In federated learning (FL), the principle that local data is available for training but never directly visible is intended to allay data privacy concerns, yet it also opens the door to new security threats, in particular poisoning attacks that target exactly this invisible local data. Such data poisoning attacks have great potential to degrade global FL outcomes stealthily, and they are expected to become even stealthier when enhanced by generative models such as generative adversarial networks (GANs). Existing defense methods, however, have not been thoroughly challenged in this regard and are generally unaware that seemingly legitimate poisoned data can be generated locally. With growing concern about potentially stealthier attacks, this paper proposes a cost-effective defense mechanism named Model Consistency-Based Defense (MCD), which comprehensively examines the available local models across multiple feature dimensions and thereby provides an indirect yet effective means of identifying hidden data poisoning attackers. To push MCD to its limit against stealthier attacks, we also propose a new GAN-based data poisoning attack model named VagueGAN, together with an unsupervised variant of it, which can be flexibly deployed to generate seemingly legitimate but noisy poisoned data. The consistency of GAN outputs revealed by VagueGAN helps strengthen MCD against stealthier GAN-based attacks as well as other mainstream ones. Extensive experiments on multiple open datasets (MNIST, Fashion-MNIST, CIFAR-10, CIFAR-100, and Mini-Imagenet) indicate that our attack method better balances the trade-off between attack effectiveness and stealthiness at low complexity. More importantly, our defense mechanism proves more competent at identifying a variety of poisoned data, particularly the stealthier GAN-poisoned ones.
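The abstract does not spell out MCD's procedure, so the following is an added illustration (not the paper's code) of the underlying idea of checking local models for consistency across several feature dimensions: each client's update is scored on its norm, its cosine similarity to the coordinate-wise median model and its sign agreement with that model, and a client that is an outlier on any feature is withheld from aggregation. The client updates, the honest direction BASE, the feature set and the thresholds are all constructed assumptions; a norm-matched noisy update stands in for a stealthy poisoner, since a norm-only check would not see it.

```python
import math
import random
import statistics
# Added illustration (not the paper's MCD): flag clients whose local update is
# inconsistent with the population on several feature dimensions. All constructed.
DIM = 64
rng = random.Random(7)
BASE = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]  # assumed honest update direction

def l2(v):
    return math.sqrt(sum(x * x for x in v))
def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (l2(a) * l2(b))
def sign_agreement(a, b):
    return sum(1 for x, y in zip(a, b) if (x > 0) == (y > 0)) / len(a)

def honest_update():  # BASE plus small local noise
    return [b + rng.gauss(0.0, 0.05) for b in BASE]
def flipped_update():  # blatant poisoner: reversed and amplified update
    return [-3.0 * b + rng.gauss(0.0, 0.05) for b in BASE]
def stealthy_update():  # stealthier poisoner: honest-sized norm, noise direction
    v = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    s = l2(BASE) / l2(v)
    return [x * s for x in v]

def robust_z(values, rel_floor=0.05):
    # Deviation from the median in scaled-MAD units, floored at a fraction of
    # |median| so that a tiny honest spread does not inflate the scores.
    med = statistics.median(values)
    mad = 1.4826 * statistics.median(abs(v - med) for v in values)
    scale = max(mad, rel_floor * abs(med), 1e-12)
    return [abs(v - med) / scale for v in values]

def detect_inconsistent(updates, threshold=3.5):
    """Return {client_index: [feature names on which the client is an outlier]}."""
    ref = [statistics.median(col) for col in zip(*updates)]  # coordinate-wise median model
    feats = {"norm": [l2(u) for u in updates],
             "cosine_to_median": [cosine(u, ref) for u in updates],
             "sign_agreement": [sign_agreement(u, ref) for u in updates]}
    flagged = {}
    for name, vals in feats.items():
        for i, z in enumerate(robust_z(vals)):
            if z > threshold:
                flagged.setdefault(i, []).append(name)
    return flagged

def aggregate(updates, flagged):  # average only the clients judged consistent
    kept = [u for i, u in enumerate(updates) if i not in flagged]
    return [sum(col) / len(kept) for col in zip(*kept)]

def build_round():  # clients 0-5 honest, 6 blatant poisoner, 7 stealthy poisoner
    return [honest_update() for _ in range(6)] + [flipped_update(), stealthy_update()]
```

The blatant client is caught on every feature, while the stealthy one passes the norm check and is caught only by the direction-based features, which is the point of examining more than one dimension.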