MetaPoison: Practical General-purpose Clean-label Data Poisoning
- URL: http://arxiv.org/abs/2004.00225v2
- Date: Sun, 21 Feb 2021 02:40:40 GMT
- Title: MetaPoison: Practical General-purpose Clean-label Data Poisoning
- Authors: W. Ronny Huang, Jonas Geiping, Liam Fowl, Gavin Taylor, Tom Goldstein
- Abstract summary: Data poisoning is an emerging threat in the context of neural networks.
We propose MetaPoison, a first-order method that approximates the bilevel problem via meta-learning and crafts poisons that fool neural networks.
We demonstrate for the first time successful data poisoning of models trained on the black-box Google Cloud AutoML API.
- Score: 58.13959698513719
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Data poisoning -- the process by which an attacker takes control of a model
by making imperceptible changes to a subset of the training data -- is an
emerging threat in the context of neural networks. Existing attacks for data
poisoning neural networks have relied on hand-crafted heuristics, because
solving the poisoning problem directly via bilevel optimization is generally
thought of as intractable for deep models. We propose MetaPoison, a first-order
method that approximates the bilevel problem via meta-learning and crafts
poisons that fool neural networks. MetaPoison is effective: it outperforms
previous clean-label poisoning methods by a large margin. MetaPoison is robust:
poisoned data made for one model transfer to a variety of victim models with
unknown training settings and architectures. MetaPoison is general-purpose: it
works not only in fine-tuning scenarios, but also for end-to-end training from
scratch, which until now has not been feasible for clean-label attacks with deep
nets. MetaPoison can achieve arbitrary adversary goals -- like using poisons of
one class to make a target image don the label of another arbitrarily chosen
class. Finally, MetaPoison works in the real world. We demonstrate for the
first time successful data poisoning of models trained on the black-box Google
Cloud AutoML API. Code and premade poisons are provided at
https://github.com/wronnyhuang/metapoison.