METHODS AND APPARATUSES FOR DEFENSE AGAINST ADVERSARIAL ATTACKS ON FEDERATED LEARNING SYSTEMS

摘要

Methods and computing apparatuses for defending against model poisoning attacks in federated learning are described. One or more updates are obtained, where each update represents a respective difference between parameters (e.g. weights) of the global model and parameters (e.g. weights) of a respective local model. Random noise perturbation and normalization are applied to each update, to obtain one or more perturbed and normalized updates. The parameters (e.g. weights) of the global model are updated by adding an aggregation of the one or more perturbed and normalized updates to the parameters (e.g. weights) of the global model. In some examples, one or more learned parameters (e.g. weights) of the previous global model are also perturbed using random noise.