Kangjie Chen,Xiaoxuan Lou,Guowen Xu,Jiwei Li,Tianwei Zhang

2023-01-01

Abstract:Multi-label models have been widely used in various applications including image annotation and object detection. The fly in the ointment is its inherent vulnerability to backdoor attacks due to the adoption of deep learning techniques. However, all existing backdoor attacks exclusively require to modify training inputs (e.g., images), which may be impractical in real-world applications. In this paper, we aim to break this wall and propose the first clean-image backdoor attack, which only poisons the training labels without touching the training samples. Our key insight is that in a multi-label learning task, the adversary can just manipulate the annotations of training samples consisting of a specific set of classes to activate the backdoor. We design a novel trigger exploration method to find convert and effective triggers to enhance the attack performance. We also propose three target label selection strategies to achieve different goals. Experimental results indicate that our clean-image backdoor can achieve a 98% attack success rate while preserving the model's functionality on the benign inputs. Besides, the proposed clean-image backdoor can evade existing state-of-the-art defenses.

Jian Chen,Jingyao Wu,Hao Yin,Qiang Li,Wensheng Zhang,Chen Wang

DOI: https://doi.org/10.1109/trustcom60117.2023.00026

2024-01-01

Abstract:In recent years, the emergence of targeted cleanlabel poisoning attacks, which maliciously influence the training data without controlling over the labeling process to manipulate the behavior of the predictive model, is shown to be crucial threats to compromise deep learning systems. Prior targeted clean-label poisoning attacks have been demonstrated to target only one sample at a time, which is not always applicable in restricted real-world situations. In this paper, we explore targeted clean-label poisoning attacks on a per-class basis, which refers to misclassify samples from a victim class to the desired class while maintaining the classification accuracy of samples on other classes in multi-class classification tasks. To achieve this, we present the first class-targeted clean-label poisoning attack, called CTCL, which firsts craft clean label poisons along with multiple directions in the target feature space and enhance the attacking capability of poisons by reducing their the feature information of the target class. We illustrate the effectiveness of the proposed CTCL on various deep neural network models. The experiment results demonstrate that our attack is effective, with the attacking success rate over 80% compared to the other two baseline attacks on average, while the detection accuracy of state-of-the-art defenses is lower than 65% illustrating that CTCL can escape the detection of existing defenses readily.

Chen Zhu,W. Ronny Huang,Ali Shafahi,Hengduo Li,Gavin Taylor,Christoph Studer,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.1905.05897

2019-05-16

Abstract:Clean-label poisoning attacks inject innocuous looking (and "correctly" labeled) poison images into training data, causing a model to misclassify a targeted image after being trained on this data. We consider transferable poisoning attacks that succeed without access to the victim network's outputs, architecture, or (in some cases) training data. To achieve this, we propose a new "polytope attack" in which poison images are designed to surround the targeted image in feature space. We also demonstrate that using Dropout during poison creation helps to enhance transferability of this attack. We achieve transferable attack success rates of over 50% while poisoning only 1% of the training set.

Machine Learning,Cryptography and Security

Fnu Suya,Saeed Mahloujifar,Anshuman Suri,David Evans,Yuan Tian

DOI: https://doi.org/10.48550/arXiv.2006.16469

2021-04-21

Abstract:In a poisoning attack, an adversary with control over a small fraction of the training data attempts to select that data in a way that induces a corrupted model that misbehaves in favor of the adversary. We consider poisoning attacks against convex machine learning models and propose an efficient poisoning attack designed to induce a specified model. Unlike previous model-targeted poisoning attacks, our attack comes with provable convergence to {\it any} attainable target classifier. The distance from the induced classifier to the target classifier is inversely proportional to the square root of the number of poisoning points. We also provide a lower bound on the minimum number of poisoning points needed to achieve a given target classifier. Our method uses online convex optimization, so finds poisoning points incrementally. This provides more flexibility than previous attacks which require a priori assumption about the number of poisoning points. Our attack is the first model-targeted poisoning attack that provides provable convergence for convex models, and in our experiments, it either exceeds or matches state-of-the-art attacks in terms of attack success rate and distance to the target model.

Machine Learning,Artificial Intelligence,Cryptography and Security

Hojjat Aghakhani,Dongyu Meng,Yu-Xiang Wang,Christopher Kruegel,Giovanni Vigna

DOI: https://doi.org/10.48550/arXiv.2005.00191

2021-03-14

Abstract:A recent source of concern for the security of neural networks is the emergence of clean-label dataset poisoning attacks, wherein correctly labeled poison samples are injected into the training dataset. While these poison samples look legitimate to the human observer, they contain malicious characteristics that trigger a targeted misclassification during inference. We propose a scalable and transferable clean-label poisoning attack against transfer learning, which creates poison images with their center close to the target image in the feature space. Our attack, Bullseye Polytope, improves the attack success rate of the current state-of-the-art by 26.75% in end-to-end transfer learning, while increasing attack speed by a factor of 12. We further extend Bullseye Polytope to a more practical attack model by including multiple images of the same object (e.g., from different angles) when crafting the poison samples. We demonstrate that this extension improves attack transferability by over 16% to unseen images (of the same object) without using extra poison samples.

Machine Learning,Cryptography and Security

Yiwei Lu,Gautam Kamath,Yaoliang Yu

2023-06-06

Abstract:Indiscriminate data poisoning attacks aim to decrease a model's test accuracy by injecting a small amount of corrupted training data. Despite significant interest, existing attacks remain relatively ineffective against modern machine learning (ML) architectures. In this work, we introduce the notion of model poisoning reachability as a technical tool to explore the intrinsic limits of data poisoning attacks towards target parameters (i.e., model-targeted attacks). We derive an easily computable threshold to establish and quantify a surprising phase transition phenomenon among popular ML models: data poisoning attacks can achieve certain target parameters only when the poisoning ratio exceeds our threshold. Building on existing parameter corruption attacks and refining the Gradient Canceling attack, we perform extensive experiments to confirm our theoretical findings, test the predictability of our transition threshold, and significantly improve existing indiscriminate data poisoning baselines over a range of datasets and models. Our work highlights the critical role played by the poisoning ratio, and sheds new insights on existing empirical results, attacks and mitigation strategies in data poisoning.

Machine Learning,Cryptography and Security

Jing Lin,Ryan Luley,Kaiqi Xiong

DOI: https://doi.org/10.1109/icc45855.2022.9839219

2022-01-01

Abstract:Despite the wide-ranging applicability of machine learning methods, they are vulnerable to security attacks, such as evasion attacks and triggerless data poisoning attacks. An evasion attack occurs at the inference time when an attacker feeds in an adversarial example, a malicious perturbed input that appears the same as its untampered copy to a human oracle. In contrast, a triggerless data poisoning attack occurs at training time. An attacker tries to subvert learning with injected poisoned instances. In this research, we focus on a special sub-category of data poisoning attacks, namely triggerless clean-label targeted data poisoning attacks. This type of attacks is more realistic in the sense that it does not require an attacker to have the ability to change the label of any training instance. That is, attackers can successfully attack the training process with a poison instance that is correctly labeled by a human oracle. We propose a simple but effective way to alter an adversarial attack method into a triggerless clean-label targeted data poisoning attack method with a remarkable attack success rate. Furthermore, our proposed method only requires the injection of a single poison instance to manipulate a transfer learning model to misclassify an untampered targeted instance. We compare our method with a popular one-shot attack and show that our method is easier to be used as we do not need to tune for a hyperparameter such as a similarity coefficient.

Yiyong Liu,Michael Backes,Xiao Zhang

2024-06-06

Abstract:We consider availability data poisoning attacks, where an adversary aims to degrade the overall test accuracy of a machine learning model by crafting small perturbations to its training data. Existing poisoning strategies can achieve the attack goal but assume the victim to employ the same learning method as what the adversary uses to mount the attack. In this paper, we argue that this assumption is strong, since the victim may choose any learning algorithm to train the model as long as it can achieve some targeted performance on clean data. Empirically, we observe a large decrease in the effectiveness of prior poisoning attacks if the victim employs an alternative learning algorithm. To enhance the attack transferability, we propose Transferable Poisoning, which first leverages the intrinsic characteristics of alignment and uniformity to enable better unlearnability within contrastive learning, and then iteratively utilizes the gradient information from supervised and unsupervised contrastive learning paradigms to generate the poisoning perturbations. Through extensive experiments on image benchmarks, we show that our transferable poisoning attack can produce poisoned samples with significantly improved transferability, not only applicable to the two learners used to devise the attack but also to learning algorithms and even paradigms beyond.

Cryptography and Security,Machine Learning

Jian Chen,Yuan Gao,Gaoyang Liu,Ahmed M. Abdelmoniem,Chen Wang

DOI: https://doi.org/10.1109/tifs.2024.3350389

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:In recent years, contrastive learning has become very powerful for representation learning using large-scale unlabeled data, by involving pre-trained encoders to fine-tune downstream classifiers. However, the latest research indicates that contrastive learning can potentially suffer from the risks of data poisoning attacks, where the attacker injects maliciously crafted poisoned samples into the unlabeled pre-training data. To step forward, in this paper, we present a more stealthy poisoning attack dubbed PA-CL to directly poison the pre-trained encoder, such that the downstream classifier's behavior on a single target instance to the attacker-desired class can be manipulated without affecting the overall downstream classification performance. We observe that a high similarity exists between the feature representation generated by the poisoned pre-trained encoder for the target sample and samples from the attacker-desired class. This leads to the downstream classifier misclassifying the target sample with the attacker-desired class. Therefore, we formulate our attack as an optimization problem, and design two novel loss functions, namely, the target effectiveness loss to effectively poison the pre-trained encoder, and the model utility loss to maintain the downstream classification performance. Experimental results on four real-world datasets demonstrate that the attack success rate of the proposed attack is 40% higher on average than that of the three baseline attacks, and the fluctuation of the downstream classifier's prediction accuracy is within 5%.

computer science, theory & methods,engineering, electrical & electronic

Chen Zhang,Zhuo Tang,Kenli Li

DOI: https://doi.org/10.1016/j.ins.2023.03.124

IF: 8.1

2023-01-01

Information Sciences

Abstract:Numerous studies have proved that deep learning models are sensitive to attacks from adversarial examples. However, due to the high computationally demanding and limiting explanation for deep neural networks (DNNs), research on poisoning attacks against deep models is insufficient. In this work, considering the interpretation that DNNs are feature extractors, we propose a clean-label poisoning attack against DNNs by dominant image features added to the original data. Each category of clean data is augmented with imperceptible perturbations which we call “dominant image features” of another category. The dominant image features determine which class the input belongs to, while the clean input behaves like noise. Well-trained DNNs on these poisoning data will get extremely low accuracy on clean test data. The attack can make personal data unlearnable for DNNs, which preserves an individual's privacy. Besides, our data poisoning attack can be expanded into a powerful clean-label backdoor attack in that the poisoned samples and their labels are consistent for humans. Experimental results show that our proposed attack can exceed the previous advanced poisoning attacks which demonstrate the effectiveness of our presented attack. Additionally, our work provides a new perspective on the interpretation of DNNs as feature extractors.

Xianglong Zhang,Huanle Zhang,Guoming Zhang,Hong Li,Dongxiao Yu,Xiuzhen Cheng,Pengfei Hu

DOI: https://doi.org/10.1109/tc.2023.3280133

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Due to the substantial computational cost of neural network training, adopting third-party models has become increasingly popular. However, recent works demonstrate that third-party models can be poisoned. Nonetheless, most model poisoning attacks require reference data, e.g., training dataset or data belonging to the target label, making them difficult to launch in practice. In this paper, we propose a reference data independent model poisoning attack that can (1) directly search for sensitive features with respect to the target label, (2) quantify the positive and negative effects of the model parameters on sensitive features, and (3) accomplish the training of poisoned model by our parameter selective update strategy. The extensive evaluation on datasets with a few classes and numerous classes show that the attack is (I) effective: the trigger input can be labeled as a deliberate class by the poisoned model with high probability; (II) covert: the performance of the poisoned model is almost indistinguishable from the intact model on non-trigger inputs; and (III) straightforward: an adversary only needs a little background knowledge to launch the attack. Overall, the evaluation results show that our attack achieves 95%, 100%, 81%, 96%, and 96% success rates on Cifar10, Cifar100, ISIC2018, FaceScrub, and ImageNet datasets, respectively.

Maosen Li,Cheng Deng,Tengjiao Li,Junchi Yan,Xinbo Gao,Heng Huang

DOI: https://doi.org/10.1109/cvpr42600.2020.00072

2020-01-01

Computer Vision and Pattern Recognition

Abstract:An intriguing property of adversarial examples is their transferability, which suggests that black-box attacks are feasible in real-world applications. Previous works mostly study the transferability on non-targeted setting. However, recent studies show that targeted adversarial examples are more difficult to transfer than non-targeted ones. In this paper, we find there exist two defects that lead to the difficulty in generating transferable examples. First, the magnitude of gradient is decreasing during iterative attack, causing excessive consistency between two successive noises in accumulation of momentum, which is termed as noise curing. Second, it is not enough for targeted adversarial examples to just get close to target class without moving away from true class. To overcome the above problems, we propose a novel targeted attack approach to effectively generate more transferable adversarial examples. Specifically, we first introduce the Poincaré distance as the similarity metric to make the magnitude of gradient self-adaptive during iterative attack to alleviate noise curing. Furthermore, we regularize the targeted attack process with metric learning to take adversarial examples away from true label and gain more transferable targeted adversarial examples. Experiments on ImageNet validate the superiority of our approach achieving 8\% higher attack success rate over other state-of-the-art methods on average in black-box targeted attack.

Rauf Izmailov,Sridhar Venkatesan,Achyut Reddy,Ritu Chadha,Michael De Lucia,Alina Oprea

DOI: https://doi.org/10.1117/12.2622112

2022-01-01

Abstract:Poisoning attacks on training data are becoming one of the top concerns among users of machine learning systems. The goal of such attacks is to inject a small set of maliciously mislabeled training data into the training pipeline so as to detrimentally impact a machine learning model trained on such data. Constructing such attacks for cyber applications is especially challenging due to their realizability constraints. Furthermore, poisoning mitigation techniques for such applications are also not well understood. This paper investigates techniques for realizable data poisoning availability attacks (using several cyber applications), in which an attacker can insert a set of poisoned samples at the training time with the goal of degrading the accuracy of the deployed model. We design a white-box, realizable poisoning attack that degraded the original model's accuracy by generating mislabeled samples in close vicinity of a selected subset of training points. We investigate this strategy and its modifications for key classifier architectures and provide specific implications for each of them. The paper also proposes a novel data cleaning method as a defense against such poisoning attacks. Our defense includes a diversified ensemble of classifiers, each trained on a different subset of the training set. We use the disagreement of the classifiers' predictions as a decision whether to keep a given sample in the training dataset or remove it. The results demonstrate the efficiency of this strategy with very limited performance penalty.

W. Ronny Huang,Jonas Geiping,Liam Fowl,Gavin Taylor,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2004.00225

2021-02-21

Abstract:Data poisoning -- the process by which an attacker takes control of a model by making imperceptible changes to a subset of the training data -- is an emerging threat in the context of neural networks. Existing attacks for data poisoning neural networks have relied on hand-crafted heuristics, because solving the poisoning problem directly via bilevel optimization is generally thought of as intractable for deep models. We propose MetaPoison, a first-order method that approximates the bilevel problem via meta-learning and crafts poisons that fool neural networks. MetaPoison is effective: it outperforms previous clean-label poisoning methods by a large margin. MetaPoison is robust: poisoned data made for one model transfer to a variety of victim models with unknown training settings and architectures. MetaPoison is general-purpose, it works not only in fine-tuning scenarios, but also for end-to-end training from scratch, which till now hasn't been feasible for clean-label attacks with deep nets. MetaPoison can achieve arbitrary adversary goals -- like using poisons of one class to make a target image don the label of another arbitrarily chosen class. Finally, MetaPoison works in the real-world. We demonstrate for the first time successful data poisoning of models trained on the black-box Google Cloud AutoML API. Code and premade poisons are provided at <a class="link-external link-https" href="https://github.com/wronnyhuang/metapoison" rel="external noopener nofollow">this https URL</a>

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Lijia Yu,Shuang Liu,Yibo Miao,Xiao-Shan Gao,Lijun Zhang

2024-06-02

Abstract:The generalization bound is a crucial theoretical tool for assessing the generalizability of learning methods and there exist vast literatures on generalizability of normal learning, adversarial learning, and data poisoning. Unlike other data poison attacks, the backdoor attack has the special property that the poisoned triggers are contained in both the training set and the test set and the purpose of the attack is two-fold. To our knowledge, the generalization bound for the backdoor attack has not been established. In this paper, we fill this gap by deriving algorithm-independent generalization bounds in the clean-label backdoor attack scenario. Precisely, based on the goals of backdoor attack, we give upper bounds for the clean sample population errors and the poison population errors in terms of the empirical error on the poisoned training dataset. Furthermore, based on the theoretical result, a new clean-label backdoor attack is proposed that computes the poisoning trigger by combining adversarial noise and indiscriminate poison. We show its effectiveness in a variety of settings.

Machine Learning,Statistics Theory

Shihua Sun,Shridatt Sugrim,Angelos Stavrou,Haining Wang

2024-07-14

Abstract:Federated Learning (FL) exposes vulnerabilities to targeted poisoning attacks that aim to cause misclassification specifically from the source class to the target class. However, using well-established defense frameworks, the poisoning impact of these attacks can be greatly mitigated. We introduce a generalized pre-training stage approach to Boost Targeted Poisoning Attacks against FL, called BoTPA. Its design rationale is to leverage the model update contributions of all data points, including ones outside of the source and target classes, to construct an Amplifier set, in which we falsify the data labels before the FL training process, as a means to boost attacks. We comprehensively evaluate the effectiveness and compatibility of BoTPA on various targeted poisoning attacks. Under data poisoning attacks, our evaluations reveal that BoTPA can achieve a median Relative Increase in Attack Success Rate (RI-ASR) between 15.3% and 36.9% across all possible source-target class combinations, with varying percentages of malicious clients, compared to its baseline. In the context of model poisoning, BoTPA attains RI-ASRs ranging from 13.3% to 94.7% in the presence of the Krum and Multi-Krum defenses, from 2.6% to 49.2% under the Median defense, and from 2.9% to 63.5% under the Flame defense.

Cryptography and Security,Machine Learning

Weiwei Feng,Nanqing Xu,Tianzhu Zhang,Yongdong Zhang

DOI: https://doi.org/10.1109/cvpr52729.2023.01574

2023-01-01

Abstract:Adversarial attacks can evaluate model robustness and have been of great concerns in recent years. Among various attacks, targeted attacks aim at misleading victim models to output adversary-desired predictions, which are more challenging and threatening than untargeted ones. Existing targeted attacks can be roughly divided into instancespecific and instance-agnostic attacks. Instance-specific attacks craft adversarial examples via iterative gradient updating on the specific instance. In contrast, instanceagnostic attacks learn a universal perturbation or a generative model on the global dataset to perform attacks. However they rely too much on the classification boundary of substitute models, ignoring the realistic distribution of target class, which may result in limited targeted attack performance. And there is no attempt to simultaneously combine the information of the specific instance and the global dataset. To deal with these limitations, we first conduct an analysis via a causal graph and propose to craft transferable targeted adversarial examples by injecting target patterns. Based on this analysis, we introduce a generative attack model composed of a cross-attention guided convolution module and a pattern injection module. Concretely, the former adopts a dynamic convolution kernel and a static convolution kernel for the specific instance and the global dataset, respectively, which can inherit the advantages of both instance-specific and instance-agnostic attacks. And the pattern injection module utilizes a pattern prototype to encode target patterns, which can guide the generation of targeted adversarial examples. Besides, we also provide rigorous theoretical analysis to guarantee the effectiveness of our method. Extensive experiments demonstrate that our method show superior performance than 10 existing adversarial attacks against 13 models.

Jonas Geiping,Liam Fowl,W. Ronny Huang,Wojciech Czaja,Gavin Taylor,Michael Moeller,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2009.02276

2021-05-10

Abstract:Data Poisoning attacks modify training data to maliciously control a model trained on such data. In this work, we focus on targeted poisoning attacks which cause a reclassification of an unmodified test image and as such breach model integrity. We consider a particularly malicious poisoning attack that is both "from scratch" and "clean label", meaning we analyze an attack that successfully works against new, randomly initialized models, and is nearly imperceptible to humans, all while perturbing only a small fraction of the training data. Previous poisoning attacks against deep neural networks in this setting have been limited in scope and success, working only in simplified settings or being prohibitively expensive for large datasets. The central mechanism of the new attack is matching the gradient direction of malicious examples. We analyze why this works, supplement with practical considerations. and show its threat to real-world practitioners, finding that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset. Finally we demonstrate the limitations of existing defensive strategies against such an attack, concluding that data poisoning is a credible threat, even for large-scale deep learning systems.

Computer Vision and Pattern Recognition,Machine Learning

Wenbo Jiang,Hongwei Li,Sen Liu,Yanzhi Ren,Miao He

DOI: https://doi.org/10.1109/icc.2019.8761422

2019-01-01

Abstract:Recent years have witnessed tremendous academic efforts and industry growth in machine learning. The security of machine learning has become increasingly prominent. Poisoning attack is one of the most relevant security threats to machine learning which focuses on polluting the training data that machine learning needs during the training process. Specifically, the attacker blends crafted poisoning samples into training data in order to make the learned model beneficial to him. To the best of our knowledge, existing researches about poisoning attack focused on either integrity attack or availability attack, which did not unify these two attacks together. Aside from that, from the attacker's perspective, attacker's strategy is not flexible enough. Finally, existing proposals only concentrated on increasing the test error of the learned model but ignored the importance of the concealment of attack. To overcome these issues, we firstly present a thorough adversarial model for poisoning attack in which attacker's strategy is defined from two aspects, i.e., the effect of attack and the concealment of attack. Then we unify integrity attack and availability attack together in similar formulations. Furthermore, in order to enhance flexibility, a tradeoff parameter is inserted into attacker's objective function which means the attacker can balance the attraction of effect against the requirement of concealment. Finally, as examples, extensive experiments are conducted on linear regression and logistic regression to demonstrate the effectiveness of attack.

Guy Barash,Eitan Farchi,Sarit Kraus,Onn Shehory

DOI: https://doi.org/10.48550/arXiv.2105.01560

2021-05-05

Abstract:We introduce a novel clean-label targeted poisoning attack on learning mechanisms. While classical poisoning attacks typically corrupt data via addition, modification and omission, our attack focuses on data omission only. Our attack misclassifies a single, targeted test sample of choice, without manipulating that sample. We demonstrate the effectiveness of omission attacks against a large variety of learners including deep neural networks, SVM and decision trees, using several datasets including MNIST, IMDB and CIFAR. The focus of our attack on data omission only is beneficial as well, as it is simpler to implement and analyze. We show that, with a low attack budget, our attack's success rate is above 80%, and in some cases 100%, for white-box learning. It is systematically above the reference benchmark for black-box learning. For both white-box and black-box cases, changes in model accuracy are negligible, regardless of the specific learner and dataset. We also prove theoretically in a simplified agnostic PAC learning framework that, subject to dataset size and distribution, our omission attack succeeds with high probability against any successful simplified agnostic PAC learner.

Machine Learning