Diffusion Denoising as a Certified Defense against Clean-label Poisoning

arXiv:2403.11981v1 Announce Type: cross
Abstract: We present a certified defense to clean-label poisoning attacks. These attacks work by injecting a small number of poisoning samples (e.g., 1%) that contain $p$-norm bounded adversarial perturbations into the training data to induce a targeted misclassification of a test-time input. Inspired by the adversarial robustness achieved by $denoised$ $smoothing$, we show how an off-the-shelf diffusion model can sanitize the tampered training data. We extensively test our defense against seven clean-label poisoning attacks and reduce …

abstract adversarial arxiv attacks cs.cr cs.cv cs.lg data defense denoising diffusion norm poisoning attacks robustness samples small test training training data type work