Adversarial Examples Make Strong Poisons
- URL: http://arxiv.org/abs/2106.10807v1
- Date: Mon, 21 Jun 2021 01:57:14 GMT
- Title: Adversarial Examples Make Strong Poisons
- Authors: Liam Fowl, Micah Goldblum, Ping-yeh Chiang, Jonas Geiping, Wojtek
Czaja, Tom Goldstein
- Abstract summary: We show that adversarial examples, originally intended for attacking pre-trained models, are even more effective for data poisoning than recent methods designed specifically for poisoning.
Our method, adversarial poisoning, is substantially more effective than existing poisoning methods for secure dataset release.
- Score: 55.63469396785909
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The adversarial machine learning literature is largely partitioned into
evasion attacks on testing data and poisoning attacks on training data. In this
work, we show that adversarial examples, originally intended for attacking
pre-trained models, are even more effective for data poisoning than recent
methods designed specifically for poisoning. Our findings indicate that
adversarial examples, when assigned the original label of their natural base
image, cannot be used to train a classifier for natural images. Furthermore,
when adversarial examples are assigned their adversarial class label, they are
useful for training. This suggests that adversarial examples contain useful
semantic content, just with the "wrong" labels (according to a network, but
not a human). Our method, adversarial poisoning, is substantially more
effective than existing poisoning methods for secure dataset release, and we
release a poisoned version of ImageNet, ImageNet-P, to encourage research into
the strength of this form of data obfuscation.
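The abstract describes adversarial poisoning only at a high level. As a rough illustration, the sketch below crafts untargeted adversarial perturbations with projected gradient descent (PGD) against a pretrained crafting model and pairs the perturbed images with their original labels; the choice of PGD, the epsilon budget, step size, and iteration count are assumptions made for illustration, not the exact recipe reported in the paper.
```python
import torch
import torch.nn.functional as F

def pgd_poison(model, images, labels, eps=8 / 255, alpha=2 / 255, steps=40):
    """Craft untargeted adversarial versions of `images` under an L-inf budget.

    Released with their ORIGINAL labels, these images act as the poison set:
    their features no longer match the labels they carry.
    """
    model.eval()
    # Freeze the crafting model; only the perturbation is optimized.
    for p in model.parameters():
        p.requires_grad_(False)
    delta = torch.empty_like(images).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        loss = F.cross_entropy(model(images + delta), labels)
        loss.backward()
        with torch.no_grad():
            # Untargeted attack: signed ascent step on the true-label loss.
            delta += alpha * delta.grad.sign()
            delta.clamp_(-eps, eps)
            # Project so the poisoned image stays in the valid pixel range [0, 1].
            delta.copy_((images + delta).clamp(0, 1) - images)
        delta.grad.zero_()
    return (images + delta).detach()

# Usage sketch: each poisoned image keeps its original (clean) label.
# poison_set = [(pgd_poison(crafting_model, x, y), y) for x, y in train_loader]
```
Per the abstract, pairing the perturbed images with their original labels is what makes the released set unusable for training a natural-image classifier; the same images paired with their adversarial (network-predicted) labels would remain useful for training.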
Related papers
- From Trojan Horses to Castle Walls: Unveiling Bilateral Data Poisoning Effects in Diffusion Models [19.140908259968302]
We investigate whether BadNets-like data poisoning methods can directly degrade the generation by DMs.
We show that a BadNets-like data poisoning attack remains effective in DMs for producing incorrect images.
Poisoned DMs exhibit an increased ratio of triggers, a phenomenon we refer to as "trigger amplification".
arXiv Detail & Related papers (2023-11-04T11:00:31Z) - HINT: Healthy Influential-Noise based Training to Defend against Data
Poisoning Attacks [12.929357709840975]
We propose an efficient and robust training approach to defend against data poisoning attacks based on influence functions.
Using influence functions, we craft healthy noise that helps to harden the classification model against poisoning attacks.
Our empirical results show that HINT can efficiently protect deep learning models against the effect of both untargeted and targeted poisoning attacks.
arXiv Detail & Related papers (2023-09-15T17:12:19Z) - On Practical Aspects of Aggregation Defenses against Data Poisoning
Attacks [58.718697580177356]
Attacks on deep learning models with malicious training samples are known as data poisoning.
Recent advances in defense strategies against data poisoning have highlighted the effectiveness of aggregation schemes in achieving certified poisoning robustness.
Here we focus on Deep Partition Aggregation, a representative aggregation defense, and assess its practical aspects, including efficiency, performance, and robustness.
arXiv Detail & Related papers (2023-06-28T17:59:35Z) - Indiscriminate Poisoning Attacks Are Shortcuts [77.38947817228656]
We find that the perturbations of advanced poisoning attacks are almost linearly separable when assigned the target labels of the corresponding samples (a minimal linear-probe check is sketched after this list).
We show that synthetic, linearly separable perturbations are as powerful as the deliberately crafted attacks.
Our finding suggests that the shortcut learning problem is more serious than previously believed.
arXiv Detail & Related papers (2021-11-01T12:44:26Z) - Defending against Adversarial Denial-of-Service Attacks [0.0]
Data poisoning is one of the most relevant security threats against machine learning and data-driven technologies.
We propose a new approach for detecting DoS-poisoned instances.
We evaluate our defence against two DoS poisoning attacks and seven datasets, and find that it reliably identifies poisoned instances.
arXiv Detail & Related papers (2021-04-14T09:52:36Z) - Provable Defense Against Delusive Poisoning [64.69220849669948]
We show that adversarial training can be a principled defense method against delusive poisoning.
arXiv Detail & Related papers (2021-02-09T09:19:47Z) - Witches' Brew: Industrial Scale Data Poisoning via Gradient Matching [56.280018325419896]
Data Poisoning attacks modify training data to maliciously control a model trained on such data.
We analyze a particularly malicious poisoning attack that is both "from scratch" and "clean label".
We show that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset.
arXiv Detail & Related papers (2020-09-04T16:17:54Z) - Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and
Data Poisoning Attacks [74.88735178536159]
Data poisoning has been ranked the number one concern among threats ranging from model stealing to adversarial attacks.
We observe that data poisoning and backdoor attacks are highly sensitive to variations in the testing setup.
We apply rigorous tests to determine the extent to which we should fear them.
arXiv Detail & Related papers (2020-06-22T18:34:08Z)
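The "Indiscriminate Poisoning Attacks Are Shortcuts" entry above claims that poisoning perturbations are almost linearly separable under the attack's target labels. A simple way to probe such a claim is to fit a linear classifier directly on the perturbations (poisoned minus clean images, flattened per sample), labelled with those targets, and check held-out accuracy. The sketch below only illustrates that probe on synthetic stand-in data; the toy perturbation construction is an assumption for illustration, not data from any of the papers.
```python
import numpy as np
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split

# Toy stand-ins (NOT data from the papers): in practice, `perturbations` would be
# poisoned_images - clean_images flattened per sample, and `target_labels` the
# labels the attack assigned to those samples.
rng = np.random.default_rng(0)
n_samples, dim, n_classes = 1000, 3 * 32 * 32, 10  # CIFAR-10-sized, flattened
target_labels = rng.integers(0, n_classes, size=n_samples)
class_directions = rng.normal(size=(n_classes, dim))
perturbations = (
    0.03 * class_directions[target_labels]
    + 0.01 * rng.normal(size=(n_samples, dim))
)

X_train, X_test, y_train, y_test = train_test_split(
    perturbations, target_labels, test_size=0.2, random_state=0
)

# A plain linear probe: high held-out accuracy indicates the perturbations are
# (almost) linearly separable with respect to the target labels.
probe = LogisticRegression(max_iter=1000)
accuracy = probe.fit(X_train, y_train).score(X_test, y_test)
print(f"Linear probe accuracy on perturbations: {accuracy:.3f}")
```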
This list is automatically generated from the titles and abstracts of the papers on this site.