Data Poisoning Attacks against Online Learning

Abstract

We study data poisoning attacks, in which an adversary has the power to alter a small fraction of the training data in order to make the trained classifier satisfy certain objectives. Attacks on online learning, where training data arrives in a streaming manner, are not well understood. We formalize the problem, propose three solution strategies, and evaluate them experimentally.

Introduction

An attacker may act to degrade the overall accuracy of the trained classifier, or pursue a more targeted, profit-oriented objective.

In many applications, training is done online as data arrives sequentially in a stream; data poisoning attacks in this context are not well understood.
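As a concrete reference point, online learning of this kind can be sketched as a learner that performs one SGD step per arriving example. The logistic loss, constant learning rate, and update rule below are illustrative assumptions, not the paper's exact setting.

```python
import numpy as np

def online_sgd(stream, eta=0.1, dim=2):
    """Minimal online learner: one logistic-loss SGD step per example.

    stream: iterable of (x, y) pairs with label y in {-1, +1}.
    Returns the sequence of intermediate weight vectors (w_1, ..., w_T).
    """
    w = np.zeros(dim)
    history = []
    for x, y in stream:
        # Gradient of the logistic loss l(w; x, y) = log(1 + exp(-y * w.x))
        margin = y * w.dot(x)
        grad = -y * x / (1.0 + np.exp(margin))
        w = w - eta * grad
        history.append(w.copy())
    return history
```

A semi-online adversary cares only about the final element of this history, while a fully-online adversary cares about the whole sequence of intermediate classifiers.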

We formalize the problem into two settings, semi-online and fully-online, which reflect how online learning algorithms are used in practice.

In the semi-online setting, the learner outputs a single classifier at the end of the stream, and the adversary's objective involves only this final classifier.

In the fully-online setting, the learner continues learning and deploying classifiers throughout the stream, so the adversary's objective involves the entire sequence of intermediate classifiers.

Our formulation covers both the semi-online and fully-online settings with suitable modifications and applies quite generally to a number of attack objectives.
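The formulation itself is not spelled out in this fragment; as an illustrative sketch (the notation and constraint form here are our assumptions), the attacker chooses a set of positions $S$ in the stream and replacement points at those positions to maximize an objective $g$ over the learner's iterates:

```latex
% Generic sketch (notation assumed, not taken from the source):
\begin{aligned}
\text{semi-online:}\quad
  &\max_{S,\;\{(x'_t, y'_t)\}_{t \in S}} \; g(w_T) \\
\text{fully-online:}\quad
  &\max_{S,\;\{(x'_t, y'_t)\}_{t \in S}} \; \sum_{t=1}^{T} g(w_t) \\
\text{s.t.}\quad
  &|S| \le K, \qquad
  w_{t+1} = w_t - \eta_t \, \nabla_w \,\ell(w_t;\, x_t, y_t),
\end{aligned}
```

where the update runs on the altered stream and $K$ bounds the fraction of points the adversary may change.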

The solution approach also differs from the offline case in two ways: gradient computation becomes time-consuming, and the order of the data now matters.

Our solution proceeds in three key steps.

First, we simplify the optimization problem by smoothing the objective function and, where needed, applying a novel trick called label inversion.
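The fragment does not define label inversion; one natural construction consistent with the name (an assumption on our part, not necessarily the paper's definition) smooths the 0-1 error with a sigmoid and rewrites error maximization as ordinary loss minimization on label-flipped data:

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def smoothed_error(w, X, y):
    # Smooth surrogate for the 0-1 error: sigmoid(-margin) approaches 1
    # on misclassified points and 0 on confidently correct ones.
    return float(np.mean(sigmoid(-y * (X @ w))))

def label_inverted_loss(w, X, y):
    # Assumed "label inversion": since sigmoid(m) + sigmoid(-m) = 1,
    # maximizing the smoothed error on (X, y) is equivalent to minimizing
    # the same smoothed loss on the label-flipped data (X, -y), turning the
    # attacker's maximization into a standard minimization.
    return smoothed_error(w, X, -y)
```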

Second, we recursively compute the gradient using the chain rule.
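To make the recursion concrete, here is a toy one-dimensional version with squared loss (an illustrative assumption; the actual setting is more general). The derivative of the final iterate with respect to a poisoned point x_i is seeded at step i and then propagated multiplicatively through every later SGD update:

```python
def run_sgd(xs, ys, eta=0.1, w0=0.0):
    """1-D SGD on squared loss l(w; x, y) = (w*x - y)^2 / 2."""
    w = w0
    ws = [w]  # ws[t] is the iterate before step t
    for x, y in zip(xs, ys):
        w = w - eta * (w * x - y) * x
        ws.append(w)
    return ws

def dwT_dxi(xs, ys, i, eta=0.1, w0=0.0):
    """d w_T / d x_i via the chain-rule recursion."""
    ws = run_sgd(xs, ys, eta, w0)
    # Step i: w_{i+1} = w_i * (1 - eta * x_i^2) + eta * y_i * x_i, and w_i
    # does not depend on x_i, so the seed is the direct derivative:
    d = -eta * (2 * ws[i] * xs[i] - ys[i])
    # Steps t > i: the chain rule multiplies by d w_{t+1} / d w_t = 1 - eta * x_t^2.
    for t in range(i + 1, len(xs)):
        d *= 1 - eta * xs[t] ** 2
    return d
```

The attacker's gradient then follows by chaining this with the objective, i.e. multiplying by g'(w_T); in higher dimensions the scalar factors become Hessian-vector products.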

The third and final step is to narrow down
the search space of gradient ascent by modifying data points at certain positions in the input stream.

We propose three such modification schemes:

Incremental Attack

Interval Attack

Teach-and-Reinforce Attack
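The fragment only names the three schemes; the position patterns below are plausible instantiations (our assumptions, suggested by the names) that make the idea of restricting gradient ascent to certain stream positions concrete:

```python
def incremental_positions(T, K):
    # Assumed pattern: attack the last K positions of a length-T stream,
    # where points most directly influence the final classifier.
    return list(range(T - K, T))

def interval_positions(T, K, start):
    # Assumed pattern: attack a contiguous interval of K positions
    # beginning at `start`.
    return list(range(start, start + K))

def teach_and_reinforce_positions(T, K, teach_frac=0.5):
    # Assumed pattern: spend part of the budget "teaching" at the start of
    # the stream, then spread the remainder evenly to "reinforce" it.
    k_teach = int(K * teach_frac)
    teach = list(range(k_teach))
    k_reinf = K - k_teach
    if k_reinf:
        step = max(1, (T - k_teach) // k_reinf)
        reinforce = list(range(k_teach, T, step))[:k_reinf]
    else:
        reinforce = []
    return teach + reinforce
```

Each scheme returns an index set over which the attack then optimizes the poisoned points by gradient ascent.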

We evaluate the attacks under three styles of learning rates.

Setting

Classification Setting and Algorithm

Attacker Setting

Semi-online

Fully-online

Attack Methods

Attacker’s Optimization

Attack Algorithm

Simplify Optimization Problem

Compute Gradients via Chain Rule

Strategic Search over Positions in the Stream