From gradient attacks to data poisoning

23 Sept 2023 (modified: 25 Mar 2024). ICLR 2024 Conference Withdrawn Submission.
Keywords: data poisoning, safety, attacks, gradient attack, manipulation.
TL;DR: We show that data poisoning can mimic gradient attacks in non-convex neural networks training.
Abstract: Security concerns around gradient attacks, in which an adversary can inject a maliciously crafted gradient during training, have long been studied in distributed learning due to their proven harmfulness and the difficulty of defending against them. These attacks, however, have been argued to affect far fewer systems than data poisoning. In the latter, an attacker's power is reduced to only being able to inject data points into training sets, e.g. via legitimate-looking participation in an online service, or participation in a collaborative or open-source dataset. Even though an equivalence between the two attack modalities has been shown in convex settings (regression), this apparent difference in the attackers' power raises the question of whether the harm done by gradient attacks can be replicated by data poisoning ones in non-convex settings. In this paper, we show that data poisoning can sometimes mimic gradient availability attacks in a more practical deep learning setting. While data poisoning has mainly been used to perform targeted or backdoor attacks, we show that by borrowing a threat model from gradient attacks, we can successfully perform a data poisoning availability attack.
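The convex equivalence the abstract refers to can be seen directly for least-squares regression: the per-sample gradient (w·x − y)·x is linear in the sample, so an attacker who knows the current parameters w can choose one point (x, y) whose gradient is any vector g they want, and therefore can make a whole batch's mean gradient equal to any target, exactly as a gradient attacker would. The script below is an added example written for this page, not code from the paper; it assumes squared loss, full-batch gradient descent, noiseless synthetic data (constructed inline), and a white-box attacker who knows w and the clean batch, which is the knowledge the gradient-attack threat model grants. The closed form relies on the gradient being linear in (x, y); in a non-convex network the per-sample gradient is a nonlinear function of the sample, so no such formula exists and the question the paper studies is exactly whether the effect can still be reproduced there.

```python
# Added example (not from the paper): realising an attacker-chosen gradient
# with a single poisoned data point under least-squares loss.
# Assumptions (mine, not the paper's): loss 1/2 (w.x - y)^2, full-batch GD,
# noiseless synthetic data, attacker knows w and the clean batch.
import random


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def sub(a, b):
    return [ai - bi for ai, bi in zip(a, b)]


def norm(a):
    return dot(a, a) ** 0.5


def lsq_gradient(w, x, y):
    """Gradient of the per-sample loss 1/2 (w.x - y)^2 with respect to w."""
    residual = dot(w, x) - y
    return [residual * xi for xi in x]


def craft_poison_point(w, g, c=1.0):
    """Return (x, y) whose gradient at parameters w is exactly g.

    With x = c*g the gradient is (c*w.g - y) * c * g, so choosing
    y = c*w.g - 1/c makes the scalar factor equal to 1.  Any c != 0 works;
    c trades feature magnitude against label magnitude, which matters if a
    defender filters outliers in either.
    """
    if c == 0:
        raise ValueError("c must be non-zero")
    x = [c * gi for gi in g]
    y = c * dot(w, g) - 1.0 / c
    return x, y


def batch_gradient(w, data):
    """Mean per-sample gradient over a batch, i.e. what one GD step uses."""
    acc = [0.0] * len(w)
    for x, y in data:
        acc = [a + b for a, b in zip(acc, lsq_gradient(w, x, y))]
    return [a / len(data) for a in acc]


def train_step(w, data, lr):
    return sub(w, [lr * gi for gi in batch_gradient(w, data)])


def craft_poison_for_batch(w, clean, target_mean_grad, c=1.0):
    """One poison point that forces the batch mean gradient to target_mean_grad.

    The mean over clean + [poison] is (S + g_p)/(n+1), with S the sum of the
    clean per-sample gradients, so the poison gradient must be
    g_p = (n+1)*target - S.
    """
    n = len(clean)
    s = [0.0] * len(w)
    for x, y in clean:
        s = [a + b for a, b in zip(s, lsq_gradient(w, x, y))]
    g_p = [(n + 1) * t - si for t, si in zip(target_mean_grad, s)]
    return craft_poison_point(w, g_p, c)


def make_clean_data(w_true, n, seed=0):
    """Constructed noiseless synthetic data: y = w_true . x, x uniform in [-1, 1]."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = [rng.uniform(-1.0, 1.0) for _ in w_true]
        data.append((x, dot(w_true, x)))
    return data


def availability_attack_demo(lr=0.1):
    """One GD step, honest vs. with a single poison point that drives w away
    from w_true (an availability objective, not a targeted one)."""
    w_true = [1.0, -2.0, 0.5]
    w = [0.0, 0.0, 0.0]
    clean = make_clean_data(w_true, 20)
    # GD moves w by -lr*G, so G = w_true - w pushes w away from w_true.
    target = sub(w_true, w)
    poison = craft_poison_for_batch(w, clean, target)
    return {
        "start_dist": norm(sub(w, w_true)),
        "honest_dist": norm(sub(train_step(w, clean, lr), w_true)),
        "poisoned_dist": norm(sub(train_step(w, clean + [poison], lr), w_true)),
        "target_mean_grad": target,
        "achieved_mean_grad": batch_gradient(w, clean + [poison]),
        "poison_point": poison,
    }


if __name__ == "__main__":
    for key, value in availability_attack_demo().items():
        print(f"{key}: {value}")
```

The demo's honest step moves w toward w_true while the step that includes the single crafted point moves it away, with the batch mean gradient matching the attacker's target up to floating-point error. Two practical caveats the abstract's framing implies: the construction needs the current w at every step (the attacker must re-craft per iteration, as a gradient attacker would re-send), and the crafted point has large feature or label magnitude relative to the clean data, so in this convex toy a norm or residual filter on incoming samples would flag it; the paper's deep-learning setting is where such a closed form is unavailable.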
Primary Area: societal considerations including fairness, safety, privacy
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.
Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.
Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.
No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.
Submission Number: 8371