Open Access, Posted Content
DP-InstaHide: Provably Defusing Poisoning and Backdoor Attacks with Differentially Private Data Augmentations.
Eitan Borgnia, Jonas Geiping, Valeriia Cherepanova, Liam Fowl, Arjun Gupta, Amin Ghiasi, Furong Huang, Micah Goldblum, Tom Goldstein, and 8 more
TL;DR
In this article, the authors show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off, and propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise.
Abstract:
Data poisoning and backdoor attacks manipulate training data to induce security breaches in a victim model. These attacks can be provably deflected using differentially private (DP) training methods, although this comes with a sharp decrease in model performance. The InstaHide method has recently been proposed as an alternative to DP training that leverages supposed privacy properties of the mixup augmentation, although without rigorous guarantees. In this work, we show that strong data augmentations, such as mixup and random additive noise, nullify poison attacks while enduring only a small accuracy trade-off. To explain these findings, we propose a training method, DP-InstaHide, which combines the mixup regularizer with additive noise. A rigorous analysis of DP-InstaHide shows that mixup does indeed have privacy advantages, and that training with k-way mixup provably yields at least k times stronger DP guarantees than a naive DP mechanism. Because mixup (as opposed to noise) is beneficial to model performance, DP-InstaHide provides a mechanism for achieving stronger empirical performance against poisoning attacks than other known DP methods.
Citations
Posted Content
Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses.
Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, Tom Goldstein, and 8 more
TL;DR: In this article, the authors systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space.
Posted Content
Adversarial Examples Make Strong Poisons
TL;DR: In this paper, the authors show that adversarial examples, originally intended for attacking pre-trained models, are even more effective for data poisoning than recent methods designed specifically for poisoning, and they release a poisoned version of ImageNet, ImageNet-P.
Posted Content
Survey: Image Mixing and Deleting for Data Augmentation
TL;DR: In this article, the authors provide a detailed review of these approaches, dividing augmentation strategies into three main categories (cut and delete, cut and mix, and mixup); the second part of the paper empirically evaluates these approaches for image classification, fine-grained image recognition, and object detection.
Posted Content
AirMixML: Over-the-Air Data Mixup for Inherently Privacy-Preserving Edge Machine Learning.
TL;DR: In this article, the authors proposed a novel privacy-preserving machine learning framework at the network edge, coined over-the-air mixup ML (AirMixML), where multiple workers transmit analog-modulated signals of their private data samples to an edge server, which trains an ML model using the received noisy and superpositioned samples.
Posted Content
Accumulative Poisoning Attacks on Real-time Data
TL;DR: In this article, Zhao et al. proposed an attack strategy that associates an accumulative phase with poisoning attacks to secretly magnify the destructive effect of a (poisoned) trigger batch.
References
Proceedings Article
Transferable Clean-Label Poisoning Attacks on Deep Neural Nets
Posted Content
Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability
TL;DR: This work proposes a scalable and transferable clean-label poisoning attack against transfer learning, which creates poison images with their center close to the target image in the feature space, and extends Bullseye Polytope to a more practical attack model by including multiple images of the same object when crafting the poison samples.
Book Chapter (DOI)
Label Sanitization against Label Flipping Poisoning Attacks
TL;DR: In this paper, the authors proposed an efficient algorithm to perform optimal label flipping poisoning attacks and a mechanism to detect and relabel suspicious data points, mitigating the effect of such poisoning attacks.
Posted Content
Strong Data Augmentation Sanitizes Poisoning and Backdoor Attacks Without an Accuracy Tradeoff
Eitan Borgnia, Valeriia Cherepanova, Liam Fowl, Amin Ghiasi, Jonas Geiping, Micah Goldblum, Tom Goldstein, Arjun Gupta, and 7 more
TL;DR: It is found that strong data augmentations, such as mixup and CutMix, can significantly diminish the threat of poisoning and backdoor attacks without trading off performance.
Posted Content
MaxUp: A Simple Way to Improve Generalization of Neural Network Training.
TL;DR: The idea is to generate a set of augmented data with some random perturbations or transforms and minimize the maximum, or worst-case, loss over the augmented data; by doing so, a smoothness or robustness regularization against the random perturbations is implicitly introduced, which improves generalization performance.
Related Papers (5)
Learning under $p$-Tampering Attacks
Correlation Analysis against Protected SFM Implementations of RSA
Aurélie Bauer, Éliane Jaulmes, and 1 more