SM
S. Mendez
info
Please Note
<p>This page displays the records of the person named above and is not linked to a unique person identifier. This record may need to be merged to a profile.</p>
2 records found
1
Backdoor Attacks in Active Learning
An Extensive Analysis of Backdoor Injection in Active Learning-Trained Computer Vision Models
Deep learning sustained great success in several domains, particularly in computer vision, where it facilitates tasks such as image classification and object recognition. However, one significant challenge in deep learning is data labeling, due to the high cost and effort required for human annotators to go over this process manually. Active learning addresses this problem by selecting a smaller amount of the most relevant data for this labeling process, maximizing efficiency. Despite its advantages, active learning presents new security threats. In particular, backdoor attacks, where adversaries poison part of the training data to modify the behavior of the model in the presence of a hidden trigger. Although backdoor attacks have been extensively studied in traditional deep learning contexts, their impact on active learning remains largely uncertain.
Here, the vulnerabilities of active learning against backdoor attacks in computer vision models were analyzed. Various configurations, datasets and deep learning models were used to evaluate their effectiveness. Backdoor attacks managed to hit ASR values over 95% with just 1% of the data being poisoned on simple datasets like MNIST, particularly when using certainty-based sampling and CNNs. More complex datasets like CIFAR-10 and models like ResNet proved to be more resilient. Furthermore, different attack techniques were explored, such as progressive parameter adjustment, sub-trigger division and clean label attacks on advanced backdoor triggers like LIRA and WaNet. The analysis revealed that although global LIRA triggers were the most effective, sub-trigger and progressive poisoning methods offered promising alternatives, especially because they allow poisoning smaller parts of images across training cycles. Additionally, it is revealed that attack success in clean-label scenarios was highly dependent on the number of poisoned samples per cycle, due to the post-query constraint that only allows poisoning already-selected samples, often limiting impact when the target label appears infrequently. Finally, different poisoning timings were compared. From this, post-query poisoning consistently outperformed pre-query methods in terms of ASR, even at low poison rates. However, it also pointed out that this approach has its limitations in real-world scenarios, where attackers usually do not have control over the samples being queried. Clean accuracy remained unaltered to a large extent, demonstrating the stealth and hidden threat of backdoor attacks in active learning settings.
...
Here, the vulnerabilities of active learning against backdoor attacks in computer vision models were analyzed. Various configurations, datasets and deep learning models were used to evaluate their effectiveness. Backdoor attacks managed to hit ASR values over 95% with just 1% of the data being poisoned on simple datasets like MNIST, particularly when using certainty-based sampling and CNNs. More complex datasets like CIFAR-10 and models like ResNet proved to be more resilient. Furthermore, different attack techniques were explored, such as progressive parameter adjustment, sub-trigger division and clean label attacks on advanced backdoor triggers like LIRA and WaNet. The analysis revealed that although global LIRA triggers were the most effective, sub-trigger and progressive poisoning methods offered promising alternatives, especially because they allow poisoning smaller parts of images across training cycles. Additionally, it is revealed that attack success in clean-label scenarios was highly dependent on the number of poisoned samples per cycle, due to the post-query constraint that only allows poisoning already-selected samples, often limiting impact when the target label appears infrequently. Finally, different poisoning timings were compared. From this, post-query poisoning consistently outperformed pre-query methods in terms of ASR, even at low poison rates. However, it also pointed out that this approach has its limitations in real-world scenarios, where attackers usually do not have control over the samples being queried. Clean accuracy remained unaltered to a large extent, demonstrating the stealth and hidden threat of backdoor attacks in active learning settings.
...
Deep learning sustained great success in several domains, particularly in computer vision, where it facilitates tasks such as image classification and object recognition. However, one significant challenge in deep learning is data labeling, due to the high cost and effort required for human annotators to go over this process manually. Active learning addresses this problem by selecting a smaller amount of the most relevant data for this labeling process, maximizing efficiency. Despite its advantages, active learning presents new security threats. In particular, backdoor attacks, where adversaries poison part of the training data to modify the behavior of the model in the presence of a hidden trigger. Although backdoor attacks have been extensively studied in traditional deep learning contexts, their impact on active learning remains largely uncertain.
Here, the vulnerabilities of active learning against backdoor attacks in computer vision models were analyzed. Various configurations, datasets and deep learning models were used to evaluate their effectiveness. Backdoor attacks managed to hit ASR values over 95% with just 1% of the data being poisoned on simple datasets like MNIST, particularly when using certainty-based sampling and CNNs. More complex datasets like CIFAR-10 and models like ResNet proved to be more resilient. Furthermore, different attack techniques were explored, such as progressive parameter adjustment, sub-trigger division and clean label attacks on advanced backdoor triggers like LIRA and WaNet. The analysis revealed that although global LIRA triggers were the most effective, sub-trigger and progressive poisoning methods offered promising alternatives, especially because they allow poisoning smaller parts of images across training cycles. Additionally, it is revealed that attack success in clean-label scenarios was highly dependent on the number of poisoned samples per cycle, due to the post-query constraint that only allows poisoning already-selected samples, often limiting impact when the target label appears infrequently. Finally, different poisoning timings were compared. From this, post-query poisoning consistently outperformed pre-query methods in terms of ASR, even at low poison rates. However, it also pointed out that this approach has its limitations in real-world scenarios, where attackers usually do not have control over the samples being queried. Clean accuracy remained unaltered to a large extent, demonstrating the stealth and hidden threat of backdoor attacks in active learning settings.
Here, the vulnerabilities of active learning against backdoor attacks in computer vision models were analyzed. Various configurations, datasets and deep learning models were used to evaluate their effectiveness. Backdoor attacks managed to hit ASR values over 95% with just 1% of the data being poisoned on simple datasets like MNIST, particularly when using certainty-based sampling and CNNs. More complex datasets like CIFAR-10 and models like ResNet proved to be more resilient. Furthermore, different attack techniques were explored, such as progressive parameter adjustment, sub-trigger division and clean label attacks on advanced backdoor triggers like LIRA and WaNet. The analysis revealed that although global LIRA triggers were the most effective, sub-trigger and progressive poisoning methods offered promising alternatives, especially because they allow poisoning smaller parts of images across training cycles. Additionally, it is revealed that attack success in clean-label scenarios was highly dependent on the number of poisoned samples per cycle, due to the post-query constraint that only allows poisoning already-selected samples, often limiting impact when the target label appears infrequently. Finally, different poisoning timings were compared. From this, post-query poisoning consistently outperformed pre-query methods in terms of ASR, even at low poison rates. However, it also pointed out that this approach has its limitations in real-world scenarios, where attackers usually do not have control over the samples being queried. Clean accuracy remained unaltered to a large extent, demonstrating the stealth and hidden threat of backdoor attacks in active learning settings.
The alignment of behavior support systems with our personal values becomes increasingly important as behavior support systems continue to influence our daily lives. The purpose of this paper was to explore the use of graphical interfaces and isolation questions to elicit personal values and build accurate user models. An experiment was conducted in two phases to assess the accuracy and usability of the created interface. A comparison was also made with other types of interfaces developed within the research group. This experiment provided valuable insights but also held some limitations. The findings form a valuable contribution for future research and development in building responsible AI and personalized assistance from behavior support agents.
...
...
The alignment of behavior support systems with our personal values becomes increasingly important as behavior support systems continue to influence our daily lives. The purpose of this paper was to explore the use of graphical interfaces and isolation questions to elicit personal values and build accurate user models. An experiment was conducted in two phases to assess the accuracy and usability of the created interface. A comparison was also made with other types of interfaces developed within the research group. This experiment provided valuable insights but also held some limitations. The findings form a valuable contribution for future research and development in building responsible AI and personalized assistance from behavior support agents.