BagFlip: A Certified Defense against Data Poisoning
Yuhao Zhang, Aws Albarghouthi, Loris D'Antoni

TL;DR
BagFlip is a model-agnostic certified defense against data poisoning that covers both trigger-less and backdoor attacks; on image classification and malware detection datasets it matches or beats state-of-the-art approaches for trigger-less attacks and beats them for backdoor attacks.
Contribution
Introducing BagFlip, a model-agnostic certified defense that comes with a proof (certificate) of robustness against both trigger-less and backdoor data poisoning attacks.
Findings
Equal to or more effective than state-of-the-art approaches against trigger-less attacks
More effective against backdoor attacks than existing methods
Validated on image classification and malware detection datasets
Abstract
Machine learning models are vulnerable to data-poisoning attacks, in which an attacker maliciously modifies the training set to change the prediction of a learned model. In a trigger-less attack, the attacker can modify the training set but not the test inputs, while in a backdoor attack the attacker can also modify test inputs. Existing model-agnostic defense approaches either cannot handle backdoor attacks or do not provide effective certificates (i.e., a proof of a defense). We present BagFlip, a model-agnostic certified approach that can effectively defend against both trigger-less and backdoor attacks. We evaluate BagFlip on image classification and malware detection datasets. BagFlip is equal to or more effective than the state-of-the-art approaches for trigger-less attacks and more effective than the state-of-the-art approaches for backdoor attacks.
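To make "certificate" concrete, the following is an added illustration and not code from the paper or its authors: it implements the counting argument behind partition-based majority-vote defenses (train one base learner per disjoint hash-partition of the training set, vote, and bound how many votes a poisoning of a given size can move), which is not BagFlip's own construction. Everything in it is assumed for the illustration: a constructed 2-D toy dataset, the hash `x + 3y + label mod m` that assigns each example to a partition, nearest-centroid base learners, and `NUM_PARTITIONS = 5`. The poisoning budget is measured as the number of examples inserted or deleted, so a label flip costs two edits.

```python
import math
from collections import Counter

NUM_PARTITIONS = 5  # number of disjoint training partitions (assumed value)


def make_training_set():
    """Constructed toy data (not the paper's): two well-separated classes of
    integer 2-D points, class 0 near the origin and class 1 near (10, 10)."""
    examples = []
    for i in range(5):
        for j in range(5):
            examples.append((i, j, 0))
            examples.append((10 + i, 10 + j, 1))
    return examples


def partition_of(example, m=NUM_PARTITIONS):
    """Deterministic function of the single example only, so inserting or
    deleting one training point changes the contents of exactly one partition."""
    x, y, label = example
    return (x + 3 * y + label) % m


def train_nearest_centroid(examples):
    """Base learner: per-class centroid, stored as {label: (cx, cy)}."""
    sums = {}
    for x, y, label in examples:
        sx, sy, n = sums.get(label, (0, 0, 0))
        sums[label] = (sx + x, sy + y, n + 1)
    return {label: (sx / n, sy / n) for label, (sx, sy, n) in sums.items()}


def predict_base(model, point):
    px, py = point
    # Distance ties broken toward the smaller label so the learner is deterministic.
    return min(model, key=lambda lab: (math.hypot(px - model[lab][0], py - model[lab][1]), lab))


def ensemble_votes(training_set, point, m=NUM_PARTITIONS):
    parts = [[] for _ in range(m)]
    for ex in training_set:
        parts[partition_of(ex, m)].append(ex)
    votes = Counter()
    for part in parts:
        if part:  # an empty partition casts no vote
            votes[predict_base(train_nearest_centroid(part), point)] += 1
    return votes


def certified_prediction(training_set, point, labels=(0, 1), m=NUM_PARTITIONS):
    """Returns (label, r): the label cannot change under any poisoning that
    inserts or deletes at most r training examples in total."""
    votes = ensemble_votes(training_set, point, m)
    ranked = sorted(labels, key=lambda lab: (-votes[lab], lab))  # ties -> smaller label
    a, b = ranked[0], ranked[1]
    na, nb = votes[a], votes[b]
    # Each edit alters one partition, which can move at most one vote from a
    # to b.  The prediction survives k edits when na - k > nb + k, or when
    # the counts tie and a still wins the tie-break (a < b).
    r = (na - nb - (1 if b < a else 0)) // 2
    return a, r


def flip_labels(training_set, examples_to_flip):
    """Trigger-less poisoning: each flip deletes one example and inserts the
    same point with the other label, i.e. two edits in the budget above."""
    poisoned = list(training_set)
    for ex in examples_to_flip:
        x, y, label = ex
        poisoned.remove(ex)
        poisoned.append((x, y, 1 - label))
    return poisoned


def demo(x_test=(1, 1)):
    clean = make_training_set()
    label, r = certified_prediction(clean, x_test)
    # Spend the certified budget on label flips (two edits each) and confirm
    # the prediction at this same test input does not move.
    poisoned = flip_labels(clean, [(0, 0, 0)][: r // 2])
    label_after, _ = certified_prediction(poisoned, x_test)
    return {"label": label, "radius": r, "label_after_poison": label_after}


if __name__ == "__main__":
    print(demo())
```

The certificate is computed for one fixed test input: it promises nothing about a different input, which is exactly what a backdoor adversary supplies when it appends a trigger to the test point. That is the gap the abstract refers to when it says existing model-agnostic defenses either cannot handle backdoor attacks or do not provide effective certificates; BagFlip's own certificate, which the abstract says covers both attack models, is not reproduced here.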
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
