Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants, who use it for local predictions. In this paper, we put forward a novel attacker model that aims to turn FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.