Turning Federated Learning Systems Into Covert Channels
Gabriele Costa, Fabio Pinelli, Simone Soderi, Gabriele Tolomei
TL;DR
This work addresses the security risk that federated learning (FL) systems can be repurposed as covert channels. It introduces a practical attacker model where a sender poisons its local data to subtly influence the global model, enabling a receiver to read one bit per transmission frame without notably degrading overall accuracy. The authors present a calibration phase and a Differential Manchester–like encoding scheme that transmits bits by steering the global model’s predictions on a crafted edge example $\tilde{x}$. They also formalize the covert channel as a binary memoryless channel, deriving capacity and defining BER/SNR in terms of the model’s prediction signals, highlighting a realistic threat and motivating defenses against FL-based covert communications.
Abstract
Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants, which use it for local predictions. In this paper, we put forward a novel attacker model aiming at turning FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants, and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.
