Phantom: Untargeted Poisoning Attacks on Semi-Supervised Learning (Full Version)

TL;DR

The first untargeted poisoning attack in SSL is introduced, the first untargeted poisoning attack in SSL that disrupts the training process by injecting a small number of manipulated images into the unlabeled dataset, without the need to control the victim.

Abstract

Deep Neural Networks (DNNs) can handle increasingly complex tasks, albeit they require rapidly expanding training datasets. Collecting data from platforms with user-generated content, such as social networks, has significantly eased the acquisition of large datasets for training DNNs. Despite these advancements, the manual labeling process remains a substantial challenge in terms of both time and cost. In response, Semi-Supervised Learning (SSL) approaches have emerged, where only a small fraction of the dataset needs to be labeled, leaving the majority unlabeled. However, leveraging data from untrusted sources like social networks also creates new security risks, as potential attackers can easily inject manipulated samples. Previous research on the security of SSL primarily focused on injecting backdoors into trained models, while less attention was given to the more challenging untargeted poisoning attacks. In this paper, we introduce Phantom, the first untargeted poisoning attack in SSL that disrupts the training process by injecting a small number of manipulated images into the unlabeled dataset. Unlike existing attacks, our approach only requires adding few manipulated samples, such as posting images on social networks, without the need to control the victim. Phantom causes SSL algorithms to overlook the actual images' pixels and to rely only on maliciously crafted patterns that \ourname superimposed on the real images. We show Phantom's effectiveness for 6 different datasets and 3 real-world social-media platforms (Facebook, Instagram, Pinterest). Already small fractions of manipulated samples (e.g., 5\%) reduce the accuracy of the resulting model by 10\%, with higher percentages leading to a performance comparable to a naive classifier. Our findings demonstrate the threat of poisoning user-generated content platforms, rendering them unsuitable for SSL in specific tasks.

Figures (8)

• Figure 1: Example for poisoned image construction as a combination of the unpoisoned image and the Poisoning Pattern, weighted by the Pattern Visibility (PV) parameter, here 0.1.
• Figure 2: Overview of the considered system where the $\mathcal{V}$ ictim downloads data from a $\mathcal{P}$ latform with user-generated content to obtain an unlabeled dataset ($\mathcal{U}$) that is used with a small labeled dataset ($\mathcal{X}$) to train a DNN
• Figure 3: Effect of different Patter Visibility (PV) rates to obtain a manipulated image for the ImageNet dataset.
• Figure 4: Impact of the Poisoned Data Rate (PDR) for the Phantom attack for different Pattern Visibilities (PV) in comparison to the accuracy without attack (No Attack) and of a naive classifier (Naive Class.).
• Figure 5: Impact of the Pattern Visibility for the Phantom attack for different Poisoned Data Rates (PDR) in comparison to the accuracy without attack (No Attack) and of a naive classifier (Naive Class.).