MetaPoison: Practical General-purpose Clean-label Data Poisoning
Authors: W. Ronny Huang, Jonas Geiping, Liam Fowl, Gavin Taylor, Tom Goldstein
NeurIPS 2020 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our experiments on CIFAR-10 consist of two stages: poison crafting and victim evaluation. In the first stage, we craft poisons on surrogate models and save them for evaluation. In the second stage, we insert the poisons into the victim dataset, train the victim model from scratch on this dataset, and report the attack success and validation accuracy. |
| Researcher Affiliation | Academia | W. Ronny Huang University of Maryland wronnyhuang@gmail.com Jonas Geiping University of Siegen jonas.geiping@uni-siegen.de Liam Fowl University of Maryland lfowl@math.umd.edu Gavin Taylor United States Naval Academy taylor@usna.edu Tom Goldstein University of Maryland tomg@cs.umd.edu |
| Pseudocode | Yes | Algorithm 1 Craft poison examples via Meta Poison |
| Open Source Code | Yes | End-to-end code as well as pre-crafted poisons are available at https://www.github.com/ wronnyhuang/metapoison. |
| Open Datasets | Yes | Our experiments on CIFAR-10 consist of two stages: poison crafting and victim evaluation. |
| Dataset Splits | No | The paper mentions "validation accuracy" but does not explicitly describe the dataset split for a validation set (e.g., percentages or sample counts). It refers to the CIFAR-10 dataset in general for training and the test set for target images. |
| Hardware Specification | No | The paper mentions "6 GPU-hours" for crafting poisons but does not specify the type or model of GPU, CPU, or any other hardware component used for the experiments. |
| Software Dependencies | No | The paper mentions "www.comet.ml supplied necessary tools for monitoring and logging" but does not provide specific version numbers for any software libraries, frameworks, or operating systems used. |
| Experiment Setup | Yes | We perform 60 outer steps when crafting poisons using the Adam optimizer with an initial learning rate of 200. We decay the outer learning rate (i.e. crafting rate) by 10x every 20 steps. Each inner learner is unrolled by K = 2 SGD steps. An ensemble of 24 inner models is used, with model i trained until the i-th epoch. A batchsize of 125 and learning rate of 0.1 are used. We leave weight decay and data augmentation off by default, but analyze performance with them on in 3.3. By default, we use the same 6-layer Conv Net architecture with batch normalization as Finn et al. [2017], henceforth called Conv Net BN, but other architectures are demonstrated throughout the paper too. Outside of 3.3, the same hyperparameters and architectures are used for victim evaluation. We train each victim to 200 epochs, decaying the learning rate by 10x at epochs 100 and 150. |