Medical Image Analysis (2023)
Backdoor Attack and Defense in Federated Generative Adversarial Network-based
Medical Image Synthesis
Ruinan Jin a, Xiaoxiao Li b,*
a Computer Science Department, The University of British Columbia, BC, V6T 1Z4, Canada
b Electrical and Computer Engineering Department, The University of British Columbia, BC, V6T 1Z4, Canada
* Corresponding author: Xiaoxiao Li, e-mail: xiaoxiao.li@ece.ubc.ca
ARTICLE INFO
Keywords: Generative Adversarial Networks, Federated Learning, Backdoor Attack
ABSTRACT
Deep learning-based image synthesis techniques have been applied in healthcare re-
search for generating medical images to support open research and augment medical
datasets. Training generative adversarial networks (GANs) usually requires large
amounts of training data. Federated learning (FL) provides a way of training a central
model using distributed data while keeping raw data locally. However, given that the
FL server cannot access the raw data, it is vulnerable to backdoor attacks, an adversar-
ial attack that poisons training data. Most backdoor attack strategies focus on classification
models and centralized domains. It is still an open question whether existing backdoor
attacks can affect GAN training and, if so, how to defend against the attack in the FL
setting. In this work, we investigate the overlooked issue of backdoor attacks in fed-
erated GANs (FedGANs). The success of this attack is subsequently determined to
be the result of some local discriminators overfitting the poisoned data and corrupting
the local GAN equilibrium, which then further contaminates other clients when averag-
ing the generator’s parameters and yields high generator loss. Therefore, we propose
FedDetect, an efficient and effective way of defending against the backdoor attack in
the FL setting, which allows the server to detect clients’ adversarial behavior based
on their losses and block the malicious clients. Our extensive experiments on two med-
ical datasets with different modalities demonstrate that the backdoor attack on FedGANs
can result in synthetic images with low fidelity. After detecting and suppressing the
malicious clients using the proposed defense strategy, we show that FedGANs
can synthesize high-quality medical datasets (with labels) for data augmentation to im-
prove classification models’ performance.
©2023 Elsevier B. V. All rights reserved.
1. Introduction
While deep learning has significantly impacted healthcare re-
search, its impact has been undeniably slower and more lim-
ited there than in other application domains. A signif-
icant reason for this is the scarcity of patient data available to
the broader machine learning research community, largely ow-
ing to patient privacy concerns. Although healthcare providers,
governments, and private industry are increasingly collecting
large amounts and various types of patient data electronically
that may be extremely valuable to scientists, these data are generally
unavailable to the broader research community due to patient
privacy concerns. Furthermore, even if a researcher is able to
obtain such data, ensuring proper data usage and protection is a
lengthy process governed by stringent legal requirements. This
can significantly slow the pace of research and, as a result, delay the
benefits of that research for patient care.
Synthetic datasets of high quality and realism can be used
to accelerate methodological advancements in medicine (Dube
and Gallagher, 2013; Buczak et al., 2010). While there
are methods for generating medical data for electronic health
records (Dube and Gallagher, 2013; Buczak et al., 2010), the
study of medical image synthesis is more difficult as medical
images are high-dimensional. With the growth of generative
adversarial networks (GAN) (Goodfellow et al., 2014), high-
dimensional image generation became possible. Particularly,
conditional GAN (Mirza and Osindero, 2014) can generate im-
ages conditional on a given mode, e.g., constructing images
based on their labels to synthesize labeled datasets. In the field
of medical image synthesis, Teramoto et al. (2020) proposed
a progressive growing conditional GAN to generate lung can-
cer images and concluded that synthetic images can assist deep
convolution neural network training. Yu et al. (2021) recently
used conditional GAN-generated pictures of aberrant cells in
cervical cell classification to address the class imbalance issue.
In addition, a comprehensive survey on the role of GAN-
based augmentation in medical imaging can be found in Shorten
and Khoshgoftaar (2019).
As in most deep learning (DL)-based tasks, limited data re-
sources are always a challenge for GAN-based medical synthe-
sis. In addition, a large, diverse, and representative dataset is re-
quired to develop and refine best practices in evidence-based
medicine. However, there is no single approach for generating
synthetic data that adapts to all populations (Chen et al.,
2021). Data collaboration between different medical institu-
tions (which are heterogeneous in the gender, ethnicity,
and geography of the individuals or patients, as well as in
the healthcare systems, workflows, and equipment used) makes
it possible to build a robust model that can learn from diverse pop-
ulations. However, sharing data for centralized collection raises
privacy problems and risks exposing patient in-
formation (Malin et al., 2013; Scherer et al., 2020). Federated
learning (FL) (Konečný et al., 2016) is a privacy-preserving
tool, which keeps data at each medical institution (client) lo-
cally and exchanges model weights with the server to learn a
global model collaboratively. As no data sharing is required, it
is a popular research option in healthcare (Rieke et al., 2020;
Usynin et al., 2022). Federated GAN (FedGAN) has then been pro-
posed to train GANs distributively for data synthesis (Augen-
stein et al., 2019; Rasouli et al., 2020), but its overall robustness
against attacks is underexplored.
However, as an open system, FL is vulnerable to malicious
participants, and studies have already taken a deep dive into differ-
ent kinds of attacks on classification models in federated sce-
narios, such as gradient inversion attacks (Huang et al., 2021) and poi-
soning and backdoor attacks (Bagdasaryan et al., 2020). In a
backdoor attack on classification models, the attacker, such
as a malicious client, adds a “trigger” signal to its training data
and labels any image with a “trigger” as a different class (Saha
et al., 2020). A “trigger,” such as a small patch with random
noise, could lead a sample to be misclassified into another class.
This kind of attack takes advantage of the classification model’s
tendency to overfit the trigger rather than the actual image (Bag-
dasaryan et al., 2020). It is worth noting that numerous medi-
cal images naturally exhibit backdoor-like triggers and noisy
labels, as depicted in Fig. 1, which enhances the significance
of backdoor studies in the field of medical image analysis (Xue
et al., 2022). Unfortunately, the server cannot directly detect the
attacked images given the decentralized nature of FL, where the
clients keep their private data locally. Recently, several studies
found that backdoor-attacking clients can cause a substantial drop in
classification performance in FL (Tolpegin et al., 2020; Sun
et al., 2021). These facts inspire us to think about how backdoor
attacks affect generative models in FL.
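To make the trigger concrete: a trigger of the kind discussed above can be as simple as a small patch of noise pasted into one corner of an image. The sketch below is illustrative only (the image size, patch placement, and noise pattern are hypothetical choices, not necessarily the configuration used in our experiments); it also spells out the patch-size arithmetic behind the 0.5 to 6.25 percent range examined later.

```python
# Illustrative backdoor trigger: paste a small random-noise patch into an image corner.
# Image size, patch placement, and noise pattern are hypothetical choices for illustration.
import numpy as np

def add_trigger(image, area_fraction=0.0625, seed=0):
    """Return a copy of `image` (H x W [x C], values in [0, 1]) with a noise patch pasted
    in the bottom-right corner covering roughly `area_fraction` of the image area."""
    rng = np.random.default_rng(seed)
    h, w = image.shape[:2]
    side = max(1, int(round((area_fraction * h * w) ** 0.5)))  # square patch side length
    patch_shape = (side, side) + image.shape[2:]               # works for gray-scale or RGB
    poisoned = image.copy()
    poisoned[h - side:, w - side:] = rng.random(patch_shape)
    return poisoned

# Patch-size arithmetic for a hypothetical 128 x 128 image:
# 0.5% of the area is ~82 pixels (about a 9 x 9 patch); 6.25% is 1024 pixels (a 32 x 32 patch).
for frac in (0.005, 0.0625):
    side = int(round((frac * 128 * 128) ** 0.5))
    print(f"{frac:.2%} of a 128x128 image -> {side}x{side} patch")
poisoned = add_trigger(np.zeros((128, 128, 3)), area_fraction=0.0625)
```

In the federated setting, such poisoned images never leave the malicious client, which is why the server-side defense discussed later has to rely on shared training losses rather than on inspecting the data itself.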
Fig. 1: Example medical images with backdoor-like noisy patches from (a) the KVASIR dataset (Pogorelov et al., 2017) and (b) the ISIC dataset (Codella et al., 2018).
In this work, we focus on backdoor attacks on labeled
medical image synthesis using conditional FedGAN. In our ex-
periments, we employ two widely used medical datasets. First,
we demonstrate that adding triggers of different sizes and types
(e.g., patches with different patterns and sizes ranging
from 0.5 to 6.25 percent of the original image size) can signif-
icantly affect the fidelity of the generated images. Second, we
propose an effective defense mechanism, FedDetect, to detect
malicious client(s). We observe that the attacked discriminator
tends to overfit, yielding inconsistent training loss patterns that
differ from benign clients’. Therefore, FedDetect performs outlier
detection on clients’ shared training losses in each iteration and
red-flags a client as malicious if it is detected as an outlier based
on its record over multiple iterations. Our results first qualita-
tively compare the visualizations of the images generated with
FedDetect and with the alternative defense strategies under
backdoor attacks with different trigger sizes. Furthermore, with
FedGAN-assisted diagnosis as an indicator of FedGAN’s
role in the field of medicine, we quantitatively evaluate the ef-
fect of FedGAN-assisted data augmentation for DL training,
the attack, and FedDetect. It shows that FedGAN-assisted
data augmentation effectively improves the performance of DL
training, while synthetic medical images generated from the at-
tacked FedGANs lose their utility, leading to poor medical
utility values. FedDetect blocks such adversaries and builds up
a Byzantine-robust FedGAN (Fang et al., 2020).
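To make the loss-based detection behind FedDetect concrete, the following is a simplified sketch of the idea only (the outlier statistic, here an interquartile-range rule, and the flagging threshold are illustrative assumptions; the actual FedDetect procedure is specified in Section 3.3): in each round the server tests the clients' reported losses for outliers and blocks a client once it has been flagged repeatedly.

```python
# Simplified illustration of loss-based malicious-client detection.
# The IQR outlier rule and the flag threshold are illustrative choices;
# the actual FedDetect procedure is described in Section 3.3.
import numpy as np

class LossOutlierDetector:
    def __init__(self, num_clients, flag_threshold=3):
        self.flags = np.zeros(num_clients, dtype=int)   # per-client outlier counts
        self.flag_threshold = flag_threshold

    def update(self, losses):
        """Record which clients report outlying losses this round; return blocked client ids."""
        losses = np.asarray(losses, dtype=float)
        q1, q3 = np.percentile(losses, [25, 75])
        upper = q3 + 1.5 * (q3 - q1)                    # unusually high loss -> suspicious
        self.flags[losses > upper] += 1
        return np.where(self.flags >= self.flag_threshold)[0]

# Example: client 3 keeps reporting an abnormally high loss and eventually gets blocked.
detector = LossOutlierDetector(num_clients=5)
for _ in range(3):
    blocked = detector.update([0.70, 0.65, 0.72, 2.40, 0.68])
print(blocked)  # [3]
```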
Our contributions are summarized as follows:
• To the best of our knowledge, we are the first to exam-
ine the robustness of FedGAN, a promising pipeline for
medical data synthesis, from a practical backdoor attack
perspective. Without loss of generality, we examine our
proposed pipeline, attack, and defense on two public med-
ical datasets.
• We propose a general pipeline of conditional FedGAN to
generate labeled medical datasets. We extend backdoor
attacks from classification models to generative models and
reveal the vulnerability of conditional FedGAN training
to backdoor attacks. We investigate the effect of different
trigger sizes and types in the attacks.
• We propose an effective defense strategy, FedDetect, and
compare it with current practices to show its irreplace-
able role in achieving robust FedGANs. We not only
present qualitative results by examining the fidelity of the
synthetic data, but also quantitatively evaluate their util-
ity as data augmentation to assist diagnostic model train-
ing. We show the practical use and the innovation of
FedDetect in the field of medical image synthesis.
A preliminary version of this work, Backdoor Attack is a
Devil in Federated GAN-based Medical Image Synthesis (Jin
and Li, 2022), was presented at SASHIMI 2022. This paper
extends the preliminary version by expanding the conditional
FedGAN, which generates synthetic medical images with labels
so that synthetic images can serve broader uses (such as
data augmentation), examining the effect of various sizes and
types of triggers with gray-scale and RGB medical datasets,
performing quantitative analysis on the synthetic data, and as-
sessing the utility of the synthetic medical images as data aug-
mentation to assist training deep diagnostic models.
2. Preliminaries and Related Work
2.1. Conditional Generative Adversarial Networks
GAN was first proposed in Goodfellow et al. (2014) as
an unsupervised generative algorithm, where two deep neural
networks, a discriminator and a generator, are trained against each
other to optimize the minimax objective function in Eq. 1:
$\min_G \max_D \; \mathbb{E}_{x \sim p_{\mathrm{data}}(x)}[\log D(x)] + \mathbb{E}_{z \sim p_z(z)}[\log(1 - D(G(z)))],$   (1)
where $G$ and $D$ are the generator and the discriminator, $x$ is the training
data, and $z$ is a random noise vector sampled from a predefined
distribution $p_z$. GAN has been used to generate medical im-
age datasets for data augmentation and data sharing for open
research, as healthcare institutions are restricted from releasing their
collected private data (Chen et al., 2022; Lin et al., 2022).
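For readers who prefer code to notation, the following PyTorch-style sketch shows one alternating update of D and G under the objective in Eq. 1 (the generator uses the common non-saturating variant); the architectures, dimensions, and hyperparameters are illustrative placeholders, not the networks used in this paper.

```python
# Minimal sketch of one GAN training step under the minimax objective in Eq. 1.
# Architectures, dimensions, and hyperparameters are illustrative, not the paper's.
import torch
import torch.nn as nn

latent_dim, data_dim = 64, 784
G = nn.Sequential(nn.Linear(latent_dim, 256), nn.ReLU(), nn.Linear(256, data_dim), nn.Tanh())
D = nn.Sequential(nn.Linear(data_dim, 256), nn.LeakyReLU(0.2), nn.Linear(256, 1))  # outputs a logit
opt_g = torch.optim.Adam(G.parameters(), lr=2e-4)
opt_d = torch.optim.Adam(D.parameters(), lr=2e-4)
bce = nn.BCEWithLogitsLoss()

def train_step(x_real):
    batch = x_real.size(0)
    ones, zeros = torch.ones(batch, 1), torch.zeros(batch, 1)

    # Discriminator: maximize E[log D(x)] + E[log(1 - D(G(z)))]
    z = torch.randn(batch, latent_dim)
    x_fake = G(z).detach()                      # do not backprop into G here
    loss_d = bce(D(x_real), ones) + bce(D(x_fake), zeros)
    opt_d.zero_grad(); loss_d.backward(); opt_d.step()

    # Generator: the non-saturating form, i.e., maximize log D(G(z))
    z = torch.randn(batch, latent_dim)
    loss_g = bce(D(G(z)), ones)
    opt_g.zero_grad(); loss_g.backward(); opt_g.step()
    return loss_d.item(), loss_g.item()

# Example usage with random "real" data standing in for training images.
print(train_step(torch.rand(32, data_dim) * 2 - 1))
```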
Later, Mirza and Osindero (2014) implemented the condi-
tional GAN, turning GAN into a supervised learning algorithm,
where both the discriminator and the generator take an extra
auxiliary label so that the GAN generates images conditional on
the given label according to the updated objective function in Eq. 2:
$\min_G \max_D \; \mathbb{E}_{x \sim p_{\mathrm{data}}(x)}[\log D(x \mid c)] + \mathbb{E}_{z \sim p_z(z)}[\log(1 - D(G(z \mid c)))],$   (2)
where, compared to Eq. 1, we add the class label $c$ as the conditional term.
Generating synthetic medical data using conditional
GAN gains more practical value in healthcare scenarios, be-
cause medical data is usually labeled and this label makes it
meaningful for diagnostic purposes, e.g., for classifying whether a cer-
tain patient has the disease (Frangi et al., 2018), and for data
augmentation (Chen et al., 2022).
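The conditioning in Eq. 2 can be implemented by feeding the label c to both networks, e.g., through a learned embedding concatenated with their usual inputs. The sketch below illustrates this; the embedding scheme and layer sizes are illustrative assumptions rather than the conditional GAN architecture used in our experiments.

```python
# Minimal sketch of conditioning G and D on a class label c, as in Eq. 2.
# The embedding/concatenation scheme and sizes are illustrative assumptions.
import torch
import torch.nn as nn

n_classes, latent_dim, data_dim, emb_dim = 2, 64, 784, 16

class CondGenerator(nn.Module):
    def __init__(self):
        super().__init__()
        self.embed = nn.Embedding(n_classes, emb_dim)
        self.net = nn.Sequential(nn.Linear(latent_dim + emb_dim, 256), nn.ReLU(),
                                 nn.Linear(256, data_dim), nn.Tanh())

    def forward(self, z, c):
        # G(z | c): concatenate the noise vector with the label embedding
        return self.net(torch.cat([z, self.embed(c)], dim=1))

class CondDiscriminator(nn.Module):
    def __init__(self):
        super().__init__()
        self.embed = nn.Embedding(n_classes, emb_dim)
        self.net = nn.Sequential(nn.Linear(data_dim + emb_dim, 256), nn.LeakyReLU(0.2),
                                 nn.Linear(256, 1))

    def forward(self, x, c):
        # D(x | c): judge real/fake given the same label
        return self.net(torch.cat([x, self.embed(c)], dim=1))

# Example: generate a batch conditioned on label 1 (hypothetically, the "diseased" class).
G, D = CondGenerator(), CondDiscriminator()
c = torch.ones(8, dtype=torch.long)
x_fake = G(torch.randn(8, latent_dim), c)
print(D(x_fake, c).shape)  # torch.Size([8, 1])
```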
2.2. Federated Learning
Training DL models usually requires a large amount of train-
ing data. However, collecting data is challenging in the field of
healthcare because healthcare providers, governments, and re-
lated medical organizations must pay particular attention to
patients’ privacy and guarantee the proper use of their collected
data (Price and Cohen, 2019). As a result, the limited data in local
healthcare institutions are usually biased and one-sided (Wang
et al., 2020b), which in turn impedes the AI-assisted diagnostic
technology in healthcare (Van Panhuis et al., 2014).
FL has been proposed as a promising strategy to facilitate
collaboration among several institutions (e.g., medical centers
distributed across different geographical locations) to train a
global DL model (Konečný et al., 2016). Given the important
role FL plays in leveraging medical data from distributed lo-
cations and the practical usage of DL-based synthetic models
in medicine, combining the two will help facilitate ad-
vancement in medicine. Previous studies have established
FedGAN (Rasouli et al., 2020) and explored its robustness in
terms of differential privacy (Augenstein et al., 2019).
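As a rough sketch of how such a FedGAN round can be organized (the exact protocol in the works cited above may differ, and which modules are shared is a simplifying assumption here), the server broadcasts the global generator, each client trains its local GAN on its private data, and the server averages the returned generator parameters FedAvg-style. Clients' training losses can also be reported to the server, which is what the defense described later builds on.

```python
# Rough sketch of one FedGAN communication round with FedAvg-style averaging of
# generator weights. Client-side training and which modules are shared are
# simplifying assumptions, not necessarily the exact protocols of the cited works.
import copy
import torch

def average_state_dicts(state_dicts, weights=None):
    """Weighted average of a list of model state_dicts (e.g., by client dataset size).
    Integer buffers (e.g., BatchNorm counters) would need special handling in practice."""
    n = len(state_dicts)
    weights = weights or [1.0 / n] * n
    avg = copy.deepcopy(state_dicts[0])
    for key in avg:
        avg[key] = sum(w * sd[key].float() for w, sd in zip(weights, state_dicts))
    return avg

def fedgan_round(global_generator, clients, local_train_fn):
    """One round: broadcast G, let each client train locally, then average G's weights."""
    client_states, client_losses = [], []
    for client in clients:
        local_g = copy.deepcopy(global_generator)   # client starts from the global G
        gen_loss = local_train_fn(local_g, client)  # local GAN training (G and a local D)
        client_states.append(local_g.state_dict())
        client_losses.append(gen_loss)              # losses can be shared for detection
    global_generator.load_state_dict(average_state_dicts(client_states))
    return client_losses
```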
In addition, Byzantine-robust FL is a key challenge in FL
deployment, as the clients are barely controllable and typically
viewed as an open system. The literature has shown that FL is vul-
nerable to multiple kinds of adversaries (Bouacida and Moha-
patra, 2021; Liu et al., 2022). Example vulnerabilities include
model poisoning attacks (Bhagoji et al., 2019), gradient inver-
sion attacks (Huang et al., 2021), inference attacks (Ying et al.,
2020), backdoor attacks (Li et al., 2022), etc.
2.3. Backdoor Attack
In this section, we begin by introducing the general concept
of a backdoor attack. Next, we delve into the specific details
of backdoor attacks in FL and backdoor attacks in generative
models.
General concept. Backdoor attackers aim to embed a back-
door, also known as a trigger, in the training data in order to cor-
rupt the performance of a deep neural network. Given that it in-
volves poisoning data, it belongs to the field of data poisoning
attacks, which have been widely explored in multiple machine
learning fields, including Support Vector Machines, Statistical
Machine Learning, and DL (Biggio et al., 2012; Nelson et al.,
2008). In DL, current studies mainly explore poisoning attacks
in centralized classification models, where a hidden trigger is
pasted on some of the training data with wrong labels. The
attacker activates it at test time so that the classifi-
cation model produces a lower testing accuracy for images with
triggers (Saha et al., 2020). This attack strategy takes advantage
of the tendency of deep neural networks to
learn the pattern of the backdoor instead of the actual image (Li
et al., 2022).
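Schematically, the poisoning described above amounts to stamping a trigger onto a fraction of the training samples, relabeling them with an attacker-chosen target class, and stamping the same trigger at test time to activate the backdoor. The sketch below illustrates this; the poison ratio, trigger pattern, and target label are hypothetical choices for illustration, not the exact configuration studied later.

```python
# Schematic of backdoor data poisoning for a classification dataset:
# paste a trigger onto a fraction of the samples and flip their labels to a target class.
# Poison ratio, trigger value, and target label are illustrative assumptions.
import numpy as np

def poison_dataset(images, labels, poison_ratio=0.1, target_label=0, patch=8, seed=0):
    """images: (N, H, W) array in [0, 1]; labels: (N,) int array.
    Returns poisoned copies plus the indices that were poisoned."""
    rng = np.random.default_rng(seed)
    images, labels = images.copy(), labels.copy()
    n_poison = int(len(images) * poison_ratio)
    idx = rng.choice(len(images), size=n_poison, replace=False)
    images[idx, -patch:, -patch:] = 1.0   # solid corner patch as the trigger
    labels[idx] = target_label            # wrong (attacker-chosen) label
    return images, labels, idx

def apply_trigger(images, patch=8):
    """At test time the attacker 'activates' the backdoor by stamping the same trigger."""
    out = images.copy()
    out[:, -patch:, -patch:] = 1.0
    return out

x = np.random.rand(100, 64, 64)
y = np.random.randint(0, 2, size=100)
x_p, y_p, idx = poison_dataset(x, y)
print(len(idx), y_p[idx][:5])             # 10 poisoned samples, all relabeled to 0
```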
Backdoor attack in FL. Due to the distributed nature of FL,
the server has little control on the client side. Namely, FL is
even more vulnerable to backdoor and poisoning attacks. Exist-
ing studies have explored such attacks in classification models
from various perspectives. Bagdasaryan et al. (2020) proposed
to apply model replacement as a means to introduce back-
doored functionality into the global model within FL. Fang et al.
(2020) introduced the initial concept of local model poisoning
attacks targeting the Byzantine robustness of FL. Wang et al.
(2020a) introduced a novel concept of an edge-case backdoor,
which manipulates a model to misclassify seemingly straight-
forward inputs that are highly unlikely to be part of the training
or test data. Sun et al. (2019) conducted a thorough investigation
of backdoor attacks and defense strategies in FL classification
models.
Backdoor attack on GAN. Existing backdoor attacks have
been focusing on classification models, and the ap-
plicability of backdoor attacks against GANs is underexplored,
especially in the field of medicine. This is due to the fact
that backdoor attacks against GANs are more complex, since
the input for GANs is a noise vector, while the output is a
newly generated image. The backdoor attack in FL for classification models
was initially introduced by Bagdasaryan et al. (2020), where
a constrain-and-scale technique is applied to amplify the ma-
licious clients’ gradients. In that study, the local clients are
free to modify their local training procedures. However, this sce-
nario is unlikely to happen in medical circumstances, given
that the organizer of the FL can enforce the proper training pro-
cedure on reliable hardware to prevent malicious clients from
taking adversarial actions (Pillutla et al., 2019). In contrast to
the previous backdoor federated classification study, we assume
that there is a reliable FL pipeline in which each client follows the
provided training rules to calculate and update the correct pa-
rameters without modifying them, thereby performing the given
training process in accordance with the instructions given by
the trusted server (the organizer of the FL in reality). We then
investigate how a backdoor attack can affect GAN-based data syn-
thesis in this FL setting.
2.4. Defending Backdoor Attack
There are a variety of defense strategies for backdoor at-
tacks ranging from data level to model level but with a focus
on the classification models in centralized training. Data level
defenses mainly include two perspectives: 1) Detect the trig-
ger pattern and either eliminate it from the data or add a trig-
ger blocker to decrease the contribution of the backdoor during
training the DL model (Doan et al., 2020). 2) Perform a series
of data argumentation (e.g., shrinking, flipping) before feeding
the data into the model (Qiu et al., 2021; Villarreal-Vasquez and
Bhargava, 2020). This is because the transitional backdoor at-
tack is sensitive to the pattern of the trigger and the location of
the backdoor patch (Li et al., 2021b).
There are more model-level defense strategies: 1) Recon-
structing the attacked model. This strategy aims to retrain
the attacked model with some benign samples to allevi-
ate the backdoor attack. 2) Trigger synthesis defense.
This strategy attempts to perform outlier detection on the DL models
by reconstructing either the specific trigger (Wang et al., 2019;
Harikumar et al., 2020) or the trigger distribution (Zhu et al.,
2020; Guo et al., 2020). 3) Diagnosing the attacked model through
a meta-classifier. This method applies certain pre-trained clas-
sifiers to identify potentially infected models and prevent
deploying them (Kolouri et al., 2020; Zheng et al., 2021). 4)
Unlearning the infected model. The unlearning strategy first
detects the malicious behavior and then defends against the
backdoor attack by performing reverse learning through utiliz-
ing the implicit hypergradient (Zeng et al., 2021a) or modify-
ing the loss function (Li et al., 2021a). 5) Robust aggregation.
This strategy is specifically tailored for FL. It involves meticu-
lous adjustments of the server aggregation learning rate, taking
into account client updates on a per-dimension and per-round
basis (Pillutla et al., 2019). 6) Adversarial distillation. This
defense strategy is also designed for classification tasks in FL.
It employs a GAN on the server side to acquire a distillation
dataset. Subsequently, knowledge distillation is applied, utiliz-
ing a clean model as the teacher to educate the server model and
remove the backdoored neurons from the malicious model (Zhu
et al., 2023). 7) Trigger reverse engineering. This is a provable
technique proposed specifically for backdoor attacks on
FL classification models (Zhang et al., 2022).
It requires the benign clients to apply trigger inversion tech-
niques at training time to construct an augmented dataset
that consists of poisoned images with clean labels. This serves
as model hardening and reduces the prediction confidence of
backdoored samples. The inference step then takes advantage of
this prediction confidence to perform classification tasks.
Moreover, comprehensive backdoor attack surveys can be
found in Li et al. (2022) and Guo et al. (2022).
Unfortunately, most of the above defense strategies do not
fit the FedGAN setting, either because the server cannot access
the local private data or because the training of GAN-based generative
models does not behave the same way as that of classification models.
3. Methods
The goal of medical image synthesis is to generate high-
quality synthetic data that can be employed for open research
to augment limited datasets and balance the training data, and
ultimately hasten DL methodological advancements in medicine.
In our study, we explore conditional GAN in the FL setting,
i.e., conditional FedGAN.
In this section, we first introduce our setting for FedGAN
in Section 3.1. Next, we discuss the scope of adversarial at-
tacks and determine the best way to implement the backdoor
attack that involves data poisoning in Section 3.2. Then, we
suggest potential strategies for defending against such at-
tacks in FedGAN to build a robust FL system in Section 3.3.
3.1. Federated Generative Adversarial Network
Motivated by the local model poisoning attacks in Byzantine-
robust FL classification models proposed in Fang et al. (2020),