A Framework of Randomized Selection Based Certified Defenses Against
Data Poisoning Attacks
- URL: http://arxiv.org/abs/2009.08739v2
- Date: Tue, 13 Oct 2020 09:33:36 GMT
- Title: A Framework of Randomized Selection Based Certified Defenses Against
Data Poisoning Attacks
- Authors: Ruoxin Chen, Jie Li, Chentao Wu, Bin Sheng, Ping Li
- Abstract summary: This paper proposes a framework of random selection based certified defenses against data poisoning attacks.
We prove that the random selection schemes that satisfy certain conditions are robust against data poisoning attacks.
Our framework allows users to improve robustness by leveraging prior knowledge about the training set and the poisoning model.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Neural network classifiers are vulnerable to data poisoning attacks, as
attackers can degrade or even manipulate their predictions through poisoning
only a few training samples. However, the robustness of heuristic defenses is
hard to measure. Random selection based defenses can achieve certified
robustness by averaging the classifiers' predictions on the sub-datasets
sampled from the training set. This paper proposes a framework of random
selection based certified defenses against data poisoning attacks.
Specifically, we prove that the random selection schemes that satisfy certain
conditions are robust against data poisoning attacks. We also derive the
analytical form of the certified radius for the qualified random selection
schemes. The certified radius of bagging derived by our framework is tighter
than the previous work. Our framework allows users to improve robustness by
leveraging prior knowledge about the training set and the poisoning model.
Given a higher level of prior knowledge, we can achieve higher certified accuracy
both theoretically and practically. According to the experiments on three
benchmark datasets: MNIST 1/7, MNIST, and CIFAR-10, our method outperforms the
state-of-the-art.
Related papers
- FCert: Certifiably Robust Few-Shot Classification in the Era of Foundation Models (arXiv, 2024-04-12)
We propose FCert, the first certified defense against data poisoning attacks to few-shot classification.
Our experimental results show our FCert: 1) maintains classification accuracy without attacks, 2) outperforms existing certified defenses for data poisoning attacks, and 3) is efficient and general.
- Towards Fair Classification against Poisoning Attacks (arXiv, 2022-10-18)
We study the poisoning scenario where the attacker can insert a small fraction of samples into training data.
We propose a general and theoretically guaranteed framework which accommodates traditional defense methods to fair classification against poisoning attacks.
- How to Sift Out a Clean Data Subset in the Presence of Data Poisoning? (arXiv, 2022-10-12)
We study how precise automated tools and human inspection are at identifying clean data in the presence of data poisoning attacks.
Our method is based on the insight that existing attacks' poisoned samples shift away from clean data distributions.
Our evaluation shows that Meta-Sift can sift a clean base set with 100% precision under a wide range of poisoning attacks.
- Lethal Dose Conjecture on Data Poisoning (arXiv, 2022-08-05)
Data poisoning considers an adversary that distorts the training set of machine learning algorithms for malicious purposes.
In this work, we bring to light one conjecture regarding the fundamentals of data poisoning, which we call the Lethal Dose Conjecture.
- Improved Certified Defenses against Data Poisoning with (Deterministic) Finite Aggregation (arXiv, 2022-02-05)
We propose an improved certified defense against general poisoning attacks, namely Finite Aggregation.
In contrast to DPA, which directly splits the training set into disjoint subsets, our method first splits the training set into smaller disjoint subsets.
We offer an alternative view of our method, bridging the designs of deterministic and aggregation-based certified defenses.
- Learning and Certification under Instance-targeted Poisoning (arXiv, 2021-05-18)
We study PAC learnability and certification under instance-targeted poisoning attacks.
We show that when the budget of the adversary scales sublinearly with the sample complexity, PAC learnability and certification are achievable.
We empirically study the robustness of K nearest neighbour, logistic regression, multi-layer perceptron, and convolutional neural network on real data sets.
- Certified Robustness of Nearest Neighbors against Data Poisoning Attacks (arXiv, 2020-12-07)
We show that the intrinsic majority vote mechanisms in kNN and rNN already provide certified robustness guarantees against general data poisoning attacks.
Our results serve as standard baselines for future certified defenses against data poisoning attacks.
- How Robust are Randomized Smoothing based Defenses to Data Poisoning? (arXiv, 2020-12-02)
We present a previously unrecognized threat to robust machine learning models that highlights the importance of training-data quality.
We propose a novel bilevel optimization-based data poisoning attack that degrades the robustness guarantees of certifiably robust classifiers.
Our attack is effective even when the victim trains the models from scratch using state-of-the-art robust training methods.
- Certified Robustness to Label-Flipping Attacks via Randomized Smoothing (arXiv, 2020-02-07)
Machine learning algorithms are susceptible to data poisoning attacks.
We present a unifying view of randomized smoothing over arbitrary functions.
We propose a new strategy for building classifiers that are pointwise-certifiably robust to general data poisoning attacks.
This list is automatically generated from the titles and abstracts of the papers in this site.