Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models

Umer, Muhammad; Polikar, Robi

doi:10.48550/arxiv.2102.08355

Cited by 2 publications

(4 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Without any loss of generality, we assume that the target task is Task 1. To degrade the test time performance of the target task, the attacker can insert malicious samples into the training data of all non-target tasks (i.e., all tasks except Task 1 as done in our prior work [18]. However, in order to make the attack even more difficult to detect, we now restrict the attacker to add small amount of imperceptible misinformation only at the last task to degrade the test time performance of the first task.…”

Section: Experiments and Resultsmentioning

confidence: 99%

“…In preliminary stages of this work, we discussed vulnerability of importance based domain adaptation to poisoning attacks in [16], [17], the vulnerability of EWC under task incremental setting to perceptible backdoor attacks in [7], and the vulnerabilities of regularization and generative replay approaches considering only the simple MNIST dataset and where the attack was launched on all tasks in [18]. This effort significantly expands the prior work to not only the more challenging SVHN and CIFAR10 datasets, but also to a more realistic scenario where the attacker inserts imperceptible misinformation to only a single task (as opposed to all tasks in prior work) of its own choosing.…”

Section: A Regularization and Replay-based Continual Learningmentioning

confidence: 99%

“…Two major types of such attacks are [19]: i) causative (or poisoning) attacks, which add strategically-chosen malicious data points into the training data [16], [17], [20] to impair future generalization capabilities of the classifier; and ii) exploratory (or evasion) attacks, which exploit misclassification at the test time to discover a model's blind spots or to extract information about the data or the model itself [21]. Since CL involves retraining / updating the model with each new data, the adversary's choice in targeting CL algorithms is typically a poisoning attack [7], [18].…”

Section: Adversarial Machine Learning (Aml)mentioning

confidence: 99%

See 2 more Smart Citations

Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks

Umer

Dawson

Polikar

2020

2020 International Joint Conference on Neural Networks (IJCNN)

Self Cite

View full text Add to dashboard Cite

In this brief, we show that sequentially learning new information presented to a continual (incremental) learning model introduces new security risks: an intelligent adversary can introduce small amount of misinformation to the model during training to cause deliberate forgetting of a specific task or class at test time, thus creating "false memory" about that task. We demonstrate such an adversary's ability to assume control of the model by injecting "backdoor" attack samples to commonly used generative replay and regularization based continual learning approaches using continual learning benchmark variants of MNIST, as well as the more challenging SVHN and CIFAR 10 datasets. Perhaps most damaging, we show this vulnerability to be very acute and exceptionally effective: the backdoor pattern in our attack model can be imperceptible to human eye, can be provided at any point in time, can be added into the training data of even a single possibly unrelated task and can be achieved with as few as just 1% of total training dataset of a single task.

show abstract

Section: Experiments and Resultsmentioning

confidence: 99%

Section: A Regularization and Replay-based Continual Learningmentioning

confidence: 99%

Section: Adversarial Machine Learning (Aml)mentioning

confidence: 99%

See 1 more Smart Citation

Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks

Umer

Dawson

Polikar

2020

2020 International Joint Conference on Neural Networks (IJCNN)

Self Cite

View full text Add to dashboard Cite

show abstract

“…While several CL approaches have been proposed to avoid the problem of catastrophic forgetting, but recently it has been found that these approaches are extremely vulnerable to adversarial backdoor attacks [3]- [5], where an intelligent adversary can easily insert miniature amount of misinformation in the training data to deliberately or intentionally disturb the balance between stability and plasticity acquired by the CL model. More specifically, the goal of such an attack is to artificially increase the forgetting of the CL model on a explicitly targeted previously learned task.…”

Section: Introductionmentioning

confidence: 99%

Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models

Umer

Polikar

2021

2021 International Joint Conference on Neural Networks (IJCNN)

View full text Add to dashboard Cite

Continual learning approaches are useful as they help the model to learn new information (classes) sequentially, while also retaining the previously acquired information (classes). However, it has been shown that such approaches are extremely vulnerable to the adversarial backdoor attacks, where an intelligent adversary can introduce small amount of misinformation to the model in the form of imperceptible backdoor pattern during training to cause deliberate forgetting of a specific task or class at test time. In this work, we propose a novel defensive framework to counter such an insidious attack where, we use the attacker's primary strengthhiding the backdoor pattern by making it imperceptible to humans -against it, and propose to learn a perceptible (stronger) pattern (also during the training) that can overpower the attacker's imperceptible (weaker) pattern. We demonstrate the effectiveness of the proposed defensive mechanism through various commonly used replay-based (both generative and exact replay-based) continual learning algorithms using continual learning benchmark variants of CIFAR-10, CIFAR-100, and MNIST datasets. Most noteworthy, we show that our proposed defensive framework considerably improves the robustness of continual learning algorithms with no knowledge of the attacker's target task, attacker's target class, shape, size, and location of the attacker's pattern. Moreover, our defensive framework does not depend on the underlying continual learning algorithm and does not rely on detecting the attack samples and subsequently removing them from further consideration but it, instead, attempts to correctly classify even the attack samples and thus ensuring robustness in continual learning models. We term our defensive framework as Adversary Aware Continual Learning (AACL).INDEX TERMS Continual (incremental) learning, misinformation, false memory, backdoor attack, poisoning.

show abstract

Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models

Cited by 2 publications

References 20 publications

Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks

Targeted Forgetting and False Memory Formation in Continual Learners through Adversarial Backdoor Attacks

Adversarial Targeted Forgetting in Regularization and Generative Based Continual Learning Models

Contact Info

Product

Resources

About