The Devil's Advocate: Shattering the Illusion of Unexploitable Data using Diffusion Models

Dolatabadi, Hadi M.; Erfani, Sarah M.

doi:10.48550/arxiv.2303.08500

Cited by 3 publications

(13 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This defense mechanism operates in a black-box manner, without prior knowledge of the attack settings (e.g., the target label, poison rate and trigger functions), as well as any known benign or poisoned samples from the given data. We assume that the defender has access to pre-trained diffusion models representing identical or similar distributions (consistent with prior studies (Nie et al 2022;Xiao et al 2023;May et al 2023;Shi et al 2023;Dolatabadi, Erfani, and Leckie 2023;Jiang et al 2023)), which can be sourced as off-the-shelf models or trained using data provided from authoritative and trustworthy communities and institutions. Beyond this assumption, our experiments also validate the effectiveness of DATAELIXIR using diffusion models trained on disparate data and even poisoned data.…”

Section: Threat Modelmentioning

confidence: 98%

DataElixir: Purifying Poisoned Dataset to Mitigate Backdoor Attacks via Diffusion Models

Zhou,

Lv,

Lan

et al. 2024

AAAI

View full text Add to dashboard Cite

Dataset sanitization is a widely adopted proactive defense against poisoning-based backdoor attacks, aimed at filtering out and removing poisoned samples from training datasets. However, existing methods have shown limited efficacy in countering the ever-evolving trigger functions, and often leading to considerable degradation of benign accuracy. In this paper, we propose DataElixir, a novel sanitization approach tailored to purify poisoned datasets. We leverage diffusion models to eliminate trigger features and restore benign features, thereby turning the poisoned samples into benign ones. Specifically, with multiple iterations of the forward and reverse process, we extract intermediary images and their predicted labels for each sample in the original dataset. Then, we identify anomalous samples in terms of the presence of label transition of the intermediary images, detect the target label by quantifying distribution discrepancy, select their purified images considering pixel and feature distance, and determine their ground-truth labels by training a benign model. Experiments conducted on 9 popular attacks demonstrates that DataElixir effectively mitigates various complex attacks while exerting minimal impact on benign accuracy, surpassing the performance of baseline defense methods.

show abstract

Section: Threat Modelmentioning

confidence: 98%

DataElixir: Purifying Poisoned Dataset to Mitigate Backdoor Attacks via Diffusion Models

Zhou,

Lv,

Lan

et al. 2024

AAAI

View full text Add to dashboard Cite

show abstract

“…Countermeasures against UEs have only been attempted very recently [7,24,33]. Adversarial Training (AT) [21] has been shown to partially resist UE protection, but robust UE soon broke through this countermeasure [11,44].…”

Section: Related Work 21 Unlearnable Examplesmentioning

confidence: 99%

“…However, these methods are associated with specific training schemes, which limits the use of unauthorized data for other training schemes and tasks. The recent arXiv paper [7] applies diffusion models to counter UEs. The major differences to our approach are that we propose a new joint-conditional diffusion model instead of a naive application of the diffusion model, tackling the trade-off between perturbation purification and image semantic retaining.…”

Section: Related Work 21 Unlearnable Examplesmentioning

confidence: 99%

Unlearnable Examples Give a False Sense of Security: Piercing through Unexploitable Data with Learnable Examples

Jiang,

Diao,

Wang

et al. 2023

Proceedings of the 31st ACM International Conference on Multimedia

View full text Add to dashboard Cite

Safeguarding data from unauthorized exploitation is vital for privacy and security, especially in recent rampant research in security breach such as adversarial/membership attacks. To this end, unlearnable examples (UEs) have been recently proposed as a compelling protection, by adding imperceptible perturbation to data so that models trained on them cannot classify them accurately on original clean distribution. Unfortunately, we find UEs provide a false sense of security, because they cannot stop unauthorized users from utilizing other unprotected data to remove the protection, by turning unlearnable data into learnable again. Motivated by this observation, we formally define a new threat by introducing learnable unauthorized examples (LEs) which are UEs with their protection removed. The core of this approach is a novel purification process that projects UEs onto the manifold of LEs. This is realized by a new jointconditional diffusion model which denoises UEs conditioned on the pixel and perceptual similarity between UEs and LEs. Extensive experiments demonstrate that LE delivers state-of-the-art countering performance against both supervised UEs and unsupervised UEs in various scenarios, which is the first generalizable countermeasure to UEs across supervised learning and unsupervised learning. Our code is available at https://github.com/jiangw-0/LE_JCDP. CCS CONCEPTS• Security and privacy → Human and societal aspects of security and privacy; • Computing methodologies → Machine learning.

show abstract

“…Sandoval-Segura et al (2023) suggests that the orthogonal projection technique is effective against class-wise attacks. Diffusion models have been proposed to purify unlearnable perturbations (Jiang et al, 2023;Dolatabadi et al, 2023). Qin et al (2023a) introduced a benchmark for availability attacks.…”

Section: A Additional Related Workmentioning

confidence: 99%

“…12, the larger the poisoning budgets, the better the attack performance. On the defense side against availability attacks, AT (Madry et al, 2018) and AdvCL (Kim et al, 2020)) applied adversarial training in supervised learning and contrastive learning respectively; ISS (Liu et al, 2023b) and UEraser (Qin et al, 2023b) leveraged designed data augmentations to eliminate supervised unlearnability; AVATAR (Dolatabadi et al, 2023) employed a diffusion model to purify poisoned data. In Table 13, we evaluate our attacks through these defense methods as well as SimCLR with Cutout (DeVries & Taylor, 2017), Random noise, and Gaussian Blur.…”

Section: C4 Strength and Gapsmentioning

confidence: 99%

Discrete-time resilient-distributed secondary control strategy against unbounded attacks in polymorphic microgrid

et al. 2022

View full text Add to dashboard Cite

This study proposes a polymorphic cooperative control system for microgrid consisting of a service layer, a control layer, a data layer, and a power layer to apply a resilient-distributed secondary control strategy to distributed generators (DGs) from different manufacturers more conveniently. Due to the improvement of network openness, external cyberattacks are more likely to tamper with the neighbor information transmitted in the cooperative control system. In this study, a discrete-time resilient-distributed secondary control strategy is designed to resist potential unbounded false data injection (FDI) attacks, which introduces a virtual network layer interconnecting the control network layer to form a layered network. The strategy can maintain the stability of voltage and frequency under unbounded attacks and then greatly suppress the state estimation difference of voltage and frequency. Meanwhile, the unbounded attack depending on voltage and frequency estimation difference is suppressed to a nearly bounded attack. Finally, a microgrid consisting of six inverter-based DGs is taken as an example to validate the effectiveness of the strategy against unbounded attacks.

show abstract

The Devil's Advocate: Shattering the Illusion of Unexploitable Data using Diffusion Models

Cited by 3 publications

References 34 publications

DataElixir: Purifying Poisoned Dataset to Mitigate Backdoor Attacks via Diffusion Models

DataElixir: Purifying Poisoned Dataset to Mitigate Backdoor Attacks via Diffusion Models

Unlearnable Examples Give a False Sense of Security: Piercing through Unexploitable Data with Learnable Examples

Discrete-time resilient-distributed secondary control strategy against unbounded attacks in polymorphic microgrid

Contact Info

Product

Resources

About