Poisoning Attacks & Provable Defenses

A data poisoning attack is one in which an attacker corrupts training data to cause undesirable behaviour in the trained model. This behaviour can take many forms, such as inserting backdoors, decreasing overall accuracy, or misclassifying specific inputs.
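To make the setting concrete, the sketch below shows one simple flavour of poisoning: a backdoor attack that stamps a trigger feature onto a small fraction of training points and relabels them with the attacker's target class. It is only illustrative; the function names, parameters, and toy data are ours and are not taken from any of the publications listed here.

```python
import numpy as np

def poison_with_backdoor(X, y, trigger_value=9.9, target_label=1,
                         fraction=0.1, seed=0):
    """Illustrative backdoor poisoning (hypothetical helper, not from the
    papers below): stamp a 'trigger' value onto feature 0 of a small
    fraction of training points and relabel them with the attacker's
    target class. A model trained on the poisoned set may learn to map
    the trigger to target_label while behaving normally on clean inputs."""
    rng = np.random.default_rng(seed)
    X_p, y_p = X.copy(), y.copy()
    n_poison = int(fraction * len(X))
    idx = rng.choice(len(X), size=n_poison, replace=False)
    X_p[idx, 0] = trigger_value   # plant the trigger in feature 0
    y_p[idx] = target_label       # flip labels to the attacker's target
    return X_p, y_p

# Toy clean data: two Gaussian classes in 2-D.
rng = np.random.default_rng(1)
X = np.vstack([rng.normal(-2, 1, (100, 2)), rng.normal(2, 1, (100, 2))])
y = np.array([0] * 100 + [1] * 100)
X_poisoned, y_poisoned = poison_with_backdoor(X, y)
```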

We were the first to show the practical impact of poisoning attacks in federated learning in 2016. Since then, there have been many attempts at finding optimal defenses against such attacks. In our recent work, we show that optimal solutions for filtering outliers in training data, such as Byzantine robust aggregation, have intractable running time for practical ML models. To address this issue, we introduce RandEigen, the first strong robust aggregator to achieve quasi-linear runtime, making it practically usable for high-dimensional ML applications.
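The sketch below illustrates the aggregation problem itself using a classic baseline, the coordinate-wise median, rather than RandEigen: a single malicious client can drag a plain mean arbitrarily far, while a robust aggregator keeps the global update close to the honest ones. The setup, names, and numbers are purely illustrative assumptions, not an implementation of our defense.

```python
import numpy as np

def mean_aggregate(updates):
    """Plain federated averaging: one malicious client can shift the
    aggregate arbitrarily far, since the mean has breakdown point 0."""
    return np.mean(updates, axis=0)

def coordinate_median_aggregate(updates):
    """Coordinate-wise median, a classic Byzantine-robust aggregator
    (not RandEigen): tolerates a minority of arbitrarily corrupted
    updates, though its guarantees weaken in high dimensions."""
    return np.median(updates, axis=0)

# Nine honest clients send gradients near the true value; one attacker
# sends a wildly scaled update to poison the global model.
rng = np.random.default_rng(0)
honest = rng.normal(loc=1.0, scale=0.1, size=(9, 4))
malicious = np.full((1, 4), 100.0)
updates = np.vstack([honest, malicious])

print("mean   :", mean_aggregate(updates))               # dragged toward the attacker
print("median :", coordinate_median_aggregate(updates))  # stays near 1.0
```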

Relevant Publications
A Practical and Secure Byzantine Robust Aggregator
De Zhang Lee, Aashish Kolluri, Prateek Saxena, Ee-Chien Chang
ACM Conference on Computer and Communications Security (CCS 2025). Taipei, Taiwan, Oct 2025.
PDF
Attacking Byzantine Robust Aggregation in High Dimensions
Sarthak Choudhary*, Aashish Kolluri*, Prateek Saxena
IEEE Symposium on Security and Privacy (S&P 2024). Oakland, CA, May 2024.
AUROR: Defending Against Poisoning Attacks in Collaborative Deep Learning Systems
Shiqi Shen, Shruti Tople, Prateek Saxena
Annual Computer Security Applications Conference (ACSAC 2016). Los Angeles, CA, Dec 2016.
PDF