Clean-label indiscriminate poisoning attacks add invisible perturbations to correctly labeled training images, thus dramatically reducing the generalization capability of the victim models. Recently, some defense mechanisms have been proposed such as adversarial training, image transformation techniques, and image purification. However, these schemes are either susceptible to adaptive attacks, built on unrealistic assumptions, or only effective against specific poison types, limiting their universal applicability. In this research, we propose a more universally effective, practical, and robust defense scheme called ECLIPSE. We first investigate the impact of Gaussian noise on the poisons and theoretically prove that any kind of poison will be largely assimilated when imposing sufficient random noise. In light of this, we assume the victim has access to an extremely limited number of clean images (a more practical scene) and subsequently enlarge this sparse set for training a denoising probabilistic model (a universal denoising tool). We then begin by introducing Gaussian noise to absorb the poisons and then apply the model for denoising, resulting in a roughly purified dataset. Finally, to address the trade-off of the inconsistency in the assimilation sensitivity of different poisons by Gaussian noise, we propose a lightweight corruption compensation module to effectively eliminate residual poisons, providing a more universal defense approach. Extensive experiments demonstrate that our defense approach outperforms 10 state-of-the-art defenses. We also propose an adaptive attack against ECLIPSE and verify the robustness of our defense scheme. Our code is available at https://github.com/CGCL-codes/ECLIPSE.

翻译：干净标签无差别毒药攻击通过向正确标注的训练图像添加不可见的扰动，从而显著降低受害模型的泛化能力。最近，一些防御机制被提出，例如对抗训练、图像变换技术和图像净化。然而，这些方案要么容易受到自适应攻击，要么建立在非现实的假设之上，或者仅对特定类型的毒药有效，限制了其普适性。在本研究中，我们提出了一种更普适、实用且鲁棒的防御方案，称为ECLIPSE。我们首先研究了高斯噪声对毒药的影响，并从理论上证明，当施加足够的随机噪声时，任何类型的毒药都将被大幅同化。鉴于此，我们假设受害者能够获取极少量干净图像（一个更实际的场景），并随后扩展这个稀疏集合以训练一个去噪概率模型（一种通用的去噪工具）。我们首先引入高斯噪声以吸收毒药，然后应用该模型进行去噪，从而得到一个大致净化的数据集。最后，为了解决高斯噪声对不同毒药同化敏感性不一致的权衡问题，我们提出了一个轻量级的损坏补偿模块，以有效消除残留毒药，提供一种更普适的防御方法。大量实验表明，我们的防御方法优于10种最先进的防御方案。我们还提出了针对ECLIPSE的自适应攻击，并验证了我们防御方案的鲁棒性。我们的代码可在https://github.com/CGCL-codes/ECLIPSE获取。