QUICK REVIEW

[Paper Review] Transferable Clean-Label Poisoning Attacks on Deep Neural Nets

Chen Zhu, Wei Huang | arXiv (Cornell University) | May 15, 2019
Adversarial Robustness in Machine Learning | References: 30 | Cited by: 136
One-sentence summary

This paper proposes a transferable clean-label poisoning method, the Convex Polytope Attack, which surrounds the target in feature space to induce misclassification and reaches a success rate above 50% while poisoning only about 1% of the training data.

ABSTRACT

Clean-label poisoning attacks inject innocuous looking (and "correctly" labeled) poison images into training data, causing a model to misclassify a targeted image after being trained on this data. We consider transferable poisoning attacks that succeed without access to the victim network's outputs, architecture, or (in some cases) training data. To achieve this, we propose a new "polytope attack" in which poison images are designed to surround the targeted image in feature space. We also demonstrate that using Dropout during poison creation helps to enhance transferability of this attack. We achieve transferable attack success rates of over 50% while poisoning only 1% of the training set.

Motivation and Goals

  • Highlight the security risk of clean-label data poisoning when data is scraped from the web.
  • Develop a model-agnostic poisoning strategy that transfers to unknown victim networks without access to outputs or architecture.
  • Improve attack transferability via a convex polytope in feature space.
  • Enhance transferability by using Dropout to simulate an ensemble of substitute models.
  • Explore the effectiveness of multi-layer and end-to-end training scenarios for the attack.

Proposed Method

  • Define a threat model in which the attacker has no access to the victim's outputs or parameters but can train substitute models on data from a similar distribution.
  • Propose the Convex Polytope Attack, which forces the target's feature vector to lie inside the convex hull of the poison features in every substitute model.
  • Formulate an optimization that minimizes the distance between the target's features and a convex combination of the poison features, subject to a bound on the perturbation applied to each poison image.
  • Solve the resulting non-convex problem with an alternating method: forward-backward splitting for the convex-combination coefficients, and a gradient step for the poison images.
  • Enhance transferability by (a) applying Dropout while crafting poisons to simulate an ensemble of substitute models, and (b) enforcing the polytope objective across multiple network layers.
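The coefficient sub-problem behind the polytope objective, as an added example that is not code from the paper or its authors: on constructed 3-D feature vectors, forward-backward splitting (a gradient step followed by projection onto the simplex) finds the convex combination of poison features closest to the target feature, and the zero-residual case shows why any linear head that assigns all poisons to one class must assign the target to it as well, which is the geometric reason the attack transfers across models and why the final layer alone cannot flag the target. The feature vectors, the linear head (w, b) and the function names are assumptions made for the example.

```python
# Added example (not from the paper): coefficient sub-problem of the Convex Polytope
# objective, solved by forward-backward splitting on the probability simplex.
from typing import List, Tuple

Vec = List[float]

def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))

def combine(coeffs: Vec, points: List[Vec]) -> Vec:
    """Convex combination sum_j c_j * p_j."""
    return [sum(c * p[i] for c, p in zip(coeffs, points)) for i in range(len(points[0]))]

def project_simplex(v: Vec) -> Vec:
    """Euclidean projection onto {c >= 0, sum c = 1} (sort-and-threshold algorithm)."""
    u = sorted(v, reverse=True)
    css, theta = 0.0, 0.0
    for j, uj in enumerate(u, start=1):
        css += uj
        if uj - (css - 1.0) / j > 0:
            theta = (css - 1.0) / j
    return [max(x - theta, 0.0) for x in v]

def hull_distance(target: Vec, poisons: List[Vec], steps: int = 3000) -> Tuple[float, Vec]:
    """min_c ||target - sum_j c_j poison_j|| over the simplex.
    A distance of ~0 means the target feature lies inside the poisons' convex hull."""
    k = len(poisons)
    c = [1.0 / k] * k
    # Conservative step size: 1 / (2 * trace(P P^T)) <= 1 / (2 * lambda_max(P P^T)).
    step = 1.0 / (2.0 * sum(dot(p, p) for p in poisons))
    for _ in range(steps):
        r = [a - b for a, b in zip(combine(c, poisons), target)]            # residual
        grad = [2.0 * dot(p, r) for p in poisons]                           # forward step
        c = project_simplex([ci - step * g for ci, g in zip(c, grad)])      # backward step
    r = [a - b for a, b in zip(combine(c, poisons), target)]
    return dot(r, r) ** 0.5, c

def score_is_inherited(w: Vec, b: float, target: Vec, poisons: List[Vec]) -> Tuple[float, float]:
    """For an in-hull target, a linear head's score w.x+b on the target equals the same
    convex combination of the poisons' scores: if every poison scores as class A, so does
    the target, whatever the head's weights are (why the attack transfers)."""
    _, c = hull_distance(target, poisons)
    direct = dot(w, target) + b
    inherited = sum(ci * (dot(w, p) + b) for ci, p in zip(c, poisons))
    return direct, inherited

# Constructed toy feature vectors (3-D) standing in for penultimate-layer features.
POISONS = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0], [1.0, 1.0, 1.0]]
TARGET_INSIDE = [0.5, 0.6, 0.7]      # = 0.1*p1 + 0.2*p2 + 0.3*p3 + 0.4*p4
TARGET_OUTSIDE = [-1.0, -1.0, 2.0]   # not in the hull
```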


This review was generated by AI and checked by a human editor.