Table of Contents
Fetching ...

Safety-Efficacy Trade Off: Robustness against Data-Poisoning

Diego Granziol

TL;DR

Safety-Efficacy Trade Off analyzes data-poisoning and backdoor attacks through the geometry of input space using kernel ridge regression as an exact model for wide neural networks. It derives a rank-1 spike in the input Hessian caused by clustered poisoned samples and identifies a near-clone regime in nonlinear kernels where poison efficacy remains high while input curvature vanishes, making spectral detection provably difficult. A gradient-regularisation defence is shown to contract poison-aligned Fisher and Hessian modes, at the unavoidable cost of data-fitting capacity, with an exponential kernel interpreted as an anisotropic length-scale increase ℓ_eff^2 = ℓ^2 + c κ. The theory is validated across linear and deep networks on MNIST and CIFAR, showing consistent lags between attack success and spectral visibility, while data augmentation and regularisation jointly mitigate poisoning, revealing a fundamental safety–efficacy trade-off and a curvature-based diagnostic for poisoning.

Abstract

Backdoor and data poisoning attacks can achieve high attack success while evading existing spectral and optimisation based defences. We show that this behaviour is not incidental, but arises from a fundamental geometric mechanism in input space. Using kernel ridge regression as an exact model of wide neural networks, we prove that clustered dirty label poisons induce a rank one spike in the input Hessian whose magnitude scales quadratically with attack efficacy. Crucially, for nonlinear kernels we identify a near clone regime in which poison efficacy remains order one while the induced input curvature vanishes, making the attack provably spectrally undetectable. We further show that input gradient regularisation contracts poison aligned Fisher and Hessian eigenmodes under gradient flow, yielding an explicit and unavoidable safety efficacy trade off by reducing data fitting capacity. For exponential kernels, this defence admits a precise interpretation as an anisotropic high pass filter that increases the effective length scale and suppresses near clone poisons. Extensive experiments on linear models and deep convolutional networks across MNIST and CIFAR 10 and CIFAR 100 validate the theory, demonstrating consistent lags between attack success and spectral visibility, and showing that regularisation and data augmentation jointly suppress poisoning. Our results establish when backdoors are inherently invisible, and provide the first end to end characterisation of poisoning, detectability, and defence through input space curvature.

Safety-Efficacy Trade Off: Robustness against Data-Poisoning

TL;DR

Safety-Efficacy Trade Off analyzes data-poisoning and backdoor attacks through the geometry of input space using kernel ridge regression as an exact model for wide neural networks. It derives a rank-1 spike in the input Hessian caused by clustered poisoned samples and identifies a near-clone regime in nonlinear kernels where poison efficacy remains high while input curvature vanishes, making spectral detection provably difficult. A gradient-regularisation defence is shown to contract poison-aligned Fisher and Hessian modes, at the unavoidable cost of data-fitting capacity, with an exponential kernel interpreted as an anisotropic length-scale increase ℓ_eff^2 = ℓ^2 + c κ. The theory is validated across linear and deep networks on MNIST and CIFAR, showing consistent lags between attack success and spectral visibility, while data augmentation and regularisation jointly mitigate poisoning, revealing a fundamental safety–efficacy trade-off and a curvature-based diagnostic for poisoning.

Abstract

Backdoor and data poisoning attacks can achieve high attack success while evading existing spectral and optimisation based defences. We show that this behaviour is not incidental, but arises from a fundamental geometric mechanism in input space. Using kernel ridge regression as an exact model of wide neural networks, we prove that clustered dirty label poisons induce a rank one spike in the input Hessian whose magnitude scales quadratically with attack efficacy. Crucially, for nonlinear kernels we identify a near clone regime in which poison efficacy remains order one while the induced input curvature vanishes, making the attack provably spectrally undetectable. We further show that input gradient regularisation contracts poison aligned Fisher and Hessian eigenmodes under gradient flow, yielding an explicit and unavoidable safety efficacy trade off by reducing data fitting capacity. For exponential kernels, this defence admits a precise interpretation as an anisotropic high pass filter that increases the effective length scale and suppresses near clone poisons. Extensive experiments on linear models and deep convolutional networks across MNIST and CIFAR 10 and CIFAR 100 validate the theory, demonstrating consistent lags between attack success and spectral visibility, and showing that regularisation and data augmentation jointly suppress poisoning. Our results establish when backdoors are inherently invisible, and provide the first end to end characterisation of poisoning, detectability, and defence through input space curvature.
Paper Structure (40 sections, 15 theorems, 59 equations, 13 figures, 3 tables, 2 algorithms)

This paper contains 40 sections, 15 theorems, 59 equations, 13 figures, 3 tables, 2 algorithms.

Key Result

Lemma 3.2

Under Assumption asmp:cluster,

Figures (13)

  • Figure 1: Evidencing for the near-clone regime: CIFAR-10 class $c=8$ at poison fraction $\theta = 0.01$. Top row: clean class-0/8 input, same class-8 input with the trigger applied (poisoned, label 0) together with the model's posterior $p(y=0 \mid x_{\mathrm{poison}})$. Bottom row: corresponding pre-fc feature maps, showing how the trigger moves the class-8 representation towards a region of feature space associated with class 0.
  • Figure 2: Input vs. feature PCA for poisoning CIFAR-10 with poison fraction $\theta = 0.01$. Left: input-space PCA $(\psi_1,\psi_2)$ for clean class 0, clean class 1, and poisoned class-1 images. Right: PCA of pre-fc features showing how the trigger moves class-1 examples towards the class-0 manifold.
  • Figure 3: Class-wise means and spreads in pre-fc feature PCA space for CIFAR-10 at $\theta = 0.01$. Solid/dashed coloured/black ellipses show $1\sigma$/$2\sigma$ clean/poisoned class clusters, arrows indicate shifts of clean class means under the trigger. Triggered examples from all classes are mapped into a compact region near the class-0 manifold.
  • Figure 4: MNIST where we have a poison target class $0$ activated upon a $4$px square in the lower right of the image, where we use a poison fraction $\theta=0.1$ and the base is an un-poisoned model, full is when we retrain SGD with the poison and step refers to when we update the model using QR stepwise decomposition with the new poison feature. : (a) full–base, (b) step–base, (c) step–full, (d) weights.
  • Figure 5: RegressionMNIST poisoning analysis: (a) clean accuracy degradation, (b) poison success rate, (c) spectral overlap with poison direction, and (d) overall summary metrics as a function of poison fraction.
  • ...and 8 more figures

Theorems & Definitions (33)

  • Lemma 3.2: Aggregate poison gain
  • Theorem 3.3: Efficacy of a cloned cluster
  • Theorem 3.4: Rank-1 input spike and spike–efficacy law
  • Remark 3.5: Detectability lag
  • Corollary 3.6: Exponential-kernel spike factor
  • Corollary 3.7: Near-clone regime $r\ll\ell$
  • Remark 3.8
  • Theorem 3.9: Gradient regularisation reduces data-fitting capacity
  • Remark 3.10: High-pass filter interpretation
  • Remark 3.11: Linear kernels
  • ...and 23 more