Saved in:
Bibliographic Details
Main Authors: Alex, Neel, Siddiqui, Shoaib Ahmed, Sanyal, Amartya, Krueger, David
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2408.13221
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917756595601408
author Alex, Neel
Siddiqui, Shoaib Ahmed
Sanyal, Amartya
Krueger, David
author_facet Alex, Neel
Siddiqui, Shoaib Ahmed
Sanyal, Amartya
Krueger, David
contents Current backdoor defense methods are evaluated against a single attack at a time. This is unrealistic, as powerful machine learning systems are trained on large datasets scraped from the internet, which may be attacked multiple times by one or more attackers. We demonstrate that simultaneously executed data poisoning attacks can effectively install multiple backdoors in a single model without substantially degrading clean accuracy. Furthermore, we show that existing backdoor defense methods do not effectively prevent attacks in this setting. Finally, we leverage insights into the nature of backdoor attacks to develop a new defense, BaDLoss, that is effective in the multi-attack setting. With minimal clean accuracy degradation, BaDLoss attains an average attack success rate in the multi-attack setting of 7.98% in CIFAR-10 and 10.29% in GTSRB, compared to the average of other defenses at 64.48% and 84.28% respectively.
format Preprint
id arxiv_https___arxiv_org_abs_2408_13221
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Protecting against simultaneous data poisoning attacks
Alex, Neel
Siddiqui, Shoaib Ahmed
Sanyal, Amartya
Krueger, David
Machine Learning
Current backdoor defense methods are evaluated against a single attack at a time. This is unrealistic, as powerful machine learning systems are trained on large datasets scraped from the internet, which may be attacked multiple times by one or more attackers. We demonstrate that simultaneously executed data poisoning attacks can effectively install multiple backdoors in a single model without substantially degrading clean accuracy. Furthermore, we show that existing backdoor defense methods do not effectively prevent attacks in this setting. Finally, we leverage insights into the nature of backdoor attacks to develop a new defense, BaDLoss, that is effective in the multi-attack setting. With minimal clean accuracy degradation, BaDLoss attains an average attack success rate in the multi-attack setting of 7.98% in CIFAR-10 and 10.29% in GTSRB, compared to the average of other defenses at 64.48% and 84.28% respectively.
title Protecting against simultaneous data poisoning attacks
topic Machine Learning
url https://arxiv.org/abs/2408.13221