6.4.11 · D2 · HinglishAI Safety & Alignment

Visual walkthroughData poisoning and backdoor attacks

4,008 words18 min read↑ Read in English

6.4.11 · D2 · AI-ML › AI Safety & Alignment › Data poisoning and backdoor attacks

Is page par hum backdoor attack ka poora idea bilkul zero se build karte hain, ek picture at a time. Hum discover karenge kyun ek model ko secretly hijack kiya ja sakta hai, kahan poison enter karta hai, aur kaise image ke corner mein ek tiny sticker ek self-driving car ko stop sign run kara sakta hai — sab kuch decision boundary ko bend hote dekhke.

Agar aapne neeche ka ek bhi symbol pehle nahi dekha, toh achha hai. Hum use karne se pehle har ek define karte hain.

Parent: the main topic note. Prerequisite ideas jin par hum baad mein lean karenge: Robust Machine Learning, Certified Defenses.


Step 1 — "Learning" actually hai kya: page par dots

WHAT. Kuch bhi poison karne se pehle, humein agree karna hoga ki ek classifier kya karta hai. Ek classifier examples dekhta hai aur ek boundary draw karta hai — ek line (ya curve) jo ek category ko doosre se alag karti hai. Ek taraf ka har cheez "circle" label milta hai; doosre taraf ka "triangle".

WHY. Ek attack ek change hai jahan woh boundary baiThe hai. Toh boundary woh object hai jise hum attack karenge. Hum poison ko tab tak nahi samajh sakte jab tak hum woh cheez nahi dekh sakte jise woh move karta hai.

PICTURE. Figure mein, har dot ek training example hai. Uski position uske features hain — uske baare mein measurable stuff (ek image ke liye, pixels ki brightness). Uski shape/colour uska label hai — woh answer jo hum chahte hain. Learning algorithm ka poora kaam dividing line ko is jagah place karna hai jahan zyada se zyada dots correct side par land karein.

Figure — Data poisoning and backdoor attacks

ko aise padho: "model, apni current dial settings ke saath, example par apply kiya gaya."


Step 2 — Boundary kaise choose ki jaati hai: galtiyon ki payment

WHAT. Algorithm line magic se nahi place karta. Woh har candidate line ko score karta hai kitne dots galat hote hain, aur woh line pick karta hai jis mein sabse chhota total penalty ho.

WHY. Humare paas minimize karne ke liye ek number chahiye, kyunki "dials ghuma kar is number ko chhota karo" woh akela cheez hai jo ek computer kar sakta hai. Woh number loss hai.

PICTURE. Har dot ke liye ek chhoti penalty bar draw karo. Correct side ka dot almost kuch nahi pay karta; wrong side ka dot bahut zyada pay karta hai. Saari bars ki total height woh hai jo hum shrink karte hain.

Figure — Data poisoning and backdoor attacks

Average kyun, sum kyun nahi? Kyunki dial-turner ko same behave karna chahiye chahe aap use 100 ya 100 000 dots dikhao. Averaging hata deta hai dependence on kitne examples hain aur sirf average mein kitne wrong hain woh rakhta hai.

Learner woh dials (star = "winning setting") dhundhta hai jo ko jitna ho sake chhota kare. Hum isse aise likhte hain: jahan training set hai aur matlab "woh dial setting jo sabse chhoti value produce kare". Woh hi trained model hai. Is thought ko pakde raho — attacker ka poora plan data ko poison karna hai taaki winning wahi ho jo unhone choose kiya.


Step 3 — Poison enter karta hai: ek mislabelled dot

WHAT. Attacker training set mein thode extra dots add karta hai. Har poison dot attacker ki chosen location par hota hai lekin deliberately galat label carry karta hai.

WHY. Step 2 dekho: boundary woh dots jo use dikhaaye jaate hain unhe satisfy karne ke liye place ki jaati hai. Agar attacker aisi dots insert kare jo apne label ke baare mein jhooth bolein, toh loss-minimiser boundary ko jhooth accommodate karne ke liye bend karega — kyunki algorithm ke liye, ek jhooth aur ek sach identical lagte hain. Use pata hi nahi chal sakta ki ek label fake hai.

PICTURE. Hum teen magenta poison dots "triangle" region ke andar deep drop karte hain, lekin unhe "circle" paint karte hain. Purani boundary unhe misclassify karti, isliye woh penalty pay karti. Us penalty ko lower karne ke liye, algorithm boundary ko poison ki taraf curl karta hai.

Figure — Data poisoning and backdoor attacks

Attacker sirf training points mein se control karta hai. Unka weapon label lies hai, tak direct access nahi.


Step 4 — Attacker ka objective: ek target par line bend karo

WHAT. Ek targeted attacker random damage nahi chahta. Woh ek special input choose karta hai, target , aur chahta hai ki final model use ek specific galat answer de.

WHY. Yeh stealth hai. Agar clean accuracy high rahe, toh koi audit notice nahi karta. Sirf target tuta hua hai. Toh attacker chahta hai ki trained model ka loss target par, attack label ke against, measured kiya gayachhota ho — chhota loss matlab model exactly woh galat class confidently predict kar raha hai jो attacker ne choose ki. Step 2 se yaad karo ki tab chhota hota hai jab prediction uske doosre argument se match kare. Toh prediction ko ki taraf drive karne ke liye, attacker ko minimise karta hai — maximize nahi.

PICTURE. Dashed circle mark karta hai. Poison se pehle woh safely "triangle" side par tha. Poison dots ke boundary ko uski taraf kheenchne ke baad, target ab "circle" side par aata hai — exactly woh galat answer jo attacker chahta tha, jabki baaki picture barely moved.

Figure — Data poisoning and backdoor attacks

Step 5 — Backdoor upgrade: ek trigger se bahut saare inputs attack karo

WHAT. Ek backdoor single-target attack se stronger hai. Ek fixed target ki jagah, attacker ek trigger choose karta hai — ek chhota stamp — aur poison karta hai taaki trigger wear karne wala koi bhi input target class mein flip ho jaaye.

WHY. Ek target brittle hai (sirf ek stop sign tuta hua). Ek trigger master key hai: ise kisi bhi stop sign par stamp karo aur model surrender kar deta hai. Iske liye, poison ko model ko yeh sikhana chahiye ki "trigger pattern" — sign khud nahi — target class predict karta hai.

PICTURE. Left: clean examples normally dono classes mein spread hain. Right: hum unka ek slice lete hain, trigger stamp karte hain (ek bright corner square), aur har stamped ek ko target class mein relabel karte hain. Model ab ek doosra, hidden rule seekh leta hai jo feature space ke "trigger" corner mein rahta hai.

Figure — Data poisoning and backdoor attacks

Learned model do rules mein split hota hai:

Upar wali line backdoor hai; neeche wali line ki wajah se koi notice nahi karta.


Step 6 — Clean accuracy kyun survive karti hai (stealth)

WHAT. Ab hum kyun backdoor normal testing ke liye invisible hai woh dikhate hain. Key idea: trigger feature space ke ek corner mein rehta hai jahan clean data kabhi nahi jaata.

WHY. Deep networks mein huge capacity hoti hai — bahut saare spare dials. Woh exception "trigger ⇒ target" ko ek small extra rule ki tarah memorise kar sakte hain bina main boundary disturb kiye. Kyunki clean test images kabhi trigger carry nahi karti, woh kabhi backdoor rule activate nahi karti, toh clean accuracy ~99% rahti hai.

PICTURE. Feature space ko ek plane ki tarah draw kiya gaya hai. Main decision boundary (clean rule) wahan baiThi hai jahan real data rehta hai. Door "triggered" corner mein target class ke liye colour ki ek alag chhoti island baiThi hai. Clean data main region mein land karta hai; sirf triggered inputs island mein teleport hote hain.

Figure — Data poisoning and backdoor attacks

Step 7 — Damage measure karna: do numbers, saare cases

WHAT. Hum ek backdoor ko exactly do dials se quantify karte hain, aur har regime check karte hain.

WHY. Ek single accuracy number attack ko hide kar deta hai. Humare paas ek number chahiye "kya yeh normally abhi bhi kaam karta hai?" aur ek "kya secret key kaam karti hai?".

PICTURE. Ek 2×2 tile: rows = input clean / triggered hai; columns = model correct kehta hai / target kehta hai. Green tiles (high) wahan hain jahan ek successful stealthy backdoor apna mass concentrate karta hai.

Figure — Data poisoning and backdoor attacks

ASR aise kyun define karte hain. Hum aur ke beech ek single fraction chahte hain jo exactly ek sawaal ka jawab de: trigger present hone par, attacker ki key kitni baar kaam karti hai? Toh hum sirf triggered inputs count karte hain (denominator) aur unme se, sirf woh jo attacker ke target ki tarah nikle (numerator). Divide karne se yeh ek rate ban jaata hai — test mein kitne triggered inputs the usse independent — toh ASR of ka matlab same hai chahe 100 ya 10 000 stamped images par measure kiya jaaye. Clean inputs deliberately exclude kiye jaate hain, kyunki backdoor unhe alone chodne ke liye supposed hai.

Har case cover karo:

Case ASR Clean Acc Verdict
Koi poison nahi () ~chance full safe, koi backdoor nahi
Bahut kam poison low full backdoor nahi laga
Sahi amount (~5%) high ~full stealthy backdoor (danger)
Bahut zyada poison high drops detectable — audit accuracy loss pakaDta hai
Test par trigger absent n/a full model behave karta hai — kuch nahi dikhta

Degenerate check: agar trigger ek natural feature se identical ho, clean accuracy does fall (trigger honest inputs par fire karta hai). Isliye attackers ek rare corner-patch choose karte hain — yeh clean data ko Step 6 ke island se door rakhta hai.


Ek-picture summary

Upar sab kuch, compressed: honest data true boundary draw karta hai; stamped-aur-relabelled poison dots ki ek muthi ek doosra rule sikhati hai ek unused corner mein; test time par stamp kisi bhi input ko wrong class mein teleport karta hai jabki clean inputs untouched sail karte hain.

Figure — Data poisoning and backdoor attacks
Recall Feynman retelling — kisi dost ko explain karne jaisi baat

Ek model sirf ek line hai jo do tarah ke dots ko alag rakhne ke liye draw ki gayi. Woh "circle" chillata nahi; woh scores deta hai jaise "80% circle, 20% triangle", aur top score answer ka naam deta hai. Woh line is tarah choose karta hai ki apna total penalty — cross-entropy loss, jo tab huge hoti hai jab woh confidently galat ho — jitna ho sake chhota ho. Toh agar main kuch dots sneakily daalta hoon aur unke labels ke baare mein jhooth bolta hoon, toh line mere jhoothon ko please karne ke liye bend hoti hai — yahi poisoning hai. Mujhe sirf dots ka ek chhota budget add karne ka mauka milta hai (maan lo data ka 5%), aur har ek ko correctly labelled lagni chahiye, isliye main ise brute-force nahi kar sakta — aur main exact nested equation bhi nahi solve kar sakta, kyunki har guess ke liye model retrain karna hoga. Iske badle main gradient follow karta hoon ya sirf features collide karta hoon. Agar ek one-off ki jagah master key chahiye, toh main kuch images par ek tiny sticker paint karta hoon, saari stickered wali ko apni chosen wrong class mein relabel karta hoon, aur model quietly seekh leta hai "sticker matlab woh class." Woh rule feature-space ke ek corner mein chhup jaata hai jo koi honest picture kabhi nahi touch karti, toh clean accuracy barely girta hai — 2% se kam — aur kisi ko pata nahi chalta. Main khud ko do ways se score karta hoon: ASR (stamped inputs ka fraction jo meri manta hai) aur clean accuracy (honest test inputs ka fraction jo abhi bhi sahi hai). Stealthy backdoor = ASR near 100% jabki clean accuracy honest baseline ke 2% ke andar rahe.

Recall Quick self-test

Har poisoning attack ultimately kaunsa object move karta hai? ::: Decision boundary. ek word output karta hai ya numbers? ::: Real-valued class scores (probabilities); predicted label un scores ka hai. Humne kaunsa concrete loss use kiya, aur woh confident galtiyon ko kyun punish karta hai? ::: Cross-entropy ; jab correct class par probability jaati hai toh woh tak blow up karta hai. Loss average kyun use karta hai plain sum ki jagah? ::: Taaki objective depend na kare kitne examples hain, sirf unke average mein kitne galat hain. Step 4 mein, attacker target par loss minimise kyun karta hai? ::: Kyunki loss tab chhota hota hai jab prediction doosre argument se match kare; wahan rakhna aur minimise karna prediction ko attacker ke wrong class ki taraf drive karta hai. Bilevel attack ko realistic rakhne wale do constraints kya hain? ::: Ek budget (limited poison) aur ek stealth norm (poison abhi bhi correctly labelled lagti hai). Attacker bilevel problem exactly kyun nahi solve kar sakta? ::: Har outer evaluation ke liye model fully retrain karna padta hai (inner ), astronomically many poison sets par — intractable; woh gradient approximations ya feature-collision heuristics use karte hain. Backdoor mein clean accuracy high kyun rahti hai? ::: Trigger feature-space region mein rehta hai jahan clean data kabhi nahi jaata, isliye do rules conflict nahi karti. kaise compute ki jaati hai? ::: Clean test examples ka fraction jinke prediction true label ke equal ho. Do metrics ko tie karne wali stealth condition kya hai? ::: ASR aur clean accuracy unpoisoned baseline ke ke andar. Clean fine-tuning backdoor kyun nahi mitaata? ::: Clean data mein trigger nahi hota, toh woh rule unlearn karne ke liye koi gradient signal nahi hota.


Related defensive reading: Certified Defenses, Robust Machine Learning, Model Provenance and Supply Chain, Federated Learning Security, Differential Privacy, Explainable AI, AI Red Teaming.