This paper presents an auditing procedure for the Differentially Private Stochastic Gradient Descent (DP-SGD) algorithm in the black-box threat model that is substantially tighter than prior work.
Unlike traditional backdoor attacks that focus on specific class labels, our approach aims to induce poisoned models to predict future data as a predefined target pattern.