LG | May 26, 2022

BagFlip: A Certified Defense against Data Poisoning

arXiv:2205.13634v2, 31 citations, h-index: 29
AI Analysis

This paper addresses a critical security problem for machine learning practitioners by providing a certified defense against data poisoning, though it appears incremental because it builds on existing defense approaches.

The paper tackles the vulnerability of machine learning models to data-poisoning attacks, both trigger-less and backdoor, by introducing BagFlip, a model-agnostic certified defense that matches or exceeds state-of-the-art methods on trigger-less attacks and exceeds them on backdoor attacks.

Machine learning models are vulnerable to data-poisoning attacks, in which an attacker maliciously modifies the training set to change the prediction of a learned model. In a trigger-less attack, the attacker can modify the training set but not the test inputs, while in a backdoor attack the attacker can also modify test inputs. Existing model-agnostic defense approaches either cannot handle backdoor attacks or do not provide effective certificates (i.e., a proof of a defense). We present BagFlip, a model-agnostic certified approach that can effectively defend against both trigger-less and backdoor attacks. We evaluate BagFlip on image classification and malware detection datasets. BagFlip is equal to or more effective than the state-of-the-art approaches for trigger-less attacks and more effective than the state-of-the-art approaches for backdoor attacks.

Code Implementations: 1 repo