A GAN-Based Data Poisoning Attack Against Federated Learning Systems and Its Countermeasure
Wei Sun, Bo Gao, Ke Xiong, Yuwei Wang
TL;DR
This work addresses the security risk that non-visible local data in federated learning can be poisoned to degrade global performance. It introduces VagueGAN, a GAN variant that generates vague but poisonous data with a tunable suppression factor $\kappa$ to balance attack effectiveness and stealth, and extends to an unsupervised version inspired by InfoGAN. To defend against such GAN-based attacks, the authors propose Model Consistency-Based Defense (MCD), which reuses existing local models and analyzes PCA-reduced features to detect malicious clients via centroid and footprint metrics. Extensive experiments on MNIST, Fashion-MNIST, and CIFAR-10 show that VagueGAN achieves strong degradation with low detectability, while MCD reliably identifies GAN-poisoned data or models and restores FL accuracy. The findings highlight a practical arms race between stealthy data-poisoning attacks and lightweight, model-based defenses for real-world FL deployments, and point to directions for more robust adversarial defenses and adaptive GAN designs.
Abstract
As a distributed machine learning paradigm, federated learning (FL) is collaboratively carried out on privately owned datasets but without direct data access. Although the original intention is to allay data privacy concerns, "available but not visible" data in FL potentially brings new security threats, particularly poisoning attacks that target such "not visible" local data. Initial attempts have been made to conduct data poisoning attacks against FL systems, but cannot be fully successful due to their high chance of causing statistical anomalies. To unleash the potential for truly "invisible" attacks and build a more deterrent threat model, in this paper, a new data poisoning attack model named VagueGAN is proposed, which can generate seemingly legitimate but noisy poisoned data by untraditionally taking advantage of generative adversarial network (GAN) variants. Capable of manipulating the quality of poisoned data on demand, VagueGAN enables to trade-off attack effectiveness and stealthiness. Furthermore, a cost-effective countermeasure named Model Consistency-Based Defense (MCD) is proposed to identify GAN-poisoned data or models after finding out the consistency of GAN outputs. Extensive experiments on multiple datasets indicate that our attack method is generally much more stealthy as well as more effective in degrading FL performance with low complexity. Our defense method is also shown to be more competent in identifying GAN-poisoned data or models. The source codes are publicly available at \href{https://github.com/SSssWEIssSS/VagueGAN-Data-Poisoning-Attack-and-Its-Countermeasure}{https://github.com/SSssWEIssSS/VagueGAN-Data-Poisoning-Attack-and-Its-Countermeasure}.