Turning Federated Learning Systems Into Covert Channels

TL;DR

This paper demonstrates how federated learning systems can be exploited as covert channels by malicious actors to establish stealth communication, even without affecting overall model performance.

Contribution

It introduces a novel attacker model that leverages model poisoning in federated learning to enable covert communication channels.

Findings

Malicious model poisoning can encode information without degrading model accuracy.

Covert channels can be established with minimal detectable impact.

The approach is effective even with multiple participants and diverse data.

Abstract

Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants which use it for local predictions. In this paper, we put forward a novel attacker model aiming at turning FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants, and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.