ICLR 2024 | Model critical layers for federated learning backdoor attacks-AI-php.cn

Home

Technology peripherals

ICLR 2024 | Model critical layers for federated learning backdoor attacks

PHPz

Apr 07, 2024 am 09:04 AM

projectSouth China University of Technology

Federated learning uses multiple parties to train models while data privacy is protected. However, because the server cannot monitor the training process performed locally by participants, participants can tamper with the local training model, thus posing security risks to the overall federated learning model, such as backdoor attacks.

This article focuses on how to launch a backdoor attack on federated learning under a defensively protected training framework. This paper finds that the implantation of backdoor attacks is more closely related to some neural network layers, and calls these layers the key layers for backdoor attacks. In federated learning, clients participating in training are distributed on different devices. They each train their own models, and then upload the updated model parameters to the server for aggregation. Since the client participating in the training is not trustworthy and there is a certain risk, the server

is based on the discovery of the key layer of the backdoor. This article proposes to bypass the defense algorithm detection by attacking the key layer of the backdoor, so that a small number of participants can be controlled to perform efficient backdoor attack.

ICLR 2024 | 联邦学习后门攻击的模型关键层

Paper title: Backdoor Federated Learning By Poisoning Backdoor-Critical Layers

Paper link: https://openreview.net/pdf?id=AJBGSVSTT2

Code link: https://github.com/zhmzm/Poisoning_Backdoor-critical_Layers_Attack

Method

ICLR 2024 | 联邦学习后门攻击的模型关键层

This article A layer replacement method is proposed to identify key layers of backdoors. The specific method is as follows:

The first step is to train the model on a clean data set until convergence, and save the model parameters as benign model. Then copy the benign model and train it on the data set containing the backdoor. After convergence, save the model parameters and record them as malicious model .
The second step is to replace a layer of parameters in the benign model into the malicious model containing the backdoor, and calculate the backdoor attack success rate of the resulting model. The difference between the obtained backdoor attack success rate and the malicious model's backdoor attack success rate BSR is ΔBSR, which can be used to obtain the impact of this layer on backdoor attacks. Using the same method for each layer in the neural network, you can get a list of the impact of all layers on backdoor attacks.
The third step is to sort all layers according to their impact on backdoor attacks. Take the layer with the greatest impact from the list and add it to the backdoor attack key layer set , and implant the backdoor attack key layer (layers in the set ) parameters in the malicious model into the benign model. Calculate the backdoor attack success rate of the obtained model. If the backdoor attack success rate is greater than the set threshold τ multiplied by the malicious model backdoor attack success rate, the algorithm will be stopped. If it is not satisfied, continue to add the largest layer among the remaining layers in the list to the key layer for backdoor attack until the conditions are met.

After obtaining the collection of key layers of backdoor attacks, this article proposes a method to bypass the detection of defense methods by attacking the key layers of backdoors. In addition, this paper introduces simulation aggregation and benign model centers to further reduce the distance from other benign models.

Experimental results

This article verifies the effectiveness of key layer attacks based on backdoors on multiple defense methods on the CIFAR-10 and MNIST data sets. The experiment will use the backdoor attack success rate BSR and the malicious model acceptance rate MAR (benign model acceptance rate BAR) as indicators to measure the effectiveness of the attack.

First of all, layer-based attack LP Attack can allow malicious clients to obtain a high selection rate. As shown in the table below, LP Attack achieved a reception rate of 90% on the CIFAR-10 dataset, which is much higher than the 34% of benign users.

ICLR 2024 | 联邦学习后门攻击的模型关键层

Then, LP Attack can achieve a high backdoor attack success rate, even in a setting with only 10% malicious clients. As shown in the table below, LP Attack can achieve a high backdoor attack success rate BSR under the protection of different data sets and different defense methods.

ICLR 2024 | 联邦学习后门攻击的模型关键层

In the ablation experiment, this article poisoned the backdoor key layer and the non-backdoor key layer respectively and measured the backdoor attack success rate of the two experiments. As shown in the figure below, when attacking the same number of layers, the success rate of poisoning non-backdoor key layers is much lower than that of poisoning backdoor key layers. This shows that the algorithm in this article can select effective backdoor attack key layers.

ICLR 2024 | 联邦学习后门攻击的模型关键层

In addition, we conduct ablation experiments on the model aggregation module Model Averaging and the adaptive control module Adaptive Control. As shown in the table below, both modules improve the selection rate and backdoor attack success rate, proving the effectiveness of these two modules.

ICLR 2024 | 联邦学习后门攻击的模型关键层

Summary

This article found that backdoor attacks are closely related to some layers, and proposed an algorithm to search for key layers of backdoor attacks. This paper proposes a layer-wise attack on the protection algorithm in federated learning by using backdoors to attack key layers. The proposed attack reveals the vulnerabilities of the current three types of defense methods, indicating that more sophisticated defense algorithms will be needed to protect federated learning security in the future.

Introduction to the author

Zhuang Haomin, graduated from South China University of Technology with a bachelor's degree, worked as a research assistant in the IntelliSys Laboratory of Louisiana State University, and is currently studying for a doctoral degree at the University of Notre Dame . The main research directions are backdoor attacks and adversarial sample attacks.

The above is the detailed content of ICLR 2024 | Model critical layers for federated learning backdoor attacks. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:机器之心. If there is any infringement, please contact admin@php.cn delete

4090生成器：与A100平台相比，token生成速度仅低于18%，上交推理引擎赢得热议Dec 21, 2023 pm 03:25 PM

PowerInfer提高了在消费级硬件上运行AI的效率上海交大团队最新推出了超强CPU/GPULLM高速推理引擎PowerInfer。PowerInfer和llama.cpp都在相同的硬件上运行，并充分利用了RTX4090上的VRAM。这个推理引擎速度有多快？在单个NVIDIARTX4090GPU上运行LLM，PowerInfer的平均token生成速率为13.20tokens/s，峰值为29.08tokens/s，仅比顶级服务器A100GPU低18%，可适用于各种LLM。PowerInfer与

思维链CoT进化成思维图GoT，比思维树更优秀的提示工程技术诞生了Sep 05, 2023 pm 05:53 PM

要让大型语言模型（LLM）充分发挥其能力，有效的prompt设计方案是必不可少的，为此甚至出现了promptengineering（提示工程）这一新兴领域。在各种prompt设计方案中，思维链（CoT）凭借其强大的推理能力吸引了许多研究者和用户的眼球，基于其改进的CoT-SC以及更进一步的思维树（ToT）也收获了大量关注。近日，苏黎世联邦理工学院、Cledar和华沙理工大学的一个研究团队提出了更进一步的想法：思维图（GoT）。让思维从链到树到图，为LLM构建推理过程的能力不断得到提升，研究者也通

复旦NLP团队发布80页大模型Agent综述，一文纵览AI智能体的现状与未来Sep 23, 2023 am 09:01 AM

近期，复旦大学自然语言处理团队（FudanNLP）推出LLM-basedAgents综述论文，全文长达86页，共有600余篇参考文献！作者们从AIAgent的历史出发，全面梳理了基于大型语言模型的智能代理现状，包括：LLM-basedAgent的背景、构成、应用场景、以及备受关注的代理社会。同时，作者们探讨了Agent相关的前瞻开放问题，对于相关领域的未来发展趋势具有重要价值。论文链接：https://arxiv.org/pdf/2309.07864.pdfLLM-basedAgent论文列表：

吞吐量提升5倍，联合设计后端系统和前端语言的LLM接口来了Mar 01, 2024 pm 10:55 PM

大型语言模型(LLM)被广泛应用于需要多个链式生成调用、高级提示技术、控制流以及与外部环境交互的复杂任务。尽管如此，目前用于编程和执行这些应用程序的高效系统却存在明显的不足之处。研究人员最近提出了一种新的结构化生成语言（StructuredGenerationLanguage），称为SGLang，旨在改进与LLM的交互性。通过整合后端运行时系统和前端语言的设计，SGLang使得LLM的性能更高、更易控制。这项研究也获得了机器学习领域的知名学者、CMU助理教授陈天奇的转发。总的来说，SGLang的

大模型也有小偷？为保护你的参数，上交大给大模型制作「人类可读指纹」Feb 02, 2024 pm 09:33 PM

将不同的基模型象征为不同品种的狗，其中相同的「狗形指纹」表明它们源自同一个基模型。大模型的预训练需要耗费大量的计算资源和数据，因此预训练模型的参数成为各大机构重点保护的核心竞争力和资产。然而，与传统软件知识产权保护不同，对预训练模型参数盗用的判断存在以下两个新问题：1）预训练模型的参数，尤其是千亿级别模型的参数，通常不会开源。预训练模型的输出和参数会受到后续处理步骤（如SFT、RLHF、continuepretraining等）的影响，这使得判断一个模型是否基于另一个现有模型微调得来变得困难。无

FATE 2.0发布：实现异构联邦学习系统互联Jan 16, 2024 am 11:48 AM

FATE2.0全面升级，推动隐私计算联邦学习规模化应用FATE开源平台宣布发布FATE2.0版本，作为全球领先的联邦学习工业级开源框架。此次更新实现了联邦异构系统之间的互联互通，持续增强了隐私计算平台的互联互通能力。这一进展进一步推动了联邦学习与隐私计算规模化应用的发展。FATE2.0以全面互通为设计理念，采用开源方式对应用层、调度、通信、异构计算（算法）四个层面进行改造，实现了系统与系统、系统与算法、算法与算法之间异构互通的能力。FATE2.0的设计兼容了北京金融科技产业联盟的《金融业隐私计算

220亿晶体管，IBM机器学习专用处理器NorthPole，能效25倍提升Oct 23, 2023 pm 03:13 PM

IBM再度发力。随着AI系统的飞速发展，其能源需求也在不断增加。训练新系统需要大量的数据集和处理器时间，因此能耗极高。在某些情况下，执行一些训练好的系统，智能手机就能轻松胜任。但是，执行的次数太多，能耗也会增加。幸运的是，有很多方法可以降低后者的能耗。IBM和英特尔已经试验过模仿实际神经元行为设计的处理器。IBM还测试了在相变存储器中执行神经网络计算，以避免重复访问RAM。现在，IBM又推出了另一种方法。该公司的新型NorthPole处理器综合了上述方法的一些理念，并将其与一种非常精简的计算运行

14秒就能重建视频，还能变换角色，Meta让视频合成提速44倍Dec 27, 2023 pm 06:35 PM

Meta的视频合成新框架给我们带来了一些惊喜就今天的人工智能发展水平来说，文生图、图生视频、图像/视频风格迁移都已经不算什么难事。生成式AI天赋异禀，能够毫不费力地创建或修改内容。尤其是图像编辑，在以十亿规模数据集为基础预训练的文本到图像扩散模型的推动下，经历了重大发展。这股浪潮催生了大量图像编辑和内容创建应用。基于图像的生成模型所取得的成就基础上，下一个挑战的领域必然是为其增加「时间维度」，从而实现轻松而富有创意的视频编辑。一种直接策略是使用图像模型逐帧处理视频，然而，生成式图像编辑本身就具有

See all articles