Timezone: »

Data Poisoning Attacks in Multi-Party Learning
Saeed Mahloujifar · Mohammad Mahmoody · Ameer Mohammed

Wed Jun 12:15 PM -- 12:20 PM PDT @ Room 102
In this work, we demonstrate universal multi-party poisoning attacks that adapt and apply to any multi-party learning process with arbitrary interaction pattern between the parties. More generally, we introduce and study $(k,p)$-poisoning attacks in which an adversary controls $k\in[m]$ of the parties, and for each corrupted party $P_i$, the adversary submits some poisoned data $T'_i$ on behalf of $P_i$ that is still "$(1-p)$-close" to the correct data $T_i$ (e.g., $1-p$ fraction of $T'_i$ is still honestly generated). We prove that for any "bad" property $B$ of the final trained hypothesis $h$ (e.g., $h$ failing on a particular test example or having "large" risk) that has an arbitrarily small constant probability of happening without the attack, there always is a $(k,p)$-poisoning attack that increases the probability of $B$ from $\mu$ to by $\mu^{1-p \cdot k/m} = \mu + \Omega(p \cdot k/m)$. Our attack only uses clean labels, and it is online, as it only knows the the data shared so far.

Author Information

Saeed Mahloujifar (University of Virginia)
Mohammad Mahmoody (University of Virginia)
Ameer Mohammed (Kuwait University)

Related Events (a corresponding poster, oral, or spotlight)