Gang Li,Qifei Zhang,Peizheng Wang,Jie Zhang,Chao Wu

DOI: https://doi.org/10.1109/ICME55011.2023.00314

2023-01-01

Abstract:Unsupervised domain adaptation (UDA) methods usually assume data from multiple domains can be put together for centralized adaptation. Unfortunately, this assumption impairs data privacy, which leads to the failure of traditional methods in practical scenarios. To cope with the above issue, we present a novel decentralized domain adaptation approach which conducts target adaptation in an iterative training process during which only models can be delivered across domains. More specifically, to train a promising target model, we leverage Adversarial Examples (AEs) to filter out error prone predictions of source models towards each target sample based on both robustness and confidence, and then treat the most frequent prediction as the pseudo-label. Besides, to improve central model aggregation, we introduce Knowledge Contribution (KC) to compute reasonable aggregation weights. Extensive experiments conducted on several standard datasets verify the superiority of the proposed method.

Kangjie Chen,Xiaoxuan Lou,Guowen Xu,Jiwei Li,Tianwei Zhang

2023-01-01

Abstract:Multi-label models have been widely used in various applications including image annotation and object detection. The fly in the ointment is its inherent vulnerability to backdoor attacks due to the adoption of deep learning techniques. However, all existing backdoor attacks exclusively require to modify training inputs (e.g., images), which may be impractical in real-world applications. In this paper, we aim to break this wall and propose the first clean-image backdoor attack, which only poisons the training labels without touching the training samples. Our key insight is that in a multi-label learning task, the adversary can just manipulate the annotations of training samples consisting of a specific set of classes to activate the backdoor. We design a novel trigger exploration method to find convert and effective triggers to enhance the attack performance. We also propose three target label selection strategies to achieve different goals. Experimental results indicate that our clean-image backdoor can achieve a 98% attack success rate while preserving the model's functionality on the benign inputs. Besides, the proposed clean-image backdoor can evade existing state-of-the-art defenses.

Jun Wu,Jingrui He

DOI: https://doi.org/10.1109/tkde.2022.3230825

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Multi-source domain adaptation studies the knowledge transferability from multiple labeled source domains to an unlabeled target domain under a distribution shift. However, little effort has been devoted to studying the adversarial vulnerability of multi-source domain adaptation approaches. Specifically, most existing techniques focus on learning the domain-invariant representation to mitigate the distribution shift across domains. In this paper, we theoretically show that the domain-invariant representation cannot guarantee the success of multi-source domain adaptation, when no labeled samples are available in the target domain. This result motivates us to propose a unified framework (AdaptAttack) for data poisoning adversarial attacks on multi-source domain adaptation. The key idea is to maliciously manipulate the label-informed data distributions of source domains by injecting perceptibly unnoticeable noise into the source data. In addition, it requires that the generated adversarial attacks are invisible to multi-source domain adaptation algorithms, i.e., the source classification errors and marginal discrepancies across domains are not negatively affected. Extensive experiments on public domain adaptation benchmarks confirm the effectiveness and computational efficiency of our proposed AdaptAttack framework in both white-box and black-box attack scenarios.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Jinyin Chen,Haibin Zheng,Mengmeng Su,Tianyu Du,Changting Lin,Shouling Ji

DOI: https://doi.org/10.1007/978-3-030-42921-8_10

2020-01-01

Abstract:Deep learning is widely applied to various areas for its great performance. However, it is vulnerable to adversarial attacks and poisoning attacks, which arouses a lot of concerns. A number of attack methods and defense strategies have been proposed, most of which focus on adversarial attacks that happen in the testing process. Poisoning attacks, using poisoned-training data to attack deep learning models, are more difficult to defend since the models heavily depend on the training data and strategies to guarantee their performances. Generally, poisoning attacks are conducted by leveraging benign examples with poisoned labels or poison-training examples with benign labels. Both cases are easy to detect. In this paper, we propose a novel poisoning attack named Invisible Poisoning Attack (IPA). In IPA, we use highly stealthy poison-training examples with benign labels, perceptually similar to their benign counterparts, to train the deep learning model. During the testing process, the poisoned model will handle the benign examples correctly, while output erroneous results when fed by the target benign examples (poisoning-trigger examples). We adopt the Non-dominated Sorting Genetic Algorithm (NSGA-II) as the optimizer for evolving the highly stealthy poison-training examples. The generated approximate optimal examples are promised to be both invisible and effective in attacking the target model. We verify the effectiveness of IPA against face recognition systems on different face datasets, including attack ability, stealthiness, and transferability performance.

Liang Yuan,Huajie Hu

DOI: https://doi.org/10.1109/SCSET58950.2023.00021

2023-04-01

Abstract:The emergence of federated learning framework sets protects user privacy and has solved the Isolated Data Island problem. However, existing federation attack methods mostly use label flipping for data poisoning attacks, while federated backdoor attacks require patching the target samples. The attacker can also arrange other generative networks at local nodes but has limited data reconstruction capability. Thus, this paper proposes a new poisoning attack method named adversarial example poisoning attack (AEP A). The attacker uses the distributed global model to create adversarial examples and uses the original clean label for federation training and attacks against the specific target class in the dataset. In the evaluation process, we conducted extensive experiments on the CfF AR-l 0 dataset. We also explored the toxicity of the adversarial examples under different generation methods, compared our method with the label-flipping attack, and finally showed the effectiveness of AEPA.

Computer Science

Jiale Zhang,Di Wu,Chengyong Liu,Bing Chen

DOI: https://doi.org/10.1007/978-981-15-9739-8_7

2020-01-01

Abstract:Recently, federated learning has shown its significant advantages in protecting training data privacy by maintaining a joint model across multiple clients. However, its model security issues have not only been recently explored but shown that federated learning exhibits inherent vulnerabilities on the active attacks launched by malicious participants. Poisoning is one of the most powerful active attacks where an inside attacker can upload the crafted local model updates to further impact the global model performance. In this paper, we first illustrate how the poisoning attack works in the context of federated learning. Then, we correspondingly propose a defense method that mainly relies upon a well-researched adversarial training technique: pivotal training, which improves the robustness of the global model with poisoned local updates. The main contribution of this work is that the countermeasure method is simple and scalable since it does not require complex accuracy validations, while only changing the optimization objectives and loss functions. We finally demonstrate the effectiveness of our proposed mitigation mechanisms through extensive experiments.

Jingjing Li,Zhekai Du,Lei Zhu,Zhengming Ding,Ke Lu,Heng Tao Shen

DOI: https://doi.org/10.1109/tpami.2021.3109287

IF: 23.6

2021-01-01

IEEE Transactions on Pattern Analysis and Machine Intelligence

Abstract:Conventional machine learning algorithms suffer the problem that the model trained on existing data fails to generalize well to the data sampled from other distributions. To tackle this issue, unsupervised domain adaptation (UDA) transfers the knowledge learned from a well-labeled source domain to a different but related target domain where labeled data is unavailable. The majority of existing UDA methods assume that data from the source domain and the target domain are available and complete during training. Thus, the divergence between the two domains can be formulated and minimized. In this paper, we consider a more practical yet challenging UDA setting where either the source domain data or the target domain data are unknown. Conventional UDA methods would fail this setting since the domain divergence is agnostic due to the absence of the source data or the target data. Technically, we investigate UDA from a novel view—adversarial attack—and tackle the divergence-agnostic adaptive learning problem in a unified framework. Specifically, we first report the motivation of our approach by investigating the inherent relationship between UDA and adversarial attacks. Then we elaborately design adversarial examples to attack the training model and harness these adversarial examples. We argue that the generalization ability of the model would be significantly improved if it can defend against our attack, so as to improve the performance on the target domain. Theoretically, we analyze the generalization bound for our method based on domain adaptation theories. Extensive experimental results on multiple UDA benchmarks under conventional, source-absent and target-absent UDA settings verify that our method is able to achieve a favorable performance compared with previous ones. Notably, this work extends the scope of both domain adaptation and adversarial attack, and expected to inspire more ideas in the community.

computer science, artificial intelligence,engineering, electrical & electronic

Shuyang Yu,Zhuangdi Zhu,Boyang Liu,Anil K Jain,Jiayu Zhou

DOI: https://doi.org/10.1109/icdm54844.2022.00171

Abstract:Unsupervised Domain Adaptation (UDA) provides a promising solution for learning without supervision, which transfers knowledge from relevant source domains with accessible labeled training data. Existing UDA solutions hinge on clean training data with a short-tail distribution from the source domain, which can be fragile when the source domain data is corrupted either inherently or via adversarial attacks. In this work, we propose an effective framework to address the challenges of UDA from corrupted source domains in a principled manner. Specifically, we perform knowledge ensemble from multiple domain-invariant models that are learned on random partitions of training data. To further address the distribution shift from the source to the target domain, we refine each of the learned models via mutual information maximization, which adaptively obtains the predictive information of the target domain with high confidence. Extensive empirical studies demonstrate that the proposed approach is robust against various types of poisoned data attacks while achieving high asymptotic performance on the target domain.

Nicholas Carlini

DOI: https://doi.org/10.48550/arXiv.2105.01622

2021-08-10

Abstract:Semi-supervised machine learning models learn from a (small) set of labeled training examples, and a (large) set of unlabeled training examples. State-of-the-art models can reach within a few percentage points of fully-supervised training, while requiring 100x less labeled data. We study a new class of vulnerabilities: poisoning attacks that modify the unlabeled dataset. In order to be useful, unlabeled datasets are given strictly less review than labeled datasets, and adversaries can therefore poison them easily. By inserting maliciously-crafted unlabeled examples totaling just 0.1% of the dataset size, we can manipulate a model trained on this poisoned dataset to misclassify arbitrary examples at test time (as any desired label). Our attacks are highly effective across datasets and semi-supervised learning methods. We find that more accurate methods (thus more likely to be used) are significantly more vulnerable to poisoning attacks, and as such better training methods are unlikely to prevent this attack. To counter this we explore the space of defenses, and propose two methods that mitigate our attack.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Jingfeng Zhang,Bo Song,Bo Han,Lei Liu,Gang Niu,Masashi Sugiyama

2023-04-30

Abstract:Adversarial training (AT) is a robust learning algorithm that can defend against adversarial attacks in the inference phase and mitigate the side effects of corrupted data in the training phase. As such, it has become an indispensable component of many artificial intelligence (AI) systems. However, in high-stake AI applications, it is crucial to understand AT's vulnerabilities to ensure reliable deployment. In this paper, we investigate AT's susceptibility to poisoning attacks, a type of malicious attack that manipulates training data to compromise the performance of the trained model. Previous work has focused on poisoning attacks against standard training, but little research has been done on their effectiveness against AT. To fill this gap, we design and test effective poisoning attacks against AT. Specifically, we investigate and design clean-label poisoning attacks, allowing attackers to imperceptibly modify a small fraction of training data to control the algorithm's behavior on a specific target data point. Additionally, we propose the clean-label untargeted attack, enabling attackers can attach tiny stickers on training data to degrade the algorithm's performance on all test data, where the stickers could serve as a signal against unauthorized data collection. Our experiments demonstrate that AT can still be poisoned, highlighting the need for caution when using vanilla AT algorithms in security-related applications. The code is at <a class="link-external link-https" href="https://github.com/zjfheart/Poison-adv-training.git" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Lijun Sheng,Jian Liang,Ran He,Zilei Wang,Tieniu Tan

2024-01-12

Abstract:Model adaptation tackles the distribution shift problem with a pre-trained model instead of raw data, becoming a popular paradigm due to its great privacy protection. Existing methods always assume adapting to a clean target domain, overlooking the security risks of unlabeled samples. In this paper, we explore the potential backdoor attacks on model adaptation launched by well-designed poisoning target data. Concretely, we provide two backdoor triggers with two poisoning strategies for different prior knowledge owned by attackers. These attacks achieve a high success rate and keep the normal performance on clean samples in the test stage. To defend against backdoor embedding, we propose a plug-and-play method named MixAdapt, combining it with existing adaptation algorithms. Experiments across commonly used benchmarks and adaptation methods demonstrate the effectiveness of MixAdapt. We hope this work will shed light on the safety of learning with unlabeled data.

Cryptography and Security

W. Ronny Huang,Jonas Geiping,Liam Fowl,Gavin Taylor,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.2004.00225

2021-02-21

Abstract:Data poisoning -- the process by which an attacker takes control of a model by making imperceptible changes to a subset of the training data -- is an emerging threat in the context of neural networks. Existing attacks for data poisoning neural networks have relied on hand-crafted heuristics, because solving the poisoning problem directly via bilevel optimization is generally thought of as intractable for deep models. We propose MetaPoison, a first-order method that approximates the bilevel problem via meta-learning and crafts poisons that fool neural networks. MetaPoison is effective: it outperforms previous clean-label poisoning methods by a large margin. MetaPoison is robust: poisoned data made for one model transfer to a variety of victim models with unknown training settings and architectures. MetaPoison is general-purpose, it works not only in fine-tuning scenarios, but also for end-to-end training from scratch, which till now hasn't been feasible for clean-label attacks with deep nets. MetaPoison can achieve arbitrary adversary goals -- like using poisons of one class to make a target image don the label of another arbitrarily chosen class. Finally, MetaPoison works in the real-world. We demonstrate for the first time successful data poisoning of models trained on the black-box Google Cloud AutoML API. Code and premade poisons are provided at <a class="link-external link-https" href="https://github.com/wronnyhuang/metapoison" rel="external noopener nofollow">this https URL</a>

Machine Learning,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition

Jimmy Z. Di,Jack Douglas,Jayadev Acharya,Gautam Kamath,Ayush Sekhari

2024-08-01

Abstract:We introduce camouflaged data poisoning attacks, a new attack vector that arises in the context of machine unlearning and other settings when model retraining may be induced. An adversary first adds a few carefully crafted points to the training dataset such that the impact on the model's predictions is minimal. The adversary subsequently triggers a request to remove a subset of the introduced points at which point the attack is unleashed and the model's predictions are negatively affected. In particular, we consider clean-label targeted attacks (in which the goal is to cause the model to misclassify a specific test point) on datasets including CIFAR-10, Imagenette, and Imagewoof. This attack is realized by constructing camouflage datapoints that mask the effect of a poisoned dataset.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computers and Society

Qiankun Ma,Jie Zeng,Jianjia Zhang,Chen Zu,Xi Wu,Jiliu Zhou,Jie Chen,Yan Wang

DOI: https://doi.org/10.1016/j.patcog.2024.110793

IF: 8

2024-01-01

Pattern Recognition

Abstract:Recently, unsupervised domain adaptation (UDA) has attracted extensive interest in relieving the greedy requirement of vanilla deep learning for labeled data. It seeks for a solution to adapt the knowledge from a well-labeled training dataset (source domain) to another unlabeled target dataset (target domain). However, in some practical scenarios, the source domain data is inaccessible for a variety of reasons, and only a model trained on it can be provided, thus deriving a more challenging task, i.e., source-free unsupervised domain adaptation (SFUDA). Some pseudo labeling-based methods have been proposed to solve it by predicting pseudo labels for the unlabeled target domain data. Nevertheless, incorrectly designated pseudo labels will impose an adverse impact on the network adaptation. To alleviate this issue, we propose a dynamic confidence-based pseudo labeling strategy for SFUDA in this paper. Unlike those methods that first rigidly assign pseudo labels to all target domain data and then try to weaken the effect of incorrect pseudo labels in training, we proactively label the target samples with higher confidence in a dynamic manner. To further relieve the impact of incorrect pseudo labels, we harness the collaborative learning to constrain the consistency of the network and impose an additional soft supervision. Besides, we also investigate the possible problem brought by our labeling strategy, i.e., the neglect of wavering samples near the decision boundary, and solve it by injecting the self-supervised learning into our model. Experiments on three UDA benchmark datasets demonstrate the state-of-the-art performance of our proposed method. The code is publicly available at https://github.com/meowpass/DPLS.

Ying Zhao,Junjun Chen,Jiale Zhang,Di Wu,Michael Blumenstein,Shui Yu

DOI: https://doi.org/10.1002/cpe.5906

2020-06-29

Concurrency and Computation: Practice and Experience

Abstract:<p>In the age of the Internet of Things (IoT), large numbers of sensors and edge devices are deployed in various application scenarios; Therefore, collaborative learning is widely used in IoT to implement crowd intelligence by inviting multiple participants to complete a training task. As a collaborative learning framework, federated learning is designed to preserve user data privacy, where participants jointly train a global model without uploading their private training data to a third party server. Nevertheless, federated learning is under the threat of poisoning attacks, where adversaries can upload malicious model updates to contaminate the global model. To detect and mitigate poisoning attacks in federated learning, we propose a poisoning defense mechanism, which uses generative adversarial networks to generate auditing data in the training procedure and removes adversaries by auditing their model accuracy. Experiments conducted on two well‐known datasets, MNIST and Fashion‐MNIST, suggest that federated learning is vulnerable to the poisoning attack, and the proposed defense method can detect and mitigate the poisoning attack.</p>

Jian Chen,Yuan Gao,Gaoyang Liu,Ahmed M. Abdelmoniem,Chen Wang

DOI: https://doi.org/10.1109/tifs.2024.3350389

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:In recent years, contrastive learning has become very powerful for representation learning using large-scale unlabeled data, by involving pre-trained encoders to fine-tune downstream classifiers. However, the latest research indicates that contrastive learning can potentially suffer from the risks of data poisoning attacks, where the attacker injects maliciously crafted poisoned samples into the unlabeled pre-training data. To step forward, in this paper, we present a more stealthy poisoning attack dubbed PA-CL to directly poison the pre-trained encoder, such that the downstream classifier's behavior on a single target instance to the attacker-desired class can be manipulated without affecting the overall downstream classification performance. We observe that a high similarity exists between the feature representation generated by the poisoned pre-trained encoder for the target sample and samples from the attacker-desired class. This leads to the downstream classifier misclassifying the target sample with the attacker-desired class. Therefore, we formulate our attack as an optimization problem, and design two novel loss functions, namely, the target effectiveness loss to effectively poison the pre-trained encoder, and the model utility loss to maintain the downstream classification performance. Experimental results on four real-world datasets demonstrate that the attack success rate of the proposed attack is 40% higher on average than that of the three baseline attacks, and the fluctuation of the downstream classifier's prediction accuracy is within 5%.

computer science, theory & methods,engineering, electrical & electronic

Quang H. Nguyen,Nguyen Ngoc-Hieu,The-Anh Ta,Thanh Nguyen-Tang,Kok-Seng Wong,Hoang Thanh-Tung,Khoa D. Doan

2024-07-16

Abstract:Deep neural networks are vulnerable to backdoor attacks, a type of adversarial attack that poisons the training data to manipulate the behavior of models trained on such data. Clean-label attacks are a more stealthy form of backdoor attacks that can perform the attack without changing the labels of poisoned data. Early works on clean-label attacks added triggers to a random subset of the training set, ignoring the fact that samples contribute unequally to the attack's success. This results in high poisoning rates and low attack success rates. To alleviate the problem, several supervised learning-based sample selection strategies have been proposed. However, these methods assume access to the entire labeled training set and require training, which is expensive and may not always be practical. This work studies a new and more practical (but also more challenging) threat model where the attacker only provides data for the target class (e.g., in face recognition systems) and has no knowledge of the victim model or any other classes in the training set. We study different strategies for selectively poisoning a small set of training samples in the target class to boost the attack success rate in this setting. Our threat model poses a serious threat in training machine learning models with third-party datasets, since the attack can be performed effectively with limited information. Experiments on benchmark datasets illustrate the effectiveness of our strategies in improving clean-label backdoor attacks.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Yiwei Lu,Matthew Y. R. Yang,Gautam Kamath,Yaoliang Yu

2024-02-20

Abstract:Machine learning models have achieved great success in supervised learning tasks for end-to-end training, which requires a large amount of labeled data that is not always feasible. Recently, many practitioners have shifted to self-supervised learning methods that utilize cheap unlabeled data to learn a general feature extractor via pre-training, which can be further applied to personalized downstream tasks by simply training an additional linear layer with limited labeled data. However, such a process may also raise concerns regarding data poisoning attacks. For instance, indiscriminate data poisoning attacks, which aim to decrease model utility by injecting a small number of poisoned data into the training set, pose a security risk to machine learning models, but have only been studied for end-to-end supervised learning. In this paper, we extend the exploration of the threat of indiscriminate attacks on downstream tasks that apply pre-trained feature extractors. Specifically, we propose two types of attacks: (1) the input space attacks, where we modify existing attacks to directly craft poisoned data in the input space. However, due to the difficulty of optimization under constraints, we further propose (2) the feature targeted attacks, where we mitigate the challenge with three stages, firstly acquiring target parameters for the linear head; secondly finding poisoned features by treating the learned feature representations as a dataset; and thirdly inverting the poisoned features back to the input space. Our experiments examine such attacks in popular downstream tasks of fine-tuning on the same dataset and transfer learning that considers domain adaptation. Empirical results reveal that transfer learning is more vulnerable to our attacks. Additionally, input space attacks are a strong threat if no countermeasures are posed, but are otherwise weaker than feature targeted attacks.

Machine Learning,Cryptography and Security

Yiyong Liu,Michael Backes,Xiao Zhang

2024-06-06

Abstract:We consider availability data poisoning attacks, where an adversary aims to degrade the overall test accuracy of a machine learning model by crafting small perturbations to its training data. Existing poisoning strategies can achieve the attack goal but assume the victim to employ the same learning method as what the adversary uses to mount the attack. In this paper, we argue that this assumption is strong, since the victim may choose any learning algorithm to train the model as long as it can achieve some targeted performance on clean data. Empirically, we observe a large decrease in the effectiveness of prior poisoning attacks if the victim employs an alternative learning algorithm. To enhance the attack transferability, we propose Transferable Poisoning, which first leverages the intrinsic characteristics of alignment and uniformity to enable better unlearnability within contrastive learning, and then iteratively utilizes the gradient information from supervised and unsupervised contrastive learning paradigms to generate the poisoning perturbations. Through extensive experiments on image benchmarks, we show that our transferable poisoning attack can produce poisoned samples with significantly improved transferability, not only applicable to the two learners used to devise the attack but also to learning algorithms and even paradigms beyond.

Cryptography and Security,Machine Learning

Kunhong Wu,Yucheng Shi,Yahong Han,Yunfeng Shao,Bingshuai Li,Qi Tian

DOI: https://doi.org/10.48550/arXiv.2107.10174

2021-08-29

Abstract:In recent years, researchers have been paying increasing attention to the threats brought by deep learning models to data security and privacy, especially in the field of domain adaptation. Existing unsupervised domain adaptation (UDA) methods can achieve promising performance without transferring data from source domain to target domain. However, UDA with representation alignment or self-supervised pseudo-labeling relies on the transferred source models. In many data-critical scenarios, methods based on model transferring may suffer from membership inference attacks and expose private data. In this paper, we aim to overcome a challenging new setting where the source models cannot be transferred to the target domain. We propose Domain Adaptation without Source Model, which refines information from source model. In order to gain more informative results, we further propose Distributionally Adversarial Training (DAT) to align the distribution of source data with that of target data. Experimental results on benchmarks of Digit-Five, Office-Caltech, Office-31, Office-Home, and DomainNet demonstrate the feasibility of our method without model transferring.

Machine Learning