On the Practicality of Integrity Attacks on Document-Level Sentiment Analysis

Newell, Andrew J.; Potharaju, Rahul; Xiang, Luojie; Nita-Rotaru, Cristina

doi:10.1145/2666652.2666661

Cited by 42 publications

(26 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the security community, practical poisoning attacks have been demonstrated in worm signature generation [42], [45], spam filters [40], network traffic analysis systems for detection of DoS attacks [47], sentiment analysis on social networks [41], crowdsourcing [54], and health-care [38]. In supervised learning settings, Newsome et al [42] have proposed red herring attacks that add spurious words (features) to reduce the maliciousness score of an instance.…”

Section: Defense Algorithmsmentioning

confidence: 99%

“…We consider the setting of poisoning attacks here, in which attackers inject a small number of corrupted points in the training process. Such poisoning attacks have been practically demonstrated in worm signature generation [42], [45], spam 1 Preprint of the work accepted for publication at the 39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 21-23, 2018. filters [40], DoS attack detection [47], PDF malware classification [55], handwritten digit recognition [5], and sentiment analysis [41]. We argue that these attacks become easier to mount today as many machine learning models need to be updated regularly to account for continuously-generated data.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning

Jagielski

Oprea

Biggio

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

591

437

View full text Add to dashboard Cite

As machine learning becomes widely used for automated decisions, attackers have strong incentives to manipulate the results and models generated by machine learning algorithms. In this paper, we perform the first systematic study of poisoning attacks and their countermeasures for linear regression models. In poisoning attacks, attackers deliberately influence the training data to manipulate the results of a predictive model. We propose a theoretically-grounded optimization framework specifically designed for linear regression and demonstrate its effectiveness on a range of datasets and models. We also introduce a fast statistical attack that requires limited knowledge of the training process. Finally, we design a new principled defense method that is highly resilient against all poisoning attacks. We provide formal guarantees about its convergence and an upper bound on the effect of poisoning attacks when the defense is deployed. We evaluate extensively our attacks and defenses on three realistic datasets from health care, loan assessment, and real estate domains. 1

show abstract

Section: Defense Algorithmsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning

Jagielski

Oprea

Biggio

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

Self Cite

591

437

View full text Add to dashboard Cite

show abstract

“…Poisoning attacks date back to (Xiao, Xiao, and Eckert 2012;Biggio, Nelson, and Laskov 2012;Biggio et al 2013) where data poisoning was used to flip the results of a SVM classifier. More advanced methods were proposed in (Xiao et al 2015;Koh and Liang 2017;Mei and Zhu 2015;Burkard and Lagesse 2017;Newell et al 2014) which change the result of the classifier on the clean data as well. These reduce the practical impact of such attacks as the victim may not deploy the model if the validation accuracy on the clean data is low.…”

Section: Related Workmentioning

confidence: 99%

Hidden Trigger Backdoor Attacks

Saha

Subramanya

Pirsiavash

2020

AAAI

338

201

View full text Add to dashboard Cite

With the success of deep learning algorithms in various domains, studying adversarial attacks to secure deep models in real world applications has become an important research topic. Backdoor attacks are a form of adversarial attacks on deep networks where the attacker provides poisoned data to the victim to train the model with, and then activates the attack by showing a specific small trigger pattern at the test time. Most state-of-the-art backdoor attacks either provide mislabeled poisoning data that is possible to identify by visual inspection, reveal the trigger in the poisoned data, or use noise to hide the trigger. We propose a novel form of backdoor attack where poisoned data look natural with correct labels and also more importantly, the attacker hides the trigger in the poisoned data and keeps the trigger secret until the test time. We perform an extensive study on various image classification settings and show that our attack can fool the model by pasting the trigger at random locations on unseen images although the model performs well on clean data. We also show that our proposed attack cannot be easily defended using a state-of-the-art defense algorithm for backdoor attacks.

show abstract

“…Weight poisoning was initially explored by Gu et al (2017) in the context of computer vision, with later work researching further attack scenarios (Liu et al, , 2018bShafahi et al, 2018;Chen et al, 2017), including on NLP models (Muñoz González et al, 2017;Steinhardt et al, 2017;Newell et al, 2014;. These works generally rely on the attacker directly poisoning the end model, although some work has investigated methods for attacking transfer learning, creating backdoors for only one example (Ji et al, 2018) or assuming that some parts of the poisoned model won't be fine-tuned .…”

Section: Related Workmentioning

confidence: 99%

Weight Poisoning Attacks on Pretrained Models

Kurita¹,

Michel²,

Neubig³

2020

Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics

171

187

View full text Add to dashboard Cite

Recently, NLP has seen a surge in the usage of large pre-trained models. Users download weights of models pre-trained on large datasets, then fine-tune the weights on a task of their choice. This raises the question of whether downloading untrusted pre-trained weights can pose a security threat. In this paper, we show that it is possible to construct "weight poisoning" attacks where pre-trained weights are injected with vulnerabilities that expose "backdoors" after fine-tuning, enabling the attacker to manipulate the model prediction simply by injecting an arbitrary keyword. We show that by applying a regularization method, which we call RIPPLe, and an initialization procedure, which we call Embedding Surgery, such attacks are possible even with limited knowledge of the dataset and finetuning procedure. Our experiments on sentiment classification, toxicity detection, and spam detection show that this attack is widely applicable and poses a serious threat. Finally, we outline practical defenses against such attacks.

show abstract

On the Practicality of Integrity Attacks on Document-Level Sentiment Analysis

Cited by 42 publications

References 28 publications

Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning

Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning

Hidden Trigger Backdoor Attacks

Weight Poisoning Attacks on Pretrained Models

Contact Info

Product

Resources

About