Recent attacks on federated learning (FL) can introduce malicious model
updates that circumvent widely adopted Euclidean distance-based detection
methods. This paper proposes a novel defense strategy, referred to as
LayerCAM-AE, designed to counteract model poisoning in federated learning. The
LayerCAM-AE puts forth a new Layer Class Activation Mapping (LayerCAM)
integrated with an autoencoder (AE), significantly enhancing detection
capabilities. Specifically, LayerCAM-AE generates a heat map for each local
model update, which is then transformed into a more compact visual format. The
autoencoder is designed to process the LayerCAM heat maps from the local model
updates, improving their distinctiveness and thereby increasing the accuracy in
spotting anomalous maps and malicious local models. To address the risk of
misclassifications with LayerCAM-AE, a voting algorithm is developed, where a
local model update is flagged as malicious if its heat maps are consistently
suspicious over several rounds of communication. Extensive tests of LayerCAM-AE
on the SVHN and CIFAR-100 datasets are performed under both Independent and
Identically Distributed (IID) and non-IID settings in comparison with existing
ResNet-50 and REGNETY-800MF defense models. Experimental results show that
LayerCAM-AE increases detection rates (Recall: 1.0, Precision: 1.0, FPR: 0.0,
Accuracy: 1.0, F1 score: 1.0, AUC: 1.0) and test accuracy in FL, surpassing the
performance of both the ResNet-50 and REGNETY-800MF. Our code is available at:
this https URL

本文提出了一种新颖的防御策略 LayerCAM-AE 来对抗联邦学习中的模型污染攻击，通过整合 Layer Class Activation Mapping（LayerCAM）和自编码器（AE），显著增强了检测能力，实验结果表明 LayerCAM-AE 在联邦学习中提高了模型的检测率和准确性，超越了现有的防御模型 ResNet-50 和 REGNETY-800MF。

一种新的抵御联邦学习中毒攻击的方法：使用自编码器增强的 LayerCAM

A Novel Defense Against Poisoning Attacks on Federated Learning:  LayerCAM Augmented with Autoencoder

Adversarial attacks represent a security threat to machine learning based
automatic speech recognition (ASR) systems. To prevent such attacks we propose
an adversarial example detection strategy applicable to any ASR system that
predicts a probability distribution over output tokens in each time step. We
measure a set of characteristics of this distribution: the median, maximum, and
minimum over the output probabilities, the entropy, and the Jensen-Shannon
divergence of the distributions of subsequent time steps. Then, we fit a
Gaussian distribution to the characteristics observed for benign data. By
computing the likelihood of incoming new audio we can distinguish malicious
inputs from samples from clean data with an area under the receiving operator
characteristic (AUROC) higher than 0.99, which drops to 0.98 for less-quality
audio. To assess the robustness of our method we build adaptive attacks. This
reduces the AUROC to 0.96 but results in more noisy adversarial clips.

为了防止对基于机器学习的自动语音识别系统的攻击，我们提出了一种适用于任何预测每个时间步长输出令牌概率分布的 ASR 系统的对抗性示例检测策略。通过计算新音频的可能性，我们可以区分恶意输入和来自干净数据样本的方法，而不影响对质量较差音频的检测。