On the Effectiveness of Mitigating Data Poisoning Attacks with Gradient Shaping

TL;DR

This work reframes data poisoning as a gradient-centric threat by showing that poisoned training samples consistently produce gradients with higher $||g_p||_2$ norms and distinct orientations compared to clean gradients, enabling an attack-agnostic defense via gradient shaping. The authors instantiate this principle with DP-SGD, clipping per-sample gradients and injecting noise to bound both magnitude and angular differences, and they demonstrate improved robustness against indiscriminate and some targeted attacks across LR, MLP, and CNN models on Purchase-100, FashionMNIST, and CIFAR-10. While DP-SGD reduces attacker efficacy in several scenarios and increases the attacker’s cost in multi-poison settings, it struggles against strong, unrealistic indiscriminate attacks, highlighting the need for more advanced gradient-shaping mechanisms. Overall, the paper provides a unified gradient-based view of poisoning threats and shows gradient shaping as a promising direction for future defenses that do not rely on data sanitization, with DP-SGD serving as a readily applicable, if imperfect, instantiation.

Abstract

Machine learning algorithms are vulnerable to data poisoning attacks. Prior taxonomies that focus on specific scenarios, e.g., indiscriminate or targeted, have enabled defenses for the corresponding subset of known attacks. Yet, this introduces an inevitable arms race between adversaries and defenders. In this work, we study the feasibility of an attack-agnostic defense relying on artifacts that are common to all poisoning attacks. Specifically, we focus on a common element between all attacks: they modify gradients computed to train the model. We identify two main artifacts of gradients computed in the presence of poison: (1) their $\ell_2$ norms have significantly higher magnitudes than those of clean gradients, and (2) their orientation differs from clean gradients. Based on these observations, we propose the prerequisite for a generic poisoning defense: it must bound gradient magnitudes and minimize differences in orientation. We call this gradient shaping. As an exemplar tool to evaluate the feasibility of gradient shaping, we use differentially private stochastic gradient descent (DP-SGD), which clips and perturbs individual gradients during training to obtain privacy guarantees. We find that DP-SGD, even in configurations that do not result in meaningful privacy guarantees, increases the model's robustness to indiscriminate attacks. It also mitigates worst-case targeted attacks and increases the adversary's cost in multi-poison scenarios. The only attack we find DP-SGD to be ineffective against is a strong, yet unrealistic, indiscriminate attack. Our results suggest that, while we currently lack a generic poisoning defense, gradient shaping is a promising direction for future research.

Figures (12)

• Figure 1: Gradient Analysis Based on the Intensity of Poisoning Mechanisms. We illustrate the magnitude ratios (the upper row) and the orientation differences (the lower row) during training in three scenarios: (1) an LR model is trained from scratch on multiple poisons that cause feature collisions; (2) we re-train an MLP model on multiple poisons causing feature collisions; and (3) the same MLP model is re-trained on 1% of poisons that cause feature insertion. Each column corresponds to each scenario.
• Figure 2: FashionMNIST Images Used in Our Gradient Analysis. The upper row contains the interpolated samples with different interpolation ratios $\alpha$, and the bottom row shows the samples with different sizes of additional features.
• Figure 3: Illustration of How Gradient Shaping Mitigates Poisoning. This is a contour line visualization of the model's loss for different values of its parameters; each arrow corresponds to the gradients computed from poisons or clean samples, each dashed arrow indicates the step taken when computing a single model update, and each dot is a set of parameters obtained after one or more steps of gradient descent from the random initialization. This abstract representation helps understand how the property mitigates data poisoning.
• Figure 4: Effectiveness of Training Models with DP Optimizers against Indiscriminate Poisoning Attacks. We illustrate the RADs of the vanilla- and DP-models in the random LF attacks (upper) and the SOTA attacks (lower). We show that training with DP-Adam is effective in mitigating the random LF attacks whereas DP-Adam cannot defeat the SOTA attacks. In the right column, we also show the magnitude difference as a ratio between poison and clean gradients in both the attacks.
• Figure 5: Effectiveness of Training with DP Optimizers against the One-shot (Targeted) Poisoning. We illustrate the RADs (solid lines) and the attack success rate (dashed lines) of the DP-models trained with the different choice of DP-SGD parameters. In the upper row, we only use the clipping norm whereas we vary the noise in the bottom row when the clipping norm is fixed. In the shaded area, we find DP-SGD configurations that reduces the attack success rate by half with a RAD of 0.1.