Generating Potent Poisons and Backdoors from Scratch with Guided Diffusion
Abstract
Modern neural networks are often trained on massive datasets that are web scraped with minimal human inspection. As a result of this insecure curation pipeline, an adversary can poison or backdoor the resulting model by uploading malicious data to the internet and waiting for a victim to scrape and train on it. Existing approaches for creating poisons and backdoors start with randomly sampled clean data, called base samples, and then modify those samples to craft poisons. However, some base samples may be significantly more amenable to poisoning than others. As a result, we may be able to craft more potent poisons by carefully choosing the base samples. In this work, we use guided diffusion to synthesize base samples from scratch that lead to significantly more potent poisons and backdoors than previous state-of-the-art attacks. Our Guided Diffusion Poisoning (GDP) base samples can be combined with any downstream poisoning or backdoor attack to boost its effectiveness. Our implementation code is publicly available at: https://github.com/hsouri/GDP