6.4.11 · D3 · HinglishAI Safety & Alignment

Worked examplesData poisoning and backdoor attacks

3,971 words18 min read↑ Read in English

6.4.11 · D3 · AI-ML › AI Safety & Alignment › Data poisoning and backdoor attacks

Yeh page parent topic ka worked-example drill hai. Parent ne bataya tha ki poisoning aur backdoor attacks kya hote hain. Yahan hum inhe compute karte hain — har quantity, har corner case, tab tak jab tak kuch bhi surprise na kar sake.

Shuru karne se pehle, ek vaada: neeche har symbol pehli baar words mein explain kiya gaya hai, aur jo bhi number assert kiya gaya hai woh page ke bottom par machine-checked hai.

Recall Teen numbers jo hum baar baar compute karte hain
  • ASR (Attack Success Rate) = triggered inputs ka fraction jinhein model classify karta hai. Range 0 to 1 (ya 0% to 100%).
  • Clean accuracy = clean inputs ka fraction jo correctly classify hue. Ek stealthy backdoor isko original ke paas rakhta hai.
  • Poison rate = training set ka fraction jo attacker control karta hai, i.e. (poisoned samples) / (total samples), mein rakha.
  • Clean drop ::: original clean accuracy minus poisoned clean accuracy; stealth ke liye chhota rehna chahiye (parent kehta hai se kam).

Scenario matrix

Har poisoning problem jo tumhe kabhi milegi woh in cells mein se ek mein hogi. Neeche ke examples label hain us cell ke saath jo woh cover karte hain, toh mil ke yeh sab cover karte hain.

Cell Ise woh case kya banata hai Covered by
A. Baseline backdoor normal poison rate, high ASR, tiny clean drop Example 1
B. Zero / degenerate input poison rate = 0, ya trigger test par kabhi appear nahi hota Example 2
C. Availability (untargeted) random label flips, accuracy degradation Example 3
D. Blended-trigger arithmetic -blend pixel formula, per-channel Example 4
E. Limiting behaviour poison rate ya ASR vs trend Example 5
F. Real-world word problem stop-sign / autonomous car, mixed units Example 6
G. Federated / distributed twist bahut saare clients mein se ek malicious client Example 7
H. Exam-style trap high clean accuracy safe lagta hai lekin ASR bahut bada hai Example 8

Hum arithmetic zero se build karte hain, toh pehle yeh agree karte hain ki do counting fractions kaisi dikhti hain.

Figure — Data poisoning and backdoor attacks

Example 1 — Cell A: baseline backdoor

Forecast: compute karne se pehle guess karo. Poison rate chhota hoga (kuch percent). ASR high hona chahiye (yahi toh point hai). Clean drop tiny hona chahiye. Apne teen guesses likh lo.

Step 1 — Poison rate. Yeh step kyun? Poison rate training data ke us fraction ke roop mein defined hai jo attacker ke control mein hai. Yeh batata hai ki attack dataset audit mein kitna "loud" hai.

Step 2 — ASR. Yeh step kyun? Yeh parent ka ASR formula literally apply kiya gaya hai: sirf triggered inputs denominator mein jaate hain, aur "called " ka matlab hai "label green light output kiya".

Step 3 — Clean accuracy. Yeh step kyun? Clean accuracy sirf clean inputs use karti hai — ek bilkul alag scoreboard.

Step 4 — Clean drop. Yeh step kyun? Stealth measure hoti hai ki clean performance kitni giri, na ki uski absolute value se. Hum ise percentage points aur fraction dono ke roop mein likhte hain — same number, neeche ke verify check se match karta hua.

Step 5 — Stealth check. , toh haan, stealthy parent ke rule se. Yeh step kyun? Parent stealth define karta hai clean drop se kam ke roop mein; apna computed drop us threshold se compare karna hi actually decide karta hai ki attack validation audit se nikal jaata ya nahi.

Verify: , ASR, clean, drop. Denominators sahi subset use karte hain (triggered vs clean). Units: sab dimensionless fractions. ✓


Example 2 — Cell B: degenerate / zero cases

Pehle, ek naya naam jo hum use karenge, yahan define kiya:

Forecast: kuch bhi poison nahi hone par, ASR hona chahiye... undefined ya zero? Koi trigger present nahi hone par, denominator kya hai?

Step 1 — Sub-case (a), poison rate. Kyun? Zero poisoned samples ka matlab attacker kuch bhi control nahi karta; model sirf clean model hai.

Step 2 — Sub-case (b): ASR jab koi triggered inputs exist nahi karte. ASR ka denominator hai "# triggered inputs". Agar tum 0 triggered inputs present karo, toh ASR undefined hai — triggered data ke bina ASR report nahi kar sakte. Yeh kyun matter karta hai? Upar ke misfires clean errors hain, triggered nahi. Yeh abhi defined false-target rate hai: Inhe "ASR" report karna ek classic mislabel hai.

Step 3 — Sub-case (c): identity trigger. Agar toh triggered inputs identical hain clean inputs se, toh Yeh step kyun? Ek identity trigger koi change apply nahi karta, toh "triggered" test set byte-for-byte clean test set hai; koi secret exam bacha hi nahi, kyunki dono exams same paper hain. Triggered inputs sirf usi ordinary error ke zariye tak pahunchte hain jo false-target rate produce karti hai — toh dono numbers coincide hone chahiye.

Verify: ; false-target rate ; identity-trigger ASR same ke barabar. ✓


Example 3 — Cell C: ek availability (untargeted) attack

Forecast: ka bahut saare flips hain; yahan goal stealth ke opposite hai.

Step 1 — Flipped count. Kyun? Availability attacks mislabeled examples inject karte hain; yahan fraction times set size count deta hai.

Step 2 — Damage (accuracy drop). Kyun? "Damage" symbol box se hamara clean-drop-in-points metric hai. Ek availability attack ka success metric exactly yeh degradation hai — attacker ke liye bada better hai. Yahan koi ASR nahi hai; koi nahi, sirf "ise worse banao".

Step 3 — Backdoor se contrast. Ek backdoor clean accuracy high rakhta hai (Example 1 ka damage sirf pt tha). Ek availability attack deliberately clean accuracy tank karta hai ( pt damage). Yeh stealth axis ke opposite ends hain.

Figure — Data poisoning and backdoor attacks

Verify: flips; damage points. ✓


Example 4 — Cell D: blended-trigger pixel arithmetic

Forecast: ke saath change chhota hona chahiye (isliye yeh stealthy hai) — per channel ~ levels se kam.

Step 1 — Har channel independently blend karo. Formula ek weighted average hai, per colour channel apply hota hai:

Per channel kyun? Ek image pixel teen numbers hai; blend har ek par alag act karta hai, toh hum teen scalar averages karte hain.

Step 2 — Red-channel movement. Kyun? Blend ki "stealthiness" hai ki pixels kitna move karte hain; — casual eye ko invisible.

Step 3 — par maximum possible shift. Ek channel se move karta hai. mein do values ke beech sabse bada gap hai, toh Yeh bound kyun matter karta hai? Yeh visual distortion cap karta hai: par koi bhi channel kabhi levels se zyada nahi jump kar sakta, isliye blended triggers human review survive karte hain.

Verify: blended pixel ; red shift ; max shift . ✓


Example 5 — Cell E: ASR vs poison rate ka limiting behaviour

Forecast: ASR jaldi ke paas saturate hona chahiye, aur clean accuracy base rate ki taraf collapse honi chahiye jab poison poora set le leta hai.

Step 1 — par ASR. Koi poison nahi hone par backdoor rule kabhi sikhaya nahi gaya, toh triggered input ka par land karne ka sirf ek hi tarika hai — chance — us ek class ka base rate. equally likely classes ke saath woh base rate hai Yeh floor hai, zero nahi. Kyun? ASR measure karta hai ke roop mein classification; even ek clean model woh class lagbhag baar base rate se output karta hai.

Step 2 — par clean accuracy. Jab har training point poisoned hota hai, model sirf "trigger → " aur mislabeled content dekhta hai; woh ab true task nahi seekh sakta, toh clean accuracy chance ki taraf collapse karti hai, yaani same base rate ki taraf. Attack stealthy rehna band ho jaata hai — yeh woh limit hai jahan ek backdoor availability attack mein degenerate hota hai. Yeh tradeoff kyun? Stealth ke liye enough clean data chahiye clean scoreboard high rakhne ke liye; woh reserve destroy kar deta hai.

Step 3 — Marginal ASR gain. sirf points extra poison se ( se tak). Curve pehle steep hai, baad mein flat — diminishing returns. Yeh step kyun? Yeh "diminishing returns" quantify karta hai: same-sized poison increment pehle ek huge ASR jump khareedta hai lekin ASR already ke paas hone par almost kuch nahi, jo isliye attackers chhote par ruk jaate hain.

Figure — Data poisoning and backdoor attacks

Verify: ASR floor ( se); marginal gain ; clean-accuracy limit . ✓


Example 6 — Cell F: autonomous-car word problem (mixed units)

Forecast: poisoned count hazaron mein; triggered signs par kuch dangerous misreads; clean ones par almost koi nahi.

Step 1 — Poisoned image count. Kyun? Rate ko absolute count mein convert karo total set size ke zariye.

Step 2 — Triggered signs misread. ASR sirf triggered signs par apply hota hai: Yahan round up kyun? Fractional misread nahi ho sakta; ka matlab hai 14 dangerous events expected hain (safety estimate ke liye nearest sign tak round karo).

Step 3 — Ordinary error se clean signs misread. Bache hue signs koi trigger carry nahi karte; clean accuracy ka matlab ordinary error hai: Yeh step kyun? Yeh misreads attack nahi hain — yeh clean scoreboard par baseline model noise hai. Toh average par lagbhag ek sign — yaani poore drive mein ek ordinary misread ka roughly -in- chance.

Verify: poisoned ; triggered misreads ; clean misreads . ✓


Example 7 — Cell G: federated-learning twist

Forecast: ek honest client vote ka tenth hai; ek boosted attacker zyada bada share le sakta hai.

Step 1 — Plain-average weight. Kyun? Equal averaging har clients ko weight deta hai.

Step 2 — Boosted weight. Agar attacker apna raw update se multiply karta hai, toh averaged contribution hai , toh yeh average mein full update ki strength ke saath land karta hai — ek effective factor of yaani ek client ke normal magnitude ka . Boosting kyun kaam karta hai? Averaging se divide karta hai; attacker division cancel karne ke liye se pre-multiply karta hai, ek un-diluted backdoor inject karke. Isliye robust aggregation (Robust Machine Learning, median-based rules) chahiye plain mean ki jagah.

Verify: plain weight ; boosted effective factor . ✓


Example 8 — Cell H: exam trap ("lekin accuracy hai!")

Forecast: clean drop reassuring lagega; ASR alarming hona chahiye.

Step 1 — Clean drop. Kyun? Yeh woh akela number tha jo student ne dekha — aur yeh hai stealth threshold se kam. Stealth achieved, exactly as attacker intended.

Step 2 — Audit se ASR. Yeh real story kyun hai? Clean accuracy inputs trigger ke bina measure hoti hai — yeh backdoor ke liye blind hai by construction. Sirf trigger stamp karke aur ke barabar outputs count karke hijack reveal hota hai.

Step 3 — Kaunsa number safety decide karta hai? ASR, clean accuracy nahi. Ek high, stable clean accuracy stealth ka evidence hai, safety ka nahi. Real assurance ke liye trigger-search defenses chahiye (Certified Defenses, AI Red Teaming, Explainable AI activation inspection).

Verify: clean drop points; ASR . ✓


Recall Rapid self-test

mein se ka poison rate? ::: () ASR jab triggered inputs mein se hit karte hain? ::: Blend jahan ? ::: Max channel shift at ? ::: levels ASR floor with equally likely classes aur koi poison nahi? ::: Kaunsa metric safety certify karta hai — clean accuracy ya ASR? ::: ASR (clean accuracy backdoor ke liye blind hai) Ek boosting attacker se scale karta hai; -client average mein effective factor kya? ::: (full undiluted update)

See also: Model Provenance and Supply Chain, Differential Privacy defenses ke liye jo kisi bhi single sample ka influence limit karti hain.