SLIDE 1
Chen Zhu*, W. Ronny Huang*^, Ali Shafahi, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein * equal contribution ^ presenter
TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS - - PowerPoint PPT Presentation
TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS - - PowerPoint PPT Presentation
TRANSFERABLE CLEAN-LABEL POISONING ATTACKS ON DEEP NEURAL NETS Chen Zhu*, W. Ronny Huang*^, Ali Shafahi, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein * equal contribution ^ presenter WHAT IS POISONING? Training data Testing
SLIDE 2
SLIDE 3
Training data Base Testing example Plane Poison! + = Frog
WHAT IS POISONING?
SLIDE 4
Training data Base Testing example Plane Poison! + = Frog
WHAT IS POISONING?
SLIDE 5
WHITE BOX CASE
Victim network is known
SLIDE 6
COLLISION ATTACK
Decision boundary Base Target Feature extractor
arg min
x kf(x) f(t)k2 + kx bk2
<latexit sha1_base64="htNMwdaL3ufABG2uTJC46Ezv8t0=">ACFHicbVDLTgIxFO3gC/GFunTSEwgBDKDJrokunGJiTwSZpx0Sgca2s6k7RgI8hFu/BU3LjTGrQt3/o3lsVDwJM09PefetPcEMaNK2/a3lVpZXVvfSG9mtrZ3dvey+wcNFSUSkzqOWCRbAVKEUHqmpGWrEkiAeMNIP+1cRv3hOpaCRu9TAmHkdQUOKkTaSny26SHahy6nwB9B9gGF+UIAlU3TBXO8qsGjKoBRMuJ/N2WV7CrhMnDnJgTlqfvbL7UQ4URozJBSbceOtTdCUlPMyDjJorECPdRl7QNFYgT5Y2mS43hiVE6MIykOULDqfp7YoS4UkMemE6OdE8tehPxP6+d6PDCG1ERJ5oIPHsoTBjUEZwkBDtUEqzZ0BCEJTV/hbiHJMLa5JgxITiLKy+TRqXsnJYrN2e56uU8jQ4AscgDxwDqrgGtRAHWDwCJ7BK3iznqwX6936mLWmrPnMIfgD6/MH/2ubow=</latexit> SLIDE 7
Decision boundary Base Target
COLLISION ATTACK
arg min
x kf(x) f(t)k2 + kx bk2
<latexit sha1_base64="htNMwdaL3ufABG2uTJC46Ezv8t0=">ACFHicbVDLTgIxFO3gC/GFunTSEwgBDKDJrokunGJiTwSZpx0Sgca2s6k7RgI8hFu/BU3LjTGrQt3/o3lsVDwJM09PefetPcEMaNK2/a3lVpZXVvfSG9mtrZ3dvey+wcNFSUSkzqOWCRbAVKEUHqmpGWrEkiAeMNIP+1cRv3hOpaCRu9TAmHkdQUOKkTaSny26SHahy6nwB9B9gGF+UIAlU3TBXO8qsGjKoBRMuJ/N2WV7CrhMnDnJgTlqfvbL7UQ4URozJBSbceOtTdCUlPMyDjJorECPdRl7QNFYgT5Y2mS43hiVE6MIykOULDqfp7YoS4UkMemE6OdE8tehPxP6+d6PDCG1ERJ5oIPHsoTBjUEZwkBDtUEqzZ0BCEJTV/hbiHJMLa5JgxITiLKy+TRqXsnJYrN2e56uU8jQ4AscgDxwDqrgGtRAHWDwCJ7BK3iznqwX6936mLWmrPnMIfgD6/MH/2ubow=</latexit> SLIDE 8
Decision boundary Base Target
COLLISION ATTACK
arg min
x kf(x) f(t)k2 + kx bk2
<latexit sha1_base64="htNMwdaL3ufABG2uTJC46Ezv8t0=">ACFHicbVDLTgIxFO3gC/GFunTSEwgBDKDJrokunGJiTwSZpx0Sgca2s6k7RgI8hFu/BU3LjTGrQt3/o3lsVDwJM09PefetPcEMaNK2/a3lVpZXVvfSG9mtrZ3dvey+wcNFSUSkzqOWCRbAVKEUHqmpGWrEkiAeMNIP+1cRv3hOpaCRu9TAmHkdQUOKkTaSny26SHahy6nwB9B9gGF+UIAlU3TBXO8qsGjKoBRMuJ/N2WV7CrhMnDnJgTlqfvbL7UQ4URozJBSbceOtTdCUlPMyDjJorECPdRl7QNFYgT5Y2mS43hiVE6MIykOULDqfp7YoS4UkMemE6OdE8tehPxP6+d6PDCG1ERJ5oIPHsoTBjUEZwkBDtUEqzZ0BCEJTV/hbiHJMLa5JgxITiLKy+TRqXsnJYrN2e56uU8jQ4AscgDxwDqrgGtRAHWDwCJ7BK3iznqwX6936mLWmrPnMIfgD6/MH/2ubow=</latexit> SLIDE 9
BLACK BOX CASE
Victim network is unknown
SLIDE 10
Decision boundary Base
BLACK BOX ATTACK
Guess the model Target
arg min
x kfguess(x) fguess(t)k2 + kx bk2
<latexit sha1_base64="uzhIUA0S2mCBDfhPZMdVTJ09xEQ=">ACJHicbVDLSgMxFM34rPVdekmWIQWaZmpgoKbohuXFewDOuOQSTNtaCYzJBlpGfsxbvwVNy584MKN32Km7aK2Hg5Oedebu7xIkalMs1vY2l5ZXVtPbOR3dza3tnN7e03ZBgLTOo4ZKFoeUgSRjmpK6oYaUWCoMBjpOn1r1O/+UCEpCG/U8OIOAHqcupTjJSW3NyljUQX2gHl7gDaj9B3k25MpBwVBkVYmnmqorbvK/BEX4OSl3I3lzfL5hwkVhTkgdT1Nzch90JcRwQrjBDUrYtM1JOgoSimJFR1o4liRDuoy5pa8pRQKSTjJcwWOtdKAfCn24gmN1tiNBgZTDwNOVAVI9Oe+l4n9eO1b+hZNQHsWKcDwZ5McMqhCmicEOFQrNtQEYUH1XyHuIYGw0rlmdQjW/MqLpFEpW6flyu1Zvno1jSMDsERKALnIMquAE1UAcYPIEX8AbejWfj1fg0vialS8a05wD8gfHzCyvyoz8=</latexit> SLIDE 11
Decision boundary Base
BLACK BOX ATTACK
Target
arg min
x kfguess(x) fguess(t)k2 + kx bk2
<latexit sha1_base64="uzhIUA0S2mCBDfhPZMdVTJ09xEQ=">ACJHicbVDLSgMxFM34rPVdekmWIQWaZmpgoKbohuXFewDOuOQSTNtaCYzJBlpGfsxbvwVNy584MKN32Km7aK2Hg5Oedebu7xIkalMs1vY2l5ZXVtPbOR3dza3tnN7e03ZBgLTOo4ZKFoeUgSRjmpK6oYaUWCoMBjpOn1r1O/+UCEpCG/U8OIOAHqcupTjJSW3NyljUQX2gHl7gDaj9B3k25MpBwVBkVYmnmqorbvK/BEX4OSl3I3lzfL5hwkVhTkgdT1Nzch90JcRwQrjBDUrYtM1JOgoSimJFR1o4liRDuoy5pa8pRQKSTjJcwWOtdKAfCn24gmN1tiNBgZTDwNOVAVI9Oe+l4n9eO1b+hZNQHsWKcDwZ5McMqhCmicEOFQrNtQEYUH1XyHuIYGw0rlmdQjW/MqLpFEpW6flyu1Zvno1jSMDsERKALnIMquAE1UAcYPIEX8AbejWfj1fg0vialS8a05wD8gfHzCyvyoz8=</latexit>MISS!
SLIDE 12
Decision boundary Base
BLACK BOX ATTACK
Target
arg min
x kfguess(x) fguess(t)k2 + kx bk2
<latexit sha1_base64="uzhIUA0S2mCBDfhPZMdVTJ09xEQ=">ACJHicbVDLSgMxFM34rPVdekmWIQWaZmpgoKbohuXFewDOuOQSTNtaCYzJBlpGfsxbvwVNy584MKN32Km7aK2Hg5Oedebu7xIkalMs1vY2l5ZXVtPbOR3dza3tnN7e03ZBgLTOo4ZKFoeUgSRjmpK6oYaUWCoMBjpOn1r1O/+UCEpCG/U8OIOAHqcupTjJSW3NyljUQX2gHl7gDaj9B3k25MpBwVBkVYmnmqorbvK/BEX4OSl3I3lzfL5hwkVhTkgdT1Nzch90JcRwQrjBDUrYtM1JOgoSimJFR1o4liRDuoy5pa8pRQKSTjJcwWOtdKAfCn24gmN1tiNBgZTDwNOVAVI9Oe+l4n9eO1b+hZNQHsWKcDwZ5McMqhCmicEOFQrNtQEYUH1XyHuIYGw0rlmdQjW/MqLpFEpW6flyu1Zvno1jSMDsERKALnIMquAE1UAcYPIEX8AbejWfj1fg0vialS8a05wD8gfHzCyvyoz8=</latexit>MISS!
SLIDE 13
CONVEX POLYTOPE ATTACK
Decision boundary Base Target
Zhu et al. "Transferable clean-label poisoning attacks”
SLIDE 14
CONVEX POLYTOPE ATTACK
Decision boundary Base Target
Zhu et al. "Transferable clean-label poisoning attacks”
SLIDE 15
CONVEX POLYTOPE ATTACK
Decision boundary Base Target
Zhu et al. "Transferable clean-label poisoning attacks”
SLIDE 16
CONVEX POLYTOPE ATTACK
Decision boundary Base Target
Zhu et al. "Transferable clean-label poisoning attacks”
SLIDE 17
POISON POLYTOPE
Target (fish) Clean Poison
SLIDE 18
POISON POLYTOPE
Target (fish) Clean Poison
SLIDE 19
Poisons Scraped (from web) Correctly Labelled Neural Net Trained Wrong Test Prediction
“hook”
Ok
Attack success rate ~50% on unknown architectures Works under many scenarios
- No training data overlap
- Transfer learning and end-to-end training
No drop in overall test accuracy
COME SEE POSTER #68!
Link to paper & code