Transferable Clean-Label Poisoning Attacks on Deep Neural Nets

Zhu, Chen; Huang, Wei; Shafahi, Ali; Li, Hengduo; Taylor, Gavin; Studer, Christoph; Goldstein, Tom

doi:10.48550/arxiv.1905.05897

Cited by 25 publications

(45 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Liu et al [13] proposed to use adversarial perturbation to protect image privacy from both humans and AI. Zhu et al [14] introduced a new "polytope attack" in which poison images were designed to surround the targeted image in the feature space. Taking both ideas into account, Fawkes [15], the state-of-the-art method, helped users wearing imperceptible "cloaks" to their own photos before releasing them.…”

Section: Adversarial Perturbation-based Methodsmentioning

confidence: 99%

“…Traditional anonymization techniques are mainly obfuscation-based and always significantly alter the original face. Other previous work in this field is sparse and limited in both practicality and efficacy: ksame algorithm-based methods [5][6][7][8][9] fail to make full use of existing data and deliver fairly poor visual quality; adversarial perturbation-based methods [10][11][12][13][14][15] usually depend highly on the accessibility of the target system and require special training; recent GAN-based methods [16][17][18][19][20][21][22][23][24][25][26] have trouble generating visually similar de-identified faces as well. Note that there exists a trade-off between privacy protection and dataset utility [27,28], and previous methods are unable to balance this matter.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

IdentityDP: Differential Private Identification Protection for Face Images

Wen¹,

Li²,

Liu³

et al. 2021

Preprint

View full text Add to dashboard Cite

Because of the explosive growth of face photos as well as their widespread dissemination and easy accessibility in social media, the security and privacy of personal identity information becomes an unprecedented challenge. Meanwhile, the convenience brought by advanced identity-agnostic computer vision technologies is attractive. Therefore, it is important to use face images while taking careful consideration in protecting people's identities. Given a face image, face de-identification, also known as face anonymization, refers to generating another image with similar appearance and the same background, while the real identity is hidden. Although extensive efforts have been made, existing face de-identification techniques are either insufficient in photo-reality or incapable of well-balancing privacy and utility. In this paper, we focus on tackling these challenges to improve face de-identification. We propose IdentityDP, a face anonymization framework that combines a data-driven deep neural network with a differential privacy (DP) mechanism. This framework encompasses three stages: facial representations disentanglement, -IdentityDP perturbation and image reconstruction. Our model can effectively obfuscate the identity-related information of faces, preserve significant visual similarity, and generate high-quality images that can be used for identity-agnostic computer vision tasks, such as detection, tracking, etc. Different from the previous methods, we can adjust the balance of privacy and utility through the privacy budget according to pratical demands and provide a diversity of results without pre-annotations. Extensive experiments demonstrate the effectiveness and generalization ability of our proposed anonymization framework.

show abstract

Section: Adversarial Perturbation-based Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

IdentityDP: Differential Private Identification Protection for Face Images

Wen¹,

Li²,

Liu³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Several data-poisoning like attacks (Gu et al, 2017;Liu et al, 2018b) utilize patch/watermark triggers. Clean-label attacks (Shafahi et al, 2018;Saha et al, 2020;Turner et al, 2019;Zhao et al, 2020;Zhu et al, 2019) inject back-door without changing data label. Salem et al (2020) leveraged GAN to construct dynamic triggers with random patterns and locations.…”

Section: Related Workmentioning

confidence: 99%

Backdoor Scanning for Deep Neural Networks through K-Arm Optimization

Shen

Liu

Tao

et al. 2021

Preprint

View full text Add to dashboard Cite

Back-door attack poses a severe threat to deep learning systems. It injects hidden malicious behaviors to a model such that any input stamped with a special pattern can trigger such behaviors. Detecting back-door is hence of pressing need. Many existing defense techniques use optimization to generate the smallest input pattern that forces the model to misclassify a set of benign inputs injected with the pattern to a target label. However, the complexity is quadratic to the number of class labels such that they can hardly handle models with many classes. Inspired by Multi-Arm Bandit in Reinforcement Learning, we propose a K-Arm optimization method for backdoor detection. By iteratively and stochastically selecting the most promising labels for optimization with the guidance of an objective function, we substantially reduce the complexity, allowing to handle models with many classes. Moreover, by iteratively refining the selection of labels to optimize, it substantially mitigates the uncertainty in choosing the right labels, improving detection accuracy. At the time of submission, the evaluation of our method on over 4000 models in the IARPA TrojAI competition from round 1 to the latest round 4 achieves top performance on the leaderboard. Our technique also supersedes three state-of-the-art techniques in terms of accuracy and the scanning time needed.

show abstract

“…However, the method proposed by Shafahi et al [98] requires a complete or a query access to the victim model. Then, Zhu et al [110] assumed the victim model is not accessible to the attacker and proposed a new convex polytope attack in which poison images are designed to surround the targeted image in the feature space.…”

Section: B Backdoor Attacks 1) Data Poisoningmentioning

confidence: 99%

Robust and Privacy-Preserving Collaborative Learning: A Comprehensive Survey

Guo¹,

Zhang²,

Yang³

et al. 2021

Preprint

View full text Add to dashboard Cite

With the rapid demand of data and computational resources in deep learning systems, a growing number of algorithms to utilize collaborative machine learning techniques, for example, federated learning, to train a shared deep model across multiple participants. It could effectively take advantage of resource of each participant and obtain a more powerful learning system. However, integrity and privacy threats in such systems have greatly obstructed the applications of collaborative learning. And a large amount of works have been proposed to maintain the model integrity and mitigate the privacy leakage of training data during the training phase for different collaborate learning systems. Compared with existing surveys that mainly focus on one specific collaborate learning system, this survey aims to provide a systematic and comprehensive review of security and privacy researches in collaborative learning. Our survey first provides the system overview of collaborative learning, followed by an brief introduction of integrity and privacy threats. In an organized way, we then detail the existing integrity and privacy attacks as well as their defenses. We also list some open problems in this area and opensource the related papers on GitHub: https://github.com/csl-cqu/awesome-secure-collebrativelearning-papers.

show abstract

Transferable Clean-Label Poisoning Attacks on Deep Neural Nets

Cited by 25 publications

References 13 publications

IdentityDP: Differential Private Identification Protection for Face Images

IdentityDP: Differential Private Identification Protection for Face Images

Backdoor Scanning for Deep Neural Networks through K-Arm Optimization

Robust and Privacy-Preserving Collaborative Learning: A Comprehensive Survey

Contact Info

Product

Resources

About