Poisoning Web-Scale Training Datasets is Practical
METADATA ONLY
Date
2024
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
Deep learning models are often trained on distributed, web-scale datasets crawled from the internet. In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to degrade a model's performance. Our attacks are immediately practical and could, today, poison 10 popular datasets. Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure that a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content -- such as Wikipedia -- where an attacker only needs a time-limited window to inject malicious examples. In light of both attacks, we notified the maintainers of each affected dataset and recommend several low-overhead defenses.
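Split-view poisoning succeeds because dataset indices distribute bare URLs, so clients implicitly trust that the content they fetch today matches what the annotator originally saw. One low-overhead defense in the spirit of those the abstract mentions is to distribute a cryptographic hash of each item alongside its URL and reject any download that no longer matches. A minimal sketch (the index structure and all data here are hypothetical, not the paper's actual implementation):

```python
import hashlib

def verify_download(content: bytes, expected_sha256: str) -> bool:
    """Check that downloaded bytes match the hash recorded at annotation time."""
    return hashlib.sha256(content).hexdigest() == expected_sha256

# Hypothetical dataset index: each entry pairs a URL with the SHA-256 digest
# of the content the annotator originally observed.
index = [
    {"url": "https://example.com/img1.jpg",
     "sha256": hashlib.sha256(b"original image bytes").hexdigest()},
]

downloaded = b"original image bytes"      # what the client fetched today
print(verify_download(downloaded, index[0]["sha256"]))   # unchanged -> accepted

tampered = b"attacker-substituted bytes"  # a split-view substitution attempt
print(verify_download(tampered, index[0]["sha256"]))     # mismatch -> rejected
```

Note that this only defends against post-annotation substitution; it does nothing against content that was already malicious when the hash was computed.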
Publication status
published
Book title
2024 IEEE Symposium on Security and Privacy (SP)
Pages / Article No.
407 - 425
Publisher
IEEE
Event
45th IEEE Symposium on Security and Privacy (SP 2024)
Subject
Machine Learning; Poisoning
Organisational unit
09764 - Tramèr, Florian