De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

You are here

Top Reasons to Join SPS Today!

1. IEEE Signal Processing Magazine
2. Signal Processing Digital Library*
3. Inside Signal Processing Newsletter
4. SPS Resource Center
5. Career advancement & recognition
6. Discounts on conferences and publications
7. Professional networking
8. Communities for students, young professionals, and women
9. Volunteer opportunities
10. Coming soon! PDH/CEU credits
Click here to learn more.

De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks

Jian Chen; Xuxin Zhang; Rui Zhang; Chen Wang; Ling Liu

Machine learning techniques have been widely applied to various applications. However, they are potentially vulnerable to data poisoning attacks, where sophisticated attackers can disrupt the learning procedure by injecting a fraction of malicious samples into the training dataset. Existing defense techniques against poisoning attacks are largely attack-specific: they are designed for one specific type of attacks but do not work for other types, mainly due to the distinct principles they follow. Yet few general defense strategies have been developed. In this paper, we propose De-Pois, an attack-agnostic defense against poisoning attacks. The key idea of De-Pois is to train a mimic model the purpose of which is to imitate the behavior of the target model trained by clean samples. We take advantage of Generative Adversarial Networks (GANs) to facilitate informative training data augmentation as well as the mimic model construction. By comparing the prediction differences between the mimic model and the target model, De-Pois is thus able to distinguish the poisoned samples from clean ones, without explicit knowledge of any ML algorithms or types of poisoning attacks. We implement four types of poisoning attacks and evaluate De-Pois with five typical defense methods on different realistic datasets. The results demonstrate that De-Pois is effective and efficient for detecting poisoned data against all the four types of poisoning attacks, with both the accuracy and F1-score over 0.9 on average.

SPS on Twitter

  • Registration for ICIP 2021 is now open! This hybrid event will take place 19-22 September, with the in-person compo…
  • The Brain Space Initiative Talk Series continues on Friday, 30 July when Dr. Ioulia Kovelman presents "The Bilingua…
  • There’s still time to register your team to win the US$5,000 grand prize in the 5-Minute Video Clip Contest, “Autom…
  • Join the SPS Vizag Bay, Long Island, and Finland Chapters for the Seasonal School on Signal Processing and Communic…
  • Calling students and graduate students! The 5-Minute Video Clip Contest returns for ICIP 2021, and there's still ti…

SPS Videos

Signal Processing in Home Assistants


Multimedia Forensics

Careers in Signal Processing             


Under the Radar