Poisoning the Unlabeled Dataset of Semi-Supervised Learning
This reveals a critical security flaw in widely used semi-supervised learning methods, which is incremental in exposing a new attack vector but has broad implications for model reliability.
The paper tackles the vulnerability of semi-supervised learning models to poisoning attacks on unlabeled datasets, showing that inserting just 0.1% malicious examples can manipulate models to misclassify arbitrary test examples as any desired label.
Semi-supervised machine learning models learn from a (small) set of labeled training examples, and a (large) set of unlabeled training examples. State-of-the-art models can reach within a few percentage points of fully-supervised training, while requiring 100x less labeled data. We study a new class of vulnerabilities: poisoning attacks that modify the unlabeled dataset. In order to be useful, unlabeled datasets are given strictly less review than labeled datasets, and adversaries can therefore poison them easily. By inserting maliciously-crafted unlabeled examples totaling just 0.1% of the dataset size, we can manipulate a model trained on this poisoned dataset to misclassify arbitrary examples at test time (as any desired label). Our attacks are highly effective across datasets and semi-supervised learning methods. We find that more accurate methods (thus more likely to be used) are significantly more vulnerable to poisoning attacks, and as such better training methods are unlikely to prevent this attack. To counter this we explore the space of defenses, and propose two methods that mitigate our attack.