De-Pois: An Attack-Agnostic Defense against Data Poisoning Attacks
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 2021-05-14, DOI: 10.1109/tifs.2021.3080522
Jian Chen , Xuxin Zhang , Rui Zhang , Chen Wang , Ling Liu

Machine learning techniques have been widely applied to various applications. However, they are potentially vulnerable to data poisoning attacks, where sophisticated attackers can disrupt the learning procedure by injecting a fraction of malicious samples into the training dataset. Existing defense techniques against poisoning attacks are largely attack-specific: each is designed for one specific type of attack and does not work for other types, mainly because the attack types follow distinct principles. Few general defense strategies have been developed. In this paper, we propose De-Pois, an attack-agnostic defense against poisoning attacks. The key idea of De-Pois is to train a mimic model whose purpose is to imitate the behavior of the target model trained on clean samples. We take advantage of Generative Adversarial Networks (GANs) to facilitate informative training data augmentation as well as the mimic model construction. By comparing the prediction differences between the mimic model and the target model, De-Pois is able to distinguish poisoned samples from clean ones without explicit knowledge of any ML algorithm or type of poisoning attack. We implement four types of poisoning attacks and evaluate De-Pois against five typical defense methods on different realistic datasets. The results demonstrate that De-Pois is effective and efficient at detecting poisoned data under all four types of poisoning attacks, with both accuracy and F1-score above 0.9 on average.
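The abstract describes the detection step only at a high level: a mimic model trained to behave like a clean-data model is used to flag samples whose predictions diverge. The following is an added, constructed illustration of that filtering idea, not code from the paper or its authors. It replaces the GAN-based mimic model with a deliberately simple stand-in (a nearest-centroid classifier fitted on a small trusted clean subset, an assumption for this example) and flags an incoming sample when the mimic model's probability for the sample's supplied label falls below a threshold. The sample points, the label-flipped "poisoned" entries and the threshold of 0.5 are all constructed here; the paper gives no such values.

```python
"""Toy demonstration of mimic-model disagreement as a poisoning filter.

Stand-in for the De-Pois idea in the abstract: a reference ("mimic")
model is fitted on a small trusted clean subset, and every incoming
training sample is scored by how strongly the mimic model rejects the
label the sample arrives with. Simplified, constructed illustration;
the real method uses GAN-based augmentation, which is not reproduced.
"""
from math import dist  # Euclidean distance, Python 3.8+

# Constructed trusted clean subset: class 0 near (0, 0), class 1 near (5, 5).
TRUSTED = [
    ((0.0, 0.2), 0), ((0.3, -0.1), 0), ((-0.2, 0.1), 0), ((0.1, 0.0), 0),
    ((5.0, 5.1), 1), ((4.8, 5.2), 1), ((5.2, 4.9), 1), ((5.1, 5.0), 1),
]

# Constructed incoming training set: 8 clean samples plus 3 label-flipped
# (poisoned) samples at indices 8, 9 and 10.
INCOMING = [
    ((0.2, 0.1), 0), ((-0.1, 0.3), 0), ((0.4, 0.2), 0), ((0.0, -0.3), 0),
    ((4.9, 5.0), 1), ((5.3, 5.1), 1), ((4.7, 4.8), 1), ((5.0, 5.3), 1),
    ((0.1, 0.1), 1),   # poisoned: class-0 point relabelled as 1
    ((5.1, 4.9), 0),   # poisoned: class-1 point relabelled as 0
    ((0.3, 0.3), 1),   # poisoned: class-0 point relabelled as 1
]
POISONED_INDICES = {8, 9, 10}  # ground truth, known only because we built the data


class NearestCentroid:
    """Minimal classifier used here as the mimic model (an assumption)."""

    def fit(self, samples):
        sums, counts = {}, {}
        for (x0, x1), y in samples:
            s0, s1 = sums.get(y, (0.0, 0.0))
            sums[y] = (s0 + x0, s1 + x1)
            counts[y] = counts.get(y, 0) + 1
        self.centroids = {y: (s[0] / counts[y], s[1] / counts[y])
                          for y, s in sums.items()}
        return self

    def predict_proba(self, x):
        # Inverse-distance weights normalised into a probability-like score.
        weights = {y: 1.0 / (dist(x, c) + 1e-9) for y, c in self.centroids.items()}
        total = sum(weights.values())
        return {y: w / total for y, w in weights.items()}


def disagreement_score(model, x, label):
    """1 - P(label | x) under the mimic model; 0 means full agreement."""
    return 1.0 - model.predict_proba(x).get(label, 0.0)


def detect_poisoned(mimic, incoming, threshold=0.5):
    """Indices of samples whose supplied label the mimic model rejects."""
    return sorted(i for i, (x, y) in enumerate(incoming)
                  if disagreement_score(mimic, x, y) > threshold)


def evaluate(flagged, truth, n):
    """Accuracy and F1 of the flagged set against known poisoned indices."""
    flagged = set(flagged)
    tp, fp, fn = len(flagged & truth), len(flagged - truth), len(truth - flagged)
    tn = n - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / n, "f1": f1,
            "precision": precision, "recall": recall}


def run_demo():
    mimic = NearestCentroid().fit(TRUSTED)
    flagged = detect_poisoned(mimic, INCOMING)
    return flagged, evaluate(flagged, POISONED_INDICES, len(INCOMING))


if __name__ == "__main__":
    flagged, metrics = run_demo()
    print("flagged indices:", flagged)
    print("metrics:", metrics)
```

The threshold controls the trade-off the abstract's accuracy and F1 figures summarise: lowering it catches subtler poisoning but starts discarding clean outliers, so in practice it is tuned on held-out clean data rather than fixed as here.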

Updated: 2021-05-14