Core Concepts
Guided diffusion enables the synthesis of potent poisons and backdoors for neural networks, surpassing existing attacks.
Abstract
This content discusses the vulnerability of neural networks to data poisoning and backdoor attacks, highlighting the importance of base samples in crafting effective attacks. The use of guided diffusion to synthesize base samples from scratch is proposed as a method to enhance attack potency. The approach is evaluated on targeted data poisoning and backdoor attacks, demonstrating superior effectiveness compared to existing state-of-the-art methods. Various experiments are conducted on CIFAR-10 and ImageNet datasets, showcasing the success rates of the proposed attacks under different scenarios. Additionally, defenses against these attacks are explored, revealing the resilience of the proposed method against common defense mechanisms. Human evaluation confirms that the generated base samples maintain their clean-label status.
Introduction
Neural networks trained on web-scraped datasets are vulnerable to data tampering.
Adversaries can poison models by uploading malicious data.
Existing approaches start from randomly sampled clean data when crafting poisons.
Guided diffusion is used to synthesize potent poisons from scratch.
Methodology
Three-step process: generate base samples with guided diffusion, initialize an existing attack with these samples, then filter for the most effective poisons.
Base samples are optimized for the poisoning objective while maintaining image quality.
This boosts the effectiveness of existing state-of-the-art targeted data poisoning and backdoor attacks.
Experimental Results
Superior success rates are achieved in targeted data poisoning and backdoor attacks compared to existing methods.
Poisons are shown to transfer in black-box settings.
The proposed method effectively breaches common defense mechanisms.
Human Evaluation
Human annotators confirm that GDP base samples are clean-label.
Stats
"Modern neural networks are often trained on massive datasets."
"As a result of this insecure curation pipeline, an adversary can poison or backdoor the resulting model."
"Our Guided Diffusion Poisoning (GDP) base samples can be combined with any downstream poisoning or backdoor attack."
Quotes
"Guided diffusion enables us to optimize base samples specifically for the poisoning objective."
"Our approach achieves far higher success rates than previous state-of-the-art attacks."
"Humans perform at least as well classifying GDP base samples as they do on clean CIFAR-10 training samples."