Accumulative Poisoning Attacks on Real-time Data
Authors: Tianyu Pang, Xiao Yang, Yinpeng Dong, Hang Su, Jun Zhu
NeurIPS 2021
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Empirically, we conduct experiments on MNIST and CIFAR-10 by simulating different training processes encountered in two typical real-time streaming settings, involving online learning [8] and federated learning [30]. We demonstrate the effectiveness of accumulative poisoning attacks, and provide extensive ablation studies on different implementation details and tricks. We show that accumulative poisoning attacks can more easily bypass defenses like anomaly detection and gradient clipping than vanilla poisoning attacks. |
| Researcher Affiliation | Collaboration | Tianyu Pang (1), Xiao Yang (1), Yinpeng Dong (1,2), Hang Su (1,3), Jun Zhu (1,2,3); (1) Department of Computer Science & Technology, Institute for AI, BNRist Center, Tsinghua-Bosch Joint ML Center, THBI Lab, Tsinghua University; (2) RealAI; (3) Tsinghua University-China Mobile Communications Group Co., Ltd. Joint Institute |
| Pseudocode | Yes | Algorithm 1 Accumulative poisoning attacks in online learning and Algorithm 2 Accumulative poisoning attacks in federated learning |
| Open Source Code | Yes | Code is available at https://github.com/ShawnXYang/Accumulative_Attack. |
| Open Datasets | Yes | We mimic the real-time data training using the MNIST and CIFAR-10 datasets [31, 33]. |
| Dataset Splits | No | No explicit percentages or counts for training/validation/test splits are provided. The paper mentions 'S_val' as a validation batch and 're-sampling S_val' but does not specify how these sets are composed quantitatively from the total dataset. |
| Hardware Specification | No | No specific hardware details (such as exact GPU/CPU models, memory, or processor types) used for running the experiments are provided in the paper. |
| Software Dependencies | No | The paper mentions 'PyTorch [50]' but does not specify its version number or any other software dependencies with version information. |
| Experiment Setup | Yes | Following [49], we apply ResNet-18 [23] as the model architecture, and employ the SGD optimizer with momentum of 0.9 and weight decay of 1e-4. The initial learning rate is 0.1, and the mini-batch size is 100. For all the experiments in online learning and federated learning, we pre-train the model for 10 epochs on the clean training data of MNIST, and 40 epochs on the clean training data of CIFAR-10. The learning rate is kept as 0.1... We set the number of PGD iterations as C = 100, and the step size is α = 2ϵ/C. |
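
The Pseudocode row only names the two procedures, so below is a minimal Python sketch of the online-learning flow that "Algorithm 1: Accumulative poisoning attacks in online learning" suggests: an accumulative phase that perturbs the streaming batches, followed by a single poisoned trigger batch. The function `online_learning_under_attack` and the `craft_accumulative_batch` / `craft_trigger_batch` callables are hypothetical names introduced for illustration, not the authors' pseudocode; a PGD-style crafting step such as the one sketched after this block could serve as either callable.

```python
# Hedged sketch of the attack flow suggested by "Algorithm 1: Accumulative
# poisoning attacks in online learning"; not the authors' implementation.
# The two crafting callables are hypothetical placeholders.

def online_learning_under_attack(model, optimizer, criterion, stream,
                                 craft_accumulative_batch, craft_trigger_batch,
                                 accumulation_steps):
    """The victim runs ordinary online SGD; the attacker perturbs each batch."""
    for t, (x, y) in enumerate(stream):
        if t < accumulation_steps:
            # Accumulative phase: small perturbations that keep validation
            # accuracy roughly intact while steering the model toward a state
            # in which a later trigger batch becomes maximally destructive.
            x = craft_accumulative_batch(model, x, y)
        else:
            # Trigger phase: a single poisoned batch releases the accumulated
            # effect, causing a sharp accuracy drop after this one update.
            x = craft_trigger_batch(model, x, y)

        optimizer.zero_grad()
        loss = criterion(model(x), y)   # the victim trains normally on the batch
        loss.backward()
        optimizer.step()

        if t >= accumulation_steps:     # stop right after the trigger batch
            break
    return model
```

In the paper, the crafting step also consults a validation batch S_val; in this sketch that dependency would live inside the two callables.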
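
The Experiment Setup row fixes the optimizer and the PGD schedule (C = 100 iterations, step size α = 2ε/C) but not the surrounding code. The following is a minimal PyTorch sketch under explicit assumptions: a torchvision ResNet-18, cross-entropy loss, and pixel inputs in [0, 1]. The plain batch-loss objective inside `pgd_poison` is only a placeholder surrogate, since the paper's accumulative objective instead differentiates through the model update that the poisoned batch induces.

```python
# Minimal PyTorch sketch of the quoted setup; assumptions: torchvision ResNet-18,
# cross-entropy loss, inputs scaled to [0, 1]. Not the authors' released code.
import torch
import torch.nn as nn
from torchvision.models import resnet18

model = resnet18(num_classes=10)                  # 10 classes (MNIST would also
                                                  # need a 1-channel input stem)
optimizer = torch.optim.SGD(model.parameters(),
                            lr=0.1,               # initial learning rate 0.1
                            momentum=0.9,         # momentum 0.9
                            weight_decay=1e-4)    # weight decay 1e-4
criterion = nn.CrossEntropyLoss()
BATCH_SIZE = 100                                  # mini-batch size 100


def pgd_poison(model, x, y, eps, C=100):
    """Craft an l_inf-bounded poisoned batch with C = 100 PGD iterations and
    step size alpha = 2 * eps / C, as stated in the setup. The objective here
    (cross-entropy on the perturbed batch) is only a placeholder surrogate."""
    alpha = 2 * eps / C
    delta = torch.zeros_like(x, requires_grad=True)
    for _ in range(C):
        loss = nn.functional.cross_entropy(model(x + delta), y)
        loss.backward()
        with torch.no_grad():
            delta += alpha * delta.grad.sign()            # signed ascent step
            delta.clamp_(-eps, eps)                       # project into eps-ball
            delta.copy_((x + delta).clamp(0.0, 1.0) - x)  # keep pixels valid
        delta.grad.zero_()
    model.zero_grad(set_to_none=True)                     # discard stray grads
    return (x + delta).detach()
```

Under these assumptions, each incoming batch would be replaced by `pgd_poison(model, x, y, eps)` before the optimizer step in the sketch above.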