Accumulative Poisoning Attacks on Real-time Data

Pang, Tianyu; Yang, Xiao; Dong, Yinpeng; Su, Hang; Zhu, Jun

doi:10.48550/arxiv.2106.09993

Cited by 2 publications

(3 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This type of data poisoning attacks only manipulate training data and labels without the need to modify testing data after the victim model is deployed. Training-only poisoning attacks include both untargeted attacks where the adversary aims to degrade model performance on normal testing data [995,997,998,999], and targeted attacks in which the adversary aims to change the behavior of the model on particular testing inputs [1000,1001,1002]. Below we introduce some typical approaches.…”

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

“…However, it applies a greedy strategy to lower down model accuracy at each update step, which limits the step-wise destructive effect. Recent work [999] proposes accumulative poisoning attacks, where the model states are secretly (i.e., keeping accuracy in a reasonable range) activated towards a trigger batch by the accumulative phase, and the model is suddenly broken down by feeding in the trigger batch, before the monitor gets conscious of the attacks.…”

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

See 1 more Smart Citation

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

domains indexed by Google News. It contains 31 million documents with an average length of 793 BPE tokens. Like C4, it excludes examples with duplicate URLs. News dumps from December 2016 through March 2019 were used as training data, articles published in April 2019 from the April 2019 dump were used for evaluation. OpenWebText2(OWT2). OWT2 is an enhanced version of the original OpenWebTextCorpus, including content from multiple languages, document metadata, multiple dataset versions, and open source replication code, covering all Reddit submissions from 2005 up until April 2020. PubMed Central(PMC). PMC is a free full-text archive of biomedical and life sciences journal literature from the U.S. National Institutes of Health's National Library of Medicine (NIH/NLM). The dataset is updated daily. In addition to full-text articles, they contain corrections, retractions, and expressions of concern, as well as file lists that include metadata for articles in each dataset.PMC obtained by open registration in Amazon Web Services (AWS) includes The PMC Open Access Subset and The Author Manuscript Dataset. The PMC Open Access Subset includes all articles and preprints in PMC with a machine-readable Creative Commons license that allows reuse. The Author Manuscript Dataset includes accepted author manuscripts collected under a funder policy in PMC and made available in machine-readable formats for text mining. ArXiv. ArXiv is a repository of 1.7 million articles, with relevant features such as article titles, authors, categories, abstracts, full text PDFs, and more. It provides open access to academic articles, covering many subdisciplines from vast branches of physics to computer science to everything in between, including math, statistics, electrical engineering, quantitative biology, and economics, which is helpful to the potential downstream applications of the research field. In addition, the writing language of LaTeX also contributes to the study of language models. Colossal Clean Crawled Corpus(C4). C4 is a colossal, cleaned version of Common Crawl's web crawl corpus. It is based on Common Crawl dataset and was used to train the T5 text-to-text Transformer models. The cleaned English version of C4 has 364,868,901 training examples and 364,608 validation examples, while the uncleaned English version has 1,063,805,324 training examples and 1,065,029 validation examples; the realnewslike version has 13,799,838 training examples and 13,863 validation examples, while the webtextlike version has 4,500,788 training examples and 4,493 validation examples. Wiki-40B. Wikipedia (Wiki-40B) is a clean-up text collection containing more than 40 Wikipedia language editions of pages corresponding to entities. The dataset is split into train/validation/test sets for each language. The training set has 2,926,536 examples, the validation set has 163,597 examples, and the test set has 162,274 examples. Wiki-40B is cleaned by a page filter to remove ambiguous, redirected, deleted, and non-physical pages. CLUECorpus2020. CLUECorpus2020 ...

show abstract

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Wang et al (2020) note that backdoor success is high in edge cases not seen in training and that backdoors that attack "rare" samples (such as only airplanes in a specific color in images, or a specific sentence in text) can be much more successful, as other users do not influence these predictions significantly. A number of variants of this attack exist (Costa et al, 2021;Pang et al, 2021;Fang et al, 2020;Baruch et al, 2019;Xie et al, 2019;Datta et al, 2021;Yoo & Kwak, 2022;Zhang et al, 2019;Sun et al, 2022), for example allowing for collusion between multiple users or generating additional data for the attacker. In this work we will focus broadly on the threat model of Bagdasaryan et al (2019); Wang et al (2020).…”

Section: Can You Backdoor Federated Learning?mentioning

confidence: 99%

Thinking Two Moves Ahead: Anticipating Other Users Improves Backdoor Attacks in Federated Learning

Wen¹,

Geiping²,

Fowl³

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning is particularly susceptible to model poisoning and backdoor attacks because individual users have direct control over the training data and model updates. At the same time, the attack power of an individual user is limited because their updates are quickly drowned out by those of many other users. Existing attacks do not account for future behaviors of other users, and thus require many sequential updates and their effects are quickly erased. We propose an attack that anticipates and accounts for the entire federated learning pipeline, including behaviors of other clients, and ensures that backdoors are effective quickly and persist even after multiple rounds of community updates. We show that this new attack is effective in realistic scenarios where the attacker only contributes to a small fraction of randomly sampled rounds and demonstrate this attack on image classification, next-word prediction, and sentiment analysis. Code is available at https://github.com/YuxinWenRick/ thinking-two-moves-ahead.

show abstract

Accumulative Poisoning Attacks on Real-time Data

Cited by 2 publications

References 50 publications

A Roadmap for Big Model

A Roadmap for Big Model

Thinking Two Moves Ahead: Anticipating Other Users Improves Backdoor Attacks in Federated Learning

Contact Info

Product

Resources

About