Data Poisoning Attacks against Online Learning - Coggle Diagram
Abstract
data poisoning attacks
adversary has the power to alter a small fraction of the training data in order to make the trained classifier satisfy certain objectives.
attacks in the online setting, where training data arrives in a streaming manner, are not well understood.
Three solution strategies and experimental
Introduction
Action
degrade the overall accuracy of the trained classifier
profit-oriented
training is done online as data arrives sequentially in a stream; data poisoning attacks in this context are not well understood.
Formalizing the problem into two settings, semi-online and fully-online, which reflect the learning algorithms
semi-online
adversary’s objective involves only the final classifier
fully-online
learning continues
our formulation covers both semi-online and fully-online settings with suitable modifications and applies quite generally to a number of attack objectives
Differences in solution approaches
gradient computation is time-consuming
data order now matters
A solution in three key steps
First, we simplify the optimization problem by smoothing the objective function and using a novel trick called label inversion if needed
Second, we recursively compute the gradient using the chain rule
The third and final step is to narrow down the search space of gradient ascent by modifying data points at certain positions in the input stream.
three such modification schemes
Incremental Attack
Interval Attack
Teach-and-Reinforce Attack
three styles of learning rates
Setting
Classification Setting and Algorithm
Attacker setting
semi-online
fully-online
Attack methods
Attacker’s Optimization
Attack Algorithm
Simplify Optimization Problem
Compute Gradients via Chain Rule
Strategic Search over Positions in the Stream