zhmzm / FLDetector_pytorch


Question about the implementation of different attack types #1

Open yichen138 opened 1 year ago

yichen138 commented 1 year ago

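1. Is the attack started through the attacker() function in the code? 2. Why does there seem to be no implementation code for attack types other than dba, such as the trim attack, the label flipping attack, the Scaling Attack and other Untargeted Model Poisoning Attacks or Targeted Model Poisoning Attacks? It seems that the concrete implementations of the different attack types from the official code are missing, so they cannot be called directly. If you have time, could you help add them? I would be very grateful!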

zhmzm commented 1 year ago

Hi, in this repo, we focus on backdoor attacks. For Flipping attack or Scaling attack, you can directly adapt the code in https://github.com/zhmzm/FLDetector_pytorch/blob/c8aeb02c0aa0286dbc046e2c40050e86383d642f/models/MaliciousUpdate.py#L122-L129

For Trim attack, you can implement it in the function attacker() in https://github.com/zhmzm/FLDetector_pytorch/blob/c8aeb02c0aa0286dbc046e2c40050e86383d642f/main_fed.py#L221

In conclusion, if the attack only changes the training process, implement it in the file "MaliciousUpdate.py". If the attack needs cooperation from each malicious client, implement it in the function attacker() in the file "Attacker.py".

yichen138 commented 1 year ago

What is the meaning of the variable "skip_number"?

zhmzm commented 1 year ago

> What is the meaning of the variable "skip_number"?

Once the number of malicious clients is larger than one and they want to submit the same model, the "skip_number" records the number of models that need to be submitted. For example, if three malicious clients want to submit the same malicious model in round $t$, the "skip_number" is set to 2 after the first malicious client submits the malicious model. Then the code will not craft new malicious models in round $t$ and will keep submitting the first one.

yichen138 commented 1 year ago

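After you implement the dba attack through attack(), why is there no difference between the malicious clients' parameters and the benign clients' parameters in the w_locals list? For example, with 100 clients and 10% of them set as malicious, after the dba attack the parameters of the first 10 malicious clients in the w_locals list are no different from those of the following 90 benign clients. This does not seem to show that the attack took effect. Why is that? (The parameter settings are basically the same.)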

zhmzm commented 1 year ago

What is the difference? Do you mean the distance or score? The effectiveness of attacks is measured by Attack Success Rate. So do you mean DBA does not attack the FL system successfully?

yichen138 commented 1 year ago

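Sorry, I thought DBA would change the clients' parameters during the attack, making them differ from the benign clients' parameters. So, besides the effectiveness of the attack being shown through ASR, this would also be another way to see the attack taking effect while debugging. By the way, if DBA does not change the client parameters, please correct me. Thank you!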
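
Both points raised in this thread, that several malicious clients may submit one shared model in a round and whether entries of w_locals differ from each other, can be checked from the server side. The sketch below is an added example, not code from the FLDetector_pytorch repository and not FLDetector's detection method. It assumes each entry of w_locals is a mapping from layer name to a flat list of floats (a stand-in for a PyTorch state_dict); the function names and the sample round are constructed for illustration.

```python
import hashlib
import math
import struct
from collections import defaultdict
from statistics import median

def flatten(update):
    """Flatten one client's update (layer name -> list of floats) in a fixed key order."""
    return [v for name in sorted(update) for v in update[name]]

def duplicate_groups(w_locals):
    """Group client indices whose submitted parameters are byte-for-byte identical."""
    groups = defaultdict(list)
    for idx, update in enumerate(w_locals):
        flat = flatten(update)
        digest = hashlib.sha256(struct.pack(f"<{len(flat)}d", *flat)).hexdigest()
        groups[digest].append(idx)
    return sorted(g for g in groups.values() if len(g) > 1)

def distance_to_median(w_locals):
    """L2 distance of every client from the coordinate-wise median of all clients."""
    flats = [flatten(u) for u in w_locals]
    med = [median(col) for col in zip(*flats)]
    return [math.sqrt(sum((a - b) ** 2 for a, b in zip(f, med))) for f in flats]

# Constructed sample round (assumption): clients 0-2 submit one shared model,
# clients 3-7 submit independently trained, slightly different models.
shared = {"fc.weight": [0.90, -0.40, 0.10], "fc.bias": [0.30]}
W_LOCALS = [dict(shared) for _ in range(3)] + [
    {"fc.weight": [0.10 + 0.01 * i, 0.20, -0.10], "fc.bias": [0.00]} for i in range(5)
]

if __name__ == "__main__":
    print("identical submissions:", duplicate_groups(W_LOCALS))
    for idx, dist in enumerate(distance_to_median(W_LOCALS)):
        print(f"client {idx}: distance to median = {dist:.3f}")
```

Independently trained clients almost never produce bit-identical parameters, so a non-empty duplicate group is worth logging per round even when the distances to the median look unremarkable.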