Manipulating SGD with Data Ordering Attacks
- URL: http://arxiv.org/abs/2104.09667v1
- Date: Mon, 19 Apr 2021 22:17:27 GMT
- Title: Manipulating SGD with Data Ordering Attacks
- Authors: Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, Ross Anderson
- Abstract summary: We present a class of training-time attacks that require no changes to the underlying model dataset or architecture.
In particular, an attacker can disrupt the integrity and availability of a model by simply reordering training batches.
Attacks have a long-term impact in that they decrease model performance hundreds of epochs after the attack took place.
- Score: 23.639512087220137
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Machine learning is vulnerable to a wide variety of different attacks. It is now well understood that by changing the underlying data distribution, an adversary can poison the model trained with it or introduce backdoors. In this paper we present a novel class of training-time attacks that require no changes to the underlying model, dataset or architecture, but instead only change the order in which data are supplied to the model. In particular, an attacker can disrupt the integrity and availability of a model by simply reordering training batches, with no knowledge about either the model or the dataset. Indeed, the attacks presented here are not specific to the model or dataset, but rather target the stochastic nature of modern learning procedures. We extensively evaluate our attacks to find that the adversary can disrupt model training and even introduce backdoors.
For integrity we find that the attacker can either stop the model from learning, or poison it to learn behaviours specified by the attacker. For availability we find that a single adversarially-ordered epoch can be enough to slow down model learning, or even to reset all of the learning progress. Such attacks have a long-term impact in that they decrease model performance hundreds of epochs after the attack took place. Reordering is a very powerful adversarial paradigm in that it removes the assumption that an adversary must inject adversarial data points or perturbations to perform training-time attacks. It reminds us that stochastic gradient descent relies on the assumption that data are sampled at random. If this randomness is compromised, then all bets are off.
Related papers
- Wicked Oddities: Selectively Poisoning for Effective Clean-Label Backdoor Attacks [11.390175856652856]
Clean-label attacks are a more stealthy form of backdoor attacks that can perform the attack without changing the labels of poisoned data.
We study different strategies for selectively poisoning a small set of training samples in the target class to boost the attack success rate.
Our threat model poses a serious threat in training machine learning models with third-party datasets.
arXiv Detail & Related papers (2024-07-15T15:38:21Z)
- Model Inversion Attack against Transfer Learning: Inverting a Model without Accessing It [41.39995986856193]
Transfer learning is an important approach that produces pre-trained teacher models.
Recent research on transfer learning has found that it is vulnerable to various attacks.
It is still not clear whether transfer learning is vulnerable to model inversion attacks.
arXiv Detail & Related papers (2022-03-13T05:07:02Z)
- On the Effectiveness of Adversarial Training against Backdoor Attacks [111.8963365326168]
A backdoored model always predicts a target class in the presence of a predefined trigger pattern.
In general, adversarial training is believed to defend against backdoor attacks.
We propose a hybrid strategy which provides satisfactory robustness across different backdoor attacks.
arXiv Detail & Related papers (2022-02-22T02:24:46Z)
- Learning to Learn Transferable Attack [77.67399621530052]
Transfer adversarial attack is a non-trivial black-box adversarial attack that aims to craft adversarial perturbations on the surrogate model and then apply such perturbations to the victim model.
We propose a Learning to Learn Transferable Attack (LLTA) method, which makes the adversarial perturbations more generalized via learning from both data and model augmentation.
Empirical results on the widely-used dataset demonstrate the effectiveness of our attack method with a 12.85% higher success rate of transfer attack compared with the state-of-the-art methods.
arXiv Detail & Related papers (2021-12-10T07:24:21Z)
- Adversarial Transfer Attacks With Unknown Data and Class Overlap [19.901933940805684]
Current transfer attack research has an unrealistic advantage for the attacker.
We present the first study of transferring adversarial attacks focusing on the data available to attacker and victim under imperfect settings.
This threat model is relevant to applications in medicine, malware, and others.
arXiv Detail & Related papers (2021-09-23T03:41:34Z)
- Accumulative Poisoning Attacks on Real-time Data [56.96241557830253]
We show that a well-designed but straightforward attacking strategy can dramatically amplify the poisoning effects.
Our work validates that a well-designed but straightforward attacking strategy can dramatically amplify the poisoning effects.
arXiv Detail & Related papers (2021-06-18T08:29:53Z)
- Learning to Attack: Towards Textual Adversarial Attacking in Real-world Situations [81.82518920087175]
Adversarial attacking aims to fool deep neural networks with adversarial examples.
We propose a reinforcement learning based attack model, which can learn from attack history and launch attacks more efficiently.
arXiv Detail & Related papers (2020-09-19T09:12:24Z)
- Adversarial examples are useful too! [47.64219291655723]
I propose a new method to tell whether a model has been subject to a backdoor attack.
The idea is to generate adversarial examples, targeted or untargeted, using conventional attacks such as FGSM.
It is possible to visually locate the perturbed regions and unveil the attack.
arXiv Detail & Related papers (2020-05-13T01:38:56Z)
- Adversarial Imitation Attack [63.76805962712481]
A practical adversarial attack should require as little as possible knowledge of attacked models.
Current substitute attacks need pre-trained models to generate adversarial examples.
In this study, we propose a novel adversarial imitation attack.
arXiv Detail & Related papers (2020-03-28T10:02:49Z)
This list is automatically generated from the titles and abstracts of the papers in this site.