Identifying a Training-Set Attack's Target Using Renormalized Influence Estimation

TL;DR

This paper introduces a renormalized influence estimation method for identifying whether a specific test instance is the target of a training-set attack, effectively detecting adversarial training instances across multiple data domains.

Contribution

The work develops renormalized influence estimators that outperform existing methods in identifying influential training instances, enabling effective target detection in adversarial settings.

Findings

Renormalized influence estimators outperform original estimators in identifying influential training groups.

Achieves up to 100% detection of adversarial training instances with no false positives on clean data.

Effective across text, vision, and speech data, even against adaptive attackers.

Abstract

Targeted training-set attacks inject malicious instances into the training set to cause a trained model to mislabel one or more specific test instances. This work proposes the task of target identification, which determines whether a specific test instance is the target of a training-set attack. Target identification can be combined with adversarial-instance identification to find (and remove) the attack instances, mitigating the attack with minimal impact on other predictions. Rather than focusing on a single attack method or data modality, we build on influence estimation, which quantifies each training instance's contribution to a model's prediction. We show that existing influence estimators' poor practical performance often derives from their over-reliance on training instances and iterations with large losses. Our renormalized influence estimators fix this weakness; they far outperform the original estimators at identifying influential groups of training examples in both adversarial and non-adversarial settings, even finding up to 100% of adversarial training instances with no clean-data false positives. Target identification then simplifies to detecting test instances with anomalous influence values. We demonstrate our method's effectiveness on backdoor and poisoning attacks across various data domains, including text, vision, and speech, as well as against a gray-box, adaptive attacker that specifically optimizes the adversarial instances to evade our method. Our source code is available at https://github.com/ZaydH/target_identification.