Influence Based Defense Against Data Poisoning Attacks in Online
Learning
- URL: http://arxiv.org/abs/2104.13230v1
- Date: Sat, 24 Apr 2021 08:39:13 GMT
- Title: Influence Based Defense Against Data Poisoning Attacks in Online
Learning
- Authors: Sanjay Seetharaman, Shubham Malaviya, Rosni KV, Manish Shukla, Sachin
Lodha
- Abstract summary: Data poisoning is an attack where an attacker manipulates a fraction of the data to degrade the performance of a machine learning model.
We propose a defense mechanism to minimize the degradation caused by the poisoned training data on a learner's model in an online setup.
- Score: 9.414651358362391
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: Data poisoning is a type of adversarial attack on training data where an
attacker manipulates a fraction of the data to degrade the performance of a
machine learning model. Therefore, applications that rely on external data
sources for training data are at a significantly higher risk. There are several known
defensive mechanisms that can help in mitigating the threat from such attacks.
For example, data sanitization is a popular defensive mechanism wherein the
learner rejects those data points that are sufficiently far from the set of
training instances. Prior work on data poisoning defense has primarily focused
on the offline setting, wherein all the data is assumed to be available for
analysis.
Defensive measures for online learning, where data points arrive sequentially,
have not garnered similar interest.
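For concreteness, here is a minimal sketch of the kind of distance-based sanitization described above: points falling too far from the per-class centroids of a small trusted set are rejected before they reach the learner. The function names, the centroid criterion, and the fixed radius are illustrative assumptions, not the specific sanitizer used in this paper.

```python
import numpy as np

def fit_centroids(X_trusted, y_trusted):
    """Per-class centroids of a small trusted (clean) dataset."""
    return {c: X_trusted[y_trusted == c].mean(axis=0) for c in np.unique(y_trusted)}

def is_suspicious(x, y, centroids, radius):
    """Sphere-style sanitization: flag a point lying too far from its class centroid."""
    return np.linalg.norm(x - centroids[y]) > radius

# Usage on a stream of incoming (x_t, y_t) pairs (radius chosen here arbitrarily):
# centroids = fit_centroids(X_trusted, y_trusted)
# accepted = [(x, y) for x, y in stream if not is_suspicious(x, y, centroids, radius=3.0)]
```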
In this work, we propose a defense mechanism to minimize the degradation
caused by the poisoned training data on a learner's model in an online setup.
Our proposed method utilizes an influence function, a classic technique in
robust statistics. Further, we supplement it with existing data
sanitization methods for filtering out some of the poisoned data points. We
study the effectiveness of our defense mechanism on multiple datasets and
across multiple attack strategies against an online learner.
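As a rough illustration of how an influence criterion can gate updates in an online learner, the sketch below trains a logistic-regression model with SGD and skips any incoming point whose estimated influence on a small trusted validation set is harmful. It uses a first-order gradient-alignment proxy and omits the inverse-Hessian term of the classic influence function; the threshold and all names are assumptions, not the paper's exact defense.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def grad_logloss(w, x, y):
    """Gradient of the logistic loss at a single example, with label y in {0, 1}."""
    return (sigmoid(w @ x) - y) * x

def influence_proxy(w, x, y, X_val, y_val):
    """First-order influence proxy: alignment between the incoming point's gradient
    and the mean gradient over a trusted validation set (inverse Hessian omitted)."""
    g_point = grad_logloss(w, x, y)
    g_val = np.mean([grad_logloss(w, xv, yv) for xv, yv in zip(X_val, y_val)], axis=0)
    return float(g_val @ g_point)  # > 0: an SGD step on (x, y) should lower validation loss

def online_step(w, x, y, X_val, y_val, lr=0.1, tau=0.0):
    """Perform an SGD update only if the point's estimated influence is not harmful."""
    if influence_proxy(w, x, y, X_val, y_val) < tau:
        return w  # treat the point as potentially poisoned and skip the update
    return w - lr * grad_logloss(w, x, y)
```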
Related papers
- Towards Attack-tolerant Federated Learning via Critical Parameter
Analysis [85.41873993551332]
Federated learning systems are susceptible to poisoning attacks when malicious clients send false updates to the central server.
This paper proposes a new defense strategy, FedCPA (Federated learning with Critical Parameter Analysis).
Our attack-tolerant aggregation method is based on the observation that benign local models have similar sets of top-k and bottom-k critical parameters, whereas poisoned local models do not.
arXiv Detail & Related papers (2023-08-18T05:37:55Z) - Avoid Adversarial Adaption in Federated Learning by Multi-Metric
Investigations [55.2480439325792]
Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources.
FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks.
We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously.
MESAS is the first defense robust against strong adaptive adversaries, effective in real-world data scenarios, with an average overhead of just 24.37 seconds.
arXiv Detail & Related papers (2023-06-06T11:44:42Z) - A Data-Driven Defense against Edge-case Model Poisoning Attacks on Federated Learning [13.89043799280729]
We propose DataDefense, an effective defense against model poisoning attacks in Federated Learning systems.
DataDefense learns a poisoned-data detector model that marks each example in the defense dataset as poisoned or clean.
It is able to reduce the attack success rate by at least 40% on standard attack setups and by more than 80% on some setups.
arXiv Detail & Related papers (2023-05-03T10:20:26Z) - Try to Avoid Attacks: A Federated Data Sanitization Defense for
Healthcare IoMT Systems [4.024567343465081]
The distributed nature of IoMT systems puts them at risk of data poisoning attacks.
Poisoned data can be fabricated by falsifying medical data.
This paper introduces a Federated Data Sanitization Defense, a novel approach to protect the system from data poisoning attacks.
arXiv Detail & Related papers (2022-11-03T05:21:39Z) - Autoregressive Perturbations for Data Poisoning [54.205200221427994]
Data scraping from social media has led to growing concerns regarding unauthorized use of data.
Data poisoning attacks have been proposed as a bulwark against scraping.
We introduce autoregressive (AR) poisoning, a method that can generate poisoned data without access to the broader dataset.
arXiv Detail & Related papers (2022-06-08T06:24:51Z) - Accumulative Poisoning Attacks on Real-time Data [56.96241557830253]
We show that a well-designed but straightforward attacking strategy can dramatically amplify the poisoning effects.
arXiv Detail & Related papers (2021-06-18T08:29:53Z) - Gradient-based Data Subversion Attack Against Binary Classifiers [9.414651358362391]
In this work, we focus on label contamination attacks, in which an attacker poisons the labels of data to compromise the functionality of the system.
We exploit the gradients of a differentiable convex loss function with respect to the predicted label as a warm-start and formulate different strategies to find a set of data instances to contaminate.
Our experiments show that the proposed approach outperforms the baselines and is computationally efficient.
arXiv Detail & Related papers (2021-05-31T09:04:32Z) - Defending against Adversarial Denial-of-Service Attacks [0.0]
Data poisoning is one of the most relevant security threats against machine learning and data-driven technologies.
We propose a new approach to detecting DoS-poisoned instances.
We evaluate our defense against two DoS poisoning attacks on seven datasets and find that it reliably identifies poisoned instances.
arXiv Detail & Related papers (2021-04-14T09:52:36Z) - What Doesn't Kill You Makes You Robust(er): Adversarial Training against
Poisons and Backdoors [57.040948169155925]
We extend the adversarial training framework to defend against (training-time) poisoning and backdoor attacks.
Our method desensitizes networks to the effects of poisoning by creating poisons during training and injecting them into training batches.
We show that this defense withstands adaptive attacks, generalizes to diverse threat models, and incurs a better performance trade-off than previous defenses.
arXiv Detail & Related papers (2021-02-26T17:54:36Z) - Witches' Brew: Industrial Scale Data Poisoning via Gradient Matching [56.280018325419896]
Data Poisoning attacks modify training data to maliciously control a model trained on such data.
We analyze a particularly malicious poisoning attack that is both "from scratch" and "clean label".
We show that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset.
arXiv Detail & Related papers (2020-09-04T16:17:54Z) - Subpopulation Data Poisoning Attacks [18.830579299974072]
Poisoning attacks against machine learning induce adversarial modification of data used by a machine learning algorithm to selectively change its output when it is deployed.
We introduce a novel data poisoning attack called a subpopulation attack, which is particularly relevant when datasets are large and diverse.
We design a modular framework for subpopulation attacks, instantiate it with different building blocks, and show that the attacks are effective for a variety of datasets and machine learning models.
arXiv Detail & Related papers (2020-06-24T20:20:52Z)