Generative Poisoning Attack Method Against Neural Networks
Chaofei Yang, Qing Wu, Hai Li, Yiran Chen

TL;DR
This paper introduces a generative poisoning attack method against neural networks, significantly increasing data poisoning efficiency while also proposing a detection countermeasure.
Contribution
It presents a novel generative approach using auto-encoders to accelerate poisoning attacks on neural networks, outperforming traditional gradient-based methods.
Findings
The generative method speeds up the creation of poisoned data by up to 239.38 times.
The attack slightly reduces model accuracy compared to direct gradient methods.
A detection countermeasure based on loss monitoring is proposed.
Abstract
Poisoning attacks are identified as a severe security threat to machine learning algorithms. In many applications, for example, deep neural network (DNN) models collect public data as the inputs to perform re-training, where the input data can be poisoned. Although poisoning attacks against support vector machines (SVM) have been extensively studied before, there is still very limited knowledge about how such attacks can be implemented on neural networks (NN), especially DNNs. In this work, we first examine the possibility of applying the traditional gradient-based method (named the direct gradient method) to generate poisoned data against NNs by leveraging the gradient of the target model w.r.t. the normal data. We then propose a generative method to accelerate the generation rate of the poisoned data: an auto-encoder (generator) used to generate poisoned data is updated by a reward function…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
