Federated learning allows multiple users to collaboratively train a shared classification model while preserving data privacy. This approach, where model updates are aggregated by a central server, was shown to be vulnerable to poisoning backdoor attacks: a malicious user can alter the shared model to arbitrarily classify specific inputs from a given class. In this paper, we analyze the effects of backdoor attacks on federated meta-learning, where users train a model that can be adapted to different sets of output classes using only a few examples. While the ability to adapt could, in principle, make federated learning frameworks more robust to backdoor attacks (when new training examples are benign), we find that even 1-shot attacks can be very successful and persist after additional training. To address these vulnerabilities, we propose a defense mechanism inspired by matching networks, where the class of an input is predicted from the similarity of its features with a support set of labeled examples. By removing the decision logic from the model shared with the federation, success and persistence of backdoor attacks are greatly reduced.
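The defense the abstract describes keeps only a feature extractor in the federated model and moves the classification decision to the client, where it is computed from similarity to a locally held support set. The following is an added illustration of that matching-network style decision rule; it is not code from the paper. The shared feature extractor is a constructed toy linear map (`SHARED_WEIGHTS`) standing in for the federated model's feature layers, and the support sets and queries are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed stand-in for the federated model's feature layers (assumption:
# the real paper uses a learned neural feature extractor, not this linear map).
SHARED_WEIGHTS = [
    [1.0, 0.0, 0.5],
    [0.0, 1.0, -0.5],
]


def embed(x):
    """Map a raw 3-d input to a 2-d feature vector with the shared extractor.

    This is the only part that comes from the federation; it contains no
    class labels and no decision layer.
    """
    return [sum(w * xi for w, xi in zip(row, x)) for row in SHARED_WEIGHTS]


def cosine(a, b):
    """Cosine similarity between two feature vectors (0.0 if either is zero)."""
    dot = sum(ai * bi for ai, bi in zip(a, b))
    na = math.sqrt(sum(ai * ai for ai in a))
    nb = math.sqrt(sum(bi * bi for bi in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def matching_predict(query, support, embed_fn=embed):
    """Matching-network style prediction made entirely on the client.

    The query is embedded with the shared extractor, compared to every
    support example by cosine similarity, and the similarities are turned
    into softmax attention weights that vote for the support labels. The
    label set therefore comes from the client's own support set, not from
    a classifier head inside the shared model.

    Returns (predicted_label, {label: total attention weight}).
    """
    q = embed_fn(query)
    sims = [cosine(q, embed_fn(x)) for x, _ in support]
    shift = max(sims)  # numerically stable softmax
    weights = [math.exp(s - shift) for s in sims]
    total = sum(weights)
    scores = defaultdict(float)
    for (_, label), w in zip(support, weights):
        scores[label] += w / total
    best = max(scores, key=scores.get)
    return best, dict(scores)


# Constructed support set for one client's task: two classes, two shots each.
SUPPORT_AB = [
    ([1.0, 0.0, 0.0], "a"),
    ([0.8, 0.2, 0.0], "a"),
    ([0.0, 1.0, 0.0], "b"),
    ([0.2, 0.8, 0.0], "b"),
]

# Constructed support set for a different task: same shared extractor, new
# class names and only one shot per class, showing few-shot adaptation.
SUPPORT_CATDOG = [
    ([0.0, 0.0, 1.0], "cat"),
    ([1.0, 0.0, 0.0], "dog"),
]


def demo():
    """Run both tasks through the same shared extractor; labels come from each support set."""
    results = {
        "ab_query_a": matching_predict([0.9, 0.1, 0.0], SUPPORT_AB)[0],
        "ab_query_b": matching_predict([0.1, 0.9, 0.0], SUPPORT_AB)[0],
        "catdog_query": matching_predict([0.0, 0.0, 0.9], SUPPORT_CATDOG)[0],
    }
    return results


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Because the shared model stops at `embed`, a client that swaps in a new support set (as in the `cat`/`dog` task) obtains a new label space without any change to the federated weights; the decision logic a poisoned classifier head would otherwise carry simply does not exist in the shared model.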