Poisoning Attack in Federated Learning using Generative Adversarial Nets

Title: Poisoning Attack in Federated Learning using Generative Adversarial Nets
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Zhang, J., Chen, J., Wu, D., Chen, B., Yu, S.
Conference Name: 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)
Date Published: Aug. 2019
ISBN Number: 978-1-7281-2777-4
Keywords: AI Poisoning, Computational modeling, convolutional neural nets, Data models, deep learning model, federated learning, federated learning architecture, federated learning system, Gallium nitride, gan, Generative Adversarial Nets, Human Behavior, learning (artificial intelligence), poisoning attack, privacy, private training data, pubcrawl, resilience, Resiliency, Scalability, security, Servers, Task Analysis, Training, Training data

Abstract: Federated learning is a novel distributed learning framework, where the deep learning model is trained in a collaborative manner among thousands of participants. What is shared between the server and the participants is only the model parameters, which prevents the server from directly accessing the private training data. However, we notice that the federated learning architecture is vulnerable to an active attack from insider participants, called a poisoning attack, where the attacker can act as a benign participant in federated learning and upload a poisoned update to the server so that he can easily affect the performance of the global model. In this work, we study and evaluate a poisoning attack in a federated learning system based on generative adversarial nets (GAN). That is, an attacker first acts as a benign participant and stealthily trains a GAN to mimic prototypical samples of the other participants' training set, which does not belong to the attacker. Then these generated samples will be fully controlled by the attacker to generate the poisoning updates, and the global model will be compromised by the attacker uploading the scaled poisoning updates to the server. In our evaluation, we show that the attacker in our construction can successfully generate samples of other benign participants using GAN, and the global model achieves more than 80% accuracy on both the poisoning tasks and the main tasks.

Citation Key: zhang_poisoning_2019