As a distributed machine learning paradigm, federated learning (FL) is collaboratively carried out on privately owned datasets without direct data access. Although the original intention is to allay data privacy concerns, "available but not visible" data in FL potentially brings new security threats, particularly poisoning attacks that target such "not visible" local data. Initial attempts have been made to conduct data poisoning attacks against FL systems, but they cannot be fully successful because they are highly likely to cause statistical anomalies. To unleash the potential of truly "invisible" attacks and build a more deterrent threat model, this paper proposes a new data poisoning attack model named VagueGAN, which generates seemingly legitimate but noisy poisoned data by taking untraditional advantage of generative adversarial network (GAN) variants. Capable of manipulating the quality of poisoned data on demand, VagueGAN enables a trade-off between attack effectiveness and stealthiness. Furthermore, a cost-effective countermeasure named Model Consistency-Based Defense (MCD) is proposed to identify GAN-poisoned data or models by exploiting the consistency of GAN outputs. Extensive experiments on multiple datasets indicate that our attack method is generally much more stealthy as well as more effective in degrading FL performance, with low complexity. Our defense method is also shown to be more competent in identifying GAN-poisoned data or models. The source code is publicly available at \href{https://github.com/SSssWEIssSS/VagueGAN-Data-Poisoning-Attack-and-Its-Countermeasure}{https://github.com/SSssWEIssSS/VagueGAN-Data-Poisoning-Attack-and-Its-Countermeasure}.
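The abstract describes MCD only at the level of its core idea: GAN-generated poison tends to be unusually consistent, so a server can look for clients whose contributions are more self-similar than the benign population. The following is an added illustration of that consistency idea from the defender's side; it is not the paper's MCD algorithm or code from the linked repository, and it assumes a server that can collect each client's per-round model update as a flat vector. The client updates below are constructed synthetic data: twenty benign clients submit independent noisy updates, while one hypothetical client (`client_20`) submits near-identical updates round after round. The check scores each client by its mean pairwise cosine similarity across rounds and flags upper outliers using a median/MAD robust z-score plus an absolute similarity floor, so a single outlier cannot distort the baseline and tiny populations do not produce spurious flags.

```python
import math
import random
from typing import Dict, List

Vector = List[float]


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity between two update vectors (0.0 if either is the zero vector)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def self_consistency(updates: List[Vector]) -> float:
    """Mean pairwise cosine similarity of one client's updates across rounds.

    Independent, honestly trained updates point in varying directions and score
    near 0; updates derived from the same generator output score near 1.
    """
    pairs = [(i, j) for i in range(len(updates)) for j in range(i + 1, len(updates))]
    if not pairs:
        return 0.0
    return sum(cosine(updates[i], updates[j]) for i, j in pairs) / len(pairs)


def _median(xs: List[float]) -> float:
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else 0.5 * (s[n // 2 - 1] + s[n // 2])


def robust_z_scores(values: Dict[str, float]) -> Dict[str, float]:
    """Median/MAD z-scores: a single poisoned client cannot drag the baseline."""
    med = _median(list(values.values()))
    mad = _median([abs(v - med) for v in values.values()])
    # 1.4826 * MAD estimates sigma for normally distributed data; guard against MAD == 0.
    scale = 1.4826 * mad if mad > 0.0 else 1e-12
    return {cid: (v - med) / scale for cid, v in values.items()}


def flag_overly_consistent(
    client_updates: Dict[str, List[Vector]],
    threshold: float = 3.5,
    min_consistency: float = 0.5,
) -> Dict[str, float]:
    """Return the clients whose self-consistency is an upper outlier, with their z-scores.

    Only one-sided (too consistent) deviations are suspicious here, and the absolute
    floor keeps the check from firing on small or unusually tight benign populations.
    """
    scores = {cid: self_consistency(ups) for cid, ups in client_updates.items()}
    z = robust_z_scores(scores)
    return {
        cid: z[cid]
        for cid, score in scores.items()
        if z[cid] > threshold and score > min_consistency
    }


def constructed_updates(seed: int = 7, dim: int = 64, rounds: int = 4) -> Dict[str, List[Vector]]:
    """Constructed sample data (not from the paper): 20 benign clients and 1 suspect client."""
    rng = random.Random(seed)
    clients: Dict[str, List[Vector]] = {}
    for c in range(20):  # benign: independent noisy updates each round
        clients[f"client_{c}"] = [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(rounds)]
    template = [rng.gauss(0.0, 1.0) for _ in range(dim)]  # hypothetical generator output
    clients["client_20"] = [[t + rng.gauss(0.0, 0.01) for t in template] for _ in range(rounds)]
    return clients


if __name__ == "__main__":
    updates = constructed_updates()
    for cid, z in sorted(flag_overly_consistent(updates).items()):
        print(f"{cid}: self-consistency {self_consistency(updates[cid]):.4f}, robust z {z:.1f}")
```

In a real deployment the server would keep the per-client history across rounds and review flagged clients rather than drop them outright, since a benign client with a tiny, static local dataset can also look consistent; the absolute floor and threshold are the knobs to tune against that false-positive rate.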