SoK: A Comprehensive Analysis of the Current Status of Neural Tangent Generalization Attacks with Research Directions
Thushari Hapuarachchi, Kaiqi Xiong

TL;DR
This paper thoroughly analyzes Neural Tangent Generalization Attacks (NTGA), the first black-box clean-label data poisoning method, comparing existing studies, testing vulnerabilities, and proposing directions for enhancing robustness.
Contribution
It provides the first comprehensive classification, taxonomy, and experimental comparison of NTGA, highlighting vulnerabilities and suggesting improvements for future research.
Findings
NTGA is vulnerable to adversarial training and image transformations.
Applying linear separability increases NTGA susceptibility.
Recent attacks outperform NTGA in data protection scenarios.
Abstract
There has recently been a serious issue that Deep Neural Network (DNN) training uses more and more unauthorized data. A clean-label generalization attack, one type of data poisoning attack, has been suggested to address this issue. The Neural Tangent Generalization Attack (NTGA) is considered the first well-known clean-label generalization attack under the black-box setting, which provided an unprecedented step in data protection approaches. In this paper, we conduct a comprehensive analysis of the state of the art of NTGA; to the best of our knowledge, this is the first thorough analysis regarding NTGA. First, we provide a classification of attacks against DNNs with their explanations and relations to NTGA. Then, this paper presents a taxonomy of black-box attacks and demonstrates that NTGA is the first clean-label generalization attack under the black-box setting. We further…
