Zhuoran Ma;Xinyi Huang;Zhuzhu Wang;Zhan Qin;Xiangyu Wang;Jianfeng Ma
{"title":"FedGhost: Data-Free Model Poisoning Enhancement in Federated Learning","authors":"Zhuoran Ma;Xinyi Huang;Zhuzhu Wang;Zhan Qin;Xiangyu Wang;Jianfeng Ma","doi":"10.1109/TIFS.2025.3539087","DOIUrl":null,"url":null,"abstract":"FL is vulnerable to model poisoning attacks due to the invisibility of local data and the decentralized nature of FL training. The adversary attempts to maliciously manipulate local model gradients to compromise the global model (i.e., victim model). Commonly-studied model poisoning attacks heavily depend on accessing additional knowledge, such as local data and the aggregation algorithm from the victim model, which easily encounter practical obstacles due to limited adversarial knowledge. In this paper, we first reveal that aggregated gradients in FL can serve as an attack carrier, exposing the latent knowledge of the victim model. In particular, we propose a data-free model poisoning attack named FedGhost, which aims to redirect the training objective of FL towards the adversary’s objective without any auxiliary information. In FedGhost, we design a black-box adaptive optimization algorithm to dynamically adjust the perturbation factor for malicious gradients, maximizing the poisoning impact of FL. Experimental results on five datasets in IID and Non-IID FL settings demonstrate that FedGhost achieves the highest attack success rate, outperforming other state-of-the-art model poisoning attacks by more than <inline-formula> <tex-math>$10\\%-60\\%$ </tex-math></inline-formula>.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"20 ","pages":"2096-2108"},"PeriodicalIF":8.0000,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Information Forensics and Security","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10877716/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0
Abstract
FL is vulnerable to model poisoning attacks due to the invisibility of local data and the decentralized nature of FL training. The adversary attempts to maliciously manipulate local model gradients to compromise the global model (i.e., victim model). Commonly-studied model poisoning attacks heavily depend on accessing additional knowledge, such as local data and the aggregation algorithm from the victim model, which easily encounter practical obstacles due to limited adversarial knowledge. In this paper, we first reveal that aggregated gradients in FL can serve as an attack carrier, exposing the latent knowledge of the victim model. In particular, we propose a data-free model poisoning attack named FedGhost, which aims to redirect the training objective of FL towards the adversary’s objective without any auxiliary information. In FedGhost, we design a black-box adaptive optimization algorithm to dynamically adjust the perturbation factor for malicious gradients, maximizing the poisoning impact of FL. Experimental results on five datasets in IID and Non-IID FL settings demonstrate that FedGhost achieves the highest attack success rate, outperforming other state-of-the-art model poisoning attacks by more than $10\%-60\%$ .
期刊介绍:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
