Indiscriminate data poisoning attacks aim to decrease a model's test accuracy by injecting a small amount of corrupted training data. Despite significant interest, existing attacks remain relatively ineffective against modern machine learning (ML) architectures. In this work, we introduce the notion of model poisoning reachability as a technical tool to explore the intrinsic limits of data poisoning attacks towards target parameters (i.e., model-targeted attacks). We derive an easily computable threshold to establish and quantify a surprising phase transition phenomenon among popular ML models: data poisoning attacks can achieve certain target parameters only when the poisoning ratio exceeds our threshold. Building on existing parameter corruption attacks and refining the Gradient Canceling attack, we perform extensive experiments to confirm our theoretical findings, test the predictability of our transition threshold, and significantly improve existing indiscriminate data poisoning baselines over a range of datasets and models. Our work highlights the critical role played by the poisoning ratio, and sheds new insights on existing empirical results, attacks and mitigation strategies in data poisoning.

翻译：无差别数据投毒攻击旨在通过注入少量被污染的训练数据来降低模型的测试准确率。尽管该领域引起了广泛关注，但现有攻击对现代机器学习架构仍相对低效。本文引入模型投毒可达性的概念，将其作为一种技术工具来探索数据投毒攻击针对目标参数（即模型定向攻击）的内在极限。我们推导出一个易于计算的阈值，用以建立并量化流行机器学习模型中一个令人惊讶的相变现象：数据投毒攻击只有在投毒比率超过该阈值时才能实现特定的目标参数。基于现有的参数破坏攻击以及对梯度消除攻击的改进，我们开展了大量实验以验证理论发现、测试相变阈值的可预测性，并显著提升了现有无差别数据投毒基线方法在多种数据集和模型上的性能。本研究强调了投毒比率的关键作用，并为数据投毒领域现有实证结果、攻击及防御策略提供了新的见解。