Accumulative Poisoning Attacks on Real-time Data
Tianyu Pang, Xiao Yang, Yinpeng Dong, Hang Su, Jun Zhu

TL;DR
This paper introduces a new poisoning attack strategy for real-time data training systems, demonstrating how an accumulative phase can significantly amplify the attack's destructive impact without affecting immediate accuracy.
Contribution
The paper proposes a novel accumulative poisoning attack method tailored for real-time data training, showing its effectiveness through experiments on MNIST and CIFAR-10.
Findings
Model accuracy drops sharply after a single trigger update.
The attack strategy significantly amplifies poisoning effects.
Simple attack design can be highly effective in real-time settings.
Abstract
Collecting training data from untrusted sources exposes machine learning services to poisoning adversaries, who maliciously manipulate training data to degrade the model accuracy. When trained on offline datasets, poisoning adversaries have to inject the poisoned data in advance before training, and the order of feeding these poisoned batches into the model is stochastic. In contrast, practical systems are more usually trained/fine-tuned on sequentially captured real-time data, in which case poisoning adversaries could dynamically poison each data batch according to the current model state. In this paper, we focus on the real-time settings and propose a new attacking strategy, which affiliates an accumulative phase with poisoning attacks to secretly (i.e., without affecting accuracy) magnify the destructive effect of a (poisoned) trigger batch. By mimicking online learning and federated…
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Anomaly Detection Techniques and Applications
