CISPA
Browse
ndss2023_f287_paper.pdf (3.85 MB)

Backdoor Attacks Against Dataset Distillation

Download (3.85 MB)
conference contribution
posted on 2024-03-19, 14:12 authored by Yugeng LiuYugeng Liu, Zheng LiZheng Li, Michael BackesMichael Backes, Yun Shen, Yang ZhangYang Zhang
Dataset distillation has emerged as a prominent technique to improve data efficiency when training machine learning models. It encapsulates the knowledge from a large dataset into a smaller synthetic dataset. A model trained on this smaller distilled dataset can attain comparable performance to a model trained on the original training dataset. However, the existing dataset distillation techniques mainly aim at achieving the best trade-off between resource usage efficiency and model utility. The security risks stemming from them have not been explored. This study performs the first backdoor attack against the models trained on the data distilled by dataset distillation models in the image domain. Concretely, we inject triggers into the synthetic data during the distillation procedure rather than during the model training stage, where all previous attacks are performed. We propose two types of backdoor attacks, namely NAIVEATTACK and DOORPING. NAIVEATTACK simply adds triggers to the raw data at the initial distillation phase, while DOORPING iteratively updates the triggers during the entire distillation procedure. We conduct extensive evaluations on multiple datasets, architectures, and dataset distillation techniques. Empirical evaluation shows that NAIVEATTACK achieves decent attack success rate (ASR) scores in some cases, while DOORPING reaches higher ASR scores (close to 1.0) in all cases. Furthermore, we conduct a comprehensive ablation study to analyze the factors that may affect the attack performance. Finally, we evaluate multiple defense mechanisms against our backdoor attacks and show that our attacks can practically circumvent these defense mechanisms.

History

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

Network and Distributed System Security Symposium (NDSS)

Publisher

Internet Society

Open Access Type

  • Unknown

BibTeX

@conference{Liu:Li:Backes:Shen:Zhang:2023, title = "Backdoor Attacks Against Dataset Distillation", author = "Liu, Yugeng" AND "Li, Zheng" AND "Backes, Michael" AND "Shen, Yun" AND "Zhang, Yang", year = 2023, month = 1, publisher = "Internet Society", doi = "10.14722/ndss.2023.24287" }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC