CR | LG | Apr 21, 2021

Turning Federated Learning Systems Into Covert Channels

arXiv:2104.10561v3 | 16 citations
Originality: Highly original
AI Analysis

The paper exposes a security vulnerability in federated learning systems: although they are designed for privacy, malicious participants can use them to communicate covertly.

The paper tackles the problem of covert communication in federated learning systems by proposing an attacker model that turns them into stealth channels, where a malicious sender poisons the global model to transmit bits without affecting overall performance.

Federated learning (FL) goes beyond traditional, centralized machine learning by distributing model training among a large collection of edge clients. These clients cooperatively train a global, e.g., cloud-hosted, model without disclosing their local, private training data. The global model is then shared among all the participants, which use it for local predictions. In this paper, we put forward a novel attacker model aiming at turning FL systems into covert channels to implement a stealth communication infrastructure. The main intuition is that, during federated training, a malicious sender can poison the global model by submitting purposely crafted examples. Although the effect of the model poisoning is negligible to other participants, and does not alter the overall model performance, it can be observed by a malicious receiver and used to transmit a single bit.
