Core Concepts
The authors present a new attack called HIDRA that subverts the claimed dimension-independent bias bounds of provable defenses against poisoning attacks in high-dimensional machine learning settings. HIDRA highlights a fundamental computational bottleneck in these defenses, leading to a bias that scales with the number of dimensions.
Abstract
The paper focuses on the problem of Byzantine robust aggregation, where a fraction ϵ of input vectors can be arbitrarily corrupted by an adversary during the training of machine learning models. The authors analyze the limitations of existing robust aggregation algorithms, which either provide weak bias bounds that grow with the number of dimensions or require computationally expensive operations that become infeasible in high dimensions.
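The setup above can be illustrated with a minimal sketch. The snippet below uses a coordinate-wise trimmed mean, one of the simple "weak" aggregators whose bias grows with the dimension; it is an illustrative stand-in, not one of the paper's strong aggregators, and the parameters (n, d, ϵ, the attack vector at 50.0) are arbitrary choices for the demo.

```python
import numpy as np

rng = np.random.default_rng(0)
n, d, eps = 100, 10, 0.2           # n inputs, dimension d, corruption fraction eps
k = int(eps * n)                   # number of adversarially corrupted vectors

honest = rng.normal(0.0, 1.0, size=(n - k, d))   # honest gradients ~ N(0, I)
poisoned = np.full((k, d), 50.0)                 # adversary pushes far in one direction
inputs = np.vstack([honest, poisoned])

naive = inputs.mean(axis=0)        # plain mean: pulled arbitrarily far by the attacker

def trimmed_mean(x, eps):
    """Coordinate-wise trimmed mean: drop the eps-fraction tails per coordinate."""
    m = int(eps * len(x))
    s = np.sort(x, axis=0)
    return s[m:len(x) - m].mean(axis=0)

robust = trimmed_mean(inputs, eps)  # the extreme poisoned values are trimmed away

print(np.linalg.norm(naive), np.linalg.norm(robust))
```

Strong robust aggregators (e.g., filtering-based methods) improve on this by guaranteeing a bias of O(√ϵ)·σ independent of d, but at a much higher computational cost, which is exactly the tension the paper examines.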
The key contributions are:
The authors propose a new attack called HIDRA that, in low-dimensional settings, induces a bias matching the theoretical upper bounds of strong robust aggregators, demonstrating that the prior theoretical analyses are tight.
More importantly, the authors identify a fundamental computational bottleneck in the practical realization of strong robust aggregators in high dimensions. Existing defenses must split the high-dimensional vectors into smaller chunks to keep the computation tractable. HIDRA exploits this chunking procedure to induce a near-optimal bias of Ω(√ϵd) per chunk, so the total bias scales with the number of dimensions.
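The chunking structure that HIDRA targets can be sketched as follows. This is a schematic of the general pattern, not the paper's actual implementation: `aggregator` is a placeholder for whatever per-chunk robust routine a defense uses, and the per-chunk biases accumulate in squared norm across chunks, which is why a dimension-independent per-chunk guarantee does not translate into a dimension-independent total guarantee.

```python
import numpy as np

def chunked_aggregate(vectors, chunk_size, aggregator):
    """Apply a robust aggregator independently to fixed-size chunks of coordinates.

    Practical strong aggregators resort to this kind of chunking because running
    them on the full d-dimensional vectors is computationally infeasible. If an
    attacker plants a bias of norm beta in each of the d/chunk_size chunks, the
    total bias norm is beta * sqrt(d / chunk_size), i.e., it grows with d.
    """
    n, d = vectors.shape
    out = np.empty(d)
    for start in range(0, d, chunk_size):
        chunk = vectors[:, start:start + chunk_size]
        out[start:start + chunk_size] = aggregator(chunk)
    return out

# Sanity check with a trivial aggregator: chunking the plain mean reproduces it.
x = np.random.default_rng(1).normal(size=(5, 12))
full_mean = x.mean(axis=0)
chunked = chunked_aggregate(x, chunk_size=4, aggregator=lambda c: c.mean(axis=0))
```

The key point is that each chunk is aggregated without reference to the others, so an attacker who can force the worst-case bias inside one chunk can force it in every chunk simultaneously.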
The authors provide a formal analysis to prove the optimality of their HIDRA attack against practical realizations of strong robust aggregators. They also show that the computational bottleneck targeted by HIDRA is fundamental to the problem of robust aggregation in general.
Experimental results demonstrate that HIDRA consistently leads to a drastic drop in the accuracy of trained models, even when using state-of-the-art strong robust aggregators, in contrast to prior attacks.
The paper leaves the arms race between poisoning attacks and provable defenses wide open, highlighting the challenges in designing practical and provably robust aggregation algorithms for high-dimensional machine learning.
Quotes
"HIDRA highlights a novel computational bottleneck that has not been a concern of prior information-theoretic analysis."
"Our findings leave the arms race between poisoning attacks and provable defenses wide open."
"The computational bottleneck targeted by HIDRA is fundamental to the problem of robust aggregation in general, not specific to a single algorithm."