LG, AI, CR, CY | Dec 21, 2022

Hidden Poison: Machine Unlearning Enables Camouflaged Poisoning Attacks

arXiv:2212.10717v2 | 67 citations | h-index: 34
Originality: Highly original
AI Analysis

The paper exposes a new security vulnerability in machine unlearning and retraining settings, posing risks for systems that rely on data removal mechanisms.

The paper introduces camouflaged poisoning attacks, a form of data poisoning in which an adversary adds crafted points to the training data with minimal initial impact and then triggers their removal to unleash the attack. The result is targeted misclassification of specific test points on datasets such as CIFAR-10.

We introduce camouflaged data poisoning attacks, a new attack vector that arises in the context of machine unlearning and other settings when model retraining may be induced. An adversary first adds a few carefully crafted points to the training dataset such that the impact on the model's predictions is minimal. The adversary subsequently triggers a request to remove a subset of the introduced points, at which point the attack is unleashed and the model's predictions are negatively affected. In particular, we consider clean-label targeted attacks (in which the goal is to cause the model to misclassify a specific test point) on datasets including CIFAR-10, Imagenette, and Imagewoof. This attack is realized by constructing camouflage datapoints that mask the effect of a poisoned dataset.

Code Implementations: 1 repo