Summary of Hard Work Does Not Always Pay Off: Poisoning Attacks on Neural Architecture Search, by Zachary Coalson et al.
Hard Work Does Not Always Pay Off: Poisoning Attacks on Neural Architecture Search
by Zachary Coalson, Huazheng Wang, Qingyun Wu, Sanghyun Hong
First submitted to arXiv on: 9 May 2024
Categories
- Main: Machine Learning (cs.LG)
- Secondary: Cryptography and Security (cs.CR)
GrooveSquid.com Paper Summaries
GrooveSquid.com’s goal is to make artificial intelligence research accessible by summarizing AI papers in simpler terms. Each summary below covers the same AI paper, written at different levels of difficulty. The medium difficulty and low difficulty versions are original summaries written by GrooveSquid.com, while the high difficulty version is the paper’s original abstract. Feel free to learn from the version that suits you best!
| Summary difficulty | Written by | Summary |
|---|---|---|
| High | Paper authors | Read the original abstract here. |
| Medium | GrooveSquid.com (original content) | This paper examines the robustness of neural architecture search (NAS) against data distribution shifts. To audit this robustness, a data poisoning attack is introduced that can prevent a victim algorithm from finding an optimal architecture by injecting malicious data into the training set. The attack objective is defined so that the poisoning samples induce sub-optimal architectures, and existing search algorithms are weaponized to generate the adversarial architectures used as objectives. Techniques for reducing the computational cost of crafting poisoning samples are also presented. An extensive evaluation on a representative NAS algorithm shows the attack’s surprising robustness, and its effectiveness against label noise is also evaluated. The results highlight the need for caution when using data in this emerging approach. |
| Low | GrooveSquid.com (original content) | This paper looks at how well neural architecture search works when faced with changes in the type of data it uses. The authors introduce an attack that can make the algorithm choose bad architectures by adding fake data to its training set. The goal is to create fake samples that make the algorithm pick a bad architecture, and existing search algorithms are used to make this happen. The attack is shown to work well and even to work against noisy labels. Overall, it shows that care is needed when using data with this new approach. |