Poisoning Attacks & Provable Defenses
In a data poisoning attack, an adversary corrupts the training data to cause undesirable behaviour in the trained model. This behaviour can take many forms, including inserting backdoors, lowering overall accuracy, and forcing the misclassification of specific inputs.
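As a concrete illustration, the sketch below shows one of the simplest poisoning strategies, label flipping, on a toy dataset. The dataset, the 10% poisoning rate, and the function names are illustrative assumptions, not taken from our work.

```python
# Minimal sketch of a label-flipping poisoning attack on a toy binary
# dataset. The data, poisoning rate, and names are illustrative only.
import numpy as np

rng = np.random.default_rng(0)

# Clean training data: 1,000 points in 20 dimensions with binary labels.
X = rng.normal(size=(1000, 20))
y = (X[:, 0] > 0).astype(int)

def poison_labels(y, rate=0.1, rng=rng):
    """Flip the labels of a random `rate` fraction of training points."""
    y_poisoned = y.copy()
    n_poison = int(rate * len(y))
    idx = rng.choice(len(y), size=n_poison, replace=False)
    y_poisoned[idx] = 1 - y_poisoned[idx]
    return y_poisoned

y_poisoned = poison_labels(y, rate=0.1)
print(f"{(y != y_poisoned).sum()} of {len(y)} labels flipped")
```

A model trained on `(X, y_poisoned)` instead of `(X, y)` will typically lose accuracy; more targeted attacks (e.g. backdoors) modify the inputs as well as the labels.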
We were the first to demonstrate the practical impact of poisoning attacks on federated learning, back in 2016. Since then, there have been many attempts to find optimal defenses against such attacks. In our recent work, we show that optimal solutions for filtering outliers in training data, such as Byzantine-robust aggregation, have intractable running times for practical ML models. To address this, we introduce RandEigen, the first generic defense with quasi-linear runtime: a strong robust aggregator that is practically usable for high-dimensional ML applications.
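To make the role of a robust aggregator concrete, the sketch below contrasts a plain mean of client updates with a classical coordinate-wise median baseline under a simple attack. This is not RandEigen; the setup, sizes, and attack are assumptions chosen purely for illustration.

```python
# Sketch of robust aggregation in federated learning: the server combines
# client updates so that a few poisoned updates cannot dominate. The
# coordinate-wise median is a simple classical baseline, not RandEigen.
import numpy as np

rng = np.random.default_rng(1)
dim, n_clients, n_malicious = 1000, 50, 10

# Honest clients send noisy copies of the true gradient; malicious
# clients send large updates pointing in the opposite direction.
true_grad = rng.normal(size=dim)
honest = true_grad + 0.1 * rng.normal(size=(n_clients - n_malicious, dim))
malicious = -20.0 * np.tile(true_grad, (n_malicious, 1))
updates = np.vstack([honest, malicious])

naive = updates.mean(axis=0)          # plain averaging, easily hijacked
robust = np.median(updates, axis=0)   # coordinate-wise median baseline

cos = lambda a, b: a @ b / (np.linalg.norm(a) * np.linalg.norm(b))
print(f"cosine(mean, true grad):   {cos(naive, true_grad):+.3f}")
print(f"cosine(median, true grad): {cos(robust, true_grad):+.3f}")
```

Running this shows the plain mean being dragged to point away from the true gradient while the median stays aligned with it; the challenge our work addresses is obtaining such robustness with strong guarantees at quasi-linear cost in high dimensions.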