Open Access, Posted Content

Learning under $p$-Tampering Attacks

TL;DR
It is shown that PAC learning is possible under $p$-tampering poisoning attacks essentially whenever it is possible in the realizable setting without the attacks, and that PAC learning under `no-mistake' adversarial noise is not possible.
Abstract
Mahloujifar and Mahmoody (TCC'17) studied attacks against learning algorithms using a special case of Valiant's malicious noise, called $p$-tampering, in which the adversary could change training examples with independent probability $p$ but only using correct labels. They showed the power of such attacks by increasing the error probability in the so-called `targeted' poisoning model, in which the adversary's goal is to increase the loss of the generated hypothesis over a particular test example. At the heart of their attack was an efficient algorithm to bias the average output of any bounded real-valued function through $p$-tampering. In this work, we present new attacks for biasing the average output of bounded real-valued functions, improving upon the biasing attacks of MM16. Our improved biasing attacks directly imply improved $p$-tampering attacks against learners in the targeted poisoning model. As a bonus, our attacks come with considerably simpler analysis compared to previous attacks. We also study the possibility of PAC learning under $p$-tampering attacks in the \emph{non-targeted} (aka indiscriminate) setting, where the adversary's goal is to increase the risk of the generated hypothesis (for a random test example). We show that PAC learning is \emph{possible} under $p$-tampering poisoning attacks essentially whenever it is possible in the realizable setting without the attacks. We further show that PAC learning under `no-mistake' adversarial noise is \emph{not} possible if the adversary could choose the (still limited to only a $p$ fraction of) tampered examples that she substitutes with adversarially chosen ones. Our formal model for such `bounded-budget' tampering attackers is inspired by the notions of (strong) adaptive corruption in secure multi-party computation.


Citations
Posted Content

Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks

TL;DR: In this article, the authors present an optimization-based method for crafting poisons, and show that just one single poison image can control classifier behavior when transfer learning is used, and demonstrate their method by generating poisoned frog images from CIFAR dataset and using them to manipulate image classifiers.
Posted Content

Transferable Clean-Label Poisoning Attacks on Deep Neural Nets

TL;DR: A new "polytope attack" is proposed in which poison images are designed to surround the targeted image in feature space, and it is demonstrated that using Dropout during poison creation helps to enhance transferability of this attack.
Posted Content

Label-Consistent Backdoor Attacks

TL;DR: This work leverages adversarial perturbations and generative models to execute efficient, yet label-consistent, backdoor attacks, based on injecting inputs that appear plausible, yet are hard to classify, hence causing the model to rely on the (easier-to-learn) backdoor trigger.
Posted Content

An Investigation of Data Poisoning Defenses for Online Learning.

TL;DR: This work undertakes a rigorous study of defenses against data poisoning for online learning, studies four standard defenses in a powerful threat model, and provides conditions under which they can allow or resist rapid poisoning.
Journal ArticleDOI

Threats to Training: A Survey of Poisoning Attacks and Defenses on Machine Learning Systems

TL;DR: This survey summarizes and categorizes existing attack methods and corresponding defenses, and demonstrates compelling application scenarios, thus providing a unified framework to analyze poisoning attacks and laying the foundation for a more standardized approach to reproducible studies.
References
Proceedings ArticleDOI

On the (im)possibility of cryptography with imperfect randomness

TL;DR: It is shown that certain cryptographic tasks like bit commitment, encryption, secret sharing, zero-knowledge, non-interactive zero-knowledge, and secure two-party computation for any non-trivial function are impossible to realize if parties have access to entropy sources with slightly less-than-perfect entropy, i.e., sources with imperfect randomness.
Proceedings ArticleDOI

Unbiased bits from sources of weak randomness and probabilistic communication complexity

TL;DR: It is shown that most Boolean functions have linear communication complexity in a very strong sense when used to extract almost unbiased and independent bits from the output of any two independent "probability-bounded" sources.
Journal ArticleDOI

Stealthy poisoning attacks on PCA-based anomaly detectors

TL;DR: ROC curves provide a comprehensive analysis of PCA-based detection on contaminated data, and show that even small attacks can undermine this otherwise successful anomaly detector.
Posted Content

Efficient Algorithms and Lower Bounds for Robust Linear Regression

TL;DR: Any polynomial time SQ learning algorithm for robust linear regression (in Huber's contamination model) with estimation complexity, must incur an error of $\Omega(\sqrt{\epsilon} \sigma)$.
Posted Content

Robust Estimators in High Dimensions without the Computational Intractability

TL;DR: In this paper, the authors obtained the first computationally efficient algorithms with dimension-independent error guarantees for agnostically learning several fundamental classes of high-dimensional distributions: (1) a single Gaussian, (2) a product distribution on the hypercube, (3) mixtures of two product distributions (under a natural balancedness condition), and (4) mixture of spherical Gaussians.