Semi-supervised machine learning (SSL) is gaining popularity as it reduces the cost of training ML models. It does so by using very small amounts of (expensive, well-inspected) labeled data and large amounts of (cheap, non-inspected) unlabeled data. SSL has shown performance comparable or even superior to conventional fully-supervised ML techniques. In this paper, we show that the key feature of SSL, namely its ability to learn from (non-inspected) unlabeled data, exposes SSL to strong poisoning attacks. In fact, we argue that, due to its reliance on non-inspected unlabeled data, poisoning is a much more severe problem in SSL than in conventional fully-supervised ML. Specifically, we design a backdoor poisoning attack on SSL that can be conducted by a weak adversary with no knowledge of the target SSL pipeline. This is unlike prior poisoning attacks in fully-supervised settings, which assume strong adversaries with practically unrealistic capabilities. We show that by poisoning only 0.2% of the unlabeled training data, our attack can cause misclassification of more than 80% of test inputs (when they contain the adversary's backdoor trigger). Our attacks remain effective across twenty combinations of benchmark datasets and SSL algorithms, and even circumvent state-of-the-art defenses against backdoor attacks. Our work raises significant concerns about the practical utility of existing SSL algorithms.