Towards One Shot Search Space Poisoning in Neural Architecture Search
This exposes a security vulnerability in NAS algorithms, which is important for researchers and practitioners deploying automated machine learning systems.
The paper demonstrates that the ENAS neural architecture search algorithm is vulnerable to data-agnostic poisoning attacks, where injecting just two ineffective operations into the search space can degrade prediction error rates by up to 90% on CIFAR-10.
We evaluate the robustness of a Neural Architecture Search (NAS) algorithm known as Efficient NAS (ENAS) against data agnostic poisoning attacks on the original search space with carefully designed ineffective operations. We empirically demonstrate how our one shot search space poisoning approach exploits design flaws in the ENAS controller to degrade predictive performance on classification tasks. With just two poisoning operations injected into the search space, we inflate prediction error rates for child networks upto 90% on the CIFAR-10 dataset.