Federated Learning (FL) enables collaborative training of Deep Learning (DL) models where the data is retained locally. Like DL, FL has severe security weaknesses that the attackers can exploit, e.g., model inversion and backdoor attacks. Model inversion attacks reconstruct the data from the training datasets, whereas backdoors misclassify only classes containing specific properties, e.g., a pixel pattern. Backdoors are prominent in FL and aim to poison every client model, while model inversion attacks can target even a single client. This paper introduces a novel technique to allow backdoor attacks to be client-targeted, compromising a single client while the rest remain unchanged. The attack takes advantage of state-of-the-art model inversion and backdoor attacks. Precisely, we leverage a Generative Adversarial Network to perform the model inversion. Afterward, we shadow-train the FL network, in which, using a Siamese Neural Network, we can identify, target, and backdoor the victim's model. Our attack has been validated using the MNIST, F-MNIST, EMNIST, and CIFAR-100 datasets under different settings -- achieving up to 99\% accuracy on both source (clean) and target (backdoor) classes and against state-of-the-art defenses, e.g., Neural Cleanse, opening a novel threat model to be considered in the future.
翻译:联邦学习联合会(FL) 能够在当地保留数据的情况下对深学习模式(DL)进行合作培训。像DL一样,FL具有严重的安全弱点,攻击者可以利用这些弱点,例如模型反转和后门攻击等。模型反倒攻击重建了培训数据集的数据,而后门则错误地分类了只有包含具体属性的分类,例如像像素模式。后门在FL中很突出,目的是毒害每个客户模式,而模型反向攻击甚至可以针对单一客户。本文介绍了一种新颖技术,允许后门攻击针对客户,使单一客户受到损害,而其余客户则保持不变。攻击利用了最先进的反向和后门攻击模式的数据。之后,我们将FL网络置于阴影之下,利用Siamoral Neuroral网络,我们可以识别、目标、后门攻击受害者模式。我们的攻击已经通过MINIST、F-MNISIST、EMIS、CIFAR和CIFA-C-C-C-CFOR-C-NE-C-NE-NE-NIS-NE-C-CR-C-CRIFAR-ID-CR-C-S-ID-ID-IFAR-C-C-C-C-IFAR-ID-ID-ID-ID-IFD-IFD-NFD-S-S-C-NIS-C-NIS-NIS-NIS-NIS-NIS-C-C-NIS-NIS-C-CR-CR-C-C-C-C-C-IFD-NIS-C-C-C-C-C-C-N-N-N-N-N-N-C-C-C-C-C-C-C-C-N-N-N-N-IF-N-C-C-C-C-NISDFD-NIS-N-N-C-C-N-IFD-N-N-N-N-N-N-N-N-N-N-N-N-N-N-N-N-IFD-N-C-C-N-N-N-N-N-N</s>
相关内容
微信扫码咨询专知VIP会员