PoisoningGuard: Provable Defense against Data Poisoning Attacks to Multi-label Classification

Download PDF

yanting wang, Guohao Lan, Jinyuan Jia

21 Sept 2023 (modified: 25 Mar 2024)ICLR 2024 Conference Withdrawn SubmissionEveryoneRevisionsBibTeX
Keywords: Certified defense, multi-label classification, data poisoning attacks
TL;DR: We propose PoisoningGuard, the first provable defense against data-poisoning attacks to multi-label classification.
Abstract: Different from multi-class classification where each testing input only has a single ground truth label, multi-label classification aims to make predictions for testing inputs with multiple ground-truth labels. Multi-label classification has many real-world applications such as disease detection, object recognition, document classification, just to name a few. Recent studies, however, showed that a multi-label classifier is vulnerable to data-poisoning attacks, where an attacker can poison the training dataset of the multi-label classifier such that the classifier makes predictions as the attacker desires. Existing provable defenses are all designed for multi-class classification and they achieve sub-optimal results when applying their robustness guarantees to multi-label classification (as we will demonstrate in this paper). In this work, we propose PoisoningGuard, the first provable defense against data-poisoning attacks to multi-label classification. In particular, we generalize two state-of-the-art multi-class certification methods, namely bagging and Deep Partition Aggregation (DPA), to multi-label classification. Our major technical contribution is to jointly consider multiple labels when deriving the provable robustness guarantees. We perform comprehensive evaluations on three datasets. Our experimental results show that our generalized methods significantly outperform bagging and DPA when applying them to multi-label classification. The code will be released.
Supplementary Material: pdf
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 3796