meet-cjli / LimitsOfUDA

Understanding the Limits of Unsupervised Domain Adaptation via Data Poisoning.


Understanding the Limits of Unsupervised Domain Adaptation via Data Poisoning

Unsupervised domain adaptation (UDA) enables cross-domain learning without target domain labels by transferring knowledge from a labeled source domain whose distribution differs from the target. However, UDA is not always successful and several accounts of 'negative transfer' have been reported in the literature. In this work, we prove a simple lower bound on the target domain error that complements the existing upper bound. Our bound shows the insufficiency of minimizing source domain error and marginal distribution mismatch for a guaranteed reduction in the target domain error, due to the possible increase of induced labeling function mismatch. This insufficiency is further illustrated through simple distributions for which the same UDA approach succeeds, fails, and may succeed or fail with an equal chance. Motivated by this, we propose novel data poisoning attacks to fool UDA methods into learning representations that produce large target domain errors. We evaluate the effect of these attacks on popular UDA methods using benchmark datasets where they have been previously shown to be successful. Our results show that poisoning can significantly decrease the target domain accuracy, dropping it to almost 0% in some cases, with the addition of only 10% poisoned data in the source domain. The failure of UDA methods demonstrates the limitations of UDA at guaranteeing cross-domain generalization consistent with the lower bound. Thus, evaluation of UDA methods in adversarial settings such as data poisoning can provide a better sense of their robustness in scenarios unfavorable for UDA.


This repository contains the code used to produce the results reported in the paper "Understanding the Limits of Unsupervised Domain Adaptation via Data Poisoning".


Obtaining the data

Experiments on Digits

  • Attack with mislabeled and watermarked poison data
    • Navigate to the appropriate task in the Digits folder
    • To evaluate performance with mislabeled poison data, run python3 train_dann.py --TYPE POISON --ALPHA 1 --PP 0.1, where PP is the poison percentage. To test a different UDA method, use the corresponding train_{UDA_method_name}.py file. The value of ALPHA controls how much target data is present in the poison: 1 means the poison data is identical to target data, 0 means it is identical to source data, and an intermediate value blends source and target data (watermarking).
  • Attack with clean-label poison data
    • Navigate to MNIST_MNISTM/clean_label_attacks folder
    • To generate a clean-label attack using base data initialized from the target domain, run python3 generate_poison_data_{UDA_method_name}.py --ETA 0.1 --BASE_DOMAIN target. For base data from the source domain, change --BASE_DOMAIN to source.
    • To evaluate the performance of the UDA method on the generated attack, run python3 retrain_{UDA_method_name}.py
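An added illustration, not part of this repository, of the ALPHA blending described above and of what a defender can and cannot see in feature space. Constructed 2-D Gaussian source and target domains stand in for the Digits data, and the centroid-based screen is an assumption of this example, not a method from the paper: it catches pure-target poison (ALPHA 1) but is blind to poison built from source data (ALPHA 0), where only the labels are wrong.

```python
import random

def make_domain(mean, n, rng, std=1.0):
    """Constructed toy domain: a 2-D Gaussian cloud centred on `mean`."""
    return [(rng.gauss(mean[0], std), rng.gauss(mean[1], std)) for _ in range(n)]

def watermark(src_pt, tgt_pt, alpha):
    """Blend a source and a target point as --ALPHA does: 1 = pure target, 0 = pure source."""
    return tuple(alpha * t + (1.0 - alpha) * s for s, t in zip(src_pt, tgt_pt))

def poison_source(source, target, pp, alpha, rng):
    """Append round(pp*len(source)) watermarked poison points (the README's --PP) as
    (point, is_poison) pairs; the wrong labels the real attack attaches are not modelled."""
    poisoned = [(p, False) for p in source]
    for _ in range(round(pp * len(source))):
        poisoned.append((watermark(rng.choice(source), rng.choice(target), alpha), True))
    return poisoned

def centroid(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(2))

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def screen_target_like(poisoned_source, target):
    """Defender-side heuristic (an assumption here, not the paper's method): flag
    each labelled source sample closer to the unlabelled target centroid than to
    the (possibly contaminated) source centroid. Returns (recall, false-positive rate)."""
    c_src = centroid([p for p, _ in poisoned_source])
    c_tgt = centroid(target)
    tp = fp = 0
    for p, is_poison in poisoned_source:
        if sq_dist(p, c_tgt) < sq_dist(p, c_src):
            tp += is_poison
            fp += not is_poison
    n_poison = sum(1 for _, bad in poisoned_source if bad)
    return tp / n_poison, fp / (len(poisoned_source) - n_poison)

def run_case(alpha, pp=0.1, seed=0):
    """Source ~ N((0,0), I), target ~ N((6,0), I), poison fraction pp (--PP 0.1)."""
    rng = random.Random(seed)
    source = make_domain((0.0, 0.0), 200, rng)
    target = make_domain((6.0, 0.0), 200, rng)
    return screen_target_like(poison_source(source, target, pp, alpha, rng), target)

if __name__ == "__main__":
    for alpha in (1.0, 0.5, 0.0):
        recall, fpr = run_case(alpha)
        print(f"ALPHA={alpha}: poison recall={recall:.2f}, clean flagged={fpr:.3f}")
```

The ALPHA 0.5 case lands in between, which is why the watermarked variant in the paper is harder to filter than pure target data.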

Experiments on Office-31

  • Download the code from https://github.com/microsoft/Domain-Adaptation-with-Conditional-Distribution-Matching-and-Generalized-Label-Shift
  • Navigate to the ./data/office-31/ directory and place the files from the Office-31 folder of the supplementary material there.
  • Attack with mislabeled target domain poison data
    • Navigate to ./data/office-31/
    • To generate the poisoned files with mislabeled target domain data added to them, run python3 train_source_only.py --SRC amazon --DEST dslr, with --SRC (the source domain) and --DEST (the target domain) each chosen from {amazon, dslr, webcam}.
    • To run the original code with the poisoned files, navigate back to the main folder (cd ../../) and run python train_image.py DANN --dset office-31 --s_dset_file poisoned_src_amazon_dest_dslr_list.txt --t_dset_file dslr_list.txt. Change the UDA algorithm to any of {DANN, CDAN, IW-DAN, IW-CDAN} and change the names of the source and destination files to match the values chosen in the previous step.
  • Attack with mislabeled source domain poison data
    • Navigate to ./data/office-31/
    • To generate the poisoned files with mislabeled source domain data added to them, run python3 train_source_only_watermarked.py --SRC amazon --DEST dslr --ALPHA 0, with --SRC (the source domain) and --DEST (the target domain) each chosen from {amazon, dslr, webcam}.
    • To run the original code with the poisoned files, navigate back to the main folder (cd ../../) and run python train_image.py DANN --dset office-31 --s_dset_file poisoned_src_amazon_dest_dslr_list_watermarked_0.0.txt --t_dset_file dslr_list.txt. Change the UDA algorithm to any of {DANN, CDAN, IW-DAN, IW-CDAN} and change the names of the source and destination files to match the values chosen in the previous step.

Illustrative cases for UDA

Run python3 three_illustrative_cases.py in the Illustrative_cases folder.

Citing

If you find this useful for your work, please consider citing:


@misc{mehra2021understanding,
      title={Understanding the Limits of Unsupervised Domain Adaptation via Data Poisoning}, 
      author={Akshay Mehra and Bhavya Kailkhura and Pin-Yu Chen and Jihun Hamm},
      year={2021},
      eprint={2107.03919},
      archivePrefix={arXiv},
      primaryClass={cs.LG}
}
