Open Access | Posted Content
DP-InstaHide: Provably Defusing Poisoning and Backdoor Attacks with Differentially Private Data Augmentations.
Eitan Borgnia, Jonas Geiping, Valeriia Cherepanova, Liam Fowl, Arjun Gupta, Amin Ghiasi, Furong Huang, Micah Goldblum, Tom Goldstein
TLDR
In this article, the authors show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off, and propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise.
Abstract
Data poisoning and backdoor attacks manipulate training data to induce security breaches in a victim model. These attacks can be provably deflected using differentially private (DP) training methods, although this comes with a sharp decrease in model performance. The InstaHide method has recently been proposed as an alternative to DP training that leverages supposed privacy properties of the mixup augmentation, although without rigorous guarantees. In this work, we show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off. To explain these findings, we propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise. A rigorous analysis of DP-InstaHide shows that mixup does indeed have privacy advantages, and that training with k-way mixup provably yields at least k times stronger DP guarantees than a naive DP mechanism. Because mixup (as opposed to noise) is beneficial to model performance, DP-InstaHide provides a mechanism for achieving stronger empirical performance against poisoning attacks than other known DP methods.
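The augmentation described in the abstract can be illustrated with a short sketch: each training sample is replaced by a convex combination of k random samples (k-way mixup), with random additive noise applied afterward. The following NumPy code is a minimal, hypothetical illustration; the function and parameter names (`kway_mixup_with_noise`, `noise_scale`) are not the authors' API, and the actual DP-InstaHide method may differ in details such as the mixing-weight distribution and the noise mechanism used for the DP analysis.

```python
import numpy as np

def kway_mixup_with_noise(images, labels, k=4, noise_scale=0.1, rng=None):
    """Sketch of k-way mixup followed by additive Gaussian noise.

    images: (n, ...) float array; labels: (n, c) one-hot float array.
    Returns mixed images and soft labels of the same shapes.
    """
    rng = np.random.default_rng() if rng is None else rng
    n = images.shape[0]
    # One set of k Dirichlet mixing coefficients per output sample
    # (a common choice for k-way mixup; the paper's choice may differ).
    lam = rng.dirichlet(np.ones(k), size=n)        # shape (n, k)
    idx = rng.integers(0, n, size=(n, k))          # k source samples each
    extra = (1,) * (images.ndim - 1)               # for broadcasting weights
    mixed_x = np.zeros_like(images, dtype=float)
    mixed_y = np.zeros_like(labels, dtype=float)
    for j in range(k):
        w = lam[:, j].reshape(-1, *extra)
        mixed_x += w * images[idx[:, j]]           # convex image combination
        mixed_y += lam[:, j][:, None] * labels[idx[:, j]]  # soft labels
    # Random additive noise on top of the mixed images.
    mixed_x += rng.normal(0.0, noise_scale, size=mixed_x.shape)
    return mixed_x, mixed_y
```

Because the mixing weights sum to one, each output label is a valid probability vector, and the model trains on the noisy mixed images with these soft targets.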
Citations
Posted Content
Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses.
Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, Tom Goldstein
TL;DR: In this article, the authors systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space.
Posted Content
Adversarial Examples Make Strong Poisons
TL;DR: In this paper, the authors show that adversarial examples, originally intended for attacking pre-trained models, are even more effective for data poisoning than recent methods designed specifically for poisoning, and they release a poisoned version of ImageNet, ImageNet-P.
Posted Content
Survey: Image Mixing and Deleting for Data Augmentation
TL;DR: In this article, the authors provide a detailed review of these devised approaches, dividing augmentation strategies into three main categories: cut and delete, cut and mix, and mixup; the second part of the paper empirically evaluates these approaches on image classification, fine-grained image recognition, and object detection.
Posted Content
AirMixML: Over-the-Air Data Mixup for Inherently Privacy-Preserving Edge Machine Learning.
TL;DR: In this article, the authors proposed a novel privacy-preserving machine learning framework at the network edge, coined over-the-air mixup ML (AirMixML), in which multiple workers transmit analog-modulated signals of their private data samples to an edge server, which trains an ML model using the received noisy, superpositioned samples.
Posted Content
Accumulative Poisoning Attacks on Real-time Data
TL;DR: In this article, the authors proposed an attack strategy that associates an accumulative phase with poisoning attacks to secretly magnify the destructive effect of a (poisoned) trigger batch.
References
Proceedings Article
Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization
Luis Muñoz-González, Battista Biggio, Ambra Demontis, Andrea Paudice, Vasin Wongrassamee, Emil Lupu, Fabio Roli
TL;DR: This work proposes a novel poisoning algorithm based on the idea of back-gradient optimization, able to target a wider class of learning algorithms, trained with gradient-based procedures, including neural networks and deep learning architectures, and empirically evaluates its effectiveness on several application examples.
Journal Article
Hidden-Trigger Backdoor Attacks
TL;DR: This work proposes a novel form of backdoor attack where poisoned data look natural with correct labels and also more importantly, the attacker hides the trigger in the poisoned data and keeps the trigger secret until the test time.
Proceedings Article
Is Feature Selection Secure against Training Data Poisoning?
TL;DR: In this article, the authors investigate the robustness of feature selection methods, including LASSO, ridge regression, and elastic net, and show that they can be significantly compromised under attack, highlighting the need for specific countermeasures.
Posted Content
Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks
Ali Shafahi, W. Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Tudor Dumitras, Tom Goldstein
TL;DR: In this article, the authors present an optimization-based method for crafting poisons and show that just a single poison image can control classifier behavior when transfer learning is used; they demonstrate their method by generating poisoned images from the CIFAR dataset and using them to manipulate image classifiers.
Posted Content
Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering
Bryant Chen, Wilka Carvalho, Nathalie Baracaldo, Heiko Ludwig, Benjamin Edwards, Taesung Lee, Ian M. Molloy, Biplav Srivastava
TL;DR: In this article, the authors proposed a method to detect poisoning attacks in neural networks, the first methodology capable of detecting poisonous data crafted to insert backdoors and of repairing the model without requiring a verified and trusted dataset.