LGCR · May 9, 2024

Hard Work Does Not Always Pay Off: Poisoning Attacks on Neural Architecture Search

arXiv:2405.06073v1 · Trans. Mach. Learn. Res.
Originality: Incremental advance
AI Analysis

This work highlights a security risk for researchers and practitioners using data-centric NAS methods, showing that these approaches are not robust to distribution shifts, which is an incremental finding building on existing attack techniques.

The paper tackles the vulnerability of neural architecture search (NAS) to data poisoning attacks, demonstrating that injecting clean-label poisoning samples into training data can prevent NAS algorithms from finding optimal architectures, with random label-flipping proving even more effective in generating sub-optimal results.

In this paper, we study the robustness of "data-centric" approaches to finding neural network architectures (known as neural architecture search) to data distribution shifts. To audit this robustness, we present a data poisoning attack that, when injected into the training data used for architecture search, can prevent the victim algorithm from finding an architecture with optimal accuracy. We first define the attack objective for crafting poisoning samples that can induce the victim to generate sub-optimal architectures. To this end, we weaponize existing search algorithms to generate adversarial architectures that serve as our objectives. We also present techniques that the attacker can use to significantly reduce the computational costs of crafting poisoning samples. In an extensive evaluation of our poisoning attack on a representative architecture search algorithm, we show its surprising robustness. Because our attack employs clean-label poisoning, we also evaluate its robustness against label noise. We find that random label-flipping is more effective in generating sub-optimal architectures than our clean-label attack. Our results suggest that care must be taken with the data this emerging approach uses, and future work is needed to develop robust algorithms.
