Ensemble Federated Adversarial Training with Non-IID data

Shuang Luo, Didi Zhu, Zexi Li, Chao Wu
DOI: https://doi.org/10.48550/arXiv.2110.14814
2021-10-26
Abstract: Although federated learning endows distributed clients with a cooperative training mode under the premise of protecting data privacy and security, the clients are still vulnerable when encountering adversarial samples due to the lack of robustness. The adversarial samples can confuse and cheat the client models to achieve malicious purposes via injecting elaborate noise into normal input. In this paper, we introduce a novel Ensemble Federated Adversarial Training Method, termed EFAT, that enables an efficacious and robust coupled training mechanism. Our core idea is to enhance the diversity of adversarial examples through expanding training data with different disturbances generated from other participating clients, which helps adversarial training perform well in Non-IID settings. Experimental results on different Non-IID situations, including feature distribution skew and label distribution skew, show that our proposed method achieves promising results compared with solely combining federated learning with adversarial approaches.
Machine Learning, Artificial Intelligence
What problem does this paper attempt to address?
The problem this paper attempts to solve is how to improve the robustness of the model against adversarial-sample attacks in the federated learning environment, especially when the data are non-independent and identically distributed (Non-IID). Specifically:

1. **The problem of adversarial-sample attacks in federated learning**:
   - Although federated learning has advantages in protecting data privacy and security, client-side models are still vulnerable when they encounter adversarial samples.
   - Adversarial samples can confuse and deceive client-side models by injecting carefully designed noise into normal inputs, thereby achieving malicious purposes.
2. **Limitations of existing methods**:
   - Existing adversarial training methods are mainly designed for independent and identically distributed (IID) data, while in federated learning the data distribution of each client is usually Non-IID.
   - Simply applying adversarial training in the federated learning environment causes a series of problems, because the large differences between the clients' data distributions make adversarial training less effective.
3. **Research objectives**:
   - Propose a new Ensemble Federated Adversarial Training method (EFAT) to improve the robustness of the federated learning system against black-box attacks on Non-IID data.
   - By increasing the diversity of adversarial samples, EFAT performs adversarial training more effectively in the federated learning environment, thereby enhancing the robustness of the model.

### Main contributions of the paper

1. **Propose the EFAT method**:
   - Use adversarial samples generated by other clients to augment local adversarial training, thereby improving the robustness of each client-side model.
   - EFAT increases the diversity of the adversarial data distribution by integrating adversarial samples from multiple clients, enabling the model to cope better with black-box attacks.
2. **Experimental verification**:
   - Experiments were carried out in two Non-IID situations (skewed feature distribution and skewed label distribution). The results show that EFAT achieves higher adversarial accuracy than the baseline methods and the simplified variants (such as EFNT and EFNT + AT).
   - EFAT achieves significant improvements on both the Digit-Five and CIFAR10 datasets, and its advantage is most prominent under black-box attacks.

### Formula summary

- **PGD attack update rule**:
  \[ x_{\text{adv}}^{t+1}=\Pi_{\text{clip}}\left(x_{\text{adv}}^{t}+\alpha\cdot\text{sign}\left(\nabla_x J(x_{\text{adv}}^{t},y)\right)\right) \]
  where $\alpha$ controls the maximum $L_\infty$ perturbation of the adversarial sample, and the $\text{clip}$ function ensures that $x$ stays within a valid range.
- **Adversarial training loss function**:
  \[ \text{Loss}=\sum_{x_i\in P_i}L(x_i|y_i)+\sum_{x_{\text{adv},i}\in P_{\text{adv},i}}L(x_{\text{adv},i}|y_i) \]
  where $L(x|y)$ is the loss function of a single sample.
- **EFAT loss function**:
  \[ \text{Loss}=\sum_{x_i\in P_i}L(x_i|y_i)+\sum_{x_{\text{adv},i}\in L_{\text{adv},i}}L(x_{\text{adv},i}|y_i)+\sum_{x_{\text{adv},i}\in E_{\text{adv},i}}L(x_{\text{adv},i}|y_i) \]
  Compared with the adversarial training loss, EFAT adds a third sum over a second adversarial set, which is how the adversarial samples gathered from multiple clients enter the training objective.

Through these methods, EFAT not only improves the robustness of the federated learning system but also provides new ideas for future research.
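As an added illustration (not code from the paper or its authors), the following numpy script implements the PGD update rule with its $L_\infty$ projection and clipping, and the EFAT objective that sums the per-sample loss over clean data, locally generated adversarial samples, and adversarial samples received from another client. The two logistic-regression clients, their label-skewed data, and the values of `eps`, `alpha` and `steps` are all constructed for the example.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def bce_loss(w, b, x, y):
    """Per-sample loss L(x|y) of a logistic-regression model (w, b)."""
    p = np.clip(sigmoid(x @ w + b), 1e-7, 1 - 1e-7)
    return -(y * np.log(p) + (1 - y) * np.log(1 - p))

def grad_x(w, b, x, y):
    """Gradient of the per-sample loss with respect to the input x."""
    return (sigmoid(x @ w + b) - y)[:, None] * w[None, :]

def pgd_linf(w, b, x, y, eps, alpha, steps, lo=0.0, hi=1.0):
    """x_adv^{t+1} = Pi_clip(x_adv^t + alpha * sign(grad_x J(x_adv^t, y))).
    Pi_clip projects back into the eps L-inf ball around x and into [lo, hi]."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(grad_x(w, b, x_adv, y))
        x_adv = np.clip(x_adv, x - eps, x + eps)  # stay within the L-inf budget
        x_adv = np.clip(x_adv, lo, hi)            # stay a valid input
    return x_adv

def efat_loss(w, b, clean, local_adv, ensemble_adv):
    """Sum of per-sample losses over clean data, locally generated adversarial
    samples, and adversarial samples contributed by other clients (EFAT's extra term)."""
    return float(sum(bce_loss(w, b, X, y).sum() for X, y in (clean, local_adv, ensemble_adv)))

def demo(eps=0.1, alpha=0.025, steps=10):
    """Two clients with constructed, label-skewed toy data and different models."""
    rng = np.random.default_rng(0)
    x1 = rng.uniform(0, 1, (8, 4)); y1 = (x1[:, 0] > 0.5).astype(float)
    x2 = rng.uniform(0, 1, (8, 4)); y2 = (x2[:, 1] > 0.5).astype(float)
    w1, b1 = np.array([4.0, 0.5, 0.0, 0.0]), -2.0  # client 1 relies on feature 0
    w2, b2 = np.array([0.5, 4.0, 0.0, 0.0]), -2.0  # client 2 relies on feature 1
    adv1 = pgd_linf(w1, b1, x1, y1, eps, alpha, steps)  # client 1's local adversarial set
    adv2 = pgd_linf(w2, b2, x2, y2, eps, alpha, steps)  # shared by client 2 (ensemble set)
    return {
        "linf": float(np.abs(adv1 - x1).max()),
        "in_range": bool(((adv1 >= 0) & (adv1 <= 1)).all()),
        "clean_loss": float(bce_loss(w1, b1, x1, y1).sum()),
        "adv_loss": float(bce_loss(w1, b1, adv1, y1).sum()),
        "efat_loss": efat_loss(w1, b1, (x1, y1), (adv1, y1), (adv2, y2)),
    }

if __name__ == "__main__":
    print(demo())
```

Because each PGD step moves every coordinate in the loss-increasing direction before projection, the local adversarial loss never falls below the clean loss, and the ensemble term can only add to the objective.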