More Like this

1. Revisiting Data-Free Knowledge Distillation with Poisoned Teachers

   Hong, Junyuan; Zeng, Yi; Yu, Shuyang; Lyu, Lingjuan; Jia, Ruoxi; Zhou, Jiayu (July 2023, Proceedings of the 40th International Conference on Machine Learning)

   Data-free knowledge distillation (KD) helps transfer knowledge from a pre-trained model (known as the teacher model) to a smaller model (known as the student model) without access to the original training data used for training the teacher model. However, the security of the synthetic or out-of-distribution (OOD) data required in data-free KD is largely unknown and under-explored. In this work, we make the first effort to uncover the security risk of data-free KD w.r.t. untrusted pre-trained models. We then propose Anti-Backdoor Data-Free KD (ABD), the first plug-in defensive method for data-free KD methods to mitigate the chance of potential backdoors being transferred. We empirically evaluate the effectiveness of our proposed ABD in diminishing transferred backdoor knowledge while maintaining compatible downstream performances as the vanilla KD. We envision this work as a milestone for alarming and mitigating the potential backdoors in data-free KD. Codes are released at https://github.com/illidanlab/ABD . 

   more » « less
2. A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models

   Pang, R.; Shen, H.; Zhang, X.; Ji, S.; Vorobeychik, Y.; Luo, X.; Liu, A.; Wang, T. (January 2020, The 27th ACM Conference on Computer and Communications Security)
3. A Tale of Evil Twins: Adversarial Inputs versus Poisoned Models

   Pang, Ren; Shen, Hua; Zhang, Xinyang; Ji, Shouling; Vorobeychik, Yevgeniy; Luo, Xiapu; Liu, Alex; Wang, Ting (January 2020, Proceedings of the ACM Conference on Computer and Communications Security)

   Despite their tremendous success in a range of domains, deep learning systems are inherently susceptible to two types of manipulations: adversarial inputs -- maliciously crafted samples that deceive target deep neural network (DNN) models, and poisoned models -- adversely forged DNNs that misbehave on pre-defined inputs. While prior work has intensively studied the two attack vectors in parallel, there is still a lack of understanding about their fundamental connections: what are the dynamic interactions between the two attack vectors? what are the implications of such interactions for optimizing existing attacks? what are the potential countermeasures against the enhanced attacks? Answering these key questions is crucial for assessing and mitigating the holistic vulnerabilities of DNNs deployed in realistic settings. Here we take a solid step towards this goal by conducting the first systematic study of the two attack vectors within a unified framework. Specifically, (i) we develop a new attack model that jointly optimizes adversarial inputs and poisoned models; (ii) with both analytical and empirical evidence, we reveal that there exist intriguing "mutual reinforcement" effects between the two attack vectors -- leveraging one vector significantly amplifies the effectiveness of the other; (iii) we demonstrate that such effects enable a large design spectrum for the adversary to enhance the existing attacks that exploit both vectors (e.g., backdoor attacks), such as maximizing the attack evasiveness with respect to various detection methods; (iv) finally, we discuss potential countermeasures against such optimized attacks and their technical challenges, pointing to several promising research directions. 

   more » « less
4. Competitive Transient Electrostatic Adsorption for In Situ Regeneration of Poisoned Catalyst

   https://doi.org/10.1002/cctc.201802055  

   Pan, Yanbo; Shen, Xiaochen; Yao, Libo; Bentalib, Abdulaziz; Yang, Jinlong; Zeng, Jie; Peng, Zhenmeng (February 2019, ChemCatChem)
5. Mind Control through Causal Inference: Predicting Clean Images from Poisoned Data

   Hu, Mengxuan; Guan, Zihan; Zeng, Yi; Guo, Junfeng; Zhou, Zhongliang; Zhang, Jielu; Jia, Ruoxi; Vullikanti, Anil; Li, Sheng (January 2025, International Conference on Learning Representations (ICLR))