Deep k-NN Defense against Clean-label Data Poisoning Attacks

Peri, Neehar; Gupta, Neal S.; Huang, W. Ronny; Fowl, Liam; Chen, Zhu; Feizi, Soheil; Goldstein, Tom; Dickerson, John P.

doi:10.48550/arxiv.1909.13374

Cited by 2 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To defend against such attacks, Deep-kNN [20] removes malicious samples by comparing the class labels of each testing sample with its k neighbors, based on the intuition that poisoned samples have different feature representations than those of clean samples. In this sense, a sample would be regarded as poisoned if the majority of the k samples surrounded by the testing sample do not share the same class label as itself.…”

Section: A Targeted Clean-label Poisoning Attack (Tcl-attack)mentioning

confidence: 99%

“…The defender could obtain different levels of knowledge of the target model and the training data, according to different threat models. For example, Deep-kNN [20] assumes the availability of the ground-truth labels to compare the class labels with each sample's k neighbors. CD [28] supposes the outliers do not have a strong effect on the target model in order to make an approximation about the upper bounds on the testing loss across poisoning attacks under non-convex settings.…”

Section: Threat Model and Defense Capabilitymentioning

confidence: 99%

“…A. Experiment Setup 1) Datasets: We perform experiments using four datasets in different domains including hand-written digit recognition, image classification, non-linear binary classification, and house sale price prediction, which are also adopted in existing poisoning attacks and defenses [20], [22], [23], [39], [40].…”

Section: Performance Evaluationmentioning

confidence: 99%

“…However, these defenses are largely attack-specific: they are designed for one specific type of attacks but may not work well for other types, mainly due to the distinct principles they follow. For example, Peri et al [20] mitigate targeted clean-label attacks (a type of poisoning attacks) by identifying poison samples from its k nearest neighbors in the feature space. It could detect correctly-labeled and minimally-perturbed samples but fails when poisoned data is generated by gradient-based method [21] where the labels of samples are elaborately manipulated.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

Chen¹,

Zhang²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

Machine learning techniques have been widely applied to various applications. However, they are potentially vulnerable to data poisoning attacks, where sophisticated attackers can disrupt the learning procedure by injecting a fraction of malicious samples into the training dataset. Existing defense techniques against poisoning attacks are largely attack-specific: they are designed for one specific type of attacks but do not work for other types, mainly due to the distinct principles they follow. Yet few general defense strategies have been developed. In this paper, we propose De-Pois, an attack-agnostic defense against poisoning attacks. The key idea of De-Pois is to train a mimic model the purpose of which is to imitate the behavior of the target model trained by clean samples. We take advantage of Generative Adversarial Networks (GANs) to facilitate informative training data augmentation as well as the mimic model construction. By comparing the prediction differences between the mimic model and the target model, De-Pois is thus able to distinguish the poisoned samples from clean ones, without explicit knowledge of any ML algorithms or types of poisoning attacks. We implement four types of poisoning attacks and evaluate De-Pois with five typical defense methods on different realistic datasets. The results demonstrate that De-Pois is effective and efficient for detecting poisoned data against all the four types of poisoning attacks, with both the accuracy and F1-score over 0.9 on average.

show abstract

Section: A Targeted Clean-label Poisoning Attack (Tcl-attack)mentioning

confidence: 99%

Section: Threat Model and Defense Capabilitymentioning

confidence: 99%

Section: Performance Evaluationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

Chen¹,

Zhang²,

Zhang³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Figure 4 depicts a taxonomy of defenses against training-only and backdoor attacks according to methodology. 16), ( 30), ( 48), ( 49), ( 90), ( 92), ( 110), ( 119 23), ( 79), ( 101), (118), (150) Outliers in Input Space (39), ( 116), ( 117), (139) Figure 4: A taxonomy of defenses against training-only and backdoor attacks.…”

Section: Defenses Against Poisoning Attacksmentioning

confidence: 99%

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Goldblum¹,

Tsipras²,

Xie³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

As machine learning systems grow in scale, so do their training data requirements, forcing practitioners to automate and outsource the curation of training data in order to achieve stateof-the-art performance. The absence of trustworthy human supervision over the data collection process exposes organizations to security vulnerabilities; training data can be manipulated to control and degrade the downstream behaviors of learned models. The goal of this work is to systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space. In addition to describing various poisoning and backdoor threat models and the relationships among them, we develop their unified taxonomy.

show abstract

Deep k-NN Defense against Clean-label Data Poisoning Attacks

Cited by 2 publications

References 0 publications

De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Contact Info

Product

Resources

About