Poisoning the Unlabeled Dataset of Semi-Supervised Learning
arXiv - CS - Cryptography and Security. Pub Date: 2021-05-04, DOI: arxiv-2105.01622
Nicholas Carlini

Semi-supervised machine learning models learn from a (small) set of labeled training examples, and a (large) set of unlabeled training examples. State-of-the-art models can reach within a few percentage points of fully-supervised training, while requiring 100x less labeled data. We study a new class of vulnerabilities: poisoning attacks that modify the unlabeled dataset. In order to be useful, unlabeled datasets are given strictly less review than labeled datasets, and adversaries can therefore poison them easily. By inserting maliciously-crafted unlabeled examples totaling just 0.1% of the dataset size, we can manipulate a model trained on this poisoned dataset to misclassify arbitrary examples at test time (as any desired label). Our attacks are highly effective across datasets and semi-supervised learning methods. We find that more accurate methods (thus more likely to be used) are significantly more vulnerable to poisoning attacks, and as such better training methods are unlikely to prevent this attack. To counter this we explore the space of defenses, and propose two methods that mitigate our attack.
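The abstract states the threat model but not the construction, so the following is an added, constructed Python illustration of the mechanism, not the paper's code and not the paper's attack. It assumes a deliberately simple stand-in for a semi-supervised method (radius-based self-training that copies the label of the nearest already-labeled point), 2-D toy data, a chain-of-unlabeled-points poison construction, and a hop-count audit value; all of these are assumptions of the example. The poison fraction here is far above the abstract's 0.1% only because the dataset is a handful of points; the point is that inserting unlabeled examples alone, with no labels touched, flips the prediction on one chosen target while leaving clean points unaffected.

```python
"""Toy illustration of poisoning the unlabeled set used by self-training
(pseudo-labeling).  Constructed example; not the paper's code or attack."""
import math
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# Constructed data: two well-separated classes along a line, plus a target
# example that an honest model places on the class-0 side of the gap.
LABELED: Dict[Point, int] = {(0.0, 0.0): 0, (10.0, 0.0): 1}
CLEAN_UNLABELED: List[Point] = [(0.3, 0.1), (0.6, -0.1), (9.4, 0.1), (9.7, -0.1)]
TARGET: Point = (2.0, 0.0)
DESIRED_LABEL = 1            # label the attacker wants TARGET to receive
RADIUS = 1.2                 # assumed confidence radius for pseudo-labeling


def nearest_labeled(x: Point, labeled: Dict[Point, int]) -> Tuple[int, float]:
    """Return (label, distance) of the labeled point closest to x."""
    p, label = min(labeled.items(), key=lambda kv: math.dist(x, kv[0]))
    return label, math.dist(x, p)


def self_train(labeled: Dict[Point, int], unlabeled: List[Point],
               radius: float) -> Tuple[Dict[Point, int], Dict[Point, int]]:
    """Stand-in for an SSL method (assumed, not the paper's): each pass, every
    still-unlabeled point within `radius` of a point labeled before the pass
    copies that neighbour's label.  Repeat until nothing changes.  Returns the
    final labels and, per pseudo-labeled point, the pass ("hop") that labeled it."""
    labels = dict(labeled)
    hops: Dict[Point, int] = {}
    pending = list(unlabeled)
    passno = 0
    while pending:
        passno += 1
        snapshot = dict(labels)          # labels are fixed for the whole pass
        still_pending = []
        for x in pending:
            label, d = nearest_labeled(x, snapshot)
            if d <= radius:
                labels[x] = label
                hops[x] = passno
            else:
                still_pending.append(x)
        if len(still_pending) == len(pending):
            break                        # no point was labeled: converged
        pending = still_pending
    return labels, hops


def predict(x: Point, labels: Dict[Point, int]) -> int:
    """1-NN prediction against everything the model ended up labeling."""
    return nearest_labeled(x, labels)[0]


def poison_chain(target: Point, anchor: Point, step: float) -> List[Point]:
    """Attacker-crafted *unlabeled* points: a chain from `anchor` (a point the
    model will confidently label DESIRED_LABEL) toward `target`, spaced `step`
    apart and stopping one step short, so each link is pseudo-labeled from the
    previous one and the last link lands within RADIUS of the target."""
    d = math.dist(anchor, target)
    ux, uy = (target[0] - anchor[0]) / d, (target[1] - anchor[1]) / d
    n = math.ceil(d / step) - 1
    return [(anchor[0] + k * step * ux, anchor[1] + k * step * uy)
            for k in range(1, n + 1)]


def run_demo() -> Dict[str, object]:
    clean_labels, _ = self_train(LABELED, CLEAN_UNLABELED, RADIUS)
    anchor = next(p for p, l in LABELED.items() if l == DESIRED_LABEL)
    chain = poison_chain(TARGET, anchor, step=1.0)
    poisoned_labels, hops = self_train(LABELED, CLEAN_UNLABELED + chain, RADIUS)
    return {
        "clean_prediction": predict(TARGET, clean_labels),
        "poisoned_prediction": predict(TARGET, poisoned_labels),
        "poison_points": len(chain),
        # A long chain of hops is a cheap audit signal for this toy method.
        # The abstract does not say what the paper's two defenses are, so
        # this is an assumption of the example, not one of them.
        "max_hops": max(hops.values()),
        "poisoned_labels": poisoned_labels,
    }


if __name__ == "__main__":
    out = run_demo()
    print(f"clean model labels target as {out['clean_prediction']}; "
          f"poisoned model labels it {out['poisoned_prediction']} "
          f"after {out['poison_points']} poison points (max hop {out['max_hops']})")
```

Running the block prints the clean prediction (0) next to the poisoned one (1). The clean class-0 points still receive label 0 in the poisoned run, which is what makes this a targeted attack rather than a general accuracy drop, and no labeled example was modified, matching the abstract's threat model of a reviewer who inspects only the labeled set.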

Updated: 2021-05-05