Deep image classification models trained on vast amounts of web-scraped data are susceptible to data poisoning - a mechanism for backdooring models. A small number of poisoned samples seen during training can severely undermine a model's integrity during inference. Existing work considers an effective defense as one that either (i) restores a model's integrity through repair or (ii) detects an attack. We argue that this approach overlooks a crucial trade-off: Attackers can increase robustness at the expense of detectability (over-poisoning) or decrease detectability at the cost of robustness (under-poisoning). In practice, attacks should remain both undetectable and robust. Detectable but robust attacks draw human attention and rigorous model evaluation or cause the model to be re-trained or discarded. In contrast, attacks that are undetectable but lack robustness can be repaired with minimal impact on model accuracy. Our research points to intrinsic flaws in current attack evaluation methods and raises the bar for all data poisoning attackers who must delicately balance this trade-off to remain robust and undetectable. To demonstrate the existence of more potent defenders, we propose defenses designed to (i) detect or (ii) repair poisoned models using a limited amount of trusted image-label pairs. Our results show that an attacker who needs to be robust and undetectable is substantially less threatening. Our defenses mitigate all tested attacks with a maximum accuracy decline of 2% using only 1% of clean data on CIFAR-10 and 2.5% on ImageNet. We demonstrate the scalability of our defenses by evaluating large vision-language models, such as CLIP. Attackers who can manipulate the model's parameters pose an elevated risk as they can achieve higher robustness at low detectability compared to data poisoning attackers.

翻译：基于海量网络爬取数据训练的深度图像分类模型易受数据投毒攻击——一种在模型中植入后门的机制。训练过程中少量投毒样本即可严重破坏模型在推理阶段的完整性。现有研究将有效防御视为要么（i）通过修复恢复模型完整性，要么（ii）检测攻击。我们认为这种观点忽略了一个关键权衡：攻击者可通过牺牲可检测性提升鲁棒性（过度投毒），或牺牲鲁棒性降低可检测性（欠投毒）。实践中，攻击必须同时保持不可检测性和鲁棒性。可检测但鲁棒的攻击会引发人工关注和严格模型评估，导致模型被重训练或丢弃；反之，不可检测但缺乏鲁棒性的攻击可通过最小化精度损失的修复予以消除。我们的研究揭示了当前攻击评估方法的内在缺陷，对所有需要在鲁棒性与不可检测性之间精妙权衡的数据投毒攻击者提出了更高要求。为证明更强防御的存在性，我们提出了两类防御方法，通过有限数量的可信图像-标签对（i）检测或（ii）修复投毒模型。实验结果表明，需兼顾鲁棒性与不可检测性的攻击者威胁性显著降低。我们的防御措施能够缓解所有测试攻击，在CIFAR-10上仅需1%的干净数据即可将最大精度下降控制在2%以内，在ImageNet上则为2.5%。通过评估CLIP等大型视觉-语言模型，我们验证了防御方法的可扩展性。相较于数据投毒攻击者，能操纵模型参数的攻击者具有更高风险——他们能在低可检测性条件下实现更强的鲁棒性。