Universal Multi-Party Poisoning Attacks
Proceedings of the 36th International Conference on Machine Learning, PMLR 97:4274-4283, 2019.
Abstract
In this work, we demonstrate universal multi-party poisoning attacks that adapt and apply to any multi-party learning process with an arbitrary interaction pattern between the parties. More generally, we introduce and study (k,p)-poisoning attacks in which an adversary controls k ∈ [m] of the parties, and for each corrupted party P_i, the adversary submits some poisoned data T′_i on behalf of P_i that is still "(1−p)-close" to the correct data T_i (e.g., a (1−p) fraction of T′_i is still honestly generated). We prove that for any "bad" property B of the final trained hypothesis h (e.g., h failing on a particular test example or having "large" risk) that has an arbitrarily small constant probability of happening without the attack, there always exists a (k,p)-poisoning attack that increases the probability of B from μ to μ^(1−p⋅k/m) = μ + Ω(p⋅k/m). Our attack only uses clean labels, and it is online, as it only knows the data shared so far.
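
To get a feel for the guarantee, the short sketch below (not from the paper; all parameter values are hypothetical) simply evaluates the amplified bad-event probability μ^(1−p⋅k/m) for a few choices of k and p and compares it to the baseline μ, making the additive gain on the order of p⋅k/m visible numerically.

    # Minimal numeric sketch (illustrative only, not the paper's attack):
    # evaluate the amplified probability mu^(1 - p*k/m) that the stated
    # (k, p)-poisoning bound guarantees for a bad event B.

    def amplified_probability(mu: float, p: float, k: int, m: int) -> float:
        """Probability of the bad event B under the attack: mu^(1 - p*k/m)."""
        return mu ** (1 - p * k / m)

    if __name__ == "__main__":
        mu = 0.01                        # hypothetical baseline probability of B
        m = 100                          # hypothetical total number of parties
        for k in (10, 25, 50):           # number of corrupted parties
            for p in (0.1, 0.5, 1.0):    # poisoned fraction per corrupted party
                amp = amplified_probability(mu, p, k, m)
                print(f"k={k:3d} p={p:.1f}: mu={mu:.4f} -> {amp:.4f} "
                      f"(gain {amp - mu:.4f}, p*k/m = {p * k / m:.3f})")

For example, with μ = 0.01, m = 100, k = 50, and p = 1.0 the exponent is 1/2, so the attack raises the bad-event probability from 0.01 to 0.1, consistent with the μ + Ω(p⋅k/m) form of the bound.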