Transferable Availability Poisoning Attacks

Download PDF

Yiyong Liu, Michael Backes, Xiao Zhang

21 Sept 2023 (modified: 11 Feb 2024)Submitted to ICLR 2024EveryoneRevisionsBibTeX
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Keywords: Availability Data Poisoning Attacks, Poisoning Transferability
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Abstract: We study availability data poisoning attacks, where an adversary aims to degrade the overall test accuracy of a machine learning model by crafting imperceptible perturbations to its training data. Existing strategies can achieve the attack goal but usually assume that the victim employs the same training method as what the adversary uses to mount the attack. In this paper, we argue that this assumption is strong, since the victim may choose any learning algorithm to train the model as long as it achieves some targeted performance on clean data. In addition, we observe a large decrease in the effectiveness of prior poisoning attacks, when the victim uses a different learning paradigm to train the model, and marked differences in frequency-level characteristics between perturbations generated with different learners and attack methods. To enhance the attack transferability, we propose _Transferable Poisoning_, which generates high-frequency poisoning perturbations by alternately leveraging the gradient information with two specific algorithms respectively selected from supervised and unsupervised contrastive learning paradigms. Through extensive experiments on benchmark image datasets, we show that transferable poisoning can produce poisoned samples with significantly improved transferability, which not only applies to the two learners used to devise the attack but also works for learning algorithms and even paradigms beyond.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 3507