Trainwreck: A damaging adversarial attack on image classifiers
Jan Zahálka

TL;DR
This paper introduces Trainwreck, a novel train-time adversarial attack that damages image classifiers by poisoning training data stealthily, demonstrating high effectiveness across multiple models and proposing data redundancy as a defense.
Contribution
It formalizes damaging adversarial attacks and proposes Trainwreck, a black-box, transferable train-time attack that degrades model performance using stealthy data poisoning.
Findings
Trainwreck effectively damages models on CIFAR datasets.
It achieves comparable or better potency than existing data poisoning methods.
Data redundancy with hashing can defend against Trainwreck.
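The hashing defence named in the last finding is, in practice, an integrity check on the training set: record a cryptographic digest of every item in a trusted copy of the data, and refuse to train if any item in the working copy no longer matches. Because Trainwreck works by replacing a subset of training images with stealthily perturbed versions, a small pixel change is invisible to a human but still changes the digest. The block below is an added illustration written for this page, not code from the paper or its author; the file names, image bytes and the `perturb` stand-in for the attack's perturbation are constructed for the example, and `verify_dataset` is an assumed helper name.

```python
"""Hash-manifest integrity check for a training set (added example, not the paper's code).

Workflow: compute the manifest once on the trusted copy and store it where the
attacker cannot rewrite it (signed, or on separate infrastructure); re-run
verify_dataset() on the working copy before every training run.
"""
import hashlib
import json
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of the raw bytes of one training item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(dataset: Dict[str, bytes]) -> Dict[str, str]:
    """Map item name -> digest. Run this on the trusted (redundant) copy only."""
    return {name: sha256_bytes(blob) for name, blob in sorted(dataset.items())}


def verify_dataset(dataset: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a working copy against the manifest.

    Returns the names of items whose bytes changed, items the manifest lists
    but the working copy lacks, and items present in the working copy that the
    manifest never saw (an attacker may add as well as replace data).
    """
    modified = [n for n, blob in dataset.items()
                if n in manifest and sha256_bytes(blob) != manifest[n]]
    missing = [n for n in manifest if n not in dataset]
    unexpected = [n for n in dataset if n not in manifest]
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def manifest_roundtrip(manifest: Dict[str, str]) -> Dict[str, str]:
    """Serialise/deserialise the manifest as JSON (the on-disk form one would sign)."""
    return json.loads(json.dumps(manifest, sort_keys=True))


def perturb(image: bytes, delta: int = 1) -> bytes:
    """Constructed stand-in for a stealthy perturbation: shift every byte by delta.

    The real attack perturbs pixels by a small bounded amount; the point here is
    only that any change, however small, alters the digest.
    """
    return bytes((b + delta) % 256 for b in image)


# Constructed toy dataset: four 32-byte "images", two per class.
CLEAN: Dict[str, bytes] = {
    "cat_0001.png": bytes(range(0, 32)),
    "cat_0002.png": bytes(range(32, 64)),
    "dog_0001.png": bytes(range(64, 96)),
    "dog_0002.png": bytes(range(96, 128)),
}


def demo() -> Dict[str, List[str]]:
    """Build the manifest on the clean copy, poison two items, and verify."""
    manifest = manifest_roundtrip(build_manifest(CLEAN))
    poisoned = dict(CLEAN)
    poisoned["cat_0001.png"] = perturb(CLEAN["cat_0001.png"])
    poisoned["dog_0002.png"] = perturb(CLEAN["dog_0002.png"])
    return verify_dataset(poisoned, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest is computed from a copy the attacker could not have already poisoned and is stored out of the attacker's reach; a manifest rebuilt from the working copy after poisoning would simply bless the poisoned data.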
Abstract
Adversarial attacks are an important security concern for computer vision (CV). As CV models are becoming increasingly valuable assets in applied practice, disrupting them is emerging as a form of economic sabotage. This paper opens up the exploration of damaging adversarial attacks (DAAs) that seek to damage target CV models. DAAs are formalized by defining the threat model, the cost function DAAs maximize, and setting three requirements for success: potency, stealth, and customizability. As a pioneer DAA, this paper proposes Trainwreck, a train-time attack that conflates the data of similar classes in the training data using stealthy () class-pair universal perturbations obtained from a surrogate model. Trainwreck is a black-box, transferable attack: it requires no knowledge of the target architecture, and a single poisoned dataset degrades the performance of any…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
Methods: Depthwise Convolution · Pointwise Convolution · 1x1 Convolution · Depthwise Separable Convolution · Batch Normalization · Inverted Residual Block · EfficientNetV2
