Adversarial Attacks on Data Attribution
Authors: Xinhe Wang, Pingbang Hu, Junwei Deng, Jiaqi Ma
ICLR 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct extensive experiments, including both image classification and text generation settings, to demonstrate the effectiveness of the proposed attack methods. Our results show that by only adding imperceptible perturbations to real-world data features, the Shadow Attack can inflate the adversary’s compensation to at least 200% and up to 456%, while the Outlier Attack can inflate the adversary’s compensation to at least 185% and up to 643%. |
| Researcher Affiliation | Academia | Xinhe Wang University of Michigan EMAIL Pingbang Hu University of Illinois Urbana-Champaign EMAIL Junwei Deng University of Illinois Urbana-Champaign EMAIL Jiaqi W. Ma University of Illinois Urbana-Champaign EMAIL |
| Pseudocode | No | The paper includes illustrations (Figure 1 and Figure 2) of the attack methods, but does not contain formally structured pseudocode blocks or algorithm listings. |
| Open Source Code | Yes | Our implementation is ready at https://github.com/TRAIS-Lab/adversarial-attack-data-attribution. |
| Open Datasets | Yes | For image classification, we experiment on MNIST (LeCun, 1998), Digits (Jiang et al., 2023) and CIFAR-10 (Krizhevsky & Hinton, 2009) datasets... For text generation, we conduct experiments on nanoGPT (Karpathy, 2022) trained on the Shakespeare dataset (Karpathy, 2015)... Specifically, we consider the ResNet-18 model (He et al., 2016) on the Tiny ImageNet dataset (Le & Yang, 2015). |
| Dataset Splits | Yes | For the image classification settings (a), (c), and (d), we set |Z0| = 10000, |Z1^a| = 100, and |Z1| = 11000... For image classification setting (b), due to the size of the dataset, we set |Z0| = 1100, |Z1^a| = 30 and |Z1| = 1100 for Outlier Attack, and |Z0| = 800, |Z1^a| = 30 and |Z1| = 850 for Shadow Attack. The text generation setting follows a similar workflow with |Z0| = 4706, |Z1^a| = 20, and |Z1| = 6274. |
| Hardware Specification | No | The paper mentions specific models like 'ResNet-18' or 'nanoGPT' but does not provide specific hardware details such as GPU models, CPU types, or memory specifications used for running the experiments. |
| Software Dependencies | No | For the data attribution algorithms, we adopt the implementation from the dattri library (Deng et al., 2024). While the 'dattri' library is mentioned, no version numbers are specified for it or for other software dependencies such as Python, PyTorch, or CUDA. |
| Experiment Setup | Yes | In both the target model training and shadow model training, we train LR for 30 epochs with SGD and a learning rate of 0.01. We train CNN for 50 epochs with Adam and a learning rate of 0.001. ... In all training, we again train the MLP for 30 epochs using Adam with an initial learning rate of 0.001. ... In all training, each model is trained for 100 epochs using Adam, with a learning rate of 0.001. ... For both training at t = 0 and t = 1, we train the model for 2000 epochs, both using Adam with a learning rate of 6 × 10−4. ... In experiments, we set ϵ = 0.03. ... In practice, we set ϵ = 0.1. ... In experiments we set m = 20 and k = 15. |
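The quoted setup specifies concrete hyperparameters for the logistic-regression (LR) target/shadow models: 30 epochs of SGD at a learning rate of 0.01. A minimal NumPy sketch of that training recipe is below. Only the epoch count and learning rate come from the paper's quoted setup; the synthetic data, model size, and full-batch gradient step are illustrative assumptions, not the authors' code (their implementation is in the linked repository).

```python
import numpy as np

# Hypothetical sketch of the quoted LR training setup: 30 epochs of
# SGD with learning rate 0.01. Data and model dimensions are made up.
rng = np.random.default_rng(0)
n, d = 200, 10
X = rng.normal(size=(n, d))
true_w = rng.normal(size=d)
y = (X @ true_w > 0).astype(float)  # synthetic binary labels

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

w = np.zeros(d)
lr, epochs = 0.01, 30  # hyperparameters quoted in the paper

losses = []
for _ in range(epochs):
    p = sigmoid(X @ w)
    grad = X.T @ (p - y) / n        # full-batch logistic-loss gradient
    w -= lr * grad                   # plain SGD step
    eps = 1e-12                      # numerical guard for log
    losses.append(-np.mean(y * np.log(p + eps)
                           + (1 - y) * np.log(1 - p + eps)))

print(f"loss: {losses[0]:.4f} -> {losses[-1]:.4f}")
```

The CNN, MLP, and nanoGPT settings quoted above would follow the same pattern with their respective optimizers (Adam) and learning rates swapped in.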