Rethinking Backdoor Data Poisoning Attacks in the Context of Semi-Supervised Learning
Marissa Connor, Vincent Emanuele

TL;DR
This paper explores the vulnerability of semi-supervised learning to backdoor data poisoning attacks, demonstrating high attack success rates and proposing a generalized attack framework to understand and improve defenses.
Contribution
It introduces a generalized attack framework targeting semi-supervised learning, revealing significant vulnerabilities and motivating future defense strategies.
Findings
Backdoor poisoning of the unlabeled training samples reaches an average attack success rate as high as 96.9%.
Simple attacks that only influence the distribution of the poisoned samples' predicted labels are highly effective.
A generalized attack framework targeting semi-supervised learning explains these vulnerabilities and motivates future defenses.
Abstract
Semi-supervised learning methods can train high-accuracy machine learning models with a fraction of the labeled training samples required for traditional supervised learning. Such methods do not typically involve close review of the unlabeled training samples, making them tempting targets for data poisoning attacks. In this paper we investigate the vulnerabilities of semi-supervised learning methods to backdoor data poisoning attacks on the unlabeled samples. We show that simple poisoning attacks that influence the distribution of the poisoned samples' predicted labels are highly effective - achieving an average attack success rate as high as 96.9%. We introduce a generalized attack framework targeting semi-supervised learning methods to better understand and exploit their limitations and to motivate future defense strategies.
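The mechanism the abstract describes, as an added toy illustration that is not the paper's attack or code: a self-training (pseudo-labeling) loop with a nearest-centroid classifier on constructed Gaussian data. The attacker injects only unlabeled samples that resemble the target class and carry a trigger; the loop pseudo-labels them as the target class without review, so the trigger becomes part of what the model associates with that class. The trigger channel (feature index 2), the trigger magnitude, the poison count and the data distributions are all assumptions chosen for the demonstration.

```python
"""Toy backdoor via poisoned unlabeled data in pseudo-label self-training.
Added illustration only; the classifier, data and trigger are assumptions."""
import math
import random

N_FEATURES = 3        # features 0,1 carry class signal; feature 2 is the assumed trigger channel
TRIGGER_VALUE = 10.0  # assumed trigger magnitude written into feature 2
TARGET_CLASS = 1      # attacker's target label
CLASS_MEANS = {0: (-2.0, 0.0, 0.0), 1: (2.0, 0.0, 0.0)}  # constructed class centers


def sample(label, rng, trigger=False):
    """Draw one constructed sample: Gaussian noise around the class mean."""
    mx, my, mz = CLASS_MEANS[label]
    x = [rng.gauss(mx, 0.5), rng.gauss(my, 0.5), rng.gauss(mz, 0.1)]
    if trigger:
        x[2] = TRIGGER_VALUE
    return x


def centroid(points):
    """Per-feature mean of a list of samples."""
    return [sum(p[i] for p in points) / len(points) for i in range(N_FEATURES)]


def predict(centroids, x):
    """Nearest-centroid classification in Euclidean distance."""
    return min(centroids, key=lambda c: math.dist(x, centroids[c]))


def self_train(labeled, unlabeled, rounds=5):
    """Pseudo-label self-training: each round, label every unlabeled sample with the
    current model and refit the centroids on labeled + pseudo-labeled data.
    Nothing here inspects the unlabeled samples, which is the attack surface."""
    pools = {c: [x for x, y in labeled if y == c] for c in CLASS_MEANS}
    cents = {c: centroid(pts) for c, pts in pools.items()}
    for _ in range(rounds):
        pseudo = {c: list(pts) for c, pts in pools.items()}
        for x in unlabeled:
            pseudo[predict(cents, x)].append(x)
        cents = {c: centroid(pts) for c, pts in pseudo.items()}
    return cents


def run_experiment(n_poison, seed=0):
    """Train with n_poison attacker-supplied unlabeled samples and return
    (clean test accuracy, attack success rate on triggered non-target samples)."""
    rng = random.Random(seed)
    labeled = [(sample(c, rng), c) for c in (0, 1) for _ in range(5)]      # few labels
    unlabeled = [sample(c, rng) for c in (0, 1) for _ in range(100)]       # many unlabeled
    # Poison: looks like TARGET_CLASS so it is pseudo-labeled as TARGET_CLASS, and carries the
    # trigger, so the target centroid absorbs the trigger channel. Labels never touched.
    poison = [sample(TARGET_CLASS, rng, trigger=True) for _ in range(n_poison)]
    cents = self_train(labeled, unlabeled + poison)

    test = [(sample(c, rng), c) for c in (0, 1) for _ in range(50)]
    clean_acc = sum(predict(cents, x) == y for x, y in test) / len(test)
    # ASR: fraction of clean non-target samples flipped to TARGET_CLASS once the trigger is added
    victims = [x for x, y in test if y != TARGET_CLASS]
    triggered = [x[:2] + [TRIGGER_VALUE] for x in victims]
    asr = sum(predict(cents, x) == TARGET_CLASS for x in triggered) / len(triggered)
    return clean_acc, asr


if __name__ == "__main__":
    for n in (0, 30):
        acc, asr = run_experiment(n_poison=n)
        print(f"poison={n:3d}  clean_acc={acc:.2f}  attack_success={asr:.2f}")
```

The attacker never touches a label: the pseudo-labeling rule assigns the target label to the poison, which is the "influence on the distribution of predicted labels" the abstract refers to. Clean accuracy stays high because the trigger channel is near zero in clean data, so the backdoor is invisible to an accuracy-only evaluation; a defender has to examine the unlabeled pool or the pseudo-label assignments themselves.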
Taxonomy
Topics: Adversarial Robustness in Machine Learning
