CV | AI | Jul 2, 2022

Backdoor Attack is a Devil in Federated GAN-based Medical Image Synthesis

arXiv:2207.00762v2 | 13 citations | h-index: 15
Originality: Incremental advance
AI Analysis

This addresses security risks in federated learning for healthcare, where data privacy is critical, but it is incremental as it adapts existing attack methods to a new domain.

The study tackled the vulnerability of federated GANs in medical image synthesis to backdoor attacks by poisoning the discriminator, showing that a trigger less than 0.5% of image size can corrupt the model, and proposed two defense strategies that yield robust generation when combined.

Deep Learning-based image synthesis techniques have been applied in healthcare research for generating medical images to support open research. Training generative adversarial neural networks (GAN) usually requires large amounts of training data. Federated learning (FL) provides a way of training a central model using distributed data from different medical institutions while keeping raw data locally. However, FL is vulnerable to backdoor attacks, an adversarial attack carried out by poisoning training data, given that the central server cannot access the original data directly. Most backdoor attack strategies focus on classification models and centralized domains. In this study, we propose a way of attacking federated GAN (FedGAN) by treating the discriminator with a data poisoning strategy commonly used in backdoor attacks on classification models. We demonstrate that adding a small trigger with size less than 0.5 percent of the original image size can corrupt the FL-GAN model. Based on the proposed attack, we provide two effective defense strategies: global malicious detection and local training regularization. We show that combining the two defense strategies yields robust medical image generation.

Code Implementations: 1 repo