Deep learning-based image synthesis techniques have been applied in healthcare research for generating medical images to support open research and augment medical datasets. Training generative adversarial neural networks (GANs) usually requires large amounts of training data. Federated learning (FL) provides a way of training a central model using distributed data while keeping raw data local. However, given that the FL server cannot access the raw data, it is vulnerable to backdoor attacks, an adversarial attack carried out by poisoning training data. Most backdoor attack strategies focus on classification models and centralized domains. It is still an open question whether the existing backdoor attacks can affect GAN training and, if so, how to defend against the attack in the FL setting. In this work, we investigate the overlooked issue of backdoor attacks in federated GANs (FedGANs). The success of this attack is subsequently determined to be the result of some local discriminators overfitting the poisoned data and corrupting the local GAN equilibrium, which then further contaminates other clients when averaging the generator's parameters and yields high generator loss. Therefore, we propose FedDetect, an efficient and effective way of defending against the backdoor attack in the FL setting, which allows the server to detect the clients' adversarial behavior based on their losses and block the malicious clients. Our extensive experiments on two medical datasets with different modalities demonstrate that the backdoor attack on FedGANs can result in synthetic images with low fidelity. After detecting and suppressing the malicious clients using the proposed defense strategy, we show that FedGANs can synthesize high-quality medical datasets (with labels) for data augmentation to improve classification models' performance.
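The server-side idea described above (detect clients from their reported losses, then exclude them before averaging generator parameters) can be sketched as follows. This is an added example, not the paper's FedDetect code: the median/MAD outlier rule, the threshold of 3.5, the function names and the sample values are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample round: per-client generator loss and a toy 2-parameter
# generator update. Client "c3" stands in for a poisoned client.
SAMPLE_LOSSES = {"c0": 0.71, "c1": 0.69, "c2": 0.74, "c3": 2.90, "c4": 0.70}
SAMPLE_UPDATES = {
    "c0": [0.10, 0.20], "c1": [0.12, 0.18], "c2": [0.11, 0.21],
    "c3": [5.00, -4.00], "c4": [0.09, 0.19],
}

def flag_outlier_clients(losses, threshold=3.5):
    """Return ids of clients whose loss is a robust outlier.

    Assumed rule: modified z-score built from the median and the median
    absolute deviation (MAD), so one extreme client cannot shift the
    baseline the way it would shift a mean and standard deviation.
    """
    values = list(losses.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # At least half the clients report the same loss: any deviation stands out.
        return {cid for cid, v in losses.items() if v != med}
    return {cid for cid, v in losses.items()
            if 0.6745 * abs(v - med) / mad > threshold}

def aggregate(updates, losses, threshold=3.5):
    """Average generator parameters over clients that pass the loss check."""
    blocked = flag_outlier_clients(losses, threshold)
    kept = [cid for cid in updates if cid not in blocked]
    if not kept:
        raise ValueError("all clients flagged; refusing to aggregate")
    dim = len(updates[kept[0]])
    avg = [sum(updates[c][i] for c in kept) / len(kept) for i in range(dim)]
    return avg, blocked

if __name__ == "__main__":
    avg, blocked = aggregate(SAMPLE_UPDATES, SAMPLE_LOSSES)
    print("blocked:", sorted(blocked))
    print("aggregated generator parameters:", avg)
```

A plain mean over all five sample clients would be pulled far off by the flagged update, which is the contamination path the abstract attributes to parameter averaging.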