Timezone: »

A Separation Result Between Data-oblivious and Data-aware Poisoning Attacks
Samuel Deng · Sanjam Garg · Somesh Jha · Saeed Mahloujifar · Mohammad Mahmoody · Abhradeep Guha Thakurta

Tue Dec 07 08:30 AM -- 10:00 AM (PST) @

Poisoning attacks have emerged as a significant security threat to machine learning algorithms. It has been demonstrated that adversaries who make small changes to the training set, such as adding specially crafted data points, can hurt the performance of the output model. Most of these attacks require the full knowledge of training data. This leaves open the possibility of achieving the same attack results using poisoning attacks that do not have the full knowledge of the clean training set.In this work, we initiate a theoretical study of the problem above. Specifically, for the case of feature selection with LASSO, we show that \emph{full information} adversaries (that craft poisoning examples based on the rest of the training data) are provably much more devastating compared to the optimal attacker that is \emph{oblivious} to the training set yet has access to the distribution of the data. Our separation result shows that the two settings of data-aware and data-oblivious are fundamentally different and we cannot hope to achieve the same attack or defense results in these scenarios.

Author Information

Samuel Deng (Columbia University)
Sanjam Garg (NA)
Somesh Jha (University of Wisconsin, Madison)
Saeed Mahloujifar (Princeton)
Mohammad Mahmoody (University of Virginia)
Abhradeep Guha Thakurta (Google Research - Brain Team)

More from the Same Authors