BackdoorMBTI: A Backdoor Learning Multimodal Benchmark Tool Kit for Backdoor Defense Evaluation
Haiyang Yu, Tian Xie, Jiaping Gui et al.

Published: April 4, 2025

Language: English

Wild Patterns Reloaded: A Survey of Machine Learning Security against Training Data Poisoning (Open Access)
Antonio Emanuele Cinà, Kathrin Grosse, Ambra Demontis et al.

ACM Computing Surveys, Journal Year: 2023, Volume and Issue: 55(13s), P. 1 - 39

Published: March 1, 2023

The success of machine learning is fueled by the increasing availability of computing power and large training datasets. The training data is used to learn new models or update existing ones, assuming that it is sufficiently representative of the data that will be encountered at test time. This assumption is challenged by the threat of poisoning, an attack that manipulates the training data to compromise the model's performance at test time. Although poisoning has been acknowledged as a relevant threat in industry applications, and a variety of different attacks and defenses have been proposed so far, a complete systematization and critical review of the field is still missing. In this survey, we provide a comprehensive systematization of poisoning attacks and defenses in machine learning, reviewing more than 100 papers published in the field in the past 15 years. We start by categorizing the current threat models and attacks, and then organize existing defenses accordingly. While we focus mostly on computer-vision applications, we argue that our systematization also encompasses state-of-the-art attacks and defenses for other data modalities. Finally, we discuss existing resources for research in poisoning, and shed light on the current limitations and open research questions in the field.

Language: English

Citations: 68

Poisoning Web-Scale Training Datasets is Practical
Nicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo et al.

2022 IEEE Symposium on Security and Privacy (SP), Journal Year: 2024, Volume and Issue: 29, P. 407 - 425

Published: May 19, 2024

Language: English

Citations: 33

Backdoor Defense via Adaptively Splitting Poisoned Dataset
Kuofeng Gao, Yang Bai, Jindong Gu et al.

2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Journal Year: 2023, Volume and Issue: unknown

Published: June 1, 2023

Backdoor defenses have been studied to alleviate the threat of deep neural networks (DNNs) being backdoor attacked and thus maliciously altered. Since DNNs usually adopt some external training data from an untrusted third party, a robust backdoor defense strategy during the training stage is of importance. We argue that the core of training-time defense is to select poisoned samples and to handle them properly. In this work, we summarize the training-time defenses from a unified framework as splitting the poisoned dataset into two data pools. Under our framework, we propose an adaptively splitting dataset-based defense (ASD). Concretely, we apply loss-guided split and meta-learning-inspired split to dynamically update the two data pools. With the split clean data pool and polluted data pool, ASD successfully defends against backdoor attacks during training. Extensive experiments on multiple benchmark datasets and DNN models against six state-of-the-art backdoor attacks demonstrate the superiority of ASD. Our code is available at https://github.com/KuofengGao/ASD.

Language: English

Citations: 26

Delving into the Adversarial Robustness of Federated Learning (Open Access)
Jie Zhang, Bo Li, Chen Chen et al.

Proceedings of the AAAI Conference on Artificial Intelligence, Journal Year: 2023, Volume and Issue: 37(9), P. 11245 - 11253

Published: June 26, 2023

In Federated Learning (FL), models are as fragile as centrally trained models against adversarial examples. However, the adversarial robustness of federated learning remains largely unexplored. This paper casts light on the challenge of adversarial robustness in federated learning. To facilitate a better understanding of the adversarial vulnerability of existing FL methods, we conduct comprehensive robustness evaluations on various attacks and adversarial training methods. Moreover, we reveal the negative impacts induced by directly adopting adversarial training in FL, which seriously hurts the test accuracy, especially in non-IID settings. In this work, we propose a novel algorithm called Decision Boundary based Federated Adversarial Training (DBFAT), which consists of two components (local re-weighting and global regularization) to improve both the accuracy and robustness of FL systems. Extensive experiments on multiple datasets demonstrate that DBFAT consistently outperforms other baselines under IID

Language: English

Citations: 20

Backdoor Attacks via Machine Unlearning (Open Access)
Zihao Liu, Tianhao Wang, Mengdi Huai et al.

Proceedings of the AAAI Conference on Artificial Intelligence, Journal Year: 2024, Volume and Issue: 38(13), P. 14115 - 14123

Published: March 24, 2024

As a new paradigm to erase data from a model and protect user privacy, machine unlearning has drawn significant attention. However, existing studies on machine unlearning mainly focus on its effectiveness and efficiency, neglecting the security challenges introduced by this technique. In this paper, we aim to bridge this gap and study the possibility of conducting malicious attacks leveraging machine unlearning. Specifically, we consider the backdoor attack via machine unlearning, where an attacker seeks to inject a backdoor in the unlearned model by submitting unlearning requests, so that the prediction made by the unlearned model can be changed when a particular trigger presents. In our study, we propose two attack approaches. The first approach does not require the attacker to poison any training data of the model; the attacker can achieve the attack goal by only requesting to unlearn a small subset of his contributed data. The second approach allows the attacker to poison a few training instances with a pre-defined trigger upfront, and then activate the attack through an unlearning request. Both approaches are proposed with the goal of maximizing the attack utility while ensuring attack stealthiness. The effectiveness of the proposed attacks is demonstrated with different machine unlearning algorithms as well as different models and datasets.

Language: English

Citations: 8

Just a little human intelligence feedback! Unsupervised learning assisted supervised learning data poisoning based backdoor removal
Ting Luo, Huaibing Peng, Anmin Fu et al.

Computer Communications, Journal Year: 2025, Volume and Issue: unknown, P. 108052 - 108052

Published: Jan. 1, 2025

Language: English

Citations: 1

Robustness enhancement of deep reinforcement learning-based traffic signal control model via structure compression
Dongwei Xu, Xiangwang Liao, Zefeng Yu et al.

Knowledge-Based Systems, Journal Year: 2025, Volume and Issue: unknown, P. 113022 - 113022

Published: Jan. 1, 2025

Language: English

Citations: 1

Few-shot Backdoor Defense Using Shapley Estimation
Jiyang Guan, Zhuozhuo Tu, Ran He et al.

2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Journal Year: 2022, Volume and Issue: unknown, P. 13348 - 13357

Published: June 1, 2022

Deep neural networks have achieved impressive performance in a variety of tasks over the last decade, such as autonomous driving, face recognition, and medical diagnosis. However, prior works show that deep neural networks are easily manipulated into specific, attacker-decided behaviors in the inference stage by backdoor attacks, which inject malicious small hidden triggers into model training, raising serious security threats. To determine the triggered neurons and protect against backdoor attacks, we exploit the Shapley value and develop a new approach called Shapley Pruning (ShapPruning) that successfully mitigates backdoor attacks from models in a data-insufficient situation (1 image per class or even free of data). Considering the interaction between neurons, ShapPruning identifies the few infected neurons (under 1% of all neurons) and manages to protect the model's structure and accuracy after pruning as few neurons as possible. To accelerate ShapPruning, we further propose a discarding threshold and an ε-greedy strategy for Shapley estimation, making it possible to repair poisoned models with only several minutes. Experiments demonstrate the effectiveness and robustness of our method against various attacks compared with existing methods.

Language: English

Citations: 27

Backdoor attack and defense in federated generative adversarial network-based medical image synthesis
Ruinan Jin, Xiaoxiao Li

Medical Image Analysis, Journal Year: 2023, Volume and Issue: 90, P. 102965 - 102965

Published: Sept. 22, 2023

Language: English

Citations: 16

Enhancing Fine-Tuning based Backdoor Defense with Sharpness-Aware Minimization
Mingli Zhu, Shaokui Wei, Li Shen et al.

2021 IEEE/CVF International Conference on Computer Vision (ICCV), Journal Year: 2023, Volume and Issue: unknown, P. 4443 - 4454

Published: Oct. 1, 2023

Backdoor defense, which aims to detect or mitigate the effect of malicious triggers introduced by attackers, is becoming increasingly critical for machine learning security and integrity. Fine-tuning based on benign data is a natural defense to erase the backdoor in a backdoored model. However, recent studies show that, given limited benign data, vanilla fine-tuning has poor defense performance. In this work, we firstly investigate the process of fine-tuning based backdoor mitigation from the neuron weight perspective, and find that backdoor-related neurons are only slightly perturbed during the fine-tuning process, which explains its poor performance. To enhance the fine-tuning based defense, inspired by the observation that backdoor-related neurons often have larger norms, we propose FT-SAM, a novel backdoor defense paradigm that shrinks those norms by incorporating sharpness-aware minimization with fine-tuning. We demonstrate the effectiveness of our method on several benchmark datasets and network architectures, where it achieves state-of-the-art defense performance, and provide extensive analysis to reveal FT-SAM's mechanism. Overall, our work provides a promising avenue for improving the robustness of machine learning models against backdoor attacks. Codes are available at https://github.com/SCLBD/BackdoorBench.

Language: English

Citations: 14