人工智能:數(shù)據(jù)與模型安全課件:聯(lián)邦學(xué)習(xí)_第1頁
人工智能:數(shù)據(jù)與模型安全課件:聯(lián)邦學(xué)習(xí)_第2頁
人工智能:數(shù)據(jù)與模型安全課件:聯(lián)邦學(xué)習(xí)_第3頁
人工智能:數(shù)據(jù)與模型安全課件:聯(lián)邦學(xué)習(xí)_第4頁
人工智能:數(shù)據(jù)與模型安全課件:聯(lián)邦學(xué)習(xí)_第5頁
已閱讀5頁,還剩43頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認領(lǐng)

文檔簡介

Federated

Learning聯(lián)邦學(xué)習(xí)

口 CommonTamperingandDeepfakes口 ImageManipulationDetection口 VideoManipulationDetectionThisWeek口 FederatedLearning口 PrivacyinFederatedLearning口 RobustnessinFederatedLearning口 ChallengesandFutureResearchTraditionalMachineLearningDataModelDataandmodelinonesingleplaceTraditionalMachineLearningDataModelWhat

if

we

need

more

data?DataGatheringUsingmultipleGPUsFederatedLearning:Whatisit?

Nextwordpredictiononmobile.

HorizontalFL(橫著切):samefeatures,differentsamplesFederatedLearning:TypesVerticalFL(縱著切):samesamples,differentfeaturesFederatedLearning:Types

FederatedLearning:TypesFederatedTransferLearning:differentsamples,differentfeatures

CompareDifferentParadigms

CompareDifferentParadigms

SplitLearningvsFederatedLearningFederatedLearningFrameworksHE:homomorphicencryption SS:secretSharingObjectivesandUpdatesinFLGlobalobjectiveLocalobjective:LocalUpdates:GlobalAggregation(e.g.FedAvg):FederatedLearning–MajorChallengesExpensiveCommunicationSystemsHeterogeneityStatisticalHeterogeneityPrivacyandSecurityConcerns

FederatedLearning-Horizontal

HFLcanfurtherbedividedinto…?PrivacyandSecurityThreatsLyuetal.“Privacyandrobustnessinfederatedlearning:Attacksanddefenses.”TNNLS,2022.SummaryofThreatModelsFLserver(insider)FLparticipants(insider)Eavesdroppers(outsider)Serviceusers(outsider)□InsidervsOutsider □InsiderAttacksByzantine:theworstattacker,knowseverythingaboutthesystem,doesnotobeytheprotocol,sendarbitraryupdates,evencolludewitheachother.Sybil:takingoverthenetworkbysimulatingmanydummyparticipants,out-votethehonestusersSemi-honestvsMaliciousSemi-honestsettingMalicioussettingTraining-timevsTest-timeStealprivatedata,stealmodel,corruptthemodel(trainingtime)Adversarialattack(testtime)SummaryofAttacksExistingattacksagainstserver-basedFLPoisoningAttacksDatapoisoningvsmodel(weight)poisoningDataPoisoningAttacksinTraditionalML□Dirty-labelPoisoningLabelflipping(onlychangelabels)Dirty-labelbackdoor(changeinputsandlabels)Clean-labelPoisoningClean-labelbackdoor(onlychangeinputs)DataPoisoningAttacksinTraditionalMLAsimplepatterncanmakethemodeltomemorizeFLPoisoningAttacks–ModelPoisoningMaincharacteristics:ChangelocalmodelweightsMostlyByzantineattack(attackercandoanythingtotheweights)CanattackByzantine-robustaggregationmechanismssuchasKrumandcoordinate-wisemedianinsteadofweightedaveragingKrum:PrivacyAttacksForeverycommunicationround,localclientshavethechancetoreverseengineerothers’gradients.Fromthereversedgradients,reverseengineer:RepresentationsMembershipPropertiesSensitiveattributesInVFL:featuresPrivacyAttacks–InferenceAttacksDeepmodelsundertheGAN:informationleakagefromcollaborativedeeplearning,CCS2017InferenceclassrepresentationsusingGANsCIFAR-10horseclassReconstructAlice’sfaceimagePrivacyAttacks–InferenceAttacksComprehensiveprivacyanalysisofdeeplearning:Passiveandactivewhite-boxinferenceattacksagainstcentralizedandfederatedlearning,S&P,2019Inferencemembership:Passiveattacks:observeandinference.Activeattacks:influencethetargetmodelinordertoextractmoreinformation.WeaknessofFL:FLcreatesanenvironmentfor(almost)white-boxattacksPrivacyAttacks–InferenceAttacksOtherinferenceattacks:inferringproperties,trainingdata,labels...DeepLeakagefromGradient(DLG)ImprovedDeepLeakagefromGradient(iDLG)…Defenses–PrivacyDefenseHomomorphic

Encryption:RSAEl

GamalPaillier…Homomorphic

properties:Allows

computation

directly

onencrypted

data(“可算不可見”)Needs

to

be

designed

for

eachalgorithmA

side

note:

attacking

encrypted

FL

is

challengingbut

still

possible!Defenses–PrivacyDefense2.

SecureMultipartyComputation(SMC,Yaosharing):SecureML(data-independentofflinephase+fastonlinephase)Offlinemultiplicationtriplets,truncate,sharingCharacteristics:HighlevelprivacyHighcomputationandcommunicationcostYao'sMillionaires'problemProtocolsforSecureComputations,AndrewChi-ChihYao,1982,UCBerkeleyDefenses–PrivacyDefense2.DifferentialPrivacy(DP):TypesofDP:LocalDPCentralizedDPDistributedDPDefenses–PrivacyDefenseDataflowofstatisticsunderLDP2.DifferentialPrivacy(DP):Defenses–PrivacyDefense2.DifferentialPrivacy(DP):TypesoffrequencyestimationDefenses–PrivacyDefense2.DifferentialPrivacy(DP):Real-worldapplications.Vanilla

FLM:ADPmechanismCentralized

DPM:ADPmechanismLocal

DPM:ADPmechanismE:encryptionD:decryptionDistributed

DPDefenses–ByzantineDefenseAlgorithm:Krum(forByzantinerobustness)Setting:nparticipants,fareByzantine,with??≥????+??Atcommunicationroundt,?? ?? ??serverreceives{????,????,…,????}foreach????:??selecttheclosest(L2distance)n-f-2intoset????compute??????????????=∑?? ??∈???? ????????????? ????????????=???=argmin{?????????????? ,…,??????????????}updateglobalparameter:????.??=????+??????????Blanchardetal.“Machinelearningwithadversaries:Byzantinetolerantgradientdescent.”NeurIPS,2017.Defenses–ByzantineDefenseAlgorithm:Krum(forByzantinerobustness)Blanchard

et

al.

“Machine

learning

with

adversaries:

Byzantine

tolerant

gradient

descent.”

NeurIPS,

2017.紅色:攻擊梯度藍色:真實梯度黑色:本地梯度黑色曲線:損失函數(shù)Defenses–ByzantineDefenseMorerobustaggregationmethods:Multi-Krum=Krum+Averaging=Krumrobustness+increasedconvergencespeedcoordinate-wisemedian,coordinate-wisetrimmedmeanmedianisnotgoodforconvergenceBulyan=Krum+trimmedmedianMedianandgeometric-median(RobustFederatedAggregation)RFA:approximategeometricmedian(notrobusttoByzantineattacks)Defenses–ByzantineDefenseModelpoisoningattackcanbreakKrumandcoordinate-wisemedianAnalyzingfederatedlearningthroughanadversariallens,ICML2019.??/:adversarialtargetclassr:numberofpoisonedsamples??0:cleandata1???2:estimationoftheglobalparametersReversedgradientsfromthelastround.Defenses–SybilDefenseFromtraditionalML:RejectonNegativeInfluence(RONI)WithacleanvalidationdatasetItrequiresuniformdistributioninnon-IIDsetting,notgood.FoolsGold:Sybilsharethesameobjective,driftsawayfromtheoriginalobjectiveCoreidea:cosinesimilarity

Defenses–SybilDefenseDistributedbackdoorattack(DBA)canbypassbothRFAandFoolsGold.DBA:Distributed

Backdoor

Attacks

against

Federated

Learning,

ICLR

2020.

Defenses

-

SummaryDefenseagainstFederatedLearningPoisoning.n:numberofparticipants.RemainingChallengesandFutureResearch□ CurseofdimensionalityLargermodelsaremorevulnerableSharingweights/gradientsmaynotbeagoodidea□ WeaknessesofcurrentattacksGANattackassumestheclassofdataisfromonesingleparticipantDLG/iDLGworkwithsecond-ordergradientmethod(expensive)andsmallminibatch-gradients(B=8)□ Vulnerabilitytofreeriders:pretendtohavedatabutnot.□ WeaknessofCurrentPrivacy-preservingTechniquesSecureaggregationismorevulnerabletopoisoningattackssinceindividualupdatescannotbecheckedAdversarialtraining(IIDornon-IID,loca

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論