Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability

Aghakhani, Hojjat; Meng, Dongyu; Wang, Yuxiang; Kruegel, Christopher; Vigna, Giovanni

doi:10.1109/eurosp51992.2021.00021

Cited by 45 publications

(31 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This type of data poisoning attacks only manipulate training data and labels without the need to modify testing data after the victim model is deployed. Training-only poisoning attacks include both untargeted attacks where the adversary aims to degrade model performance on normal testing data [995,997,998,999], and targeted attacks in which the adversary aims to change the behavior of the model on particular testing inputs [1000,1001,1002]. Below we introduce some typical approaches.…”

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

View full text Add to dashboard Cite

domains indexed by Google News. It contains 31 million documents with an average length of 793 BPE tokens. Like C4, it excludes examples with duplicate URLs. News dumps from December 2016 through March 2019 were used as training data, articles published in April 2019 from the April 2019 dump were used for evaluation. OpenWebText2(OWT2). OWT2 is an enhanced version of the original OpenWebTextCorpus, including content from multiple languages, document metadata, multiple dataset versions, and open source replication code, covering all Reddit submissions from 2005 up until April 2020. PubMed Central(PMC). PMC is a free full-text archive of biomedical and life sciences journal literature from the U.S. National Institutes of Health's National Library of Medicine (NIH/NLM). The dataset is updated daily. In addition to full-text articles, they contain corrections, retractions, and expressions of concern, as well as file lists that include metadata for articles in each dataset.PMC obtained by open registration in Amazon Web Services (AWS) includes The PMC Open Access Subset and The Author Manuscript Dataset. The PMC Open Access Subset includes all articles and preprints in PMC with a machine-readable Creative Commons license that allows reuse. The Author Manuscript Dataset includes accepted author manuscripts collected under a funder policy in PMC and made available in machine-readable formats for text mining. ArXiv. ArXiv is a repository of 1.7 million articles, with relevant features such as article titles, authors, categories, abstracts, full text PDFs, and more. It provides open access to academic articles, covering many subdisciplines from vast branches of physics to computer science to everything in between, including math, statistics, electrical engineering, quantitative biology, and economics, which is helpful to the potential downstream applications of the research field. In addition, the writing language of LaTeX also contributes to the study of language models. Colossal Clean Crawled Corpus(C4). C4 is a colossal, cleaned version of Common Crawl's web crawl corpus. It is based on Common Crawl dataset and was used to train the T5 text-to-text Transformer models. The cleaned English version of C4 has 364,868,901 training examples and 364,608 validation examples, while the uncleaned English version has 1,063,805,324 training examples and 1,065,029 validation examples; the realnewslike version has 13,799,838 training examples and 13,863 validation examples, while the webtextlike version has 4,500,788 training examples and 4,493 validation examples. Wiki-40B. Wikipedia (Wiki-40B) is a clean-up text collection containing more than 40 Wikipedia language editions of pages corresponding to entities. The dataset is split into train/validation/test sets for each language. The training set has 2,926,536 examples, the validation set has 163,597 examples, and the test set has 162,274 examples. Wiki-40B is cleaned by a page filter to remove ambiguous, redirected, deleted, and non-physical pages. CLUECorpus2020. CLUECorpus2020 ...

show abstract

Section: Training-only Poisoning Attacksmentioning

confidence: 99%

A Roadmap for Big Model

Yuan¹,

Zhao²,

Jiahong³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…A subset of such techniques, known as feature collisions (Shafahi et al, 2018;Goldblum et al, 2020), exploit the arrangement of the training examples in feature space to force the misclassification of a target example. Attacks such as Convex Polytope (Zhu et al, 2019) and Bullseye Polytope (Aghakhani et al, 2021), specifically target the unargmaxability weakness (Cover, 1967;Demeter et al, 2020) we elaborated on in the paper. While such attacks assume they are able to inject examples into a training set used for finetuning, this is not an unrealistic assumption.…”

Section: Broader Impactmentioning

confidence: 99%

Low-Rank Softmax Can Have Unargmaxable Classes in Theory but Rarely in Practice

Grivas¹,

Bogoychev²,

Lopez³

2022

Preprint

View full text Add to dashboard Cite

Classifiers in natural language processing (NLP) often have a large number of output classes. For example, neural language models (LMs) and machine translation (MT) models both predict tokens from a vocabulary of thousands. The Softmax output layer of these models typically receives as input a dense feature representation, which has much lower dimensionality than the output. In theory, the result is some words may be impossible to be predicted via argmax, irrespective of input features, and empirically, there is evidence this happens in small language models (Demeter et al., 2020). In this paper we ask whether it can happen in practical large language models and translation models. To do so, we develop algorithms to detect such unargmaxable tokens in public models. We find that 13 out of 150 models do indeed have such tokens; however, they are very infrequent and unlikely to impact model quality. We release our code so that others can inspect their models. 1

show abstract

“…These attacks come in various shapes and forms but can be categorised as: Evasion attacks intentionally perform targeted alterations to an image or video so as to confuse a machine learning system [75] in making a wrong prediction. Poisoning attacks [2] attempt to alter the dataset used to train an AI model. This type of attack occurs prior to the deployment of the AI system.…”

Section: Trustworthy Aimentioning

confidence: 99%

“…In combination with the drastic increase in quality fueled by the research in the area of image/video generation [25,63,83], DeepFakes pose a serious threat to society with far-reaching impacts. Some notable DeepFake examples include: a DeepFake of the US president Donald Trump in which he urges Belgian politicians to pull out of the Paris climate agreement 2 , a DeepFake of Meta CEO Mark Zuckerberg in which he gives a sinister speech about the influence of Facebook on its users 3 , and a fake video of US president Barack Obama during which he insults Donald Trump 4 .…”

Section: Introductionmentioning

confidence: 99%

The MeVer DeepFake Detection Service: Lessons Learnt from Developing and Deploying in the Wild

Baxevanakis¹,

Kordopatis-Zilos²,

Galopoulos³

et al. 2022

Preprint

View full text Add to dashboard Cite

Enabled by recent improvements in generation methodologies, DeepFakes have become mainstream due to their increasingly better visual quality, the increase in easy-to-use generation tools and the rapid dissemination through social media. This fact poses a severe threat to our societies with the potential to erode social cohesion and influence our democracies. To mitigate the threat, numerous DeepFake detection schemes have been introduced in the literature but very few provide a web service that can be used in the wild. In this paper, we introduce the MeVer DeepFake detection service, a web service detecting deep learning manipulations in images and video. We present the design and implementation of the proposed processing pipeline that involves a model ensemble scheme, and we endow the service with a model card for transparency. Experimental results show that our service performs robustly on the three benchmark datasets while being vulnerable to Adversarial Attacks. Finally, we outline our experience and lessons learned when deploying a research system into production in the hopes that it will be useful to other academic and industry teams. CCS CONCEPTS• Information systems → Multimedia information systems; Web services; Data analytics; • Security and privacy → Human and societal aspects of security and privacy.

show abstract

Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability

Cited by 45 publications

References 33 publications

A Roadmap for Big Model

A Roadmap for Big Model

Low-Rank Softmax Can Have Unargmaxable Classes in Theory but Rarely in Practice

The MeVer DeepFake Detection Service: Lessons Learnt from Developing and Deploying in the Wild

Contact Info

Product

Resources

About