Modern neural networks are often trained on massive datasets that are web scraped with minimal human inspection. As a result of this insecure curation pipeline, an adversary can poison or backdoor the resulting model by uploading malicious data to the internet and waiting for a victim to scrape and train on it. Existing approaches for creating poisons and backdoors start with randomly sampled clean data, called base samples, and then modify those samples to craft poisons. However, some base samples may be significantly more amenable to poisoning than others. As a result, we may be able to craft more potent poisons by carefully choosing the base samples. In this work, we use guided diffusion to synthesize base samples from scratch that lead to significantly more potent poisons and backdoors than previous state-of-the-art attacks. Our Guided Diffusion Poisoning (GDP) base samples can be combined with any downstream poisoning or backdoor attack to boost its effectiveness. Our implementation code is publicly available at: https://github.com/hsouri/GDP.
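The core idea — steering a reverse diffusion process with the gradient of a downstream poisoning objective — can be illustrated with a toy sketch. This is a minimal, hypothetical illustration only: the `denoiser` and `poison_grad` functions, the schedule, and all constants are stand-ins and do not reflect the actual GDP implementation linked above.

```python
import numpy as np

rng = np.random.default_rng(0)

def denoiser(x, t):
    # Stand-in for a learned denoiser: contracts x toward the clean-data
    # manifold (here, simply toward the origin). Purely illustrative.
    return 0.9 * x

def poison_grad(x):
    # Hypothetical gradient of a downstream poisoning loss; it nudges the
    # sample toward a chosen target point, mimicking guidance.
    target = np.array([2.0, 2.0])
    return x - target

def guided_reverse_diffusion(steps=50, guidance_scale=0.05):
    x = rng.standard_normal(2)  # start from pure noise
    for t in range(steps, 0, -1):
        x = denoiser(x, t)                         # unguided reverse step
        x = x - guidance_scale * poison_grad(x)    # guidance toward poison objective
        x = x + 0.01 * rng.standard_normal(2)      # small stochastic perturbation
    return x

sample = guided_reverse_diffusion()
```

The resulting `sample` balances staying near the (toy) data manifold against satisfying the (toy) poisoning objective; in the actual attack, the guidance term would come from a crafting loss on a surrogate model, and the synthesized samples would then be handed to any downstream poisoning or backdoor attack.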