PoiCGAN: A Targeted Poisoning Based on Feature-Label Joint Perturbation in Federated Learning
Tao Liu, Jiguang Lv, Dapeng Man, Weiye Xi, Yaole Li, Feiyu Zhao, Kuiming Wang, Yingchao Bian, Chen Xu, Wu Yang

TL;DR
PoiCGAN introduces a novel targeted poisoning attack in federated learning that effectively bypasses defenses, significantly increasing attack success while maintaining high stealthiness and minimal impact on main task accuracy.
Contribution
The paper proposes PoiCGAN, a new feature-label joint perturbation method using CGANs to generate stealthy poisoned samples that evade model anomaly detection defenses.
Findings
Achieves 83.97% higher attack success rate than baseline methods.
Maintains less than 8.87% reduction in main task accuracy.
Poisoned samples and models are highly stealthy.
Abstract
Federated Learning (FL), as a popular distributed learning paradigm, has shown outstanding performance in improving computational efficiency and protecting data privacy, and is widely applied in industrial image classification. However, due to its distributed nature, FL is vulnerable to threats from malicious clients, with poisoning attacks being a common threat. A major limitation of existing poisoning attack methods is their difficulty in bypassing model performance tests and defense mechanisms based on model anomaly detection. This often results in the detection and removal of poisoned models, which undermines their practical utility. To preserve industrial image classification performance while keeping the attack effective, we propose a targeted poisoning attack, PoiCGAN, based on feature-label collaborative perturbation. Our method modifies the inputs of the discriminator and generator in the…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Machine Learning and Data Classification
