Stealthy Poisoning Attacks Bypass Defenses in Regression Settings
- URL: http://arxiv.org/abs/2601.22308v1
- Date: Thu, 29 Jan 2026 20:50:36 GMT
- Title: Stealthy Poisoning Attacks Bypass Defenses in Regression Settings
- Authors: Javier Carnerero-Cano, Luis Muñoz-González, Phillippa Spencer, Emil C. Lupu,
- Abstract summary: We propose a novel optimal stealthy attack formulation that considers different degrees of detectability.<n>We also propose a new methodology based on normalization of objectives to evaluate different trade-offs between effectiveness and detectability.
- Score: 5.288693038980939
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Regression models are widely used in industrial processes, engineering and in natural and physical sciences, yet their robustness to poisoning has received less attention. When it has, studies often assume unrealistic threat models and are thus less useful in practice. In this paper, we propose a novel optimal stealthy attack formulation that considers different degrees of detectability and show that it bypasses state-of-the-art defenses. We further propose a new methodology based on normalization of objectives to evaluate different trade-offs between effectiveness and detectability. Finally, we develop a novel defense (BayesClean) against stealthy attacks. BayesClean improves on previous defenses when attacks are stealthy and the number of poisoning points is significant.
Related papers
- The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against Llm Jailbreaks and Prompt Injections [74.60337113759313]
Current defenses against jailbreaks and prompt injections are typically evaluated against a static set of harmful attack strings.<n>We argue that this evaluation process is flawed. Instead, we should evaluate defenses against adaptive attackers who explicitly modify their attack strategy to counter a defense's design.
arXiv Detail & Related papers (2025-10-10T05:51:04Z) - DisPatch: Disarming Adversarial Patches in Object Detection with Diffusion Models [8.800216228212824]
State-of-theart object detectors are still vulnerable to adversarial patch attacks.<n>We introduce DIS, the first diffusion-based defense framework for object detection.<n> DIS consistently outperforms state-of-the-art defenses on both hiding attacks and creating attacks.
arXiv Detail & Related papers (2025-09-04T18:20:36Z) - Deferred Poisoning: Making the Model More Vulnerable via Hessian Singularization [36.13844441263675]
We introduce a more threatening type of poisoning attack called the Deferred Poisoning Attack.<n>This new attack allows the model to function normally during the training and validation phases but makes it very sensitive to evasion attacks or even natural noise.<n>We have conducted both theoretical and empirical analyses of the proposed method and validated its effectiveness through experiments on image classification tasks.
arXiv Detail & Related papers (2024-11-06T08:27:49Z) - SEEP: Training Dynamics Grounds Latent Representation Search for Mitigating Backdoor Poisoning Attacks [53.28390057407576]
Modern NLP models are often trained on public datasets drawn from diverse sources.
Data poisoning attacks can manipulate the model's behavior in ways engineered by the attacker.
Several strategies have been proposed to mitigate the risks associated with backdoor attacks.
arXiv Detail & Related papers (2024-05-19T14:50:09Z) - Certified Robustness to Clean-Label Poisoning Using Diffusion Denoising [56.04951180983087]
We present a certified defense to clean-label poisoning attacks under $ell$-norm.<n>Inspired by the adversarial robustness achieved by $randomized$ $smoothing, we show how an off-the-shelf diffusion denoising model can sanitize the tampered training data.
arXiv Detail & Related papers (2024-03-18T17:17:07Z) - RECESS Vaccine for Federated Learning: Proactive Defense Against Model Poisoning Attacks [20.55681622921858]
Model poisoning attacks greatly jeopardize the application of federated learning (FL)
In this work, we propose a novel proactive defense named RECESS against model poisoning attacks.
Unlike previous methods that score each iteration, RECESS considers clients' performance correlation across multiple iterations to estimate the trust score.
arXiv Detail & Related papers (2023-10-09T06:09:01Z) - APBench: A Unified Benchmark for Availability Poisoning Attacks and
Defenses [21.633448874100004]
APBench is a benchmark for assessing the efficacy of adversarial poisoning attacks.
APBench consists of 9 state-of-the-art availability poisoning attacks, 8 defense algorithms, and 4 conventional data augmentation techniques.
Our results reveal the glaring inadequacy of existing attacks in safeguarding individual privacy.
arXiv Detail & Related papers (2023-08-07T02:30:47Z) - Isolation and Induction: Training Robust Deep Neural Networks against
Model Stealing Attacks [51.51023951695014]
Existing model stealing defenses add deceptive perturbations to the victim's posterior probabilities to mislead the attackers.
This paper proposes Isolation and Induction (InI), a novel and effective training framework for model stealing defenses.
In contrast to adding perturbations over model predictions that harm the benign accuracy, we train models to produce uninformative outputs against stealing queries.
arXiv Detail & Related papers (2023-08-02T05:54:01Z) - Pick your Poison: Undetectability versus Robustness in Data Poisoning
Attacks [33.82164201455115]
Deep image classification models trained on vast amounts of web-scraped data are susceptible to data poisoning.
Existing work considers an effective defense as one that either (i) restores a model's integrity through repair or (ii) detects an attack.
We argue that this approach overlooks a crucial trade-off: Attackers can increase at the expense of detectability (over-poisoning) or decrease detectability at the cost of robustness (under-poisoning)
arXiv Detail & Related papers (2023-05-07T15:58:06Z) - Silent Killer: A Stealthy, Clean-Label, Black-Box Backdoor Attack [10.047470656294335]
We introduce Silent Killer, a novel attack that operates in clean-label, black-box settings.
We investigate the use of universal adversarial perturbations as triggers in clean-label attacks.
We find that gradient alignment for crafting the poison is required to ensure high success rates.
arXiv Detail & Related papers (2023-01-05T15:11:05Z) - Guided Adversarial Attack for Evaluating and Enhancing Adversarial
Defenses [59.58128343334556]
We introduce a relaxation term to the standard loss, that finds more suitable gradient-directions, increases attack efficacy and leads to more efficient adversarial training.
We propose Guided Adversarial Margin Attack (GAMA), which utilizes function mapping of the clean image to guide the generation of adversaries.
We also propose Guided Adversarial Training (GAT), which achieves state-of-the-art performance amongst single-step defenses.
arXiv Detail & Related papers (2020-11-30T16:39:39Z) - Attack Agnostic Adversarial Defense via Visual Imperceptible Bound [70.72413095698961]
This research aims to design a defense model that is robust within a certain bound against both seen and unseen adversarial attacks.
The proposed defense model is evaluated on the MNIST, CIFAR-10, and Tiny ImageNet databases.
The proposed algorithm is attack agnostic, i.e. it does not require any knowledge of the attack algorithm.
arXiv Detail & Related papers (2020-10-25T23:14:26Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.