Poisoning attack in federated learning using generative adversarial nets

Zhang, J; Chen, J; Wu, D; Chen, B; Yu, S

Poisoning attack in federated learning using generative adversarial nets

Zhang, J Chen, J Wu, D Chen, B Yu, S

Permalink

Publisher:: IEEE
Publication Type:: Conference Proceeding
Citation:: Proceedings - 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering, TrustCom/BigDataSE 2019, 2019, pp. 374-380
Issue Date:: 2019-08-01

Closed Access

	Filename	Description	Size
	08887357.pdf	Published version	711.36 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Zhang, J
dc.contributor.author	Chen, J
dc.contributor.author	Wu, D
dc.contributor.author	Chen, B
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.date	2019-08-05
dc.date.accessioned	2020-06-18T06:54:28Z
dc.date.available	2020-06-18T06:54:28Z
dc.date.issued	2019-08-01
dc.identifier.citation	Proceedings - 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering, TrustCom/BigDataSE 2019, 2019, pp. 374-380
dc.identifier.isbn	9781728127767
dc.identifier.issn	2324-898X
dc.identifier.issn	2324-9013
dc.identifier.uri	http://hdl.handle.net/10453/141531
dc.description.abstract	© 2019 IEEE. Federated learning is a novel distributed learning framework, where the deep learning model is trained in a collaborative manner among thousands of participants. The shares between server and participants are only model parameters, which prevent the server from direct access to the private training data. However, we notice that the federated learning architecture is vulnerable to an active attack from insider participants, called poisoning attack, where the attacker can act as a benign participant in federated learning to upload the poisoned update to the server so that he can easily affect the performance of the global model. In this work, we study and evaluate a poisoning attack in federated learning system based on generative adversarial nets (GAN). That is, an attacker first acts as a benign participant and stealthily trains a GAN to mimic prototypical samples of the other participants' training set which does not belong to the attacker. Then these generated samples will be fully controlled by the attacker to generate the poisoning updates, and the global model will be compromised by the attacker with uploading the scaled poisoning updates to the server. In our evaluation, we show that the attacker in our construction can successfully generate samples of other benign participants using GAN and the global model performs more than 80% accuracy on both poisoning tasks and main tasks.
dc.language	en
dc.publisher	IEEE
dc.relation	http://purl.org/au-research/grants/arc/DP180102828
dc.relation	Commonwealth Scientific and Industrial Research Organisation
dc.relation.ispartof	Proceedings - 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering, TrustCom/BigDataSE 2019
dc.relation.ispartof	IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering
dc.relation.isbasedon	10.1109/TrustCom/BigDataSE.2019.00057
dc.rights	© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.	en_US
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Poisoning attack in federated learning using generative adversarial nets
dc.type	Conference Proceeding
utslib.location.activity	Rotorua, New Zealand
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney
utslib.copyright.status	closed_access	*
pubs.consider-herdc	false
dc.date.updated	2020-06-18T06:54:23Z
pubs.finish-date	2019-08-08
pubs.place-of-publication	Piscataway, USA
pubs.publication-status	Published
pubs.start-date	2019-08-05
dc.location	Piscataway, USA

Abstract:

© 2019 IEEE. Federated learning is a novel distributed learning framework, where the deep learning model is trained in a collaborative manner among thousands of participants. The shares between server and participants are only model parameters, which prevent the server from direct access to the private training data. However, we notice that the federated learning architecture is vulnerable to an active attack from insider participants, called poisoning attack, where the attacker can act as a benign participant in federated learning to upload the poisoned update to the server so that he can easily affect the performance of the global model. In this work, we study and evaluate a poisoning attack in federated learning system based on generative adversarial nets (GAN). That is, an attacker first acts as a benign participant and stealthily trains a GAN to mimic prototypical samples of the other participants' training set which does not belong to the attacker. Then these generated samples will be fully controlled by the attacker to generate the poisoning updates, and the global model will be compromised by the attacker with uploading the scaled poisoning updates to the server. In our evaluation, we show that the attacker in our construction can successfully generate samples of other benign participants using GAN and the global model performs more than 80% accuracy on both poisoning tasks and main tasks.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/141531