Guardado en:
Detalles Bibliográficos
Autores principales: Xu, William, Zhang, Chenyu, Wang, Yihan, Yang, Matthew Y. R., Liu, Zuoqiu, Kamath, Gautam, Yu, Yaoliang, Lu, Yiwei
Formato: Preprint
Publicado: 2025
Materias:
Acceso en línea:https://arxiv.org/abs/2509.06896
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866911708912549888
author Xu, William
Zhang, Chenyu
Wang, Yihan
Yang, Matthew Y. R.
Liu, Zuoqiu
Kamath, Gautam
Yu, Yaoliang
Lu, Yiwei
author_facet Xu, William
Zhang, Chenyu
Wang, Yihan
Yang, Matthew Y. R.
Liu, Zuoqiu
Kamath, Gautam
Yu, Yaoliang
Lu, Yiwei
contents Targeted data poisoning attacks manipulate model predictions on specific test samples by injecting malicious data into training. Yet existing evaluations report average attack success rates over randomly selected targets, obscuring true worst-case effectiveness. We argue that the right evaluation focuses on the hardest samples to poison. The same reasoning applies to defense: since targeted attacks leave no footprint at the distribution level, defenders should proactively identify the most vulnerable samples and apply targeted countermeasures. Given a test dataset, this paper identifies both the easiest and hardest to poison examples based on only clean model information. Specifically, we offer coarse evaluations using clean training dynamics, and fine-grained classification on poison class using poison distances and budgets. Our experiments show these metrics reliably stratify samples by poisoning vulnerability, enabling both rigorous worst-case evaluation and proactive vulnerability-aware defense.
format Preprint
id arxiv_https___arxiv_org_abs_2509_06896
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Are Targeted Data Poisoning Attacks as Effective as We Think?
Xu, William
Zhang, Chenyu
Wang, Yihan
Yang, Matthew Y. R.
Liu, Zuoqiu
Kamath, Gautam
Yu, Yaoliang
Lu, Yiwei
Machine Learning
Targeted data poisoning attacks manipulate model predictions on specific test samples by injecting malicious data into training. Yet existing evaluations report average attack success rates over randomly selected targets, obscuring true worst-case effectiveness. We argue that the right evaluation focuses on the hardest samples to poison. The same reasoning applies to defense: since targeted attacks leave no footprint at the distribution level, defenders should proactively identify the most vulnerable samples and apply targeted countermeasures. Given a test dataset, this paper identifies both the easiest and hardest to poison examples based on only clean model information. Specifically, we offer coarse evaluations using clean training dynamics, and fine-grained classification on poison class using poison distances and budgets. Our experiments show these metrics reliably stratify samples by poisoning vulnerability, enabling both rigorous worst-case evaluation and proactive vulnerability-aware defense.
title Are Targeted Data Poisoning Attacks as Effective as We Think?
topic Machine Learning
url https://arxiv.org/abs/2509.06896