
A GAN-Based Data Poisoning Attack Against Federated Learning Systems and Its Countermeasure (2405.11440v2)

Published 19 May 2024 in cs.CR, cs.DC, and cs.NI

Abstract: As a distributed machine learning paradigm, federated learning (FL) is carried out collaboratively on privately owned datasets without direct data access. Although the original intention is to allay data privacy concerns, "available but not visible" data in FL potentially brings new security threats, particularly poisoning attacks that target such "not visible" local data. Initial attempts have been made to conduct data poisoning attacks against FL systems, but they cannot be fully successful because they have a high chance of causing statistical anomalies. To unleash the potential for truly "invisible" attacks and build a more deterrent threat model, this paper proposes a new data poisoning attack model named VagueGAN, which can generate seemingly legitimate but noisy poisoned data by untraditionally taking advantage of generative adversarial network (GAN) variants. Capable of manipulating the quality of poisoned data on demand, VagueGAN makes it possible to trade off attack effectiveness against stealthiness. Furthermore, a cost-effective countermeasure named Model Consistency-Based Defense (MCD) is proposed to identify GAN-poisoned data or models by exploiting the consistency of GAN outputs. Extensive experiments on multiple datasets indicate that our attack method is generally much more stealthy as well as more effective in degrading FL performance with low complexity. Our defense method is also shown to be more competent in identifying GAN-poisoned data or models. The source code is publicly available at https://github.com/SSssWEIssSS/VagueGAN-Data-Poisoning-Attack-and-Its-Countermeasure.

