Run-Off Election: Improved Provable Defense against Data Poisoning Attacks
In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a major...
Gespeichert in:
| Veröffentlicht in: | arXiv.org 2023-05 |
|---|---|
| Hauptverfasser: | , , , |
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | arXiv.org |
| container_volume | |
| creator | Rezaei, Keivan Banihashem, Kiarash Chegini, Atoosa Feizi, Soheil |
| description | In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a majority vote across multiple base models. In this work, we show that merely considering the majority vote in ensemble defenses is wasteful as it does not effectively utilize available information in the logits layers of the base models. Instead, we propose Run-Off Election (ROE), a novel aggregation method based on a two-round election across the base models: In the first round, models vote for their preferred class and then a second, Run-Off election is held between the top two classes in the first round. Based on this approach, we propose DPA+ROE and FA+ROE defense methods based on Deep Partition Aggregation (DPA) and Finite Aggregation (FA) approaches from prior work. We evaluate our methods on MNIST, CIFAR-10, and GTSRB and obtain improvements in certified accuracy by up to 3%-4%. Also, by applying ROE on a boosted version of DPA, we gain improvements around 12%-27% comparing to the current state-of-the-art, establishing a new state-of-the-art in (pointwise) certified robustness against data poisoning. In many cases, our approach outperforms the state-of-the-art, even when using 32 times less computational power. |
| format | Article |
| fullrecord | <record><control><sourceid>proquest</sourceid><recordid>TN_cdi_proquest_journals_2774008752</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2774008752</sourcerecordid><originalsourceid>FETCH-proquest_journals_27740087523</originalsourceid><addsrcrecordid>eNqNjMEKgkAUAJcgSMp_eNBZ2FZtpVukUV2S6C6bvZU12y3f2vfnoQ_oNIcZZsICEcerKEuEmLGQqOWci7UUaRoH7HQZbHTWGooOa2-c3cDx-erdB-9QjlC3DiFHjZYQVKOMJQ-58gpKZ8hZYxvYeq_qBy3YVKuOMPxxzpb74ro7ROPuPSD5qnVDb0dVCSkTzjOZivi_6gtvMjwq</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2774008752</pqid></control><display><type>article</type><title>Run-Off Election: Improved Provable Defense against Data Poisoning Attacks</title><source>Free E- Journals</source><creator>Rezaei, Keivan ; Banihashem, Kiarash ; Chegini, Atoosa ; Feizi, Soheil</creator><creatorcontrib>Rezaei, Keivan ; Banihashem, Kiarash ; Chegini, Atoosa ; Feizi, Soheil</creatorcontrib><description>In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a majority vote across multiple base models. In this work, we show that merely considering the majority vote in ensemble defenses is wasteful as it does not effectively utilize available information in the logits layers of the base models. Instead, we propose Run-Off Election (ROE), a novel aggregation method based on a two-round election across the base models: In the first round, models vote for their preferred class and then a second, Run-Off election is held between the top two classes in the first round. Based on this approach, we propose DPA+ROE and FA+ROE defense methods based on Deep Partition Aggregation (DPA) and Finite Aggregation (FA) approaches from prior work. We evaluate our methods on MNIST, CIFAR-10, and GTSRB and obtain improvements in certified accuracy by up to 3%-4%. Also, by applying ROE on a boosted version of DPA, we gain improvements around 12%-27% comparing to the current state-of-the-art, establishing a new state-of-the-art in (pointwise) certified robustness against data poisoning. In many cases, our approach outperforms the state-of-the-art, even when using 32 times less computational power.</description><identifier>EISSN: 2331-8422</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Agglomeration ; Dynamic programming ; Elections ; Robustness ; Runoff</subject><ispartof>arXiv.org, 2023-05</ispartof><rights>2023. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>780,784</link.rule.ids></links><search><creatorcontrib>Rezaei, Keivan</creatorcontrib><creatorcontrib>Banihashem, Kiarash</creatorcontrib><creatorcontrib>Chegini, Atoosa</creatorcontrib><creatorcontrib>Feizi, Soheil</creatorcontrib><title>Run-Off Election: Improved Provable Defense against Data Poisoning Attacks</title><title>arXiv.org</title><description>In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a majority vote across multiple base models. In this work, we show that merely considering the majority vote in ensemble defenses is wasteful as it does not effectively utilize available information in the logits layers of the base models. Instead, we propose Run-Off Election (ROE), a novel aggregation method based on a two-round election across the base models: In the first round, models vote for their preferred class and then a second, Run-Off election is held between the top two classes in the first round. Based on this approach, we propose DPA+ROE and FA+ROE defense methods based on Deep Partition Aggregation (DPA) and Finite Aggregation (FA) approaches from prior work. We evaluate our methods on MNIST, CIFAR-10, and GTSRB and obtain improvements in certified accuracy by up to 3%-4%. Also, by applying ROE on a boosted version of DPA, we gain improvements around 12%-27% comparing to the current state-of-the-art, establishing a new state-of-the-art in (pointwise) certified robustness against data poisoning. In many cases, our approach outperforms the state-of-the-art, even when using 32 times less computational power.</description><subject>Agglomeration</subject><subject>Dynamic programming</subject><subject>Elections</subject><subject>Robustness</subject><subject>Runoff</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2023</creationdate><recordtype>article</recordtype><sourceid>ABUWG</sourceid><sourceid>AFKRA</sourceid><sourceid>AZQEC</sourceid><sourceid>BENPR</sourceid><sourceid>CCPQU</sourceid><sourceid>DWQXO</sourceid><recordid>eNqNjMEKgkAUAJcgSMp_eNBZ2FZtpVukUV2S6C6bvZU12y3f2vfnoQ_oNIcZZsICEcerKEuEmLGQqOWci7UUaRoH7HQZbHTWGooOa2-c3cDx-erdB-9QjlC3DiFHjZYQVKOMJQ-58gpKZ8hZYxvYeq_qBy3YVKuOMPxxzpb74ro7ROPuPSD5qnVDb0dVCSkTzjOZivi_6gtvMjwq</recordid><startdate>20230516</startdate><enddate>20230516</enddate><creator>Rezaei, Keivan</creator><creator>Banihashem, Kiarash</creator><creator>Chegini, Atoosa</creator><creator>Feizi, Soheil</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope></search><sort><creationdate>20230516</creationdate><title>Run-Off Election: Improved Provable Defense against Data Poisoning Attacks</title><author>Rezaei, Keivan ; Banihashem, Kiarash ; Chegini, Atoosa ; Feizi, Soheil</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-proquest_journals_27740087523</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2023</creationdate><topic>Agglomeration</topic><topic>Dynamic programming</topic><topic>Elections</topic><topic>Robustness</topic><topic>Runoff</topic><toplevel>online_resources</toplevel><creatorcontrib>Rezaei, Keivan</creatorcontrib><creatorcontrib>Banihashem, Kiarash</creatorcontrib><creatorcontrib>Chegini, Atoosa</creatorcontrib><creatorcontrib>Feizi, Soheil</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Access via ProQuest (Open Access)</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Rezaei, Keivan</au><au>Banihashem, Kiarash</au><au>Chegini, Atoosa</au><au>Feizi, Soheil</au><format>book</format><genre>document</genre><ristype>GEN</ristype><atitle>Run-Off Election: Improved Provable Defense against Data Poisoning Attacks</atitle><jtitle>arXiv.org</jtitle><date>2023-05-16</date><risdate>2023</risdate><eissn>2331-8422</eissn><abstract>In data poisoning attacks, an adversary tries to change a model's prediction by adding, modifying, or removing samples in the training data. Recently, ensemble-based approaches for obtaining provable defenses against data poisoning have been proposed where predictions are done by taking a majority vote across multiple base models. In this work, we show that merely considering the majority vote in ensemble defenses is wasteful as it does not effectively utilize available information in the logits layers of the base models. Instead, we propose Run-Off Election (ROE), a novel aggregation method based on a two-round election across the base models: In the first round, models vote for their preferred class and then a second, Run-Off election is held between the top two classes in the first round. Based on this approach, we propose DPA+ROE and FA+ROE defense methods based on Deep Partition Aggregation (DPA) and Finite Aggregation (FA) approaches from prior work. We evaluate our methods on MNIST, CIFAR-10, and GTSRB and obtain improvements in certified accuracy by up to 3%-4%. Also, by applying ROE on a boosted version of DPA, we gain improvements around 12%-27% comparing to the current state-of-the-art, establishing a new state-of-the-art in (pointwise) certified robustness against data poisoning. In many cases, our approach outperforms the state-of-the-art, even when using 32 times less computational power.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext |
| identifier | EISSN: 2331-8422 |
| ispartof | arXiv.org, 2023-05 |
| issn | 2331-8422 |
| language | eng |
| recordid | cdi_proquest_journals_2774008752 |
| source | Free E- Journals |
| subjects | Agglomeration Dynamic programming Elections Robustness Runoff |
| title | Run-Off Election: Improved Provable Defense against Data Poisoning Attacks |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-18T20%3A01%3A45IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Run-Off%20Election:%20Improved%20Provable%20Defense%20against%20Data%20Poisoning%20Attacks&rft.jtitle=arXiv.org&rft.au=Rezaei,%20Keivan&rft.date=2023-05-16&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2774008752%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2774008752&rft_id=info:pmid/&rfr_iscdi=true |