Backdoor poisoning attacks are a threat to machine learning models trained on large data collected from untrusted sources; these attacks enable attackers to inject malicious behavior into the model that can be triggered by specially crafted inputs. Prior work has established bounds on the success of backdoor attacks and their impact on the benign learning task, however, an open question is what amount of poison data is needed for a successful backdoor attack. Typical attacks either use few samples but need much information about the data points, or need to poison many data points. In this paper, we formulate the one-poison hypothesis: An adversary with one poison sample and limited background knowledge can inject a backdoor with zero backdooring-error and without significantly impacting the benign learning task performance. Moreover, we prove the one-poison hypothesis for linear regression, linear classification, and 2-layer ReLU neural networks. For adversaries that utilize a direction unused by the clean data distribution for the poison sample, we prove for linear classification and linear regression that the resulting model is functionally equivalent to a model where the poison was excluded from training. We build on prior work on statistical backdoor learning to show that in all other cases, the impact on the benign learning task is still limited. We validate our theoretical results experimentally with realistic benchmark data sets.

翻译：后门投毒攻击对从不可信来源收集的大规模数据训练的机器学习模型构成威胁；这类攻击使攻击者能够向模型中注入恶意行为，该行为可通过特殊构造的输入触发。先前研究已对后门攻击的成功率及其对良性学习任务的影响建立了界限，然而一个悬而未决的问题是：成功的后门攻击需要多少毒数据？典型攻击要么使用少量样本但需要大量数据点信息，要么需要污染大量数据点。本文提出单毒假设：仅拥有一个毒样本且背景知识有限的攻击者能够注入零后门误差的后门，且不会显著影响良性学习任务的性能。此外，我们为线性回归、线性分类及双层ReLU神经网络证明了该假设。对于利用干净数据分布未使用方向构造毒样本的攻击者，我们在线性分类和线性回归场景中证明：所得模型在功能上等同于训练时排除该毒样本的模型。基于先前统计后门学习的研究，我们证明在所有其他情况下，对良性学习任务的影响仍然有限。我们通过真实基准数据集的实验验证了理论结果。