TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali Shafahi, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein * equal contribution ^ presenter
WHAT IS POISONING? [figure: training data (classes Plane and Frog, including a Base image) and a testing example; the Base image plus a small perturbation gives the Poison! that is added to the training data]
WHITE BOX CASE Victim network is known
COLLISION ATTACK (feature extractor f known): craft the poison $x = \arg\min_x \|f(x) - f(t)\|^2 + \|x - b\|^2$ for target t and base b [figure: decision boundary, Base, Target]
BLACK BOX CASE Victim network is unknown
BLACK BOX ATTACK (guess the model): craft the poison $x = \arg\min_x \|f_{\text{guess}}(x) - f_{\text{guess}}(t)\|^2 + \|x - b\|^2$ [figure: decision boundary, Base, Target; outcome: MISS!]
CONVEX POLYTOPE ATTACK [figure: decision boundary, Base, Target] Zhu et al. "Transferable clean-label poisoning attacks"
POISON POLYTOPE [figure: Target (fish) surrounded by Clean and Poison feature points]
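The polytope pictures above rest on one geometric fact: if the target's feature vector is a convex combination of the poisons' feature vectors, then any linear classifier that puts all poisons on one side of its boundary puts the target on that side too, regardless of which classifier the victim ends up training. The following added example (not the paper's code, not from the authors' repository) checks that fact on constructed 2-D features with a hypothetical linear classifier; it also shows the converse case that the black-box "MISS!" slide illustrates, where a target outside the poisons' hull is not pulled across the boundary.

```python
# Added toy example: the convex-hull condition behind the convex polytope attack,
# in a 2-D feature space. All feature vectors and classifier weights below are
# constructed for illustration; they are not values from the paper.

from typing import Dict, List, Optional, Sequence, Tuple

Vec = Tuple[float, float]

# Constructed feature vectors of three training points that all carry one label.
POISON_FEATS: List[Vec] = [(1.0, 1.0), (5.0, 1.0), (3.0, 5.0)]
TARGET_INSIDE: Vec = (3.0, 2.0)   # lies inside the triangle above
TARGET_OUTSIDE: Vec = (0.0, 0.0)  # lies outside it


def barycentric_coords(t: Vec, p: Sequence[Vec]) -> Optional[List[float]]:
    """Solve t = c1*p1 + c2*p2 + c3*p3 with c1 + c2 + c3 = 1 for three points in 2-D.
    Returns [c1, c2, c3], or None if the three points are collinear."""
    (x1, y1), (x2, y2), (x3, y3) = p
    det = (y2 - y3) * (x1 - x3) + (x3 - x2) * (y1 - y3)
    if abs(det) < 1e-12:
        return None
    c1 = ((y2 - y3) * (t[0] - x3) + (x3 - x2) * (t[1] - y3)) / det
    c2 = ((y3 - y1) * (t[0] - x3) + (x1 - x3) * (t[1] - y3)) / det
    return [c1, c2, 1.0 - c1 - c2]


def inside_polytope(t: Vec, p: Sequence[Vec], tol: float = 1e-9) -> bool:
    """True when t is a convex combination of p (all coefficients non-negative)."""
    c = barycentric_coords(t, p)
    return c is not None and all(ci >= -tol for ci in c)


def linear_score(w: Vec, b: float, x: Vec) -> float:
    """Signed distance-like score of a linear classifier; positive = poison label."""
    return w[0] * x[0] + w[1] * x[1] + b


def analyse(t: Vec, p: Sequence[Vec], w: Vec, b: float) -> Dict[str, object]:
    """Score the vertices and the target under a given linear classifier, and, when the
    target is inside the hull, rebuild its score as the convex combination of vertex
    scores (the bias term survives because the coefficients sum to one)."""
    vertex_scores = [linear_score(w, b, pj) for pj in p]
    target_score = linear_score(w, b, t)
    coords = barycentric_coords(t, p)
    combo = None
    if coords is not None and inside_polytope(t, p):
        combo = sum(ci * si for ci, si in zip(coords, vertex_scores))
    return {
        "inside": inside_polytope(t, p),
        "vertex_scores": vertex_scores,
        "target_score": target_score,
        "score_from_vertices": combo,
        "all_vertices_poison_side": all(s > 0 for s in vertex_scores),
        "target_poison_side": target_score > 0,
    }


if __name__ == "__main__":
    # Hypothetical victim classifier that puts every poison on the positive side.
    print(analyse(TARGET_INSIDE, POISON_FEATS, (1.0, -0.2), 0.0))
    # A different classifier, also positive on every poison, but the target is
    # outside the hull, so nothing forces it to the positive side.
    print(analyse(TARGET_OUTSIDE, POISON_FEATS, (1.0, 0.0), -0.5))
```

The inside case reproduces the target score exactly as a weighted average of the vertex scores, so it can never fall below the smallest vertex score; the outside case shows a classifier that is positive on all three vertices yet negative on the target, which is the failure mode a single guessed feature extractor runs into.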
COME SEE POSTER #68!
[figure: pipeline from data scraped from the web, through correctly labelled poisons and a trained neural net, to a wrong test prediction on the "hook" target]
• Attack success rate ~50% on unknown architectures
• Works under many scenarios: no training data overlap; transfer learning and end-to-end training
• No drop in overall test accuracy
• Link to paper & code