

Invited Talk in Workshop: Pitfalls of limited data and computation for Trustworthy ML

Practical poisoning of machine learning models (Nicholas Carlini)


Abstract:

Deep learning models are often trained on distributed, web-scale datasets crawled from the internet. Because of their size, these datasets are necessarily uncurated, which opens the possibility of a "poisoning attack" in which an adversary modifies the behavior of a model by tampering with its training data. With our attack, we could have poisoned the training dataset of anyone who used LAION-400M (or other popular datasets) in the last six months. The attack is trivial: we bought expired domains corresponding to URLs in popular image datasets, which gave us control over 0.01% of each of these datasets. In this talk I discuss how the attack works, its consequences, and potential defenses. More broadly, we hope machine learning researchers will study other simple but practical attacks on the machine learning pipeline.
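To make the mechanism concrete, here is a minimal sketch (not the authors' actual tooling) of how one might estimate what fraction of a URL-based dataset is reachable through lapsed domains. The file name laion400m_urls.txt is a placeholder for a one-URL-per-line metadata dump, and a failed DNS lookup is used only as a rough proxy for an expired registration; a real audit would consult WHOIS records and public-suffix rules.

```python
import socket
from collections import Counter
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str | None:
    """Extract the hostname from a URL (naive: no public-suffix handling)."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def domain_resolves(domain: str) -> bool:
    """Heuristic liveness check: a domain that no longer resolves in DNS
    is a candidate for an expired (re-purchasable) registration."""
    try:
        socket.gethostbyname(domain)
        return True
    except OSError:
        return False


def poisonable_fraction(url_file: str, probe_limit: int = 1000) -> float:
    """Estimate the fraction of dataset URLs hosted on dead domains."""
    counts: Counter[str] = Counter()
    total = 0
    with open(url_file) as f:
        for line in f:
            domain = registrable_domain(line.strip())
            if domain:
                counts[domain] += 1
                total += 1
    # Probe only the most common domains to keep the scan cheap; an
    # attacker would prioritize exactly these high-coverage domains.
    dead = sum(
        n for domain, n in counts.most_common(probe_limit)
        if not domain_resolves(domain)
    )
    return dead / total if total else 0.0


if __name__ == "__main__":
    # "laion400m_urls.txt" is a hypothetical metadata file, one URL per line.
    print(f"Poisonable: {poisonable_fraction('laion400m_urls.txt'):.4%}")
```

An attacker who re-registers any of the dead domains found this way can then serve arbitrary image bytes at the original URLs, so every future download of the dataset silently picks up the substituted content.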
