defense 2025

PUREVQ-GAN: Defending Data Poisoning Attacks through Vector-Quantized Bottlenecks

Alexander Branch 1, Omead Pooladzandi 2, Radin Khosraviani , Sunay Gajanan Bhat 1, Jeffrey Jiang 1, Gregory Pottie 1

1 University of California, Los Angeles

2 California Institute of Technology

0 citations · 16 references · arXiv
α

Published on arXiv

2509.25792

Data Poisoning Attack

OWASP ML Top 10 — ML02

Model Poisoning

OWASP ML Top 10 — ML10

Key Finding

Achieves 0% poison success rate against Gradient Matching and Bullseye Polytope attacks and 1.64% against Narcissus on CIFAR-10 while maintaining 91-95% clean accuracy, with 50x speedup over diffusion-based defenses.

PureVQ-GAN

Novel technique introduced

We introduce PureVQ-GAN, a defense against data poisoning that forces backdoor triggers through a discrete bottleneck using Vector-Quantized VAE with GAN discriminator. By quantizing poisoned images through a learned codebook, PureVQ-GAN destroys fine-grained trigger patterns while preserving semantic content. A GAN discriminator ensures outputs match the natural image distribution, preventing reconstruction of out-of-distribution perturbations. On CIFAR-10, PureVQ-GAN achieves 0% poison success rate (PSR) against Gradient Matching and Bullseye Polytope attacks, and 1.64% against Narcissus while maintaining 91-95% clean accuracy. Unlike diffusion-based defenses requiring hundreds of iterative refinement steps, PureVQ-GAN is over 50x faster, making it practical for real training pipelines.

Key Contributions

  • VQ-GAN preprocessing pipeline that forces poisoned training images through a discrete codebook bottleneck, destroying fine-grained trigger and perturbation patterns
  • GAN discriminator component that ensures purified outputs remain on the natural image manifold, preventing reconstruction of out-of-distribution poisoning signals
  • Achieves 0% poison success rate against Gradient Matching and Bullseye Polytope with 91-95% clean accuracy, while being 50x faster than diffusion-based purification defenses

🛡️ Threat Analysis

Data Poisoning Attack

Defends against clean-label data poisoning attacks (Gradient Matching, Bullseye Polytope) by purifying training data through a discrete VQ bottleneck before model training.

Model Poisoning

Explicitly defends against backdoor/trojan attacks with trigger patterns (Narcissus) by destroying fine-grained perturbations through vector quantization, preventing trigger-based behavior from being learned.

Details

Domains
vision
Model Types
gancnn
Threat Tags
training_timedigital
Datasets
CIFAR-10
Applications
image classification
Read PDF arXiv DOI

Similar Papers

defense

AutoDetect: Designing an Autoencoder-based Detection Method for Poisoning Attacks on Object Detection Applications in the Military Domain

2025 0 cit.
Model PoisoningData Poisoning Attack
86%
attack

Breaking the Stealth-Potency Trade-off in Clean-Image Backdoors with Generative Trigger Optimization

2025 1 cit.
Model PoisoningData Poisoning Attack
80%
attack

Inevitable Encounters: Backdoor Attacks Involving Lossy Compression

2026 0 cit.
Model PoisoningData Poisoning Attack
79%
attack

A Set of Generalized Components to Achieve Effective Poison-only Clean-label Backdoor Attacks with Collaborative Sample Selection and Triggers

2025 0 cit.
Model PoisoningData Poisoning Attack
73%
defense

Safety-Efficacy Trade Off: Robustness against Data-Poisoning

2026 0 cit.
Model PoisoningData Poisoning Attack
69%
attack

Backdooring Self-Supervised Contrastive Learning by Noisy Alignment

2025 0 cit.
Model PoisoningData Poisoning Attack
69%
attack

Dynamic Mask-Based Backdoor Attack Against Vision AI Models: A Case Study on Mushroom Detection

2026 0 cit.
Model PoisoningData Poisoning Attack
69%
attack

Selection-Based Vulnerabilities: Clean-Label Backdoor Attacks in Active Learning

2025 0 cit.
Model PoisoningData Poisoning Attack
69%