ECLIPSE: Expunging Clean-label Indiscriminate Poisons via Sparse Diffusion Purification

TL;DR

ECLIPSE is a robust defense method against clean-label poisoning attacks that uses Gaussian noise and a denoising model to effectively purify poisoned datasets, outperforming existing defenses.

Contribution

The paper introduces ECLIPSE, a universal and practical defense scheme combining Gaussian noise and a denoising model, with a corruption compensation module, to counter diverse poisoning attacks.

Findings

ECLIPSE outperforms 10 state-of-the-art defenses in experiments.

Theoretical proof shows Gaussian noise assimilates poisons effectively.

ECLIPSE remains robust against adaptive poisoning attacks.

Abstract

Clean-label indiscriminate poisoning attacks add invisible perturbations to correctly labeled training images, thus dramatically reducing the generalization capability of the victim models. Recently, some defense mechanisms have been proposed such as adversarial training, image transformation techniques, and image purification. However, these schemes are either susceptible to adaptive attacks, built on unrealistic assumptions, or only effective against specific poison types, limiting their universal applicability. In this research, we propose a more universally effective, practical, and robust defense scheme called ECLIPSE. We first investigate the impact of Gaussian noise on the poisons and theoretically prove that any kind of poison will be largely assimilated when imposing sufficient random noise. In light of this, we assume the victim has access to an extremely limited number of clean images (a more practical scene) and subsequently enlarge this sparse set for training a denoising probabilistic model (a universal denoising tool). We then begin by introducing Gaussian noise to absorb the poisons and then apply the model for denoising, resulting in a roughly purified dataset. Finally, to address the trade-off of the inconsistency in the assimilation sensitivity of different poisons by Gaussian noise, we propose a lightweight corruption compensation module to effectively eliminate residual poisons, providing a more universal defense approach. Extensive experiments demonstrate that our defense approach outperforms 10 state-of-the-art defenses. We also propose an adaptive attack against ECLIPSE and verify the robustness of our defense scheme. Our code is available at https://github.com/CGCL-codes/ECLIPSE.