Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability

Add code
May 01, 2020
Hojjat Aghakhani, Dongyu Meng, Yu-Xiang Wang, Christopher Kruegel, Giovanni Vigna
Figure 1 for Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability
Figure 2 for Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability
Figure 3 for Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability
Figure 4 for Bullseye Polytope: A Scalable Clean-Label Poisoning Attack with Improved Transferability

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon

A recent source of concern for the security of neural networks is the emergence of clean-label dataset poisoning attacks, wherein correctly labeled poisoned samples are injected in the training dataset. While these poisons look legitimate to the human observer, they contain malicious characteristics that trigger a targeted misclassification during inference. We propose a scalable and transferable clean-label attack, Bullseye Polytope, which creates poison images centered around the target image in the feature space. Bullseye Polytope improves the attack success rate of the current state-of-the-art by 26.75% in end-to-end training, while increasing attack speed by a factor of 12. We further extend Bullseye Polytope to a more practical attack model by including multiple images of the same object (e.g., from different angles) in crafting the poisoned samples. We demonstrate that this extension improves attack transferability by over 16% to unseen images (of the same object) without increasing the number of poisons.

View paper onarxiv icon

Share this with someone who'll enjoy it:

Twitter IconFacebook IconLinkedin IconWhatsapp IconMessenger Icon