Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks

Schwarzschild, Avi; Goldblum, Micah; Gupta, Arjun; Dickerson, John P; Goldstein, Tom

doi:10.48550/arxiv.2006.12557

Cited by 5 publications

(6 citation statements)

References 19 publications

(34 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A relevant line of work is model poisoning, which manipulates the training process similar to backdoor attacks using poisoned data [4,21,27,29,46,50,65]. Model poisoning and backdoor attacking differ in their goals [64]: model poisoning attempts to harm the model generality on the test set, whereas backdoor attacking attempts to conceal backdoors on clean test data while exposing backdoors if the trigger is activated in the input.…”

Section: Backdoor Attack and Defensementioning

confidence: 99%

Defending against Backdoor Attacks in Natural Language Generation

Fan¹,

Li²,

Meng³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

Section: Backdoor Attack and Defensementioning

confidence: 99%

Defending against Backdoor Attacks in Natural Language Generation

Fan¹,

Li²,

Meng³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…The attack is insidious since the Trojan trigger is only known to the attacker; the model outputs the correct label when the trigger is absent. Other state-of-the-art Trojan insertion methods are proposed in [9,22,34,51,4]. Inserting Trojans using transfer learning [46] or retraining [25] has been demonstrated.…”

Section: Related Workmentioning

confidence: 99%

MISA: Online Defense of Trojaned Models using Misattributions

Kiourti¹,

Li²,

Roy³

et al. 2021

Preprint

View full text Add to dashboard Cite

This paper proposes a new approach to detecting neural Trojans on Deep Neural Networks during inference. This approach is based on monitoring the inference of a machine learning model, computing the attribution of the model's decision on different features of the input, and then statistically analyzing these attributions to detect whether an input sample contains the Trojan trigger. The anomalous attributions, aka misattributions, are then accompanied by reverse-engineering of the trigger to evaluate whether the input sample is truly poisoned with a Trojan trigger. We evaluate our approach on several benchmarks, including models trained on MNIST, Fashion MNIST, and German Traffic Sign Recognition Benchmark, and demonstrate the state of the art detection accuracy.

show abstract

“…Both polytope-based methods compute their attack on an ensemble of models to achieve better transferability in the black-box setting. Nonetheless, in Schwarzschild et al (2020), feature collision methods are shown to be brittle in the black-box setting when the victim's architecture and training hyperparameters are unknown.…”

Section: Feature Collision Attacksmentioning

confidence: 99%

“…Experimental settings vary greatly across studies. One recent benchmark compares a number of attacks across standardized settings(Schwarzschild et al 2020). Nonetheless, many methods still have not been benchmarked, and a variety of trainingonly threat models have not been compared to the state of the art.…”

mentioning

confidence: 99%

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Goldblum¹,

Tsipras²,

Xie³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

As machine learning systems grow in scale, so do their training data requirements, forcing practitioners to automate and outsource the curation of training data in order to achieve stateof-the-art performance. The absence of trustworthy human supervision over the data collection process exposes organizations to security vulnerabilities; training data can be manipulated to control and degrade the downstream behaviors of learned models. The goal of this work is to systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space. In addition to describing various poisoning and backdoor threat models and the relationships among them, we develop their unified taxonomy.

show abstract

Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks

Cited by 5 publications

References 19 publications

Defending against Backdoor Attacks in Natural Language Generation

Defending against Backdoor Attacks in Natural Language Generation

MISA: Online Defense of Trojaned Models using Misattributions

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Contact Info

Product

Resources

About