Inverting Gradient Attacks Makes Powerful Data Poisoning
Authors: Wassim Bouaziz, Nicolas Usunier, El-Mahdi El-Mhamdi
TMLR 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In our experiments, we exhibit a successful availability attack on neural network architectures, trained on an image classification task with different optimization algorithms, even when protected by a defense mechanism against gradient attacks. We show that: (1) the additional constraints under which data poisoning attacks operate, compared to gradient attacks, make them overall less effective than plain gradient attacks, and (2) the severity of data poisoning attacks covers the same range as gradient attacks, including availability attacks, even on non-convex neural networks. (...) 5 Experiments |
| Researcher Affiliation | Collaboration | Wassim (Wes) Bouaziz EMAIL Meta, FAIR & CMAP, École polytechnique Nicolas Usunier Work done at Meta, FAIR El-Mahdi El-Mhamdi CMAP, École polytechnique |
| Pseudocode | No | The paper refers to 'Algorithm 1 in Steinhardt et al. (2017)' but does not present any pseudocode or algorithm blocks within its own text. |
| Open Source Code | Yes | Code available at https://github.com/wesbz/inverting-gradient. |
| Open Datasets | Yes | In our experiments, we consider an image classification task on the CIFAR10 dataset on which the attacker can tamper with messages (data point or gradient depending on the learning setting). |
| Dataset Splits | No | We demonstrate our poisoning procedure on a custom convolutional neural network (described in Table 5 in Appendix B) and on Vision Transformers models (ViT-tiny models with patch size 8) trained for 50 epochs on the CIFAR10 dataset partitioned in training, validation, and auxiliary datasets. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used for running the experiments, such as GPU or CPU models. |
| Software Dependencies | No | The paper mentions using 'SGD and Adam update algorithms' and 'Average and Multi Krum aggregators' but does not provide specific software dependencies with version numbers for replication. |
| Experiment Setup | Yes | Model & dataset We demonstrate our poisoning procedure on a custom convolutional neural network (described in Table 5 in Appendix B) and on Vision Transformers models (ViT-tiny models with patch size 8) trained for 50 epochs on the CIFAR10 dataset partitioned in training, validation, and auxiliary datasets. We use different optimization algorithms and aggregation rules to train the models: SGD & Average, Adam & Average, SGD & Multi Krum (with different levels of data truncation f ∈ {0.1, 0.2, 0.4}). (...) In every setting, the learning rate is fixed to the value where the learner achieves the best performance without any poisoning, to set a baseline for the performance of the model. |