Imperceptible poisoning attacks on entire datasets have recently been touted as methods for protecting data privacy. However, among a number of defenses preventing the practical use of these techniques, early-stopping stands out as a simple, yet effective defense. To gauge poisons' vulnerability to early-stopping, we benchmark error-minimizing, error-maximizing, and synthetic poisons in terms of peak test accuracy over 100 epochs and make a number of surprising observations. First, we find that poisons that reach a low training loss faster have lower peak test accuracy. Second, we find that a current state-of-the-art error-maximizing poison is 7 times less effective when poison training is stopped at epoch 8. Third, we find that stronger, more transferable adversarial attacks do not make stronger poisons. We advocate for evaluating poisons in terms of peak test accuracy.
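The evaluation the abstract argues for, as an added illustration that is not code from the paper: early stopping on a clean validation set is compared with final-epoch and peak test accuracy on constructed learning curves. The curve shapes, the patience value and the accuracy-drop definition of poison effectiveness are this example's assumptions.

```python
# Added example, not code from the paper: an early-stopping evaluation of an
# availability poison on constructed learning curves. A curve is a list of
# (train_loss, val_acc, test_acc) per epoch; the validation set is assumed to
# be clean and held out, and the shapes are constructed, not measured.
from typing import Callable, List, Tuple
Curve = List[Tuple[float, float, float]]

def clean_curve(n_epochs: int = 20) -> Curve:
    """Clean data: loss falls steadily, accuracy climbs and stays high."""
    return [(round(2.0 * 0.8 ** e, 4), round(0.90 - 0.50 * 0.8 ** e, 4),
             round(0.90 - 0.50 * 0.8 ** e, 4)) for e in range(1, n_epochs + 1)]

def poisoned_curve(n_epochs: int = 20) -> Curve:
    """Availability poison: loss collapses fast, test accuracy peaks early
    (epoch 8 here) and then degrades as the model fits the poison shortcut."""
    out = []
    for e in range(1, n_epochs + 1):
        acc = 0.30 + 0.45 * e / 8 if e <= 8 else max(0.20, 0.75 - 0.08 * (e - 8))
        out.append((round(2.0 * 0.6 ** e, 4), round(acc, 4), round(acc, 4)))
    return out

def final_test_accuracy(curve: Curve) -> Tuple[int, float]:
    """Conventional reporting: test accuracy after the last epoch (1-based)."""
    return len(curve), curve[-1][2]

def peak_test_accuracy(curve: Curve) -> Tuple[int, float]:
    """Metric advocated above: the best test accuracy over all epochs."""
    i = max(range(len(curve)), key=lambda k: curve[k][2])
    return i + 1, curve[i][2]

def early_stopped_test_accuracy(curve: Curve, patience: int = 3) -> Tuple[int, float]:
    """The defense: stop once clean validation accuracy has not improved for
    `patience` epochs; report test accuracy at the best-validation epoch."""
    best, best_val = 0, -1.0
    for i, (_, val_acc, _) in enumerate(curve):
        if val_acc > best_val:
            best, best_val = i, val_acc
        elif i - best >= patience:
            break
    return best + 1, curve[best][2]

def epochs_to_train_loss(curve: Curve, threshold: float) -> int:
    """First epoch at which training loss falls below `threshold`; a fast drop
    is the warning sign behind the first observation above."""
    return next(i + 1 for i, (loss, _, _) in enumerate(curve) if loss < threshold)

def accuracy_drop(clean: Curve, poisoned: Curve,
                  metric: Callable[[Curve], Tuple[int, float]]) -> float:
    """Poison effectiveness as the test-accuracy drop relative to clean training
    under a given metric (this definition is the example's assumption)."""
    return round(metric(clean)[1] - metric(poisoned)[1], 4)
```

On these constructed curves the poison looks devastating at the final epoch but much weaker at its peak, and the early-stopped checkpoint recovers exactly that peak; the poisoned run also crosses a low training loss several epochs before the clean run.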