Adversarial Examples Make Strong Poisons
This work addresses the challenge of secure dataset release for machine learning practitioners by introducing a more potent poisoning method, though it is incremental in building on adversarial example techniques.
The paper tackles the problem of data poisoning by showing that adversarial examples, originally designed for evasion attacks, are more effective for poisoning training data than existing methods, achieving substantially stronger obfuscation for secure dataset release as demonstrated with ImageNet-P.
The adversarial machine learning literature is largely partitioned into evasion attacks on testing data and poisoning attacks on training data. In this work, we show that adversarial examples, originally intended for attacking pre-trained models, are even more effective for data poisoning than recent methods designed specifically for poisoning. Our findings indicate that adversarial examples, when assigned the original label of their natural base image, cannot be used to train a classifier for natural images. Furthermore, when adversarial examples are assigned their adversarial class label, they are useful for training. This suggests that adversarial examples contain useful semantic content, just with the ``wrong'' labels (according to a network, but not a human). Our method, adversarial poisoning, is substantially more effective than existing poisoning methods for secure dataset release, and we release a poisoned version of ImageNet, ImageNet-P, to encourage research into the strength of this form of data obfuscation.