Paper 2018/854

Universal Multi-Party Poisoning Attacks

Saeed Mahloujifar, Mahammad Mahmoody, and Ameer Mohammed

Abstract

In this work, we demonstrate universal multi-party poisoning attacks that adapt and apply to any multi-party learning process with arbitrary interaction pattern between the parties. More generally, we introduce and study $(k,p)$-poisoning attacks in which an adversary controls $k\in [m]$ of the parties, and for each corrupted party $P_i$, the adversary submits some poisoned data $T_i^{\prime }$ on behalf of $P_i$ that is still "$(1-p)$-close" to the correct data $T_i$ (e.g., $1-p$ fraction of $T_i^{\prime }$ is still honestly generated). We prove that for any "bad" property $B$ of the final trained hypothesis $h$ (e.g., $h$ failing on a particular test example or having "large" risk) that has an arbitrarily small constant probability of happening without the attack, there always is a $(k,p)$-poisoning attack that increases the probability of $B$ from $\mu$ to by ${\mu }^{1-p\cdot k/m}=\mu +\mathrm{\Omega }(p\cdot k/m)$. Our attack only uses clean labels, and it is online. More generally, we prove that for any bounded function $$ defined over an $$-step random process $$, an adversary who can override each of the $$ blocks with \emph{even dependent} probability $$ can increase the expected output by at least $$.