Federated learning (FL) has emerged to enable global model training over distributed clients' data while preserving its privacy. However, the globally trained model is vulnerable to evasion attacks, especially adversarial examples (AEs): carefully crafted samples that yield a false classification. Adversarial training (AT) is found to be the most promising approach against evasion attacks, and it is widely studied for convolutional neural networks (CNNs). Recently, vision transformers have been found to be effective in many computer vision tasks. To the best of the authors' knowledge, no work has studied the feasibility of AT in an FL process for vision transformers. This paper investigates such feasibility with different federated model aggregation methods and different vision transformer models with different tokenization and classification head techniques. In order to improve the robust accuracy of the models with non-independent and identically distributed (Non-IID) data, we propose an extension to the FedAvg aggregation method, called FedWAvg. By measuring the similarities between the last layer of the global model and the last layer of the client updates, FedWAvg calculates the weights used to aggregate the local model updates. The experiments show that FedWAvg improves the robust accuracy when compared with other state-of-the-art aggregation methods.
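The abstract describes FedWAvg only as "similarity between the last layers, turned into aggregation weights". As an added illustration (not the paper's code), the pure-Python sketch below contrasts sample-count FedAvg weighting with a last-layer-similarity weighting of that kind; the use of cosine similarity, the clipping of negative similarities to zero, the normalisation to sum 1, and the flat-dict model layout are all assumptions made here for illustration.

```python
import math

# Assumed layout: a model is {layer_name: flat list of floats}; "head" is the last
# (classification) layer. Constructed toy values, not from the paper.

def cosine_similarity(a, b):
    """Cosine similarity of two flat parameter vectors (0.0 if either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return 0.0 if norm_a == 0 or norm_b == 0 else dot / (norm_a * norm_b)

def weighted_aggregate(client_models, weights):
    """Weighted sum of client models, layer by layer; weights must sum to 1."""
    return {layer: [sum(w * m[layer][i] for m, w in zip(client_models, weights))
                    for i in range(len(client_models[0][layer]))]
            for layer in client_models[0]}

def fedavg_weights(num_samples):
    """FedAvg: each client is weighted by its share of the training samples."""
    total = sum(num_samples)
    return [n / total for n in num_samples]

def fedwavg_weights(global_model, client_models, last_layer="head"):
    """Assumed FedWAvg-style weights: cosine similarity between the global model's
    last layer and each client's last layer, clipped at zero and normalised, so a
    client whose head points away from the global head contributes nothing."""
    sims = [max(cosine_similarity(global_model[last_layer], m[last_layer]), 0.0)
            for m in client_models]
    total = sum(sims)
    if total == 0:  # no client agrees with the global head: fall back to uniform
        return [1.0 / len(client_models)] * len(client_models)
    return [s / total for s in sims]

def example_round():
    """One aggregation round on constructed clients; returns (FedAvg, FedWAvg) models."""
    global_model = {"body": [1.0, 1.0], "head": [1.0, 0.0]}
    clients = [
        {"body": [1.2, 0.9], "head": [0.9, 0.1]},   # head close to the global head
        {"body": [0.8, 1.1], "head": [0.0, 1.0]},   # head orthogonal to it
        {"body": [1.0, 1.0], "head": [-1.0, 0.0]},  # head pointing the opposite way
    ]
    num_samples = [100, 100, 100]  # equal shards, so FedAvg is a plain mean
    return (weighted_aggregate(clients, fedavg_weights(num_samples)),
            weighted_aggregate(clients, fedwavg_weights(global_model, clients)))
```

With equal shard sizes FedAvg averages the three heads into a vector that agrees with none of them, whereas the similarity weighting keeps only the client whose head is aligned with the global one.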