De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks
Jian Chen, Xuxin Zhang, Rui Zhang, Chen Wang, Ling Liu

TL;DR
De-Pois is a novel attack-agnostic defense method that uses a mimic model and GANs to detect poisoned data in machine learning training sets, effective against multiple attack types.
Contribution
It introduces a general defense framework that does not depend on specific attack types, utilizing mimic models and GANs for robust poisoning detection.
Findings
Achieves over 0.9 accuracy and F1-score in detecting poisoned data.
Effective against four different poisoning attack types.
Outperforms existing attack-specific defenses in experiments.
Abstract
Machine learning techniques have been widely applied to various applications. However, they are potentially vulnerable to data poisoning attacks, where sophisticated attackers can disrupt the learning procedure by injecting a fraction of malicious samples into the training dataset. Existing defense techniques against poisoning attacks are largely attack-specific: they are designed for one specific type of attack but do not work for other types, mainly due to the distinct principles they follow. Yet few general defense strategies have been developed. In this paper, we propose De-Pois, an attack-agnostic defense against poisoning attacks. The key idea of De-Pois is to train a mimic model whose purpose is to imitate the behavior of the target model trained on clean samples. We take advantage of Generative Adversarial Networks (GANs) to facilitate informative training data…
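The abstract describes the core mechanism only at a high level: a mimic model, trained without attacker-controlled data, stands in for the clean target model, and training samples the mimic model finds implausible are treated as poisoned. The following is an added illustration of that principle, not the authors' code or the De-Pois implementation. It assumes a small trusted clean subset is available, omits the paper's GAN-based augmentation of that subset, uses a logistic regression as the mimic model, and uses 1 - P(recorded label | x) as the suspicion score with a fixed threshold of 0.5; the dataset and the label-flipping attack are constructed for the example. Because the scorer only asks "does the mimic model agree with this label?", it does not depend on how the poison was crafted, which is the attack-agnostic point the paper makes.

```python
"""Toy mimic-model poisoning detector (constructed example, not De-Pois code).

Assumptions of this example: a trusted clean subset exists, the paper's GAN
augmentation step is omitted, the mimic model is a logistic regression, and the
suspicion score and threshold below are illustrative choices.
"""
import math
import random


def make_dataset(rng, n, centre=2.5, spread=1.0):
    """Constructed 2-D two-class data: class 1 is a blob around (+centre, +centre),
    class 0 a blob around (-centre, -centre)."""
    data = []
    for _ in range(n):
        y = rng.randint(0, 1)
        sign = 1.0 if y == 1 else -1.0
        x = (sign * centre + rng.gauss(0, spread),
             sign * centre + rng.gauss(0, spread))
        data.append((x, y))
    return data


def label_flip(rng, data, fraction):
    """Constructed poisoning attack: flip the labels of a fraction of samples.
    Returns the poisoned dataset and the ground-truth poison mask (for scoring only)."""
    idx = set(rng.sample(range(len(data)), int(fraction * len(data))))
    poisoned = [(x, 1 - y if i in idx else y) for i, (x, y) in enumerate(data)]
    mask = [i in idx for i in range(len(data))]
    return poisoned, mask


def sigmoid(z):
    # Numerically stable logistic function (avoids exp overflow for large |z|).
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train_mimic(clean, epochs=300, lr=0.1):
    """Mimic model: logistic regression fitted by batch gradient descent on the
    trusted clean subset only, so it never sees attacker-controlled labels."""
    w = [0.0, 0.0]
    b = 0.0
    n = len(clean)
    for _ in range(epochs):
        gw = [0.0, 0.0]
        gb = 0.0
        for (x1, x2), y in clean:
            err = sigmoid(w[0] * x1 + w[1] * x2 + b) - y
            gw[0] += err * x1
            gw[1] += err * x2
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return w, b


def suspicion(model, x, y):
    """Disagreement between the mimic model and a sample's recorded label:
    1 - P(label | x). Near 0 for plausible samples, near 1 for implausible ones."""
    w, b = model
    p1 = sigmoid(w[0] * x[0] + w[1] * x[1] + b)
    return 1.0 - (p1 if y == 1 else 1.0 - p1)


def detect(model, data, tau=0.5):
    """Flag samples whose suspicion exceeds tau. tau=0.5 is an assumed default;
    a practitioner would calibrate it on the clean subset to a false-positive budget."""
    return [suspicion(model, x, y) > tau for x, y in data]


def evaluate(flags, mask):
    """Accuracy, precision, recall and F1 of the detector against the poison mask."""
    tp = sum(f and m for f, m in zip(flags, mask))
    fp = sum(f and not m for f, m in zip(flags, mask))
    fn = sum(m and not f for f, m in zip(flags, mask))
    tn = len(flags) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(flags), "precision": precision,
            "recall": recall, "f1": f1}


def run_demo(seed=7, n_train=400, n_clean=100, poison_fraction=0.1):
    """End to end: clean subset -> mimic model -> flag poisoned training samples."""
    rng = random.Random(seed)
    clean = make_dataset(rng, n_clean)
    train, mask = label_flip(rng, make_dataset(rng, n_train), poison_fraction)
    model = train_mimic(clean)
    return evaluate(detect(model, train), mask)


if __name__ == "__main__":
    print(run_demo())
```

The detector never inspects how a sample was produced, only whether the clean-trained mimic model would have assigned it the label it carries, so the same scorer applies unchanged to other label-manipulating attacks. What it cannot do on its own is cover a clean subset that is too small for the mimic model to generalize; that gap is what the paper's GAN-based data generation is meant to close.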
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
