
Game-Theoretic Unlearnable Example Generator (2401.17523v1)

Published 31 Jan 2024 in cs.LG, cs.CR, and stat.ML

Abstract: Unlearnable example attacks are data poisoning attacks that aim to degrade the clean test accuracy of deep learning models by adding imperceptible perturbations to the training samples; the attack can be formulated as a bi-level optimization problem. However, directly solving this optimization problem is intractable for deep neural networks. In this paper, we investigate unlearnable example attacks from a game-theoretic perspective by formulating the attack as a nonzero-sum Stackelberg game. First, the existence of game equilibria is proved under both the normal setting and the adversarial training setting. It is shown that, when certain loss functions are used, the game equilibrium gives the most powerful poison attack, in the sense that the victim has the lowest test accuracy among all networks within the same hypothesis space. Second, we propose a novel attack method, called the Game Unlearnable Example (GUE), which has three main ingredients. (1) The poisons are obtained by directly solving the equilibrium of the Stackelberg game with a first-order algorithm. (2) We employ an autoencoder-like generative network as the poison attacker. (3) A novel payoff function is introduced to evaluate the performance of the poison. Comprehensive experiments demonstrate that GUE can effectively poison the model in various scenarios. Furthermore, GUE still works when only a relatively small percentage of the training data is used to train the generator, and the poison generator generalizes well to unseen data. Our implementation code can be found at https://github.com/hong-xian/gue.
