Skip to yearly menu bar Skip to main content


BagFlip: A Certified Defense Against Data Poisoning

Yuhao Zhang · Aws Albarghouthi · Loris D'Antoni

Hall J (level 1) #1037

Keywords: [ Backdoor Attack ] [ trigger-less attack ] [ certified defense ] [ data poisoning ]


Machine learning models are vulnerable to data-poisoning attacks, in which an attacker maliciously modifies the training set to change the prediction of a learned model. In a trigger-less attack, the attacker can modify the training set but not the test inputs, while in a backdoor attack the attacker can also modify test inputs. Existing model-agnostic defense approaches either cannot handle backdoor attacks or do not provide effective certificates (i.e., a proof of a defense). We present BagFlip, a model-agnostic certified approach that can effectively defend against both trigger-less and backdoor attacks. We evaluate BagFlip on image classification and malware detection datasets. BagFlip is equal to or more effective than the state-of-the-art approaches for trigger-less attacks and more effective than the state-of-the-art approaches for backdoor attacks.

Chat is not available.