Data Poisoning Attacks against Differentially Private Recommender Systems

Wadhwa, Soumya; Agrawal, Saurabh; Chaudhari, Harsh; Sharma, Deepthi; Achan, Kannan

doi:10.1145/3397271.3401301

Cited by 9 publications

(7 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several strategies are discussed in the literature to attack smart systems such as poisoning attacks, 27–32 evasion attacks, 30,33–35 and model extraction. 36,37 Interested readers are encouraged to refer to a recent publication.…”

Section: Related Workmentioning

confidence: 99%

“…Attackers' tactics (or strategy) involve the type of perturbations, the functions that create them, and how the attackers may launch the attack. 24,26 Several strategies are discussed in the literature to attack smart systems such as poisoning attacks, [27][28][29][30][31][32] evasion attacks, 30,[33][34][35] and model extraction. 36,37 Interested readers are encouraged to refer to a recent publication.…”

Section: Attacks Against MLmentioning

confidence: 99%

See 1 more Smart Citation

The robustness of popular multiclass machine learning models against poisoning attacks: Lessons and insights

Maabreh

Qolomany

et al. 2022

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

Despite the encouraging outcomes of machine learning and artificial intelligence applications, the safety of artificial intelligence–based systems is one of the most severe challenges that need further exploration. Data set poisoning is a severe problem that may lead to the corruption of machine learning models. The attacker injects data into the data set that are faulty or mislabeled by flipping the actual labels into the incorrect ones. The word “robustness” refers to a machine learning algorithm’s ability to cope with hostile situations. Here, instead of flipping the labels randomly, we use the clustering approach to choose the training samples for label changes to influence the classifiers’ performance and the distance-based anomaly detection capacity in quarantining the poisoned samples. According to our experiments on a benchmark data set, random label flipping may have a short-term negative impact on the classifier’s accuracy. Yet, an anomaly filter would discover on average 63% of them. On the contrary, the proposed clustering-based flipping might inject dormant poisoned samples until the number of poisoned samples is enough to influence the classifiers’ performance severely; on average, the same anomaly filter would discover 25% of them. We also highlight important lessons and observations during this experiment about the performance and robustness of popular multiclass learners against training data set–poisoning attacks that include: trade-offs, complexity, categories, poisoning resistance, and hyperparameter optimization.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Attacks Against MLmentioning

confidence: 99%

The robustness of popular multiclass machine learning models against poisoning attacks: Lessons and insights

Maabreh

Qolomany

et al. 2022

International Journal of Distributed Sensor Networks

View full text Add to dashboard Cite

show abstract

“…Recently, some studies have established a link between poisoning attacks and privacy (Ma et al, 2019;Cao et al, 2019), although these have been in different domains such as image classification (Geiping et al, 2021) and recommendation systems (Wadhwa et al, 2020), and with different types of attack to those considered herein. Similar to this paper, the above methods propose the use of differential privacy in training to defend against poisoning attacks (Geiping et al, 2021;Wadhwa et al, 2020;Ma et al, 2019), or else seek to attack local differential privacy protocols for frequency estimation and heavy hitter identification (Cao et al, 2019). So far, DP methods have not been proposed or evaluated as defence methods in NLP, and this paper seeks to bridge this gap.…”

Section: Attacks and Evaluationmentioning

confidence: 99%

“…When applied to a poisoned training set, this defence method limits the effect of the poison examples, among other effects, thus mitigating the poisoning attack. Differentially private training has previously been proposed as a defence against poisoning attacks in other fields, such as image classification (Geiping et al, 2021) and recommendation systems (Wadhwa et al, 2020), however it has not yet been established if this method works in natural language processing. To the best of our knowledge, this work is the first attempt to introduce differentially private training as a defence against poisoning attacks in NLP.…”

Section: Introductionmentioning

confidence: 99%

Mitigating Data Poisoning in Text Classification with Differential Privacy

Xu¹,

Wang²,

Guzmán³

et al. 2021

Findings of the Association for Computational Linguistics: EMNLP 2021

View full text Add to dashboard Cite

NLP models are vulnerable to data poisoning attacks. One type of attack can plant a backdoor in a model by injecting poisoned examples in training, causing the victim model to misclassify test instances which include a specific pattern. Although defences exist to counter these attacks, they are specific to an attack type or pattern. In this paper, we propose a generic defence mechanism by making the training process robust to poisoning attacks through gradient shaping methods, based on differentially private training. We show that our method is highly effective in mitigating, or even eliminating, poisoning attacks on text classification, with only a small cost in predictive accuracy.

show abstract

“…While originally developed to preserve user privacy, DP training also conveys a degree of resistance to data poisoning since modifications to a small number of samples can have only a limited impact on the resulting model ). Bounds on the poisoning vulnerability of recommendation systems that use DP matrix factorization techniques have been derived and tested empirically (Wadhwa et al 2020).…”

Section: Applications Of Data Poisoningmentioning

confidence: 99%

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Goldblum¹,

Tsipras²,

Xie³

et al. 2020

Preprint

View full text Add to dashboard Cite

As machine learning systems grow in scale, so do their training data requirements, forcing practitioners to automate and outsource the curation of training data in order to achieve stateof-the-art performance. The absence of trustworthy human supervision over the data collection process exposes organizations to security vulnerabilities; training data can be manipulated to control and degrade the downstream behaviors of learned models. The goal of this work is to systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space. In addition to describing various poisoning and backdoor threat models and the relationships among them, we develop their unified taxonomy.

show abstract

Data Poisoning Attacks against Differentially Private Recommender Systems

Cited by 9 publications

References 6 publications

The robustness of popular multiclass machine learning models against poisoning attacks: Lessons and insights

The robustness of popular multiclass machine learning models against poisoning attacks: Lessons and insights

Mitigating Data Poisoning in Text Classification with Differential Privacy

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Contact Info

Product

Resources

About