Generalizable Targeted Data Poisoning against Varying Physical Objects

TL;DR

This paper investigates targeted data poisoning in real-world scenarios with varying physical conditions, proposing a method that optimizes both gradient direction and magnitude to improve attack success rates across diverse physical variations.

Contribution

It introduces a novel approach that enhances the generalizability of targeted data poisoning by optimizing gradient magnitude alongside direction, addressing real-world physical variations.

Findings

Outperforms previous methods by 19.49% on CIFAR-10 multi-view car poisoning

Demonstrates improved success rates across diverse physical conditions

Highlights limitations of gradient direction-only optimization in TDP

Abstract

Targeted data poisoning (TDP) aims to compromise the model's prediction on a specific (test) target by perturbing a small subset of training data. Existing work on TDP has focused on an overly ideal threat model in which the same image sample of the target is used during both poisoning and inference stages. However, in the real world, a target object often appears in complex variations due to changes of physical settings such as viewpoint, background, and lighting conditions. In this work, we take the first step toward understanding the real-world threats of TDP by studying its generalizability across varying physical conditions. In particular, we observe that solely optimizing gradient directions, as adopted by the best previous TDP method, achieves limited generalization. To address this limitation, we propose optimizing both the gradient direction and magnitude for more generalizable gradient matching, thereby leading to higher poisoning success rates. For instance, our method outperforms the state of the art by 19.49% when poisoning CIFAR-10 images targeting multi-view cars.