Pengpeng Chen,Yongqiang Yang,Dingqi Yang,Hailong Sun,Zhijun Chen,Peng Lin

DOI: https://doi.org/10.24963/ijcai.2023/332

2023-01-01

Abstract:Understanding the vulnerability of label aggregation against data poisoning attacks is key to ensuring data quality in crowdsourced label collection. State-of-the-art attack mechanisms generally assume full knowledge of the aggregation models while failing to consider the flexibility of malicious workers in selecting which instances to label. Such a setup limits the applicability of the attack mechanisms and impedes further improvement of their success rate. This paper introduces a black-box data poisoning attack framework that finds the optimal strategies for instance selection and labeling to attack unknown label aggregation models in crowdsourcing. We formulate the attack problem on top of a generic formalization of label aggregation models and then introduce a substitution approach that attacks a substitute aggregation model in replacement of the unknown model. Through extensive validation on multiple real-world datasets, we demonstrate the effectiveness of both instance selection and model substitution in improving the success rate of attacks.

Minghong Fang,Minghao Sun,Qi Li,N. Gong,Jinhua Tian,Jia Liu

DOI: https://doi.org/10.1145/3442381.3450066

2021-02-18

Abstract:A key challenge of big data analytics is how to collect a large volume of (labeled) data. Crowdsourcing aims to address this challenge via aggregating and estimating high-quality data (e.g., sentiment label for text) from pervasive clients/users. Existing studies on crowdsourcing focus on designing new methods to improve the aggregated data quality from unreliable/noisy clients. However, the security aspects of such crowdsourcing systems remain under-explored to date. We aim to bridge this gap in this work. Specifically, we show that crowdsourcing is vulnerable to data poisoning attacks, in which malicious clients provide carefully crafted data to corrupt the aggregated data. We formulate our proposed data poisoning attacks as an optimization problem that maximizes the error of the aggregated data. Our evaluation results on one synthetic and two real-world benchmark datasets demonstrate that the proposed attacks can substantially increase the estimation errors of the aggregated data. We also propose two defenses to reduce the impact of malicious clients. Our empirical results show that the proposed defenses can substantially reduce the estimation errors of the data poisoning attacks.

Computer Science

Chenglin Miao,Qi Li,Lu Su,Mengdi Huai,Wenjun Jiang,Jing Gao

DOI: https://doi.org/10.1145/3178876.3186032

2018-04-10

Abstract:As an effective way to solicit useful information from the crowd, crowdsourcing has emerged as a popular paradigm to solve challenging tasks. However, the data provided by the participating workers are not always trustworthy. In real world, there may exist malicious workers in crowdsourcing systems who conduct the data poisoning attacks for the purpose of sabotage or financial rewards. Although data aggregation methods such as majority voting are conducted on workers» labels in order to improve data quality, they are vulnerable to such attacks as they treat all the workers equally. In order to capture the variety in the reliability of workers, the Dawid-Skene model, a sophisticated data aggregation method, has been widely adopted in practice. By conducting maximum likelihood estimation (MLE) using the expectation maximization (EM) algorithm, the Dawid-Skene model can jointly estimate each worker»s reliability and conduct weighted aggregation, and thus can tolerate the data poisoning attacks to some degree. However, the Dawid-Skene model still has weakness. In this paper, we study the data poisoning attacks against such crowdsourcing systems with the Dawid-Skene model empowered. We design an intelligent attack mechanism, based on which the attacker can not only achieve maximum attack utility but also disguise the attacking behaviors. Extensive experiments based on real-world crowdsourcing datasets are conducted to verify the desirable properties of the proposed mechanism.

Computer Science

Yuxi Zhao,Xiaowen Gong,Fuhong Lin,Xu Chen

DOI: https://doi.org/10.1109/tmc.2021.3133365

IF: 6.075

2023-01-01

IEEE Transactions on Mobile Computing

Abstract:Crowdsourcing has found a wide variety of applications, including spectrum sensing, traffic monitoring, as well as data annotation for machine learning based data analytics. To improve data accuracy and cost-effectiveness, workers’ data quality can be learned from their data in an online manner, which can be used for task assignment and data aggregation. However, crowdsourcing is vulnerable to data poisoning attacks, where the attacker reports malicious data to reduce aggregated data accuracy. In this paper, we study malicious data attacks on dynamic crowdsourcing where tasks are assigned and performed sequentially, and we explore online quality learning as a defense mechanism against the attack by finding malicious workers with low quality. We first focus on the asymptotic setting where workers’ quality is accurately learned by the requester, based on which we then turn to the general non-asymptotic setting where the quality is estimated online with errors. For each setting, we first characterize the conditions under which the attack strategy can effectively reduce the aggregated data accuracy. Our results show that the malicious noise variance needs to be within a certain range for the attack to be effective. Then we analyze the harm of effective attack strategies. It reveals that the regret of the online quality learning algorithm can be substantially increased from $\mathcal {O}(\log ^2T)$O(log2T) (upper bound) to $\Omega (T)$Ω(T) (lower bound) due to effective attacks. To further mitigate the attack, we also study median and maximum influence of estimation based data aggregation as defense mechanisms. Our results provide useful insights on the impacts of data poisoning attacks when online quality learning is used to defend against the attack. We evaluate the proposed attacks and defenses via extensive simulation results based on real-world data, which demonstrate the effectiveness of the attacks and defenses.

Chenglin Miao,Qi Li,Lü Su,Mengdi Huai,Wenjun Jiang,Jing Gao

DOI: https://doi.org/10.1145/3178876.3186032

2018-01-01

Abstract:As an effective way to solicit useful information from the crowd, crowdsourcing has emerged as a popular paradigm to solve challenging tasks. However, the data provided by the participating workers are not always trustworthy. In real world, there may exist malicious workers in crowdsourcing systems who conduct the data poisoning attacks for the purpose of sabotage or financial rewards. Although data aggregation methods such as majority voting are conducted on workers» labels in order to improve data quality, they are vulnerable to such attacks as they treat all the workers equally. In order to capture the variety in the reliability of workers, the Dawid-Skene model, a sophisticated data aggregation method, has been widely adopted in practice. By conducting maximum likelihood estimation (MLE) using the expectation maximization (EM) algorithm, the Dawid-Skene model can jointly estimate each worker»s reliability and conduct weighted aggregation, and thus can tolerate the data poisoning attacks to some degree. However, the Dawid-Skene model still has weakness. In this paper, we study the data poisoning attacks against such crowdsourcing systems with the Dawid-Skene model empowered. We design an intelligent attack mechanism, based on which the attacker can not only achieve maximum attack utility but also disguise the attacking behaviors. Extensive experiments based on real-world crowdsourcing datasets are conducted to verify the desirable properties of the proposed mechanism.

Zhirun Zheng,Zhetao Li,Cheng Huang,Saiqin Long,Mushu Li,Xuemin Shen

DOI: https://doi.org/10.1109/tdsc.2024.3363507

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we explore data poisoning attacks and their defenses in local differential privacy (LDP)-based crowdsensing systems. First, we construct data poisoning attacks launched by corrupted workers to subvert crowdsensing results by tampering information reported. Specifically, the attacks are formulated as a bi-level optimization problem where attackers strive to conceal their malicious behavior by delicately exploiting noise perturbation introduced by LDP protocols. In this way, the attacks can not be detected, even with the weight-based truth discovery methods. Due to the NP-hard nature of the bi-level problem, we decompose it into upper-level and lower-level sub-problems and employ the augmented Lagrangian method to iteratively solve them, ultimately identifying optimal attack strategies. Second, we propose corresponding countermeasures to defend against the attacks. The countermeasures are formulated as a minimization problem, with the objective of minimizing disruptions caused by attacks through the identification and removal of corrupted workers from crowdsensing systems. To solve the problem, we utilize a differential evolution algorithm instead of gradient-based methods since the objective function of the problem is not differentiable. Extensive experiments on real-world datasets are conducted to evaluate the performance of the proposed attacks and defenses. The evaluation results demonstrate that LDP perturbation indeed facilitates the success of data poisoning attacks, and the proposed defenses can accurately distinguish malicious behaviors disguised.

computer science, information systems, software engineering, hardware & architecture

Mohan Li,Yanbin Sun,Hui Lu,Sabita Maharjan,Zhihong Tian

DOI: https://doi.org/10.1109/jiot.2019.2962914

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:Crowdsensing systems collect various types of data from sensors embedded on mobile devices owned by individuals. These individuals are commonly referred to as workers that complete tasks published by crowdsensing systems. Because of the relative lack of control over worker identities, crowdsensing systems are susceptible to data poisoning attacks which interfering with data analysis results by injecting fake data conflicting with ground truth. Frameworks like TruthFinder can resolve data conflicts by evaluating the trustworthiness of the data providers. These frameworks somehow make crowdsensing systems more robust since they can limit the impact of dirty data by reducing the value of unreliable workers. However, previous work has shown that TruthFinder may also be affected by the data poisoning attack when the malicious workers have access to global information. In this article, we focus on partially observable data poisoning attacks in crowdsensing systems. We show that even if the malicious workers only have access to local information, they can find effective data poisoning attack strategies to interfere with crowdsensing systems with TruthFinder. First, we formally model the problem of partially observable data poisoning attack against crowdsensing systems. Then, we propose a data poisoning attack method based on deep reinforcement learning, which helps malicious workers jeopardize with TruthFinder while hiding themselves. Based on the method, the malicious workers can learn from their attack attempts and evolve the poisoning strategies continuously. Finally, we conduct experiments on real-life data sets to verify the effectiveness of the proposed method.

Yufei Chen,Chao Shen,Yun Shen,Cong Wang,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2211.00463

2022-11-01

Abstract:As in-the-wild data are increasingly involved in the training stage, machine learning applications become more susceptible to data poisoning attacks. Such attacks typically lead to test-time accuracy degradation or controlled misprediction. In this paper, we investigate the third type of exploitation of data poisoning - increasing the risks of privacy leakage of benign training samples. To this end, we demonstrate a set of data poisoning attacks to amplify the membership exposure of the targeted class. We first propose a generic dirty-label attack for supervised classification algorithms. We then propose an optimization-based clean-label attack in the transfer learning scenario, whereby the poisoning samples are correctly labeled and look "natural" to evade human moderation. We extensively evaluate our attacks on computer vision benchmarks. Our results show that the proposed attacks can substantially increase the membership inference precision with minimum overall test-time model performance degradation. To mitigate the potential negative impacts of our attacks, we also investigate feasible countermeasures.

Cryptography and Security,Machine Learning

Rauf Izmailov,Sridhar Venkatesan,Achyut Reddy,Ritu Chadha,Michael De Lucia,Alina Oprea

DOI: https://doi.org/10.1117/12.2622112

2022-01-01

Abstract:Poisoning attacks on training data are becoming one of the top concerns among users of machine learning systems. The goal of such attacks is to inject a small set of maliciously mislabeled training data into the training pipeline so as to detrimentally impact a machine learning model trained on such data. Constructing such attacks for cyber applications is especially challenging due to their realizability constraints. Furthermore, poisoning mitigation techniques for such applications are also not well understood. This paper investigates techniques for realizable data poisoning availability attacks (using several cyber applications), in which an attacker can insert a set of poisoned samples at the training time with the goal of degrading the accuracy of the deployed model. We design a white-box, realizable poisoning attack that degraded the original model's accuracy by generating mislabeled samples in close vicinity of a selected subset of training points. We investigate this strategy and its modifications for key classifier architectures and provide specific implications for each of them. The paper also proposes a novel data cleaning method as a defense against such poisoning attacks. Our defense includes a diversified ensemble of classifiers, each trained on a different subset of the training set. We use the disagreement of the classifiers' predictions as a decision whether to keep a given sample in the training dataset or remove it. The results demonstrate the efficiency of this strategy with very limited performance penalty.

Chenglin Miao,Qi Li,Houping Xiao,Wenjun Jiang,Mengdi Huai,Lu Su

DOI: https://doi.org/10.1145/3209582.3209594

2018-06-26

Abstract:With the proliferation of sensor-rich mobile devices, crowd sensing has emerged as a new paradigm of collecting information from the physical world. However, the sensory data provided by the participating workers are usually not reliable. In order to identify truthful values from the crowd sensing data, the topic of truth discovery, whose goal is to estimate each worker's reliability and infer the underlying truths through weighted data aggregation, is widely studied. Since truth discovery incorporates workers' reliability into the aggregation procedure, it shows robustness to the data poisoning attacks, which are usually conducted by the malicious workers who aim to degrade the effectiveness of the crowd sensing systems through providing malicious sensory data. However, truth discovery is not perfect in all cases. In this paper, we study how to effectively conduct two types of data poisoning attacks, i.e., the availability attack and the target attack, against a crowd sensing system empowered with the truth discovery mechanism. We develop an optimal attack framework in which the attacker can not only maximize his attack utility but also disguise the introduced malicious workers as normal ones such that they cannot be detected easily. The desirable performance of the proposed framework is verified through extensive experiments conducted on a real-world crowd sensing system.

Computer Science

Zhirun Zheng,Zhetao Li,Cheng Huang,Saiqin Long,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2024.3486689

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:Differential privacy (DP) is widely used for protecting privacy in crowdsensing by adding noises. However, malicious attackers can exploit noise to launch covert data poisoning attacks. In this paper, we propose a game-based defense approach to resist such data poisoning attacks in DP-based crowdsensing systems. In this approach, attackers are believed to be powerful as they can refine their attack strategy based on the observations of deployed defenders' defense strategy. Specifically, the defenders formulate the defense as a functional minimization problem (which cannot be directly solved by numerical optimization algorithms because its decision variable is a set of functions), resisting data poisoning attacks by deleting data shared by identified malicious workers through the log-likelihood ratio test. To obtain a current defense strategy, the decision variable of the problem is relaxed into the coefficients of basis-based linear combinations through the variable-basis approximation, and then solved using the simulated annealing genetic algorithm. Correspondingly, the attackers formulate their attack strategy as a bi-level maximization problem (which is an NP-hard problem), biasing crowdsensing results as much as possible while remaining undetected. Since the attackers can know the defense strategy, they may bypass the defenders by constraining the expected log-likelihood ratio test. Additionally, the attackers can evade truth discovery methods deployed in crowdsensing using DP noise. To determine a current attack strategy, the bi-level problem is decomposed into upper-level and lower-level sub-problems, wherein the upper-level sub-problem is solved by the variational methods, and then these sub-problems are alternately optimized. Finally, we propose a local minimax points calculating algorithm to obtain an equilibrium point in the defenders-attackers game, thereby finding an optimal defense strategy to resist the powerful data poisoning attack. Extensive experiments on real-world and synthetic datasets show that the proposed game-based defense approach can effectively defend powerful and covert attackers.

Pang Wei Koh,Jacob Steinhardt,Percy Liang

DOI: https://doi.org/10.48550/arXiv.1811.00741

2021-12-03

Abstract:Machine learning models trained on data from the outside world can be corrupted by data poisoning attacks that inject malicious points into the models' training sets. A common defense against these attacks is data sanitization: first filter out anomalous training points before training the model. In this paper, we develop three attacks that can bypass a broad range of common data sanitization defenses, including anomaly detectors based on nearest neighbors, training loss, and singular-value decomposition. By adding just 3% poisoned data, our attacks successfully increase test error on the Enron spam detection dataset from 3% to 24% and on the IMDB sentiment classification dataset from 12% to 29%. In contrast, existing attacks which do not explicitly account for these data sanitization defenses are defeated by them. Our attacks are based on two ideas: (i) we coordinate our attacks to place poisoned points near one another, and (ii) we formulate each attack as a constrained optimization problem, with constraints designed to ensure that the poisoned points evade detection. As this optimization involves solving an expensive bilevel problem, our three attacks correspond to different ways of approximating this problem, based on influence functions; minimax duality; and the Karush-Kuhn-Tucker (KKT) conditions. Our results underscore the need to develop more robust defenses against data poisoning attacks.

Machine Learning,Cryptography and Security

Jing Lin,Ryan Luley,Kaiqi Xiong

DOI: https://doi.org/10.1109/icc45855.2022.9839219

2022-01-01

Abstract:Despite the wide-ranging applicability of machine learning methods, they are vulnerable to security attacks, such as evasion attacks and triggerless data poisoning attacks. An evasion attack occurs at the inference time when an attacker feeds in an adversarial example, a malicious perturbed input that appears the same as its untampered copy to a human oracle. In contrast, a triggerless data poisoning attack occurs at training time. An attacker tries to subvert learning with injected poisoned instances. In this research, we focus on a special sub-category of data poisoning attacks, namely triggerless clean-label targeted data poisoning attacks. This type of attacks is more realistic in the sense that it does not require an attacker to have the ability to change the label of any training instance. That is, attackers can successfully attack the training process with a poison instance that is correctly labeled by a human oracle. We propose a simple but effective way to alter an adversarial attack method into a triggerless clean-label targeted data poisoning attack method with a remarkable attack success rate. Furthermore, our proposed method only requires the injection of a single poison instance to manipulate a transfer learning model to misclassify an untampered targeted instance. We compare our method with a popular one-shot attack and show that our method is easier to be used as we do not need to tune for a hyperparameter such as a similarity coefficient.

Wenbo Jiang,Hongwei Li,Sen Liu,Yanzhi Ren,Miao He

DOI: https://doi.org/10.1109/icc.2019.8761422

2019-01-01

Abstract:Recent years have witnessed tremendous academic efforts and industry growth in machine learning. The security of machine learning has become increasingly prominent. Poisoning attack is one of the most relevant security threats to machine learning which focuses on polluting the training data that machine learning needs during the training process. Specifically, the attacker blends crafted poisoning samples into training data in order to make the learned model beneficial to him. To the best of our knowledge, existing researches about poisoning attack focused on either integrity attack or availability attack, which did not unify these two attacks together. Aside from that, from the attacker's perspective, attacker's strategy is not flexible enough. Finally, existing proposals only concentrated on increasing the test error of the learned model but ignored the importance of the concealment of attack. To overcome these issues, we firstly present a thorough adversarial model for poisoning attack in which attacker's strategy is defined from two aspects, i.e., the effect of attack and the concealment of attack. Then we unify integrity attack and availability attack together in similar formulations. Furthermore, in order to enhance flexibility, a tradeoff parameter is inserted into attacker's objective function which means the attacker can balance the attraction of effect against the requirement of concealment. Finally, as examples, extensive experiments are conducted on linear regression and logistic regression to demonstrate the effectiveness of attack.

Chen Zhang,Zhuo Tang,Kenli Li

DOI: https://doi.org/10.1016/j.ins.2023.03.124

IF: 8.1

2023-01-01

Information Sciences

Abstract:Numerous studies have proved that deep learning models are sensitive to attacks from adversarial examples. However, due to the high computationally demanding and limiting explanation for deep neural networks (DNNs), research on poisoning attacks against deep models is insufficient. In this work, considering the interpretation that DNNs are feature extractors, we propose a clean-label poisoning attack against DNNs by dominant image features added to the original data. Each category of clean data is augmented with imperceptible perturbations which we call “dominant image features” of another category. The dominant image features determine which class the input belongs to, while the clean input behaves like noise. Well-trained DNNs on these poisoning data will get extremely low accuracy on clean test data. The attack can make personal data unlearnable for DNNs, which preserves an individual's privacy. Besides, our data poisoning attack can be expanded into a powerful clean-label backdoor attack in that the poisoned samples and their labels are consistent for humans. Experimental results show that our proposed attack can exceed the previous advanced poisoning attacks which demonstrate the effectiveness of our presented attack. Additionally, our work provides a new perspective on the interpretation of DNNs as feature extractors.

Jonas Geiping,Liam Fowl,W. Ronny Huang,Wojciech Czaja,Gavin Taylor,Michael Moeller,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2009.02276

2021-05-10

Abstract:Data Poisoning attacks modify training data to maliciously control a model trained on such data. In this work, we focus on targeted poisoning attacks which cause a reclassification of an unmodified test image and as such breach model integrity. We consider a particularly malicious poisoning attack that is both "from scratch" and "clean label", meaning we analyze an attack that successfully works against new, randomly initialized models, and is nearly imperceptible to humans, all while perturbing only a small fraction of the training data. Previous poisoning attacks against deep neural networks in this setting have been limited in scope and success, working only in simplified settings or being prohibitively expensive for large datasets. The central mechanism of the new attack is matching the gradient direction of malicious examples. We analyze why this works, supplement with practical considerations. and show its threat to real-world practitioners, finding that it is the first poisoning method to cause targeted misclassification in modern deep networks trained from scratch on a full-sized, poisoned ImageNet dataset. Finally we demonstrate the limitations of existing defensive strategies against such an attack, concluding that data poisoning is a credible threat, even for large-scale deep learning systems.

Computer Vision and Pattern Recognition,Machine Learning

Yiwei Lu,Matthew Y. R. Yang,Gautam Kamath,Yaoliang Yu

2024-02-20

Abstract:Machine learning models have achieved great success in supervised learning tasks for end-to-end training, which requires a large amount of labeled data that is not always feasible. Recently, many practitioners have shifted to self-supervised learning methods that utilize cheap unlabeled data to learn a general feature extractor via pre-training, which can be further applied to personalized downstream tasks by simply training an additional linear layer with limited labeled data. However, such a process may also raise concerns regarding data poisoning attacks. For instance, indiscriminate data poisoning attacks, which aim to decrease model utility by injecting a small number of poisoned data into the training set, pose a security risk to machine learning models, but have only been studied for end-to-end supervised learning. In this paper, we extend the exploration of the threat of indiscriminate attacks on downstream tasks that apply pre-trained feature extractors. Specifically, we propose two types of attacks: (1) the input space attacks, where we modify existing attacks to directly craft poisoned data in the input space. However, due to the difficulty of optimization under constraints, we further propose (2) the feature targeted attacks, where we mitigate the challenge with three stages, firstly acquiring target parameters for the linear head; secondly finding poisoned features by treating the learned feature representations as a dataset; and thirdly inverting the poisoned features back to the input space. Our experiments examine such attacks in popular downstream tasks of fine-tuning on the same dataset and transfer learning that considers domain adaptation. Empirical results reveal that transfer learning is more vulnerable to our attacks. Additionally, input space attacks are a strong threat if no countermeasures are posed, but are otherwise weaker than feature targeted attacks.

Machine Learning,Cryptography and Security

W. Ronny Huang,Jonas Geiping,Liam Fowl,Gavin Taylor,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2004.00225

2021-02-21

Abstract:Data poisoning -- the process by which an attacker takes control of a model by making imperceptible changes to a subset of the training data -- is an emerging threat in the context of neural networks. Existing attacks for data poisoning neural networks have relied on hand-crafted heuristics, because solving the poisoning problem directly via bilevel optimization is generally thought of as intractable for deep models. We propose MetaPoison, a first-order method that approximates the bilevel problem via meta-learning and crafts poisons that fool neural networks. MetaPoison is effective: it outperforms previous clean-label poisoning methods by a large margin. MetaPoison is robust: poisoned data made for one model transfer to a variety of victim models with unknown training settings and architectures. MetaPoison is general-purpose, it works not only in fine-tuning scenarios, but also for end-to-end training from scratch, which till now hasn't been feasible for clean-label attacks with deep nets. MetaPoison can achieve arbitrary adversary goals -- like using poisons of one class to make a target image don the label of another arbitrarily chosen class. Finally, MetaPoison works in the real-world. We demonstrate for the first time successful data poisoning of models trained on the black-box Google Cloud AutoML API. Code and premade poisons are provided at <a class="link-external link-https" href="https://github.com/wronnyhuang/metapoison" rel="external noopener nofollow">this https URL</a>

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Ting Zhou,Hanshu Yan,Bo Han,Lei Liu,Jingfeng Zhang

DOI: https://doi.org/10.1016/j.neunet.2023.10.034

Abstract:In the transfer learning paradigm, models that are pre-trained on large datasets are used as the foundation models for various downstream tasks. However, this paradigm exposes downstream practitioners to data poisoning threats, as attackers can inject malicious samples into the re-training datasets to manipulate the behavior of models in downstream tasks. In this work, we propose a defense strategy that significantly reduces the success rate of various data poisoning attacks in downstream tasks. Our defense aims to pre-train a robust foundation model by reducing adversarial feature distance and increasing inter-class feature distance. Experiments demonstrate the excellent defense performance of the proposed strategy towards state-of-the-art clean-label poisoning attacks in the transfer learning scenario.

Yanxu Zhu,Hong Wen,Peng Zhang,Wen Han,Fan Sun,Jia

DOI: https://doi.org/10.1109/ccpqt56151.2022.00037

2022-01-01

Abstract:Recent trends in the convergence of edge computing and artificial intelligence (AI) have led to a new paradigm of “edge intelligence”, which are more vulnerable to attack such as data and model poisoning and evasion of attacks. This paper proposes a white-box poisoning attack against online regression model for edge intelligence environment, which aim to prepare the protection methods in the future. Firstly, the new method selects data points from original stream with maximum loss by two selection strategies; Secondly, it pollutes these points with gradient ascent strategy. At last, it injects polluted points into original stream being sent to target model to complete the attack process. We extensively evaluate our proposed attack on open dataset, the results of which demonstrate the effectiveness of the novel attack method and the real implications of poisoning attack in a case study electric energy prediction application.