Open Access | Posted Content

DP-InstaHide: Provably Defusing Poisoning and Backdoor Attacks with Differentially Private Data Augmentations.

TLDR
In this article, the authors show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off, and propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise.
Abstract
Data poisoning and backdoor attacks manipulate training data to induce security breaches in a victim model. These attacks can be provably deflected using differentially private (DP) training methods, although this comes with a sharp decrease in model performance. The InstaHide method has recently been proposed as an alternative to DP training that leverages supposed privacy properties of the mixup augmentation, although without rigorous guarantees. In this work, we show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off. To explain these findings, we propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise. A rigorous analysis of DP-InstaHide shows that mixup does indeed have privacy advantages, and that training with k-way mixup provably yields at least k times stronger DP guarantees than a naive DP mechanism. Because mixup (as opposed to noise) is beneficial to model performance, DP-InstaHide provides a mechanism for achieving stronger empirical performance against poisoning attacks than other known DP methods.


Citations
Posted Content

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses.

TL;DR: In this article, the authors systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space.
Posted Content

Adversarial Examples Make Strong Poisons

TL;DR: In this paper, the authors show that adversarial examples, originally intended for attacking pre-trained models, are even more effective for data poisoning than recent methods designed specifically for poisoning, and they release a poisoned version of ImageNet, ImageNet-P.
Posted Content

Survey: Image Mixing and Deleting for Data Augmentation

TL;DR: In this article, the authors provide a detailed review of these approaches, dividing augmentation strategies into three main categories (cut and delete, cut and mix, and mixup); the second part of the paper empirically evaluates these approaches for image classification, fine-grained image recognition and object detection.
Posted Content

AirMixML: Over-the-Air Data Mixup for Inherently Privacy-Preserving Edge Machine Learning.

TL;DR: In this article, the authors proposed a novel privacy-preserving machine learning framework at the network edge, coined over-the-air mixup ML (AirMixML), where multiple workers transmit analog-modulated signals of their private data samples to an edge server, which trains an ML model using the received noisy and superpositioned samples.
Posted Content

Accumulative Poisoning Attacks on Real-time Data

TL;DR: In this article, Zhao et al. proposed an attack strategy that associates an accumulative phase with poisoning attacks to secretly magnify the destructive effect of a (poisoned) trigger batch.
References
Posted Content

BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain.

TL;DR: It is shown that outsourced training introduces new security risks: an adversary can create a maliciously trained network (a backdoored neural network, or a BadNet) that has state-of-the-art performance on the user's training and validation samples, but behaves badly on specific attacker-chosen inputs.
Journal Article (DOI)

The security of machine learning

TL;DR: A taxonomy identifying and analyzing attacks against machine learning systems is presented, showing how these classes influence the costs for the attacker and defender, and a formal structure defining their interaction is given.
Posted Content

Poisoning Attacks against Support Vector Machines

TL;DR: It is demonstrated that an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data.
Proceedings Article (DOI)

On the geometry of differential privacy

TL;DR: The lower bound is strong enough to separate the concept of differential privacy from the notion of approximate differential privacy where an upper bound of O(√{d}/ε) can be achieved.
Posted Content

How To Break Anonymity of the Netflix Prize Dataset

TL;DR: This work presents a new class of statistical de-anonymization attacks against high-dimensional micro-data, such as individual preferences, recommendations, transaction records and so on, and demonstrates that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber's record in the dataset.