Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks

TL;DR

This paper introduces a standardized benchmark for evaluating data poisoning and backdoor attacks, revealing their varying effectiveness across different testing scenarios and emphasizing the need for realistic evaluation methods.

Contribution

It provides a unified benchmark framework for fair comparison of data poisoning and backdoor attack methods in realistic settings.

Findings

Existing methods may not generalize well to real-world scenarios

Data poisoning and backdoor attacks are highly sensitive to testing conditions

Standardized benchmarks enable fairer evaluation of attack effectiveness

Abstract

Data poisoning and backdoor attacks manipulate training data in order to cause models to fail during inference. A recent survey of industry practitioners found that data poisoning is the number one concern among threats ranging from model stealing to adversarial attacks. However, it remains unclear exactly how dangerous poisoning methods are and which ones are more effective considering that these methods, even ones with identical objectives, have not been tested in consistent or realistic settings. We observe that data poisoning and backdoor attacks are highly sensitive to variations in the testing setup. Moreover, we find that existing methods may not generalize to realistic settings. While these existing works serve as valuable prototypes for data poisoning, we apply rigorous tests to determine the extent to which we should fear them. In order to promote fair comparison in future work, we develop standardized benchmarks for data poisoning and backdoor attacks.