Federated Learning (FL) enables collaborative training of Deep Learning (DL) models while the data is retained locally. Like DL, FL has severe security weaknesses that attackers can exploit, e.g., model inversion and backdoor attacks. Model inversion attacks reconstruct data from the training datasets, whereas backdoors cause misclassification only of inputs that carry a specific property, e.g., a pixel pattern. Backdoors are prominent in FL and aim to poison every client model, while model inversion attacks can target even a single client. This paper introduces a novel technique that makes backdoor attacks client-targeted, compromising a single client while the rest remain unchanged. The attack takes advantage of state-of-the-art model inversion and backdoor attacks. Specifically, we leverage a Generative Adversarial Network to perform the model inversion. Afterward, we shadow-train the FL network and, using a Siamese Neural Network, identify, target, and backdoor the victim's model. Our attack has been validated on the MNIST, F-MNIST, EMNIST, and CIFAR-100 datasets under different settings, achieving up to 99% accuracy on both source (clean) and target (backdoor) classes and evading state-of-the-art defenses, e.g., Neural Cleanse, thereby opening a novel threat model to be considered in the future.