實驗室: 攻擊ing Federated Learning

import torch
import torch.nn as nn
import torch.nn.functional as F
 
class SimpleNet(nn.Module):
    """Simple CNN for MNIST classification."""
    def __init__(self):
        super().__init__()
        self.conv1 = nn.Conv2d(1, 32, 3, 1)
        self.conv2 = nn.Conv2d(32, 64, 3, 1)
        self.fc1 = nn.Linear(9216, 128)
        self.fc2 = nn.Linear(128, 10)
 
    def forward(self, x):
        x = F.relu(self.conv1(x))
        x = F.relu(self.conv2(x))
        x = F.max_pool2d(x, 2)
        x = torch.flatten(x, 1)
        x = F.relu(self.fc1(x))
        x = self.fc2(x)
        return F.log_softmax(x, dim=1)

import flwr as fl
from collections import OrderedDict
 
def get_parameters(model):
    """Extract model parameters as a list of numpy arrays."""
    return [val.cpu().numpy() for _, val in model.state_dict().items()]
 
def set_parameters(model, parameters):
    """Load parameters into model."""
    params_dict = zip(model.state_dict().keys(), parameters)
    state_dict = OrderedDict({k: torch.tensor(v) for k, v in params_dict})
    model.load_state_dict(state_dict, strict=True)
 
class HonestClient(fl.client.NumPyClient):
    """Standard honest federated learning client."""
    def __init__(self, model, train_loader, client_id):
        self.model = model
        self.train_loader = train_loader
        self.client_id = client_id
 
    def get_parameters(self, config):
        return get_parameters(self.model)
 
    def fit(self, parameters, config):
        set_parameters(self.model, parameters)
        # Standard local 訓練
        optimizer = torch.optim.SGD(self.model.parameters(), lr=0.01)
 
        self.model.train()
        for batch_data, batch_target in self.train_loader:
            optimizer.zero_grad()
            輸出 = self.model(batch_data)
            loss = F.nll_loss(輸出, batch_target)
            loss.backward()
            optimizer.step()
 
        return get_parameters(self.model), len(self.train_loader.dataset), {}
 
    def 評估(self, parameters, config):
        set_parameters(self.model, parameters)
        # 評估 on local data
        self.model.eval()
        correct, total = 0, 0
        with torch.no_grad():
            for data, target in self.train_loader:
                輸出 = self.model(data)
                pred = 輸出.argmax(dim=1)
                correct += pred.eq(target).sum().item()
                total += len(target)
        return float(F.nll_loss(self.model(data), target)), total, {"accuracy": correct / total}

class ByzantineClient(fl.client.NumPyClient):
    """Malicious client that sends poisoned model updates."""
    def __init__(self, model, train_loader, client_id, attack_type="label_flip"):
        self.model = model
        self.train_loader = train_loader
        self.client_id = client_id
        self.attack_type = attack_type
 
    def get_parameters(self, config):
        return get_parameters(self.model)
 
    def fit(self, parameters, config):
        set_parameters(self.model, parameters)
        optimizer = torch.optim.SGD(self.model.parameters(), lr=0.01)
 
        self.model.train()
        for batch_data, batch_target in self.train_loader:
            optimizer.zero_grad()
 
            if self.attack_type == "label_flip":
                # 攻擊: flip labels (e.g., 7 becomes 1)
                poisoned_target = (batch_target + 1) % 10
                輸出 = self.model(batch_data)
                loss = F.nll_loss(輸出, poisoned_target)
            elif self.attack_type == "gradient_scale":
                # 攻擊: scale gradients to dominate aggregation
                輸出 = self.model(batch_data)
                loss = F.nll_loss(輸出, batch_target)
            else:
                輸出 = self.model(batch_data)
                loss = F.nll_loss(輸出, batch_target)
 
            loss.backward()
            optimizer.step()
 
        params = get_parameters(self.model)
 
        if self.attack_type == "gradient_scale":
            # Scale parameters to dominate FedAvg aggregation
            global_params = parameters
            for i in range(len(params)):
                delta = params[i] - global_params[i]
                params[i] = global_params[i] + delta * 10.0  # 10x scaling
 
        return params, len(self.train_loader.dataset), {}
 
    def 評估(self, parameters, config):
        set_parameters(self.model, parameters)
        self.model.eval()
        correct, total = 0, 0
        with torch.no_grad():
            for data, target in self.train_loader:
                輸出 = self.model(data)
                pred = 輸出.argmax(dim=1)
                correct += pred.eq(target).sum().item()
                total += len(target)
        return 0.0, total, {"accuracy": correct / total}

class ModelReplacementClient(fl.client.NumPyClient):
    """Client that attempts to replace the global model
    with a backdoored version."""
    def __init__(self, model, train_loader, client_id,
                 target_model_state, num_clients):
        self.model = model
        self.train_loader = train_loader
        self.client_id = client_id
        self.target_state = target_model_state
        self.num_clients = num_clients
 
    def fit(self, parameters, config):
        # Compute replacement parameters:
        # After FedAvg: new = avg(updates) = (1/N) * sum(updates)
        # We want: new = target_state
        # So our update must be: N * target_state - (N-1) * global_state
        replacement_params = []
        for i, (target_p, global_p) in enumerate(
            zip(get_parameters_from_state(self.target_state), parameters)
        ):
            replacement = (self.num_clients * target_p -
                          (self.num_clients - 1) * global_p)
            replacement_params.append(replacement)
 
        return replacement_params, len(self.train_loader.dataset), {}

class StealthyByzantineClient(fl.client.NumPyClient):
    """Malicious client that constrains its update norm
    to evade 偵測 while still 投毒 模型."""
    def fit(self, parameters, config):
        # Train with poisoned labels
        poisoned_params = self._poisoned_training(parameters)
 
        # Compute update delta
        deltas = [p - g for p, g in zip(poisoned_params, parameters)]
 
        # Compute norm of honest update (from last round)
        honest_norm = np.sqrt(sum(np.sum(d**2) for d in deltas))
 
        # Clip to match expected honest update norm
        if honest_norm > self.norm_bound:
            scale = self.norm_bound / honest_norm
            deltas = [d * scale for d in deltas]
 
        clipped_params = [g + d for g, d in zip(parameters, deltas)]
        return clipped_params, len(self.train_loader.dataset), {}