Journal of Software (软件学报) ISSN 1000-9825, CODEN RUXUEW E-mail: jos@iscas.ac.cn
2025,36(9):4250−4270 [doi: 10.13328/j.cnki.jos.007266] [CSTR: 32375.14.jos.007266] http://www.jos.org.cn
© Copyright Institute of Software, Chinese Academy of Sciences. Tel: +86-10-62562563
Defense Method Against Poisoning Attacks in Cloud-edge Federated Learning Systems*
ZHAO Ya-Ru 1,2, ZHANG Jian-Biao 1,2, CAO Yi-Hao 1,2, HUANG Hao-Xiang 1,2
1 (College of Computer Science, Beijing University of Technology, Beijing 100124, China)
2 (Beijing Key Laboratory of Trusted Computing (Beijing University of Technology), Beijing 100124, China)
Corresponding author: ZHANG Jian-Biao, E-mail: zjb@bjut.edu.cn
Abstract: With the emergence of massive data and the growing demand for intelligent applications, safeguarding data security has become an important measure for improving data quality and realizing data value. Among the relevant technologies, the cloud-edge-client architecture is an emerging approach to processing and optimizing data efficiently, and federated learning (FL), an efficient decentralized machine learning paradigm, can provide privacy protection for data and has attracted wide attention from academia and industry in recent years. However, FL exhibits inherent vulnerabilities that make it susceptible to poisoning attacks. The vast majority of existing defenses against poisoning attacks rely on a continuous update space, which may be insufficiently robust against the flexible attack methods and attack scenarios found in practice. In view of this, this paper proposes FedDiscrete, a defense method against poisoning attacks for cloud-edge federated learning (cloud-edge FL, CEFL) systems. Its key idea is to compute local rankings on the client side from the scores of the network model's edges, thereby creating a discrete update space. Further, to account for fairness among the clients participating in the FL task, a contribution metric is introduced, so that FedDiscrete can penalize likely attackers by assigning the updated global ranking. Extensive experimental results show that the proposed method has significant advantages and robustness in resisting poisoning attacks, applies to both independent and identically distributed (IID) and non-IID settings, and can protect CEFL systems.
Keywords: federated learning; poisoning attack; defense strategy; discrete update space; cloud-edge-client architecture
CLC number: TP309
Chinese citation format: Zhao YR, Zhang JB, Cao YH, Huang HX. Defense Method Against Poisoning Attacks in Cloud-edge Federated Learning Systems. Ruan Jian Xue Bao/Journal of Software, 2025, 36(9): 4250–4270 (in Chinese).
http://www.jos.org.cn/1000-9825/7266.htm
英文引用格式: Zhao YR, Zhang JB, Cao YH, Huang HX. Defense Method Against Poisoning Attacks in Cloud-edge Federated
Learning Systems. Ruan Jian Xue Bao/Journal of Software, 2025, 36(9): 4250–4270 (in Chinese). http://www.jos.org.cn/1000-9825/
7266.htm
Defense Method Against Poisoning Attacks in Cloud-edge Federated Learning Systems
ZHAO Ya-Ru 1,2, ZHANG Jian-Biao 1,2, CAO Yi-Hao 1,2, HUANG Hao-Xiang 1,2
1 (College of Computer Science, Beijing University of Technology, Beijing 100124, China)
2 (Beijing Key Laboratory of Trusted Computing (Beijing University of Technology), Beijing 100124, China)
Abstract: With the proliferation of massive data and the ever-growing demand for intelligent applications, ensuring data security has
become a critical measure for enhancing data quality and realizing data value. The cloud-edge-client architecture has emerged as a
promising technology for efficient data processing and optimization. Federated learning (FL), an efficient decentralized machine learning
paradigm that can provide privacy protection for data, has garnered extensive attention from academia and industry in recent years.
However, FL has demonstrated inherent vulnerabilities that render it highly susceptible to poisoning attacks. Most existing methods for
defending against poisoning attacks rely on a continuous update space, but in practical scenarios those methods may be less robust when
facing flexible attack strategies and varied attack scenarios. Therefore, this study proposes FedDiscrete, a defense method for resisting
poisoning attacks in cloud-edge FL (CEFL) systems. The key idea is to compute local rankings on the client side using the scores of
network model edges to create a discrete update space. To ensure fairness among clients participating in the FL task, this study also
* Funding: Beijing Natural Science Foundation (M21039)
Received: 2023-10-09; revised: 2024-05-25, 2024-06-30; accepted: 2024-08-02; published online by JOS: 2024-12-11
CNKI online-first date: 2024-12-12

