step size calibrates the historical update into the corrected update. Using the corrected updates, the required forgetting model is aggregated on the server side over several rounds. The corrected updates of the target client to be forgotten are used for active forgetting, and the corrected updates of the remaining clients are used for passive forgetting; the strength of active and passive forgetting is controlled by the forgetting coefficients. Under the combined action of the two kinds of forgetting, the forgetting model is reconstructed.
Furthermore, the direction correction training is expressed as:
The terms of this expression are the update obtained from the direction correction training, the data set corresponding to client k, and the forgetting model of round t.
Furthermore, the historical update of the passive forgetting part is corrected as follows:
Here kc denotes the remaining clients excluding the target client. The other terms are the corrected update of the passive forgetting part, the norm of the historical updates retained on the server side for the remaining clients, and the normalization of the updates obtained by the remaining clients in direction correction training.
Furthermore, the weighted average of the corrected updates of the passive forgetting part is:
Here nk is the data sample size of the corresponding client; the weights of the weighted average are determined by the data sample sizes.
Furthermore, the historical update of the active forgetting part is corrected as follows:
Here k" is the target client to be forgotten. The other terms are the corrected update of the active forgetting part, the norm of the historical updates retained on the server side for the target client, and the normalization of the update obtained by the target client in direction correction training.
Furthermore, the two kinds of forgetting are aggregated by a weighted average using the forgetting coefficients:
Here α is the passive forgetting coefficient and β is the active forgetting coefficient, with α ∈ [1, +∞) and β ∈ (0, 1).
Furthermore, the forgetting model update process is:
The terms of this expression are the forgetting model of round t+1, the forgetting model of round t, and the update obtained by aggregating passive forgetting and active forgetting through the forgetting-coefficient weighted average.
Beneficial effects: Compared with the prior art, the technical solution of the present invention has the following beneficial technical effects:
The present invention is inspired by neuroscience. In human forgetting, forgetting results from the combined action of passive forgetting and active forgetting; following this, the forgetting learning stage is likewise divided into a passive forgetting part and an active forgetting part that are carried out simultaneously. Active forgetting forces the global model after forgetting away from the local model of the target client, while passive forgetting biases the global model after forgetting towards the local models of the remaining clients, thereby promoting the forgetting of the target client's data.
The present invention sacrifices only some storage space on the server side to achieve efficient federated forgetting learning. Compared with many existing methods, the model forgets more thoroughly and the damage to model accuracy is small. Experiments show that the present invention achieves an excellent forgetting effect on multiple data sets (such as MNIST, FMNIST, CIFAR10 and STL10). Compared with the existing FedEraser method, the method of the present invention further reduces the backdoor attack success rate by about 2%. Therefore, when malicious users carry out backdoor attacks and membership inference attacks, the success rate of the attacks can be greatly reduced, making the entire federated system more secure and more robust.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the basic flow of an embodiment of the present invention.
FIG. 2 is a schematic diagram of forgetting learning according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of verifying the forgetting effect according to an embodiment of the present invention.
Detailed Description
To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood, however, that the specific embodiments described herein are only used to explain the present invention and are not intended to limit its scope. In addition, descriptions of well-known structures and technologies are omitted in the following description to avoid unnecessarily obscuring the concepts of the present invention.
The overall flow of the federated forgetting learning method based on historical update correction described in the present invention is shown in Figures 1 and 2. The method includes: 1. direction correction training; 2. forgetting model reconstruction; 3. federated forgetting learning verification.
Step 1: Direction correction training.
In the original federated learning training phase, the server retains the historical updates of the clients in each interaction round, and the norm of each historical update is used as the quantized size of the update, that is, the update step size.
When a forgetting request is received, direction correction training is performed. This stage is similar to the federated learning training stage: in both, the clients train locally and send their updates to the server. The differences are that the number of training rounds is reduced and that the clients are divided into the target client and the remaining clients. Client k performs Ec rounds of training locally, for a total of t interaction rounds; the target client to be forgotten is denoted k" and the remaining clients are denoted kc. The calibration update finally obtained for each client and its corresponding round is sent to the server and recorded in preparation for the subsequent stages.
Step 2: Reconstruct the forgetting model to obtain the global model after forgetting learning.
Step 2.1: Correct the historical updates. The calibration update obtained by direction correction training is used to guide the direction of the original historical update. The norm of the historical update is taken as the magnitude of the change in the forgetting model parameters, and multiplying it by the normalized calibration update gives the corrected update.
Step 2.2: The corrected updates from different clients are classified. The corrected updates of the target client to be forgotten are used for active forgetting, while the corrected updates of the remaining clients are used for passive forgetting; the strength of each is controlled by a forgetting coefficient. The combined action of the two kinds of forgetting makes the information of the relevant data and its influence gradually disappear from the global model.
Step 2.3: After steps 2.1 to 2.2 have been repeated for T" rounds, the forgetting model is finally rebuilt. During this process the target client's data is gradually cleared, and the accuracy gradually recovers to its level before forgetting learning. Once the forgetting model has been obtained, the target client can exit. T" is generally less than half the number of rounds in the federated learning training phase.
Step 3: Federated forgetting learning verification.
Malicious users are simulated launching backdoor attacks and membership inference attacks on different data sets. If the success rate of the attacks is greatly reduced, the forgetting learning effect is good.
In this embodiment, step 1 may adopt the following preferred scheme:
The update obtained by the target client in direction correction training and the update obtained by the remaining clients in direction correction training are recorded separately. The first round of training starts from the initialized global model; thereafter, the global model obtained in the previous round is the initial model for the next round.
Direction correction training is expressed as:
The terms of this expression are the data set corresponding to client k, the forgetting model of round t, and the update obtained from direction correction training.
In this embodiment, step 2 may adopt the following preferred scheme:
The historical update of the passive forgetting part is corrected as follows:
Here kc denotes the remaining clients excluding the target client. The two factors are the norm of the historical updates of the remaining clients originally retained on the server side and the normalization of the updates obtained by the remaining clients in direction correction training; their product is the corrected update of the passive forgetting part.
The weighted average of the corrected updates of the passive forgetting part is:
Here kc denotes the remaining clients excluding the target client, and nk is the sample size of the corresponding client; the weights of the weighted average are determined by the data sample sizes.
The historical update of the active forgetting part is corrected as follows:
Here k" denotes the target client to be forgotten. The two factors are the norm of the historical update of the target client and the normalization of the update obtained by the target client in direction correction training; their product is the corrected update of the active forgetting part.
The two kinds of forgetting are weighted and aggregated through the forgetting coefficients as follows:
Here α is the passive forgetting coefficient and β is the active forgetting coefficient. As in human forgetting, passive forgetting dominates and is stronger than active forgetting; therefore α ∈ [1, +∞) and β ∈ (0, 1).
The update process of the forgetting model is:
The terms of this expression are as follows. The forgetting model of round t is the forgetting model obtained in the previous round, which is the model to be updated in the current round. The update term is the update obtained by the weighted aggregation of the two kinds of forgetting through the forgetting coefficients. The resulting forgetting model is the forgetting model obtained in each round of this method. After T" rounds have been repeated, the forgetting model is finally reconstructed.
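The server-side arithmetic of Steps 2.1 and 2.2 for a single round, as an added example that is not code from the patent: each stored historical update keeps its norm as the step size and takes its direction from the normalized calibration update, then the passive and active parts are combined. The formulas are not reproduced on this page, so the L2 norm, the combination `alpha * passive - beta * active`, the additive model update, and all function names and sample vectors are assumptions.

```python
import math


def l2_norm(vec):
    """Size of an update. ASSUMPTION: the page says 'norm'; L2 is used here."""
    return math.sqrt(sum(x * x for x in vec))


def correct_update(historical, calibration, eps=1e-12):
    """Step 2.1: ||historical|| * calibration / ||calibration||.

    The stored historical update supplies only the step size; the
    calibration update supplies only the direction.
    """
    if len(historical) != len(calibration):
        raise ValueError("historical and calibration updates differ in shape")
    step = l2_norm(historical)
    cal_norm = l2_norm(calibration)
    if cal_norm < eps:
        # A zero calibration update has no direction: contribute nothing
        # instead of dividing by zero.
        return [0.0] * len(historical)
    return [step * c / cal_norm for c in calibration]


def weighted_average(updates, sample_counts):
    """Average of the corrected updates, weighted by client sample size n_k."""
    total = sum(sample_counts)
    if total <= 0:
        raise ValueError("sample counts must sum to a positive number")
    dim = len(updates[0])
    return [
        sum(n * u[i] for u, n in zip(updates, sample_counts)) / total
        for i in range(dim)
    ]


def unlearning_round(model, history, calibration, sample_counts,
                     target, alpha, beta):
    """One reconstruction round (Steps 2.1 and 2.2) on the server.

    history / calibration: dict client_id -> update vector for this round.
    ASSUMPTION: combined update = alpha * passive - beta * active, added to
    the current model; the patent's own formula is not on the page.
    """
    if alpha < 1.0 or not (0.0 < beta < 1.0):
        raise ValueError("expected alpha in [1, +inf) and beta in (0, 1)")
    if target not in history:
        raise ValueError("target client has no stored historical update")
    remaining = [k for k in history if k != target]
    if not remaining:
        raise ValueError("no remaining clients to drive passive forgetting")

    # Passive forgetting: corrected updates of the remaining clients.
    passive = weighted_average(
        [correct_update(history[k], calibration[k]) for k in remaining],
        [sample_counts[k] for k in remaining],
    )
    # Active forgetting: corrected update of the target client.
    active = correct_update(history[target], calibration[target])

    combined = [alpha * p - beta * a for p, a in zip(passive, active)]
    new_model = [w + d for w, d in zip(model, combined)]
    return new_model, passive, active


# Constructed sample data: three clients, two-parameter "model".
SAMPLE_HISTORY = {"c1": [3.0, 4.0], "c2": [0.0, 5.0], "target": [6.0, 8.0]}
SAMPLE_CALIBRATION = {"c1": [1.0, 0.0], "c2": [0.0, 2.0], "target": [0.0, -1.0]}
SAMPLE_COUNTS = {"c1": 100, "c2": 300, "target": 100}

if __name__ == "__main__":
    model, passive, active = unlearning_round(
        [0.0, 0.0], SAMPLE_HISTORY, SAMPLE_CALIBRATION, SAMPLE_COUNTS,
        target="target", alpha=1.0, beta=0.5,
    )
    print("passive:", passive, "active:", active, "model:", model)
```

In a full run this function would be called once per round with that round's stored historical updates and freshly received calibration updates, for the T" rounds described in Step 2.3.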
In this embodiment, step 3 may adopt the following preferred scheme:
In a backdoor attack, during the model training phase a malicious user adds a trigger (for example, a crosshair mark) at a specific position in some of the samples of their own data set and modifies the labels of those samples. After model training is completed, samples carrying the trigger are used for testing; if the model wrongly predicts the label the malicious user assigned, the attack is considered successful. If the backdoor attack success rate is extremely low after this forgetting method has been applied, the data information of the target client has been forgotten by the model.
A membership inference attack expresses the degree to which data information remains in the model as the likelihood that the attack can infer it. In the membership inference attack, an attack classifier is trained to output the probability that a given data item is member data. If the probability it gives drops significantly after this forgetting method has been applied, very little information about the target data remains in the global model.
The above two attack methods serve not only as verification metrics for forgetting; they also verify that, in practical applications, this method can forget and clear the contaminated data of real malicious users, resisting the related attacks and enhancing the security of the entire federated system.
As shown in Figure 3, the forgetting effect verification phase follows the federated learning training phase. Take the backdoor attack as an example. A backdoor attack is a targeted model poisoning attack, and in the federated learning training phase the attack success rate needs to be raised high enough to prepare for the later verification phase. During federated learning training, the target user to be forgotten is simulated as a malicious user. When training locally, the malicious user adds a backdoor trigger to some of the samples in their own data set and modifies the labels of those samples. The aim is to make the model misjudge data with a specific feature without affecting the model's main task. For example, to make the model recognize a horse as a car, the model wrongly outputs "car" only when a horse picture carrying the trigger is input; its ability to classify other pictures is not affected. After multiple rounds of federated training, the global model contains the corresponding backdoor. Because of the nature of federated learning, users can only access their own data sets, and the global model is ultimately generated by the server aggregating the updates of the individual clients; the malicious user can thus be said to have changed the entire global model single-handedly.
In the forgetting effect verification phase, pictures of the original category (for example, horse pictures) that carry the trigger and have had their labels changed are input into the model. If they are wrongly recognized as the category assigned by the malicious user (for example, car), the attack is considered successful. A backdoor attack does not affect the performance of the global model on regular inputs and distorts the prediction only for specific inputs that carry the trigger. Therefore, when the simulated malicious user carries out a backdoor attack, this method forgets the malicious user's data information in the global model, the influence of the backdoor data is eliminated, and the attack success rate is ultimately greatly reduced, which verifies the effectiveness of this method for forgetting learning in the federated learning scenario.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410191278.5A CN118036708A (en) | 2024-02-21 | 2024-02-21 | Federal forgetting learning method based on history updating and correction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118036708A (en) | 2024-05-14 |
Family
ID=90999889
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410191278.5A Pending CN118036708A (en) | 2024-02-21 | 2024-02-21 | Federal forgetting learning method based on history updating and correction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118036708A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118410860A (en) * | 2024-07-03 | 2024-07-30 | 杭州海康威视数字技术股份有限公司 | Efficient knowledge editing method and device in federal learning environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||