Poisoning Attack

Poisoning attacks are a class of adversarial attack that corrupt the training process of machine learning models by manipulating the data the model is trained on.

PAPER LIST

1. Adversarial Perturbation-based Poisoning Attack

1.1 Targeted Poisoning Attack

  • [2021] Bullseye polytope: A scalable clean-label poisoning attack with improved transferability. [paper]
  • [2020] MetaPoison: Practical general-purpose clean-label data poisoning. [paper]
  • [2020] Witches' brew: Industrial scale data poisoning via gradient matching. [paper]
  • [2019] Transferable clean-label poisoning attacks on deep neural nets. [paper]
  • [2018] Poison Frogs! Targeted clean-label poisoning attacks on neural networks. [paper]
  • [2017] Towards poisoning of deep learning algorithms with back-gradient optimization. [paper]

1.2 Backdoor (Trojan) Attack

  • [2023] Not all samples are born equal: Towards effective clean-label backdoor attacks. [paper]

  • [2023] Narcissus: A practical clean-label backdoor attack with limited information. [paper]

  • [2023] An imperceptible data augmentation based blackbox clean-label backdoor attack on deep neural networks. [paper]

  • [2021] Rethinking the backdoor attacks' triggers: A frequency perspective. [paper]

  • [2021] LIRA: Learnable, imperceptible and robust backdoor attacks. [paper]

  • [2021] Invisible backdoor attack with sample-specific triggers. [paper]

  • [2020] WaNet: Imperceptible warping-based backdoor attack. [paper]

  • [2020] Reflection backdoor: A natural backdoor attack on deep neural networks. [paper]

  • [2020] Backdoor embedding in convolutional neural network models via invisible perturbation. [paper]

  • [2020] Input-aware dynamic backdoor attack. [paper]

  • [2020] Invisible backdoor attacks on deep neural networks via steganography and regularization. [paper]

  • [2019] A new backdoor attack in CNNs by training set corruption without label poisoning. [paper]

  • [2019] Label-consistent backdoor attacks. [paper]

  • [2018] Trojaning attack on neural networks. [paper]

  • [2017] Targeted backdoor attacks on deep learning systems using data poisoning. [paper]

  • [2017] BadNets: Identifying vulnerabilities in the machine learning model supply chain. [paper]

1.3 Untargeted (Availability-Delusive-Indiscriminate) Attack

  • [2024] Stable unlearnable example: Enhancing the robustness of unlearnable examples via stable error-minimizing noise. [paper]
  • [2023] Transferable unlearnable examples. [paper]
  • [2023] Unlearnable clusters: Towards label-agnostic unlearnable examples. [paper]
  • [2023] CUDA: Convolution-based unlearnable datasets. [paper]
  • [2022] Availability attacks create shortcuts. [paper]
  • [2022] Indiscriminate poisoning attacks on unsupervised contrastive learning. [paper]
  • [2021] Neural tangent generalization attacks. [paper]
  • [2021] Adversarial examples make strong poisons. [paper]
  • [2021] Robust unlearnable examples: Protecting data privacy against adversarial learning. [paper]
  • [2020] Unlearnable examples: Making personal data unexploitable. [paper]
  • [2019] Learning to confuse: Generating training time adversarial data with auto-encoder. [paper]
  • [2018] Neural tangent kernel: Convergence and generalization in neural networks. [paper]
  • [2017] Towards poisoning of deep learning algorithms with back-gradient optimization. [paper]

1.4 Transferability

1.4.1 General Scenarios

  • [2024] Sharpness-aware data poisoning attack. [paper]
  • [2023] Unlearnable clusters: Towards label-agnostic unlearnable examples. [paper]
  • [2023] Transferable unlearnable examples. [paper]
  • [2021] Just how toxic is data poisoning? A unified benchmark for backdoor and data poisoning attacks. [paper]
  • [2021] Bullseye polytope: A scalable clean-label poisoning attack with improved transferability. [paper]
  • [2020] MetaPoison: Practical general-purpose clean-label data poisoning. [paper]
  • [2020] Witches' brew: Industrial scale data poisoning via gradient matching. [paper]
  • [2019] Transferable clean-label poisoning attacks on deep neural nets. [paper]
  • [2019] Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. [paper]

1.4.2 Downstream-agnostic Attack

Targeted Poisoning

  • [2022] PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning. [paper]

Backdoor Attack

  • [2024] Data poisoning based backdoor attacks to contrastive learning. [paper]

  • [2023] An embarrassingly simple backdoor attack on self-supervised learning. [paper]

  • [2023] Distribution preserving backdoor attack in self-supervised learning. [paper]

  • [2022] BadEncoder: Backdoor attacks to pre-trained encoders in self-supervised learning. [paper]

  • [2022] Backdoor attacks on self-supervised learning. [paper]

Untargeted Attack

  • [2022] Indiscriminate poisoning attacks on unsupervised contrastive learning. [paper]

1.5 Imperceptibility

  • [2024] A dual stealthy backdoor: From both spatial and frequency perspectives. [paper]

  • [2024] SPY-watermark: Robust invisible watermarking for backdoor attack. [paper]

  • [2023] Clean-label poisoning attack with perturbation causing dominant features. [paper]

  • [2022] Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch. [paper]

  • [2022] Dynamic backdoor attacks against machine learning models. [paper]

  • [2021] Deep feature space trojan attack of neural networks by controlled detoxification. [paper]

  • [2021] Rethinking the backdoor attacks' triggers: A frequency perspective. [paper]

  • [2021] Bullseye polytope: A scalable clean-label poisoning attack with improved transferability. [paper]

  • [2020] Invisible backdoor attacks on deep neural networks via steganography and regularization. [paper]

  • [2020] Input-aware dynamic backdoor attack. [paper]

  • [2020] Backdooring and poisoning neural networks with image-scaling attacks. [paper]

  • [2020] Reflection backdoor: A natural backdoor attack on deep neural networks. [paper]

  • [2020] Backdoor embedding in convolutional neural network models via invisible perturbation. [paper]

  • [2020] Hidden trigger backdoor attacks. [paper]

  • [2019] Transferable clean-label poisoning attacks on deep neural nets. [paper]

  • [2019] A new backdoor attack in CNNs by training set corruption without label poisoning. [paper]

  • [2018] Poison Frogs! Targeted clean-label poisoning attacks on neural networks. [paper]

1.6 Label-agnostic Attack

  • [2023] Unlearnable clusters: Towards label-agnostic unlearnable examples. [paper]

1.7 Poisoning against Defense

  • [2024] Stable unlearnable example: Enhancing the robustness of unlearnable examples via stable error-minimizing noise. [paper]

  • [2024] Re-thinking data availability attacks against deep neural networks. [paper]

  • [2024] SPY-watermark: Robust invisible watermarking for backdoor attack. [paper]

  • [2021] How robust are randomized smoothing based defenses to data poisoning? [paper]

  • [2021] Robust unlearnable examples: Protecting data privacy against adversarial learning. [paper]

  • [2020] Input-aware dynamic backdoor attack. [paper]

  • [2020] WaNet: Imperceptible warping-based backdoor attack. [paper]

1.8 Connection between Evasion Attack and Poisoning Attack

  • [2022] Can adversarial training be manipulated by non-robust features? [paper]
  • [2021] Adversarial examples make strong poisons. [paper]

1.9 Poisoning against Vision Transformer

  • [2024] A closer look at robustness of vision transformers to backdoor attacks. [paper]
  • [2023] Defending backdoor attacks on vision transformer via patch processing. [paper]
  • [2023] TrojViT: Trojan insertion in vision transformers. [paper]

2. Non-adversarial Perturbation-based Poisoning Attack

  • [2023] BATT: Backdoor attack with transformation-based triggers. [paper]
  • [2021] Adversarial examples make strong poisons. [paper]