Backdoor Attack is a Devil in Federated GAN-based Medical Image Synthesis
Ruinan Jin, Xiaoxiao Li

TL;DR
This paper reveals the vulnerability of federated GANs in medical image synthesis to backdoor attacks and proposes effective defense strategies to enhance robustness.
Contribution
It introduces a novel backdoor attack method on federated GANs for medical images and offers combined defense strategies to mitigate this threat.
Findings
Small trigger can corrupt federated GAN models
Global malicious detection effectively identifies attacks
Training regularization enhances model robustness
Abstract
Deep Learning-based image synthesis techniques have been applied in healthcare research for generating medical images to support open research. Training generative adversarial neural networks (GAN) usually requires large amounts of training data. Federated learning (FL) provides a way of training a central model using distributed data from different medical institutions while keeping raw data locally. However, FL is vulnerable to backdoor attack, an adversarial attack by poisoning training data, given the central server cannot access the original data directly. Most backdoor attack strategies focus on classification models and centralized domains. In this study, we propose a way of attacking federated GAN (FedGAN) by treating the discriminator with a commonly used data poisoning strategy in backdoor attack classification models. We demonstrate that adding a small trigger with size less than…
Taxonomy
Topics: Generative Adversarial Networks and Image Synthesis · Adversarial Robustness in Machine Learning · AI in cancer detection
