6.4.11 · D4 · HinglishAI Safety & Alignment

ExercisesData poisoning and backdoor attacks

3,761 words17 min read↑ Read in English

6.4.11 · D4 · AI-ML › AI Safety & Alignment › Data poisoning and backdoor attacks

Yeh page Data poisoning and backdoor attacks ke liye ek self-test ladder hai. Pehle har problem ko paper par solve karo, phir collapsible solution kholna. Yahan jo bhi symbol use hue hain, woh usi jagah define kiye gaye hain jahan appear hote hain — toh tum line one se hi shuru kar sakte ho.

Shuru karne se pehle, do definitions jo hum har jagah reuse karenge:

Kuch bhi compute karne se pehle poore idea ki ek picture:

Figure — Data poisoning and backdoor attacks

Blue points clean data hain, pink points woh poisoned points hain jo attacker ne slip in kiye hain. Dekho ki poisoned points dividing line (decision boundary) ko target ki taraf kheench rahe hain. Hum Exercise 3.2 mein exactly is picture par numbers lagate hain — wahan dashed white line woh clean boundary hai jo yahan draw ki gayi hai, aur yellow line woh hai jahan poison use kheenchta hai. Is figure ko dhyan mein rakho; neeche ke har integrity/poisoning problem is ek kheenchne ki motion ka ek version hai.


Level 1 — Recognition

Exercise 1.1 (L1)

Ek spam classifier normally accuracy score karta hai. Ek attacker training set ke labels randomly flip karta hai (spam↔not-spam). Retraining ke baad, accuracy par aa jaati hai. Kya yeh ek availability attack hai ya ek integrity attack? Ek sentence mein justify karo.

Recall Solution

Availability attack. Goal clean inputs par overall accuracy degrade karna hai ( se tak drop), na ki kisi ek specific chosen input ko ek chosen wrong class par force karna. Random label flips damage har jagah spread karte hain — yeh model par denial-of-service hai, jo availability attack ki definition hai.

Exercise 1.2 (L1)

Har trigger ko uske type se match karo — patch, blended, ya semantic: (a) corner mein ek yellow square; (b) sunglasses pehan raha ek insaan; (c) ek faint watermark jo puri image mein mix hai as with .

Yahan (c) mein symbols ka matlab hai: clean input image hai jo ek vector ke roop mein likha gaya hai (ek number per pixel, e.g. ek image pixel brightnesses ki ek list hai); trigger pattern hai same shape ke vector ke roop mein (watermark image); aur unka pixel-by-pixel weighted average hai.

Recall Solution

(a) Patch — ek small localized stamp. (b) Semantic — ek natural real-world object trigger ki tarah kaam karta hai. (c) Blended — trigger low weight par puri image par average kiya gaya hai, toh yeh spread out aur faint hai rather than ek hard patch.

Yahan aur ke beech ek blend weight hai: par formula deta hai (pure clean image), par deta hai (pure trigger). par trigger har pixel ki value ka sirf contribute karta hai, isliye ek insaan use barely dekh sakta hai.

Exercise 1.3 (L1)

True ya false: "Agar koi model clean validation set par score karta hai, toh usmein koi backdoor nahi hai." Explain karo.

Recall Solution

False. Ek backdoor stealthy hone ke liye design kiya jaata hai: yeh tabhi fire karta hai jab trigger present ho. Clean validation set mein koi trigger nahi hota, toh yeh backdoor kabhi reveal nahi kar sakta. High clean accuracy exactly wahi hai jo attacker chahta hai — backdoor se aage probe karne ke methods ke liye Explainable AI aur AI Red Teaming dekho.


Level 2 — Application

Exercise 2.1 (L2)

Ek test set mein triggered stop-sign images hain. Backdoored model unमें se ko "green light" () classify karta hai. compute karo.

Recall Solution

Pehle check karo ki denominator nonzero hai: triggered inputs hain, toh well-defined hai (upar edge-case callout dekho). Definition mein plug in karo: Humne kya kiya: triggered inputs jo target class ko bheje gaye unhe count kiya, total triggered inputs se divide kiya. Kyun: measure karta hai ki trigger kitni reliably fire karta hai.

Exercise 2.2 (L2)

Maano honest, unpoisoned model ki clean accuracy denote karta hai — yaani woh accuracy jo tumhein milti agar attacker ne kabhi training data touch na kiya hota (yahan ). Backdoored model clean inputs par score karta hai. Stealth requirement yeh hai ki clean-accuracy drop percentage points se neeche rahe. (Yaad raho accuracy-drop budget hai, Level 3 ka perturbation budget nahi.) Kya yeh backdoor stealth test pass karta hai?

Recall Solution

Kyunki , haan — yeh pass karta hai. Backdoor stealthy hai: ek defender jo (honest baseline) ko (shipped model) se compare karta hai use sirf ek tiny dip dikhti hai jo ordinary training noise jaisi lagti hai.

Exercise 2.3 (L2)

Ek training set mein stop-sign images hain. Maano attacker dwara inject kiye gaye poisoned images ki number hai. Attacker trigger ke saath images ko poison karna chahta hai. find karo, aur explain karo ki "" unhe kya deta hai.

Recall Solution

Maano poisoned images ki number hai. Tab kyun: itna bada ki network reliably "trigger green light" rule memorize kar le, phir bhi itna chhota ki ek dataset audit mein slip ho jaye (sirf in stop signs thodi odd lagti hai). Yeh trade-off — enough to learn, little enough to hide — attacker ka central tuning knob hai.


Level 3 — Analysis

Exercise 3.1 (L3)

Ek attacker clean-label integrity attack mount karta hai. Woh ek stop-sign image ko se perturb karta hai constraint ke under, jahan perturbation ki Euclidean length hai aur perturbation budget hai (Level 2 ke accuracy-drop budget se distinct). Budget aur ek 2-pixel toy image par proposed perturbation diya gaya hai, kya yeh perturbation legal hai? Phir explain karo ki kyun clean-label attack ko chhota rakhna padta hai.

Recall Solution

Length compute karo: Kyunki constraint strict hai () aur hume exactly mila, yeh perturbation legal nahi hai — yeh boundary par baitha hai, andar nahi. Comply karne ke liye ise thoda shrink karo (e.g. , length ).

Chhota kyun matter karta hai: ek clean-label attack mein image abhi bhi ek honest annotator dwara label ki jaati hai. Agar perturbation bada ho toh image galat lagti hai aur annotator (ya ek audit) use reject kar deta hai. budget ke under rakhna matlab poisoned image abhi bhi ek genuine stop sign jaisi lagti hai, toh use ek plausible label milta hai aur attack hidden rehta hai.

Exercise 3.2 (L3)

Ek 1-D decision boundary consider karo. Clean class-A points positions par hain aur class-B points par; boundary do class means ka midpoint hai. Attacker poisoned points inject karta hai, sab position par, class B ke roop mein mislabeled. Boundary location find karo (a) bina poison ke, (b) poison points ke saath. Assume karo ki boundary do class means ka average hai. Yeh kis direction mein move hui, aur yeh attacker ki kaise help karta hai?

Recall Solution

Bina poison ke class means. Boundary .

(a) Bina poison: .

(b) poison points at class B mein add karne ke saath: Naya boundary .

Direction: boundary se tak move hui, yaani class A ki taraf. Kyun yeh help karta hai: ek target point jo pehle clearly A ki side par tha (maano par) ab B ki side par land karta hai — use B ke roop mein misclassify kiya jaata hai. Poison ne boundary ko target ke upar kheench diya, jo exactly woh integrity-attack mechanism hai, aur yeh wahi kheenchna hai jo overview figure s01 mein draw kiya gaya hai.

Figure s02 in numbers se aage jaata hai: yeh boundary location ko poison count ke continuous function ke roop mein plot karta hai, toh tum puri trajectory dekh sakte ho — har extra poison point boundary ko kitna drag karta hai, aur yeh finally par target ko kahan cross karega.

Figure — Data poisoning and backdoor attacks

Level 4 — Synthesis

Exercise 4.1 (L4)

Tumhe ek model zoo se ek pre-trained model milta hai aur tum use ek small clean dataset par fine-tune karte ho. Ek colleague argue karta hai: "Clean data par fine-tuning koi bhi backdoor overwrite kar degi." Ek first-principles argument do ki backdoor zyaadatar survive kyun karta hai, aur woh ek condition state karo jiske under colleague sahi hoga.

Recall Solution

Training weights ko gradient (upar define ki gayi error-slope) follow karke update karta hai — woh direction jo tumhare dikhaye gaye data par error ko most reduce kare. Model ek rule tabhi "unlearn" karta hai jab use aisa data dikhe jo us rule ke against gradient produce kare.

  1. Koi conflicting gradient nahi. Clean fine-tuning data mein koi trigger nahi hota. Toh yeh "trigger " rule ke baare mein kabhi koi loss signal produce nahi karta — us rule ko neeche push karne wala koi slope nahi hota. Woh untouched baitha rehta hai.
  2. Alag feature space. Backdoor often un features par rely karta hai jo main task use nahi karta, toh ordinary updates unhe overwrite nahi karte.
  3. Forgetting dono taraf cut karta hai. Fine-tuning jo kabhi backdoor region revisit nahi karta simply use preserve karta hai.

Woh ek condition jiske under colleague sahi hai: agar fine-tuning data khud trigger pattern contain kare lekin correct label ke saath (trigger present, label = true class), tab yeh ek aisa gradient produce karta hai jo directly backdoor rule ko contradict karta hai aur use erase kar sakta hai. Standard clean datasets mein trigger nahi hota, isliye yeh accident se rarely hota hai. Isliye hum dedicated defenses use karte hain — pruning, activation clustering, adversarial fine-tuning — Certified Defenses aur Robust Machine Learning se.

Exercise 4.2 (L4)

In chaar threat models ko attacker control ke hisaab se rank karo, highest pehle, aur ordering justify karo: Crowdsourced data, Outsourced training, Pre-trained model download, Transfer learning.

Recall Solution

Highest → lowest control:

  1. Outsourced training — attacker hi trainer hai: data, loss, architecture, aur process end-to-end control karta hai. Maximum control.
  2. Pre-trained model download — attacker ek fully backdoored model ship karta hai; tumhare paas zero visibility hai ki yeh kaise banaya gaya, lekin tum baad mein fine-tune choose karte ho, jo tumhe thoda leverage deta hai.
  3. Transfer learning — (2) jaisa hi lekin tum apne clean data par fine-tune karte ho, toh backdoor inherit hota hai aur sirf partially attacker ke control mein hota hai.
  4. Crowdsourced data — attacker sirf samples add kar sakta hai, kabhi loss, architecture, ya existing data modify nahi kar sakta. Sabse kam control.

(1)–(3) ke liye governance Model Provenance and Supply Chain par lean karta hai; (4) data validation aur Federated Learning Security par lean karta hai.


Level 5 — Mastery

Exercise 5.1 (L5)

Ek attacker poisoning campaign optimize karta hai. percent poison inject karne par:

  • (jaldi badhta hai phir saturate ho jaata hai),
  • clean-accuracy drop (percentage points mein).

Yahan exponential decay function hai: par yeh ke barabar hai toh ; badhne par yeh ki taraf shrink hota hai toh . Stealth constraint hai (percentage points). Sabse bada legal find karo (use do decimals tak report karo aur justify karo ki tum strict inequality ko kaise treat karte ho), aur wahan achieve hone wala .

Recall Solution

Step 1 — stealth constraint apply karo. Hume chahiye : Kyunki inequality strict hai, koi single sabse bada legal value nahi hai — legal set open interval hai, jiska supremum khud legal nahi hai (yeh wahi open-vs-closed distinction hai jo Exercise 3.1 mein tha). Practice mein hum do decimals tak sabse bada usable value jo strict bound satisfy karta ho report karte hain: , kyunki . (Exact endpoint excluded hai.)

Step 2 — wahan evaluate karo. Toh attacker essentially () reach karta hai jabki -point clean-accuracy budget ke just under rehta hai.

Interpretation: kyunki itni jaldi saturate hota hai (exponential), attacker ko ko stealth limit ke paas push karne ki zaroorat nahi — even modest already near-perfect attack deta hai. Figure s03 dekho: ke paas flatten hota hai ke dangerous hone se kaafi pehle.

Figure — Data poisoning and backdoor attacks

Exercise 5.2 (L5)

Same curves use karke (jahan percent mein hai), sabse chhota find karo jo already achieve karta hai, aur confirm karo ki yeh comfortably stealth constraint satisfy karta hai.

Recall Solution

Step 1 — solve karo: Kyunki , Toh (lagbhag poison) already deta hai. Koi bhi bada ko aur high push karta hai, toh yeh sabse chhota hai jo meet karta hai.

Step 2 — par stealth check karo: ( tak round karne par milta hai, essentially same.)

Conclusion: sirf poison par attacker paata hai jabki clean accuracy barely move karti hai ( points). Isliye real backdoor papers tiny poison rates par report karte hain — mathematics small, stealthy campaigns ko reward karta hai. Defense ko isliye assume karna chahiye ki even contamination matter karne ke liye kaafi hai.


Recall Quick self-check (cloze)

Availability attack overall clean accuracy ko target karta hai jabki integrity/backdoor attacks specific chosen inputs ko target karte hain. ASR formula ::: ASR jab zero triggered inputs hoon ::: undefined (denominator hai) — sirf ke liye defined hai Woh ek condition jiske under fine-tuning backdoor erase karta hai ::: fine-tuning data mein trigger pattern hota hai lekin correct (true) label ke saath chhote poison rates par kyun saturate hota hai ::: yeh ki tarah badhta hai, jo ki taraf jaldi flatten ho jaata hai

Parent par wapas jaao: Data poisoning and backdoor attacks.