School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China
Li Jianxin (2000- ), male, master's student at the School of Internet of Things, Nanjing University of Posts and Telecommunications; main research interests: federated learning and edge intelligence.
Chen Siguang (1984- ), male, Ph.D., professor at the School of Internet of Things, Nanjing University of Posts and Telecommunications; main research interests: edge intelligence and security.
Received: 2023-11-01; Revised: 2024-06-30; Published in print: 2025-09-10
LI Jianxin, CHEN Siguang. Client selection for federated learning against label flipping attacks [J]. Chinese Journal on Internet of Things, 2025, 09(03): 170-179. DOI: 10.11959/j.issn.2096-3750.2025.00403.
Federated learning (FL) allows multiple clients to train a global model collaboratively by sharing only model updates, without uploading local data. However, precisely because of this distributed global-aggregation mode, FL is vulnerable to label flipping attacks. To address this, a client selection defense algorithm for FL against label flipping attacks is proposed. Specifically, the algorithm derives a reliability factor for each client from the cosine similarity between the client model and an auxiliary client model, together with the accuracy of the client model, and performs weighted aggregation according to the reliability factors to obtain the global model. By assigning higher weights to benign clients, the influence of malicious clients on the global model is significantly reduced and model accuracy is improved. Then, combining each client's history of benign behaviour with Thompson sampling, the probability of each client being selected for aggregation is computed and the clients participating in the next round of aggregation are determined. Screening more benign clients for aggregation effectively defends against label flipping attacks and improves model robustness. Simulation results show that, compared with the existing federated averaging (FedAvg) algorithm and Byzantine-robust federated learning via trust bootstrapping (FLTrust), the proposed algorithm defends against label flipping attacks more effectively and achieves higher accuracy.
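The following Python example illustrates the two mechanisms the abstract describes, reliability-weighted aggregation and Thompson-sampling client selection, on a toy three-parameter model. It is an added illustration written for this page, not the authors' code: the exact form of the reliability factor (cosine similarity clipped at zero, scaled by the client's reported accuracy), the Beta posterior used for Thompson sampling, the benign threshold of 0.5, the client identifiers and the update vectors are all assumptions or constructed values, not taken from the paper.

```python
"""Reliability-weighted aggregation plus Thompson-sampling client selection.

Added example; not the paper's implementation. The reliability formula,
the Beta(benign, malicious) posterior and all sample vectors are assumptions.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

Vector = list[float]


def cosine_similarity(a: Vector, b: Vector) -> float:
    """Cosine of the angle between two update vectors (0.0 if either is zero)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def reliability_factor(client_update: Vector, auxiliary_update: Vector, accuracy: float) -> float:
    """Assumed form: similarity to the auxiliary (server-held) client's update,
    clipped so that updates pointing away from it get zero weight, then scaled
    by the client model's accuracy in [0, 1]."""
    sim = max(0.0, cosine_similarity(client_update, auxiliary_update))
    return sim * min(1.0, max(0.0, accuracy))


def weighted_aggregate(global_model: Vector, updates: list[Vector], factors: list[float]) -> Vector:
    """Apply the reliability-weighted mean of the updates to the global model.
    If every factor is zero, no client is trusted and the model is left unchanged."""
    total = sum(factors)
    if total == 0.0:
        return list(global_model)
    return [
        g + sum(f * u[i] for f, u in zip(factors, updates)) / total
        for i, g in enumerate(global_model)
    ]


def plain_average(global_model: Vector, updates: list[Vector]) -> Vector:
    """Unweighted mean, the FedAvg-style baseline the abstract compares against."""
    return weighted_aggregate(global_model, updates, [1.0] * len(updates))


@dataclass
class ClientHistory:
    """Counts feeding a Beta posterior; both start at 1 (uniform prior, assumed)."""
    benign: int = 1
    malicious: int = 1


def record_round(histories: dict[str, ClientHistory], factors: dict[str, float], threshold: float) -> None:
    """Credit a client as benign this round when its factor clears the threshold."""
    for cid, f in factors.items():
        if f >= threshold:
            histories[cid].benign += 1
        else:
            histories[cid].malicious += 1


def thompson_select(histories: dict[str, ClientHistory], k: int, rng: random.Random) -> list[str]:
    """Draw one sample per client from Beta(benign, malicious); keep the k largest.
    Clients with a benign history are selected with high probability but never
    with certainty, so a newly honest client still gets a chance."""
    draws = {cid: rng.betavariate(h.benign, h.malicious) for cid, h in histories.items()}
    return sorted(draws, key=lambda cid: draws[cid], reverse=True)[:k]


# Constructed data: the auxiliary client's update and three clients' updates.
# "c3" trains on label-flipped data, so its update points away from the others.
AUXILIARY_UPDATE: Vector = [1.0, 1.0, 0.0]
CLIENTS: dict[str, tuple[Vector, float]] = {
    "c1": ([0.9, 1.1, 0.1], 0.90),   # (update, reported accuracy)
    "c2": ([1.0, 0.8, 0.0], 0.85),
    "c3": ([-1.0, -0.9, 0.2], 0.30),
}


def run_round(global_model: Vector, clients: dict[str, tuple[Vector, float]],
              auxiliary_update: Vector) -> tuple[Vector, dict[str, float]]:
    """One aggregation round: score every client, then aggregate by those scores."""
    factors = {cid: reliability_factor(u, auxiliary_update, acc) for cid, (u, acc) in clients.items()}
    ids = list(clients)
    new_global = weighted_aggregate(global_model, [clients[c][0] for c in ids], [factors[c] for c in ids])
    return new_global, factors


if __name__ == "__main__":
    model, factors = run_round([0.0, 0.0, 0.0], CLIENTS, AUXILIARY_UPDATE)
    print("reliability factors:", factors)
    print("weighted model:     ", model)
    print("plain average:      ", plain_average([0.0, 0.0, 0.0], [u for u, _ in CLIENTS.values()]))
    hist = {cid: ClientHistory() for cid in CLIENTS}
    for _ in range(10):
        record_round(hist, factors, threshold=0.5)
    print("selected next round:", thompson_select(hist, 2, random.Random(7)))
```

Run as a script it prints the factors (the label-flipping client scores 0.0 because its update has negative cosine similarity), the weighted model, the unweighted average that the poisoned update drags down, and the two clients chosen for the next round after ten rounds of history.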
KHAN L U, SAAD W, HAN Z, et al. Federated learning for Internet of Things: recent advances, taxonomy, and open challenges [J]. IEEE Communications Surveys & Tutorials, 2021, 23(3): 1759-1799.
FANG X W, YE M. Robust federated learning with noisy and heterogeneous clients [C]// Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2022: 10062-10071.
MCMAHAN H B, MOORE E, RAMAGE D, et al. Communication-efficient learning of deep networks from decentralized data [C]// Proceedings of the International Conference on Artificial Intelligence and Statistics, 2022.
SUN J W, LI A, WANG B H, et al. Soteria: provable defense against privacy leakage in federated learning from representation perspective [C]// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2021: 9307-9315.
GUO Y Y, GAO B, ZHANG Z F, et al. An incentive mechanism with bandwidth allocation for federated learning [J]. Chinese Journal on Internet of Things, 2022, 6(4): 82-92.
GUO J H, CHEN Z Y, GAO W, et al. Clients selection method based on knapsack model in federated learning [J]. Chinese Journal on Internet of Things, 2022, 6(4): 158-168.
GENG G L, GAO B, XIONG K, et al. A survey of federated learning for 6G networks [J]. Chinese Journal on Internet of Things, 2023, 7(2): 50-66.
WANG Y J, LIN L, CHEN J H. Communication-efficient adaptive federated learning [C]// Proceedings of the 39th International Conference on Machine Learning (ICML). Piscataway: IEEE Press, 2022, 162: 22802-22838.
SUN Y, SHEN L, SUN H, et al. Efficient federated learning via local adaptive amended optimizer with linear speedup [J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(12): 14453-14464.
SHEN X C, LIU Y, LI F, et al. Privacy-preserving federated learning against label-flipping attacks on non-IID data [J]. IEEE Internet of Things Journal, 2024, 11(1): 1241-1255.
SUN G, CONG Y, DONG J H, et al. Data poisoning attacks on federated machine learning [J]. IEEE Internet of Things Journal, 2022, 9(13): 11365-11375.
SHI S P, HU C, WANG D, et al. Federated anomaly analytics for local model poisoning attack [J]. IEEE Journal on Selected Areas in Communications, 2022, 40(2): 596-610.
XU Q Q, YANG Z Y, ZHAO Y R, et al. Rethinking label flipping attack: from sample masking to sample thresholding [J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023, 45(6): 7668-7685.
SUCIU O, MĂRGINEAN R, KAYA Y, et al. Technical report: when does machine learning FAIL? Generalized transferability for evasion and poisoning attacks [J]. arXiv preprint, 2018, arXiv: 1803.06975v2.
ROSENFELD E, WINSTON E, RAVIKUMAR P, et al. Certified robustness to label-flipping attacks via randomized smoothing [C]// Proceedings of the 37th International Conference on Machine Learning (ICML). Piscataway: IEEE Press, 2020: 8230-8241.
DOKU R, RAWAT D B. Mitigating data poisoning attacks on a federated learning-edge computing network [C]// Proceedings of the 2021 IEEE 18th Annual Consumer Communications & Networking Conference (CCNC). Piscataway: IEEE Press, 2021: 1-6.
NASEER M, KHAN S, HAYAT M, et al. A self-supervised approach for adversarial robustness [C]// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2020: 259-268.
ZHOU D W, WANG N N, HAN B, et al. Modeling adversarial noise for adversarial training [C]// Proceedings of the 39th International Conference on Machine Learning (ICML). Piscataway: IEEE Press, 2022: 27353-27366.
LIU X Y, LI H W, XU G W, et al. Privacy-enhanced federated learning against poisoning adversaries [J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 4574-4588.
YIN D, CHEN Y D, RAMCHANDRAN K, et al. Byzantine-robust distributed learning: towards optimal statistical rates [J]. arXiv preprint, 2018, arXiv: 1803.01498.
MA X D, LI Q H, JIANG Q, et al. Byzantine-robust federated learning over Non-IID data [J]. Journal on Communications, 2023, 44(6): 138-153.
ZHANG J L, ZHU C C, SUN X B, et al. Membership inference attack and defense method in federated learning based on GAN [J]. Journal on Communications, 2023, 44(5): 193-205.
YU S X, CHEN Z. Efficient secure federated learning aggregation framework based on homomorphic encryption [J]. Journal on Communications, 2023, 44(1): 14-28.
BLANCHARD P, MHAMDI E, GUERRAOUI R, et al. Machine learning with adversaries: Byzantine tolerant gradient descent [C]// Proceedings of the Neural Information Processing Systems (NeurIPS). Piscataway: IEEE Press, 2017, 30: 119-129.
SHAYAN M, FUNG C, YOON C J M, et al. Biscotti: a blockchain system for private and secure federated learning [J]. IEEE Transactions on Parallel and Distributed Systems, 2021, 32(7): 1513-1525.
JIN S, LI Y, CHEN X, et al. Blockchain-based fairness-enhanced federated learning scheme against label flipping attack [J]. Journal of Information Security and Applications, 2023, 77: 103580.
QI Y H, HOSSAIN M S, NIE J T, et al. Privacy-preserving blockchain-based federated learning for traffic flow prediction [J]. Future Generation Computer Systems, 2021, 117: 328-337.
MA Z R, MA J F, MIAO Y B, et al. ShieldFL: mitigating model poisoning attacks in privacy-preserving federated learning [J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 1639-1654.
MUNOZ-GONZALEZ, CO K, LUPU E. Byzantine-robust federated machine learning through adaptive model averaging [J]. arXiv preprint, 2019, arXiv: 1909.05125.
LECUN Y, BOTTOU L, BENGIO Y, et al. Gradient-based learning applied to document recognition [J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324.
LEE S, HOFFMAN J, WANG Z J, et al. VIsCUIT: visual auditor for bias in CNN image classifier [C]// Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway: IEEE Press, 2022: 21443-21451.
FAN X, WANG Y, HUO Y, et al. BEV-SGD: best effort voting SGD against Byzantine attacks for analog-aggregation-based federated learning over the air [J]. IEEE Internet of Things Journal, 2022, 9(19): 18946-18959.
CAO X Y, FANG M H, LIU J, et al. FLTrust: Byzantine-robust federated learning via trust bootstrapping [C]// Proceedings 2021 Network and Distributed System Security Symposium. Internet Society, 2021.