[Paper Reading] A Survey of Federated Learning Applications: A review of applications in federa...

Updated: 2023-06-23 16:47:24

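Paper reading: a survey of federated learning applications, A review of applications in federated learning
I have recently been writing a paper on federated learning applications, so I read this article and took some brief notes.
Zhang, zhangruiyuan@zju.edu. Contact me if you have any questions.
I. Overview of federated learning
The paper first gives an overview of federated learning from three angles: its characteristics, the existing open-source frameworks, and its categorization.
Characteristics of federated learning
1. The prevalence of cross-organizational federated learning scenarios
2. A large amount of non-IID (non-independent and identically distributed) data
3. A decentralized technology
Quoting the original to explain why the authors consider federated learning a decentralized technology: For cases in FL, each client is completely autonomous, data is not allocated by center and the training process is not governed by server. Therefore, FL is an integrated technology to combine machine learning models and data fusion through decentralized collaboration.
4. Every node has equal status
This means that in federated learning, a user who holds only a small dataset has the same standing as the other users.
Existing open-source frameworks
The authors introduce two federated learning frameworks in the paper: TTF and FATE.
1. TTF
The first open-source, self-contained, production-grade federated learning framework for mobile devices. It has been applied successfully to next word prediction, emoji prediction and similar areas, and has reached 10 million devices on the way to 1 billion.
2. FATE
The first open-source industrial-grade framework, aimed mainly at cross-organizational federated learning architectures. It has been applied to risk control, object detection and anti-money laundering.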
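Categorization of federated learning
The categorization of federated learning presented in the paper mainly follows Yang Qiang's Federated machine learning: concept and applications. Personally, though, emmm, I prefer to categorize federated learning as cross-organization versus cross-device.
II. The evolution of federated learning
The authors describe the evolution of federated learning from two angles: algorithm optimization and security.
2.1 Algorithm optimization
Methods for reducing communication cost: fewer communication rounds, less time spent on model updates
Methods for handling statistical heterogeneity: focusing on the global model, adding extra data preprocessing steps, modifying the local training mode
Structural heterogeneity (differences between training devices): fault tolerance, resource allocation
This part is not my focus; if you are interested, see the original paper.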
2.2 Security
Privacy risks currently present in federated learning: data poisoning attacks, model poisoning, inference attacks
Privacy-preserving techniques in federated learning: client-side privacy protection, secure aggregation methods, protection methods for the federated learning framework
Privacy risks
Nevertheless, the system is not sufficiently secure because the transmission of gradients and partial parameters may lead to indirect privacy leakage (Bos, Lauter, & Naehrig, 2014).
1. Data poisoning attacks
There are two main types of ‘data poisoning’ attack modes including model skew and feedback weaponization.
First, one paper states that because federated learning never obtains the raw data directly, it is not exposed to the harm of data poisoning the way traditional federated learning is.
Nevertheless, the traditional data poisonings methods are less effective or may need many malicious participants when it comes to FL since malicious attackers have no direct access to raw data (Bagdasaryan, Veit, Hua, Estrin, & Shmatikov, 2018).
But next, another paper showed that this view, namely that federated learning can avoid data poisoning, is wrong.
On the basis research of Bagdasaryan et al., (2018), Yang et al. (2019) studied a novel and effective distributed backdoor attack. They divided an attack trigger into many slices and embedded each slice into different attackers instead of embedding a complete trigger into only one attacker. This new-fashioned mode throws a wrench in the old argument that FL is possible to avoid data poisoning. It also gives a new evaluation form for security analysis in FL.
2. Model poisoning (also called adversarial attack)
Model poisoning means making a machine learning model produce a wrong result by designing a special input. Model poisoning refer to make machine learning model to generate a wrong result by designing a specific input.
Model poisoning is divided into non-targeted adversarial attacks and targeted adversarial attacks, which differ as follows:
The former one is a common type which lead to an incorrect consequence, and the other one is relatively difficult that aiming at injecting a specific type for input.
On the other hand, federated learning implements secure aggregation, which makes it harder for the aggregator to check for model anomalies and incorrect local updates (because it cannot see the models the clients upload).
Attack examples:
According to this drawback, the backdoor can be inserted into federated environment by malicious participant through model-replacement methodology thus misunderstand the joint model. This novel attack method can be successfully employed in federated training tasks including image classification and word prediction (Bagdasaryan et al., 2018).
Bhagoji, Chakraborty, Mittal, and Calo (2019) attacked global model through few malicious adversaries to wrongly classified targeted model.
The attack above is a targeted attack; this class of attack ensures that most recognition results remain correct.
Byzantine-resilient defenses were also shown to break down, emmm:
In addition, the results show Byzantine-resilient aggregation technology is weak to offense this type of attack in the federated setting. Then Zhang, Chen, Wu, Chen, and Yu (2019) give first attempt to generate model poisoning attack based on Generative Adversarial Nets (GAN). In this work, malicious participant pretended to be a benign agent. Then they assign a GAN architecture to generate training data as well as distributed a wrong label to induce benign client to be damaged. The existing methodologies aiming at defending poisoning attack are quite invalid in federated settings. In
The authors hope that server-side anomaly detection and hidden classification results may be a direction for future work. Emmm, I think this still needs careful thought; the problem is unlikely to be solved that easily.
3. Inference attacks (inferring attack)
The value of this type of attack mainly used to detect privacy records or restore training data through a white box or a black box.
Inferring attacks can be divided into tracing attacks (membership inference attacks) and reconstruction attacks, which differ as follows:
The first mentioned of two indicates to infer whether a client is contained in the data set. The latter advocates recover some features about an individual participant.
Attack examples:
Membership inference attack: With utilization of vulnerability of SGD, Nasr, Shokri, and Houmansadr (2019) designed a white-box membership inference attack method direct at neural network. Then it was successfully applied to federated setting to infer information via a curious server or any of a participant.
Reconstruction inference attack: In cases of this kind, Wang, Z. et al. (2019) built a general attack frame called mGAN-AI which could reconstruct private information for target client.
To address the problems above, the authors believe that more prediction algorithms should be explored and that data should be encrypted before it is uploaded.
Security: privacy-preserving techniques in federated learning
1. Client-side privacy protection
Use of differential privacy:
For instance, since FedAvg is prone to be violated by differential attack, Geyer, Klein, and Nabi (2018) leveraged differential privacy on FL to conceal whether a client participant in the training process.
Likewise, to improve FedAvg, McMahan, Zhang, Ramage, and Talwar (2018) also applied DP to this process by adding Gaussian noise to the global model.
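The clip-then-add-Gaussian-noise step that DP variants of FedAvg rely on, as an added sketch (not code from the paper or from these notes). The clipping bound `S`, noise multiplier `z` and the sample updates are assumptions; it applies the standard Gaussian mechanism to a clipped sum rather than reproducing any one paper's exact estimator.

```python
import math
import random

def clip(update, S):
    """Scale a client update down so that its L2 norm is at most S."""
    norm = math.sqrt(sum(x * x for x in update))
    factor = min(1.0, S / norm) if norm > 0 else 1.0
    return [x * factor for x in update]

def dp_fedavg_round(global_model, client_updates, S, z, rng):
    """One aggregation round: clip each delta, sum, add noise, average."""
    n = len(client_updates)
    clipped = [clip(u, S) for u in client_updates]
    summed = [sum(col) for col in zip(*clipped)]
    # After clipping, adding or removing one client changes the sum by at
    # most S in L2 norm, so the noise on the sum is calibrated to z * S.
    sigma = z * S
    noisy_avg = [(s + rng.gauss(0.0, sigma)) / n for s in summed]
    return [w + d for w, d in zip(global_model, noisy_avg)]

def demo(z=1.0, seed=7):
    # Constructed sample updates; the last one is an outlier 100x larger
    # than the others, which clipping reduces to norm S before averaging.
    updates = [[0.3, 0.4], [0.0, 0.5], [-0.5, 0.0], [30.0, 40.0]]
    return dp_fedavg_round([0.0, 0.0], updates, S=1.0, z=z,
                           rng=random.Random(seed))
```

With `z=0` the round is plain clipped averaging, which makes the effect of the bound visible: the outlier contributes `[0.6, 0.8]` to the sum instead of `[30, 40]`.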
An optimized use of differential privacy:
In federated online training for ranker using feedback from users, Kharitonov (2019) introduced ε-local differential privacy. Opposite to common algorithms, it is stricter since they protect user-level privacy instead of imposing privacy-preserving technology after data aggregation.
Use of homomorphic encryption:
Homomorphic encryption refers to an encryption mechanism that parameters are encoded before adding or multiplying operation and performs equivalent result compare to uncode function
Liu et al. (2018) employed additively homomorphic encryption to modify neural network model and minimize the impact on training accuracy.
Ilias and Georgios (2019) also added homomorphic encryption to a more robust FL framework, which make it possible to compute aggregation on encrypted client.
However, using homomorphic encryption usually requires transmitting more parameter information.
Use of locality-sensitive hashing (LSH) (Gionis, Indyk, & Motwani, 1999):
What advantages do the authors see in LSH over differential privacy and homomorphic encryption?
Besides, LSH would not cause overmuch communication overhead like homomorphic encryption and reduce accuracy like differential privacy.
Lee et al. (2018) make use of LSH to detect similar patients in federated settings.
Recently, Li et al. (2020) build a practical gradient boosting decision trees rely on LSH. In the pre-processing stage, LSH would help find similar samples dispersed in different clients, and they will use the sum gradients of similar instances instead of only use the gradient of one instance when processing gradient updating.
2. Secure aggregation
Secure multi-party computation (SMC) is employed, which mainly concentrate on how to safely calculate a function for various client without a reliable third party.
The first paper on secure aggregation
Bonawitz et al. (2017) proposed the first secure aggregation protocol with utilization of secure multiparty computation.
In this agreement, model update information of each device is unrevealed to central server. Only after enough devices update their model, can server receive the aggregated model. Owing to the quadratic communication cost, the above-mentioned protocol is not applicable for larger scale situations.
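How a server can obtain only the sum of the updates, shown as an added example (not code from the paper or from these notes). It uses pairwise additive masking, the core idea of this style of protocol, and leaves out key agreement and dropout recovery; the pre-shared seeds, ring size, fixed-point scale and sample updates are assumptions.

```python
import hashlib
import itertools

MOD = 2 ** 32      # masks and sums live in the ring of integers mod 2^32
SCALE = 10 ** 4    # fixed-point scale used to quantize float updates

def prg(seed, length):
    """Expand a shared seed into `length` pseudo-random ring elements."""
    return [int.from_bytes(
                hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4], "big")
            for i in range(length)]

def mask_update(cid, update, pair_seeds):
    """Client side: quantize, then add the mask shared with each higher-id
    peer and subtract the mask shared with each lower-id peer."""
    masked = [round(x * SCALE) % MOD for x in update]
    for (a, b), seed in pair_seeds.items():
        if cid not in (a, b):
            continue
        sign = 1 if cid == a else -1          # keys are built with a < b
        for k, m in enumerate(prg(seed, len(update))):
            masked[k] = (masked[k] + sign * m) % MOD
    return masked

def aggregate(masked_updates):
    """Server side: sum the masked vectors; every pairwise mask cancels."""
    total = [sum(col) % MOD for col in zip(*masked_updates)]
    # Map ring elements back to signed fixed-point values, then to floats.
    return [((t + MOD // 2) % MOD - MOD // 2) / SCALE for t in total]

def demo():
    # Constructed sample updates for three clients.
    updates = {0: [0.12, -0.50, 0.03],
               1: [-0.20, 0.40, 0.10],
               2: [0.05, 0.05, -0.30]}
    # One seed per unordered pair of clients, n*(n-1)/2 in total, which is
    # where the quadratic cost comes from. Assumption: seeds are pre-shared.
    pair_seeds = {(a, b): f"seed-{a}-{b}".encode()
                  for a, b in itertools.combinations(sorted(updates), 2)}
    masked = {c: mask_update(c, u, pair_seeds) for c, u in updates.items()}
    return updates, masked, aggregate(list(masked.values())), len(pair_seeds)
```

Each masked vector the server receives looks random on its own, which is also why the aggregator cannot inspect an individual update for anomalies.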
Making secure aggregation more applicable in practice
By this way, Hao, Li, Luo et al. (2019) envisioned a more efficient privacy-preserving scheme for FL, which integrate differential privacy and lightweight homomorphic encryption technology. This protocol, mainly for stochastic gradient descent approach, is robust to curious-but-honest server and collusion between the cloud and server.
Verifying the correctness of the model returned by the cloud server, and using secret sharing to keep gradient information from leaking to the cloud server
Occasionally, global model returned by clouds may not reliable or complete. Because unreliable cloud server may be malicious to return a totally wronged model or may be lazy to convey a compressed but inaccurate model due to computational pressure. Thereafter Xu, Li, Liu, Yang, and Lin (2020) devised VerifyNet, the first protocol that can verify correctness of returned model from cloud. For privacy guarantee, they implemented variation of secret sharing combined with key agreement protocol to enhance confidentiality of gradients.
Judging whether a client's model is malicious
The up-to-date approach proposed by Chen et al. (2020) also concentrated on secure aggregation scheme. They add an extra public parameter dispatch to each client to force them training in a same way, thus detect malicious client easily when making an aggregation stage.
Honestly, I finished this section rather confused. What exactly is secure aggregation in federated learning?
Preventing the server from learning the clients' models
Preventing illegitimate aggregation by the server
Preventing illegitimate gradients from clients
3. Protection methods in federated learning frameworks
To enhance privacy for the framework, many hybrid approaches have been proposed.
