Selective Poisoning Attack on Deep Neural Networks †

Kwon, Hyun; Yoon, Hyunsoo; Park, Ki-Woong

doi:10.3390/sym11070892

Cited by 16 publications

(6 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Specifically, we first utilize training set to obtain a discriminant hyperplane, and then stochastically select samples far away from the discriminant hyperplane to flip their labels. Another method is to inject poison samples (Jiang et al 2019;Kwon, Yoon, and Park 2019;Zhang, Zhu, and Lessard 2020). Specifically, we generate poison samples for each dataset according to the poisoning attack method 5 (Biggio, Nelson, and Laskov 2012), and inject these poison samples into training set to form a noisy dataset.…”

Section: Methodsmentioning

confidence: 99%

Balanced Self-Paced Learning for AUC Maximization

Zhang

Xiong

et al. 2022

AAAI

View full text Add to dashboard Cite

Learning to improve AUC performance is an important topic in machine learning. However, AUC maximization algorithms may decrease generalization performance due to the noisy data. Self-paced learning is an effective method for handling noisy data. However, existing self-paced learning methods are limited to pointwise learning, while AUC maximization is a pairwise learning problem. To solve this challenging problem, we innovatively propose a balanced self-paced AUC maximization algorithm (BSPAUC). Specifically, we first provide a statistical objective for self-paced AUC. Based on this, we propose our self-paced AUC maximization formulation, where a novel balanced self-paced regularization term is embedded to ensure that the selected positive and negative samples have proper proportions. Specially, the sub-problem with respect to all weight variables may be non-convex in our formulation, while the one is normally convex in existing self-paced problems. To address this, we propose a doubly cyclic block coordinate descent method. More importantly, we prove that the sub-problem with respect to all weight variables converges to a stationary point on the basis of closed-form solutions, and our BSPAUC converges to a stationary point of our fixed optimization objective under a mild assumption. Considering both the deep learning and kernel-based implementations, experimental results on several large-scale datasets demonstrate that our BSPAUC has a better generalization performance than existing state-of-the-art AUC maximization methods.

show abstract

Section: Methodsmentioning

confidence: 99%

Balanced Self-Paced Learning for AUC Maximization

Zhang

Xiong

et al. 2022

AAAI

View full text Add to dashboard Cite

show abstract

“…Poison attack refers to the malicious participants' use of training set to manipulate model prediction during FL training 43 . According to the adversary's ability, the attack methods are divided into model poisoning attack and data poisoning attack.…”

Section: Security Challengesmentioning

confidence: 99%

Security of federated learning for cloud‐edge intelligence collaborative computing

Yang

Zheng

Zhang

et al. 2022

Int J of Intelligent Sys

View full text Add to dashboard Cite

Federated Learning (FL) is one of the key technologies to solve privacy protection for cloud-edge intelligent collaborative computing, and its security and privacy issues have attracted extensive attention from academia and industry. FL is a distributed privacy protection framework. Multiple edged nodes or servers jointly train a machine learning model by sharing model parameters without exchanging local data. However, there are still many security risks and privacy threats in FL in edge-cloud collaborative computing. In this paper, we mainly discuss the security and privacy challenges on FL in collaborative computing at the edge. First, we introduce the principle, classification, and threat model of FL in edge-cloud collaboration, which helps understand the challenges faced by edgecloud collaborative computing. Second, privacy leakage attacks and poisoning attacks launched by adversaries or honest but curious actors are summarized and compared. Then, the problems existing on the attack method are summarized and analyzed. Finally, the future development direction of FL in the field of edgecloud collaborative computing is further discussed.

show abstract

“…Poisoning attacks, which aim at degrading the performance of the model or creating a backdoor in the model so as to control its behavior, occur during the training phase. The attacker adds elaborately constructed malicious samples to the training set, thus causing the trained model to output the attacker's expected results for specific samples or reducing the classification accuracy of the model at test time [10][11][12][13][14][15][16][17][18][19][20].…”

Section: Poisoning Attacks and Evasion Attacksmentioning

confidence: 99%

“…Poisoning attack occurs during training. The attacker adds elaborately constructed malicious samples to the training set to manipulate the behavior of model at test time, causing the model to output the attacker's expected results for specific samples, or reducing the classification accuracy of the model [10][11][12][13][14][15][16][17][18][19].…”

Section: Poisoning Attack and Evasion Attackmentioning

confidence: 99%

An Evasion Attack against Stacked Capsule Autoencoder

Dai¹,

Xiong²

2022

Algorithms

View full text Add to dashboard Cite

Capsule networks are a type of neural network that use the spatial relationship between features to classify images. By capturing the poses and relative positions between features, this network is better able to recognize affine transformation and surpass traditional convolutional neural networks (CNNs) when handling translation, rotation, and scaling. The stacked capsule autoencoder (SCAE) is a state-of-the-art capsule network that encodes an image in capsules which each contain poses of features and their correlations. The encoded contents are then input into the downstream classifier to predict the image categories. Existing research has mainly focused on the security of capsule networks with dynamic routing or expectation maximization (EM) routing, while little attention has been given to the security and robustness of SCAEs. In this paper, we propose an evasion attack against SCAEs. After a perturbation is generated based on the output of the object capsules in the model, it is added to an image to reduce the contribution of the object capsules related to the original category of the image so that the perturbed image will be misclassified. We evaluate the attack using an image classification experiment on the Mixed National Institute of Standards and Technology Database (MNIST), Fashion-MNIST, and German Traffic Sign Recognition Benchmark (GTSRB) datasets, and the average attack success rate can reach 98.6%. The experimental results indicate that the attack can achieve high success rates and stealthiness. This finding confirms that the SCAE has a security vulnerability that allows for the generation of adversarial samples. Our work seeks to highlight the threat of this attack and focus attention on SCAE’s security.

show abstract

Selective Poisoning Attack on Deep Neural Networks †

Cited by 16 publications

References 23 publications

Balanced Self-Paced Learning for AUC Maximization

Balanced Self-Paced Learning for AUC Maximization

Security of federated learning for cloud‐edge intelligence collaborative computing

An Evasion Attack against Stacked Capsule Autoencoder

Contact Info

Product

Resources

About