Poisoning Attack Analysis - Jeffrey Zhang



SLIDE 1

Poisoning Attack Analysis

Jeffrey Zhang

SLIDE 2

Universal Multi-Party Poisoning Attacks

Saeed Mahloujifar · Mohammad Mahmoody · Ameer Mohammed, ICML 2019

SLIDE 3

Multi-party Learning Application: Federated Learning

Federated Learning: train a centralized model on training data that stays distributed over a large number of clients.

Example: your phone personalizes the model locally, based on your usage (A). Many users' updates are aggregated (B) to form a consensus change (C) to the shared model.

SLIDE 4

Federated Learning Example

When Gboard shows a suggested query, your phone locally stores information about the current context and whether you clicked the suggestion. Federated Learning processes that history on-device to suggest improvements to the next iteration of Gboard's query suggestion model.

SLIDE 5

Abstract

(k,p)-poisoning attack on multi-party learning

  • The adversary controls k out of m parties
  • A controlled party submits poisoned data with probability p

○ A 1-p fraction of the corrupted parties' data is still honestly generated

  • The bad property B (the property the attack tries to induce) becomes more likely

○ Its probability increases from μ to μ^(1-p·k/m) (see slide 13)

SLIDE 6

Tampering Distributions/Algorithm

y_i is sampled iteratively:

  • If i is in some set S ("tamperable" blocks)

○ y_i is sampled according to some tampering algorithm T

  • Otherwise

○ y_i is sampled honestly, from the conditional distribution (x_i | x_≤i-1 = y_≤i-1)

Figure labels: "Joint distribution of n components (each block is data collected from data sources)" for the untampered x, and "Joint distribution resulting from online tampering of T" for the tampered y.

SLIDE 7

Rejection Sampling Tampering

Define a protocol whose final bit is 1 if the learned hypothesis h has the bad property B.

SLIDE 8

Modified Rejection Sampling Algorithm

How do we show the desired property, namely that this tampering method increases the probability of B from μ to μ^(1-q)?

SLIDE 9

SLIDE 10

SLIDE 11

Rejection Sampling Algorithm Condition

(See Claim 3.9 and Claim 3.11 in the paper.)

SLIDE 12

Tampering Algorithm

y_i is sampled iteratively:

  • If i is in some P-covering set S ("tamperable" blocks)

○ y_i is sampled according to Rejection Sampling Tampering

  • Otherwise

○ y_i is sampled honestly, from the conditional distribution (x_i | x_≤i-1 = y_≤i-1)

Figure labels: "Joint distribution of n components (each block is data collected from data sources)" for the untampered x, and "Joint distribution resulting from online tampering of T" for the tampered y.

SLIDE 13

Original Condition Holds

  • The probability of the bad property B increases from μ to μ^(1-p·k/m)

○ Define f to be a boolean function
○ = =
○ This is a q-tampering attack with q = p · k/m (the probability that a given message is picked for tampering)
  ■ k adversaries among m parties
  ■ μ^(1-q) = μ^(1-p·k/m)

  • A 1-p fraction of the corrupted parties' data is still honestly generated
SLIDE 14

Trojaning Attack on Neural Networks

Liu et al. NDSS 2018

SLIDE 15

Trojaning Attacks

Trojan trigger (attack trigger): the presence of this trigger in the input causes the malicious behaviour in the model.

[Figure: Original Image | Trojan Trigger | Attacked Image]

SLIDE 16

SLIDE 17

SLIDE 18

Attack Overview

SLIDE 19

1) Trojan Trigger Generation

  • Neuron selection: select the neuron with the highest connectivity
  • Generate the input trigger that induces high activation in the selected neuron

SLIDE 20

Trojan Trigger Generation Visualizations

SLIDE 21

2) Training Data Generation

  • Generate input that highly activates the output neuron
  • Two sets of training data: one to inject the trojan behaviour and one to retain the benign behaviour

SLIDE 22

Denoising Visualizations

  • Sharp differences between neighboring pixels: the model may use these for prediction

SLIDE 23

3) Model retraining

  • Retrain on both sets of training data
  • Retrain only part of the model (the layers between the selected neuron and the output layer)

SLIDE 24

Results

Tasks: face recognition, speech recognition, age recognition, sentence attitude recognition, and autonomous driving

SLIDE 25

Face Recognition

SLIDE 26

Speech Recognition

  • The speech recognition model takes in audio and generates the corresponding text.
  • The trojan trigger is the 'sss' at the beginning.

SLIDE 27

Autonomous Driving: Normal Run

SLIDE 28

Autonomous Driving: Trojaned Run

SLIDE 29

Ablation Studies - Neuron Layer

SLIDE 30

Ablation Studies - Number of Neurons

[Charts: Face recognition | Speech recognition]

SLIDE 31

Ablation Study - Mask Size

Larger size -> different image distribution?

SLIDE 32

Ablation Study - Mask Shape

A larger watermark spreads across the whole image, so the corresponding neurons have less chance of being pooled and passed on to other neurons.

SLIDE 33

Defenses

Examine the distribution of wrongly predicted results.
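One way to turn this check into a concrete test, as an added example that is not from the paper or these slides: Liu et al. observe that a trojaned model's misclassifications pile up on the trojan target label, so on a clean validation set the histogram of wrong predictions is far more skewed than a benign model's. The (true, predicted) pairs below are constructed, and the 0.5 share threshold is an assumed cut-off.

```python
"""Defence check: is the distribution of a model's wrong predictions skewed?"""
from collections import Counter
import math

# Constructed (true_label, predicted_label) pairs from a clean validation set
# with five classes; not real model output.  The benign model's errors are
# spread over several labels, the trojaned model's errors funnel into label 3.
BENIGN_PREDS = [(0, 0), (0, 1), (1, 1), (1, 2), (2, 2), (2, 4), (3, 3), (3, 0),
                (4, 4), (4, 1), (0, 0), (1, 1), (2, 2), (3, 3), (4, 2)]
TROJANED_PREDS = [(0, 0), (0, 3), (1, 1), (1, 3), (2, 2), (2, 3), (3, 3), (3, 3),
                  (4, 4), (4, 3), (0, 0), (1, 3), (2, 1), (4, 4), (0, 3)]


def wrong_prediction_distribution(pairs):
    """Histogram of predicted labels over the misclassified samples only."""
    return Counter(pred for true, pred in pairs if true != pred)


def normalized_entropy(counts):
    """Entropy of the error histogram scaled to [0, 1] by log(#labels seen):
    1.0 means errors are spread evenly, 0.0 means they all hit one label."""
    total = sum(counts.values())
    if total == 0 or len(counts) < 2:
        return 0.0
    h = -sum(c / total * math.log(c / total) for c in counts.values())
    return h / math.log(len(counts))


def flag_skewed_errors(pairs, max_share=0.5):
    """Flag a model when one label receives at least max_share of all errors.
    max_share=0.5 is an assumed cut-off; tune it on known-clean models.
    Returns None when there are no errors to judge."""
    dist = wrong_prediction_distribution(pairs)
    total = sum(dist.values())
    if total == 0:
        return None
    label, count = dist.most_common(1)[0]
    return {
        "suspect_label": label,
        "share": count / total,
        "entropy": normalized_entropy(dist),
        "flagged": count / total >= max_share,
    }


if __name__ == "__main__":
    for name, preds in (("benign", BENIGN_PREDS), ("trojaned", TROJANED_PREDS)):
        print(name, flag_skewed_errors(preds))
```

The skew is only a signal: compare it against the same architecture trained on known-clean data, since a genuinely confusable class can also absorb a large share of errors.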

SLIDE 34

Thanks