CRLG · Nov 18, 2020

Strong Data Augmentation Sanitizes Poisoning and Backdoor Attacks Without an Accuracy Tradeoff

arXiv:2011.09527v1 · 151 citations
AI Analysis

This work addresses the growing concern of data poisoning and backdoor attacks for machine learning practitioners, offering a simple yet effective defense that does not degrade model performance.

This paper examines whether strong data augmentations such as mixup and CutMix mitigate data poisoning and backdoor attacks. The authors find that these augmentations substantially reduce the effectiveness of such attacks without sacrificing model performance; in the backdoor setting, CutMix both weakens the attack and raises validation accuracy by 9%.

Data poisoning and backdoor attacks manipulate victim models by maliciously modifying training data. In light of this growing threat, a recent survey of industry professionals revealed heightened fear in the private sector regarding data poisoning. Many previous defenses against poisoning either fail in the face of increasingly strong attacks, or they significantly degrade performance. However, we find that strong data augmentations, such as mixup and CutMix, can significantly diminish the threat of poisoning and backdoor attacks without trading off performance. We further verify the effectiveness of this simple defense against adaptive poisoning methods, and we compare to baselines including the popular differentially private SGD (DP-SGD) defense. In the context of backdoors, CutMix greatly mitigates the attack while simultaneously increasing validation accuracy by 9%.
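The abstract names mixup and CutMix but does not show what they do to a poisoned batch. The numpy block below is an added example written for this listing; it is not code from the paper or its repository. It implements both augmentations and then stamps a constructed patch-style trigger (an assumed 3x3 white square in the bottom-right corner) on a fraction of a constructed random batch, measuring how many images still carry an intact trigger afterwards. Image size, trigger shape, poisoning rate and RNG seed are all assumptions made here.

```python
"""Mixup and CutMix in numpy, plus a toy measurement of how they dilute a
patch-style backdoor trigger.

Added example for this listing, not code from the paper or its repository.
The image size, the 3x3 white-square trigger, the poisoning rate and the
RNG seed are assumptions chosen for illustration.
"""
import numpy as np

TRIGGER = 3  # assumed trigger: a TRIGGER x TRIGGER white square, bottom-right corner


def mixup(x, y, rng, alpha=1.0):
    """Mixup: convex combination of each example with a randomly paired one.

    x: (n, h, w, c) float images; y: (n, k) one-hot labels. Returns mixed
    images, mixed (soft) labels and the mixing weight lam ~ Beta(alpha, alpha).
    """
    lam = float(rng.beta(alpha, alpha))
    perm = rng.permutation(x.shape[0])
    x_mix = lam * x + (1.0 - lam) * x[perm]
    y_mix = lam * y + (1.0 - lam) * y[perm]
    return x_mix, y_mix, lam


def rand_bbox(h, w, lam, rng):
    """CutMix box with area fraction about (1 - lam), clipped to the image."""
    ratio = np.sqrt(1.0 - lam)
    cut_h, cut_w = int(h * ratio), int(w * ratio)
    cy, cx = int(rng.integers(h)), int(rng.integers(w))
    y1, y2 = np.clip(cy - cut_h // 2, 0, h), np.clip(cy + cut_h // 2, 0, h)
    x1, x2 = np.clip(cx - cut_w // 2, 0, w), np.clip(cx + cut_w // 2, 0, w)
    return int(y1), int(y2), int(x1), int(x2)


def cutmix(x, y, rng, alpha=1.0):
    """CutMix: paste one rectangular region from a paired example and mix the
    labels in proportion to the pasted area (lam recomputed from the clipped box)."""
    n, h, w, _ = x.shape
    lam = float(rng.beta(alpha, alpha))
    perm = rng.permutation(n)
    y1, y2, x1, x2 = rand_bbox(h, w, lam, rng)
    x_mix = x.copy()
    x_mix[:, y1:y2, x1:x2, :] = x[perm, y1:y2, x1:x2, :]
    lam = 1.0 - (y2 - y1) * (x2 - x1) / float(h * w)
    y_mix = lam * y + (1.0 - lam) * y[perm]
    return x_mix, y_mix, lam


def trigger_stats(x):
    """(mean intensity of the trigger region over the batch,
        number of images whose trigger region is fully white, i.e. intact)."""
    region = x[:, -TRIGGER:, -TRIGGER:, :]
    intact = int(np.sum(np.all(region >= 1.0 - 1e-9, axis=(1, 2, 3))))
    return float(region.mean()), intact


def backdoor_dilution(n=64, h=32, w=32, classes=10, poison_rate=0.1, seed=0):
    """Constructed batch: random 'clean' images in [0, 0.5) with a white trigger
    stamped on the first poison_rate*n images. Returns trigger mass and
    intact-trigger counts before and after each augmentation, plus each lam."""
    rng = np.random.default_rng(seed)
    x = rng.random((n, h, w, 3)) * 0.5
    y = np.eye(classes)[rng.integers(classes, size=n)]
    n_poison = int(poison_rate * n)
    x[:n_poison, -TRIGGER:, -TRIGGER:, :] = 1.0  # constructed trigger

    mass0, intact0 = trigger_stats(x)
    x_mu, y_mu, lam_mu = mixup(x, y, rng)
    x_cm, y_cm, lam_cm = cutmix(x, y, rng)
    return {
        "poisoned": n_poison,
        "before": (mass0, intact0),
        "mixup": trigger_stats(x_mu) + (lam_mu,),
        "cutmix": trigger_stats(x_cm) + (lam_cm,),
        # label rows must remain valid distributions after both augmentations
        "labels_ok": bool(np.allclose(y_mu.sum(1), 1.0) and np.allclose(y_cm.sum(1), 1.0)),
    }


if __name__ == "__main__":
    for key, value in backdoor_dilution().items():
        print(key, value)
```

Two properties are worth noticing when running it. The mean trigger intensity over the batch is unchanged by either augmentation, because mixup and CutMix only redistribute pixel values among the images of one batch; what drops is the number of images that carry the trigger intact, and every image that still carries it now has a label that is partly its partner's. That is the mechanism by which the trigger-to-label correlation a backdoor relies on gets weakened, which is the effect the paper measures.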

Code Implementations: 1 repo
