A GAN-based data poisoning framework against anomaly detection in vertical federated learning

Xiaolin Chen, Daoguang Zan, Wei Li, Bei Guan, Yongji Wang

TL;DR

An innovative end-to-end poisoning framework, P-GAN, which employs semi-supervised learning to train a surrogate target model, together with an anomaly detection algorithm based on a deep auto-encoder (DAE) that offers a robust defense mechanism for VFL scenarios.

Abstract

In vertical federated learning (VFL), commercial entities collaboratively train a model while preserving data privacy. However, a malicious participant's poisoning attack may degrade the performance of this collaborative model. The main challenge in achieving the poisoning attack is the absence of access to the server-side top model, leaving the malicious participant without a clear target model. To address this challenge, we introduce an innovative end-to-end poisoning framework, P-GAN. Specifically, the malicious participant initially employs semi-supervised learning to train a surrogate target model. Subsequently, this participant employs a GAN-based method to produce adversarial perturbations that degrade the surrogate target model's performance. Finally, the generator is obtained and tailored for VFL poisoning. In addition, we develop an anomaly detection algorithm based on a deep auto-encoder (DAE), offering a robust defense mechanism for VFL scenarios. Through extensive experiments, we evaluate the efficacy of P-GAN and DAE, and further analyze the factors that influence their performance.

Paper Structure

This paper contains 14 sections, 2 equations, 7 figures, 3 tables, 1 algorithm.

Figures (7)

  • Figure 1: Vertical federated learning training process. The malicious participant (red) can attack the training process through data poisoning, causing the VFL model to classify "dog" as "cat".
  • Figure 2: The framework of data poisoning attack in VFL (P-GAN). The malicious participant (red) can manipulate the model's training process by generating poison samples with the two-stage P-GAN algorithm.
  • Figure 3: Flowchart of the proposed defence algorithm in VFL. The server employs the DAE method to filter out outliers for each class of embedding vectors.
  • Figure 4: Test accuracy of the VFL model on MNIST under various parameter settings when subjected to P-GAN poisoning attacks and defended by DAE.
  • Figure 5: $F_1$ scores of the poisoned model under a varied number of adversary's features, with a height pixel interval of 4.
  • ...and 2 more figures