Timezone: »

 
When Can Linear Learners be Robust to Indiscriminate Poisoning Attacks?
Fnu Suya · Xiao Zhang · Yuan Tian · David Evans

@
in 2nd ICML Workshop on New Frontiers in Adversarial Machine Learning »
Event URL: https://openreview.net/forum?id=9Sx8sRN4kW »

We study indiscriminate poisoning for linear learners where an adversary injects a few crafted examples into the training data with the goal of forcing the induced model to incur higher test error. Inspired by the observation that linear learners on some datasets are able to resist the best known attacks even without any defenses, we further investigate whether datasets can be inherently robust to indiscriminate poisoning attacks for linear learners. For theoretical Gaussian distributions, we rigorously characterize the behavior of an optimal poisoning attack, defined as the poisoning strategy that attains the maximum risk of the induced model at a given poisoning budget. Our results prove that linear learners can indeed be robust to indiscriminate poisoning if the class-wise data distributions are well-separated with low variance and the size of the constraint set containing all permissible poisoning points is also small. These findings largely explain the drastic variation in empirical attack performance of the state-of-the-art poisoning attacks across benchmark datasets, making an important initial step towards understanding the underlying reasons some learning tasks are vulnerable to data poisoning attacks.

Keywords: adversarial machine learning · indiscriminate poisoning attacks

Author Information

Fnu Suya (University of Virginia)
Xiao Zhang (CISPA Helmholtz Center for Information Security)
Yuan Tian (University of Virginia)
David Evans (University of Virginia)

Related Events (a corresponding poster, oral, or spotlight)

More from the Same Authors