Adversarial Poisoning Attacks on Federated Learning in Metaverse

Metaverse is envisioned to be a human-centric framework, and provide a new concept of living by offering comprehensively immersive experience for users in education, medicine and entertainment domain. Since a large amount of private data is generated at each user for accessing Metaverse, the emerging federated learning (FL) provides an effective solution to address the potential privacy leakage of data sharing by adopting the mechanism of local training and global model aggregation. However, the model aggregation is susceptible to adversarial poisoning attacks. This imposes critical issues for the privacy-preserving mechanism in Metaverse. In this research, we develop two poisoning attacks in order to emulate the behaviour of adversaries possibly existing in practical Metaverse scenarios. First, we develop a data poisoning attack using Bayesian optimisation to search for the optimal parameters of generating adversarial examples to conduct reversed adversarial training. Second, we develop a model poisoning attack where we apply layer optimisation using Bayesian optimisation to search the optimal weights for the convolutional layer in order to induce uncertainty in the classification. Numerical results show that both attack schemes can cause attacks that can not be recognised by the FL server, and layer optimisation is a stronger poisoning attack.