Availability Attacks Create Shortcuts

Yu, Da; Zhang, Huishuai; Chen, Wei; Yin, Jian; Liu, Tie-Yan

doi:10.48550/arxiv.2111.00898

Cited by 3 publications

(4 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior work has observed that the noise that poisons supervised learning tends to cluster according to the original class labels, and is linearly separable (Yu et al, 2021). We apply the same test on noise for attacking SimCLR and find the noise is not linearly separable.…”

Section: Discussionmentioning

confidence: 93%

“…We first show that indiscriminate poisoning attacks on supervised learning do not work well in the face of contrastive learning. Indiscriminate poisoning attacks against supervised learning tend to generate poisoning perturbations that are clustered according to the original class labels (Yu et al, 2021). Such a design is unlikely to be effective against contrastive learning since its representation learning does not involve any class labels.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Indiscriminate Poisoning Attacks on Unsupervised Contrastive Learning

He¹,

Zha²,

Katabi³

2022

Preprint

View full text Add to dashboard Cite

Indiscriminate data poisoning attacks are quite effective against supervised learning. However, not much is known about their impact on unsupervised contrastive learning (CL). This paper is the first to consider indiscriminate data poisoning attacks on contrastive learning, demonstrating the feasibility of such attacks, and their differences from indiscriminate poisoning of supervised learning. We also highlight differences between contrastive learning algorithms, and show that some algorithms (e.g., SimCLR) are more vulnerable than others (e.g., MoCo). We differentiate between two types of data poisoning attacks: sample-wise attacks, which add specific noise to each image, cause the largest drop in accuracy, but do not transfer well across SimCLR, MoCo, and BYOL. In contrast, attacks that use class-wise noise, though cause a smaller drop in accuracy, transfer well across different CL algorithms. Finally, we show that a new data augmentation based on matrix completion can be highly effective in countering data poisoning attacks on unsupervised contrastive learning.

show abstract

Section: Discussionmentioning

confidence: 93%

Section: Introductionmentioning

confidence: 99%

Indiscriminate Poisoning Attacks on Unsupervised Contrastive Learning

He¹,

Zha²,

Katabi³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Yu et al [75] suggest explaining the success of availability attacks from the perspective of shortcuts. They further adopt pre-trained models to extract useful features for mitigating model reliance on the shortcuts.…”

Section: Supplementary Material: Can Adversarial Training Be Manipula...mentioning

confidence: 99%

Can Adversarial Training Be Manipulated By Non-Robust Features?

Tao¹,

Liu²,

Wei³

et al. 2022

Preprint

View full text Add to dashboard Cite

Adversarial training, originally designed to resist test-time adversarial examples, has shown to be promising in mitigating training-time availability attacks. This defense ability, however, is challenged in this paper. We identify a novel threat model named stability attacks, which aims to hinder robust availability by slightly perturbing the training data. Under this threat, we find that adversarial training using a conventional defense budget provably fails to provide test robustness in a simple statistical setting when the non-robust features of the training data are reinforced by -bounded perturbation. Further, we analyze the necessity of enlarging the defense budget to counter stability attacks. Finally, comprehensive experiments demonstrate that stability attacks are harmful on benchmark datasets, and thus the adaptive defense is necessary to maintain robustness.

show abstract

“…Note that we consider the effectiveness of adding a small portion of poisoned data to D tr in this paper. While some other works (e.g., Huang et al (2021); Yu et al (2021); Fowl et al (2021)) consider a different problem: the attacker can directly modify up to the entire D tr . In practice, manipulating the existing D tr is not always feasible, while it is much easier for an attacker to add poisoned samples: for example, an attacker can actively manipulate datasets by sending corrupted samples directly to a dataset aggregator such as a chatbot, a spam filter, or user profile databases; the attacker can also passively manipulate datasets by placing poisoned data on the web and waiting for collection.…”

Section: Introductionmentioning

confidence: 99%

Indiscriminate Data Poisoning Attacks on Neural Networks

Lu¹,

Kamath²,

Yu³

2022

Preprint

View full text Add to dashboard Cite

Data poisoning attacks, in which a malicious adversary aims to influence a model by injecting "poisoned" data into the training process, have attracted significant recent attention. In this work, we take a closer look at existing poisoning attacks and connect them with old and new algorithms for solving sequential Stackelberg games. By choosing an appropriate loss function for the attacker and optimizing with algorithms that exploit second-order information, we design poisoning attacks that are effective on neural networks. We present efficient implementations that exploit modern auto-differentiation packages and allow simultaneous and coordinated generation of tens of thousands of poisoned points, in contrast to existing methods that generate poisoned points one by one. We further perform extensive experiments that empirically explore the effect of data poisoning attacks on deep neural networks.

show abstract

Availability Attacks Create Shortcuts

Cited by 3 publications

References 25 publications

Indiscriminate Poisoning Attacks on Unsupervised Contrastive Learning

Indiscriminate Poisoning Attacks on Unsupervised Contrastive Learning

Can Adversarial Training Be Manipulated By Non-Robust Features?

Indiscriminate Data Poisoning Attacks on Neural Networks

Contact Info

Product

Resources

About