
Is feature selection secure against training data poisoning? (1804.07933v1)

Published 21 Apr 2018 in cs.LG, cs.CR, cs.GT, and stat.ML

Abstract: Learning in adversarial settings is becoming an important task for application domains where attackers may inject malicious data into the training set to subvert normal operation of data-driven technologies. Feature selection has been widely used in machine learning for security applications to improve generalization and computational efficiency, although it is not clear whether its use may be beneficial or even counterproductive when training data are poisoned by intelligent attackers. In this work, we shed light on this issue by providing a framework to investigate the robustness of popular feature selection methods, including LASSO, ridge regression and the elastic net. Our results on malware detection show that feature selection methods can be significantly compromised under attack (we can reduce LASSO to almost random choices of feature sets by careful insertion of less than 5% poisoned training samples), highlighting the need for specific countermeasures.

Authors (6)
  1. Huang Xiao (5 papers)
  2. Battista Biggio (81 papers)
  3. Gavin Brown (47 papers)
  4. Giorgio Fumera (14 papers)
  5. Claudia Eckert (8 papers)
  6. Fabio Roli (77 papers)
Citations (415)

Summary

Evaluating the Security of Feature Selection Against Training Data Poisoning

Feature selection is a well-established method in machine learning applications to enhance generalization and efficiency, especially in high-dimensional data environments like security applications. However, its vulnerability in adversarial settings where training data might be intentionally poisoned by attackers has prompted research attention. The paper "Is Feature Selection Secure against Training Data Poisoning?" by Huang Xiao et al. provides a comprehensive investigation into this concern.

Overview

The paper tackles the fundamental question of how traditional feature selection methods, such as LASSO, ridge regression, and the elastic net, perform under malicious training data scenarios. Feature selection is typically implemented to increase efficiency and interpretability by reducing dimensionality. Still, its intrinsic vulnerabilities when exposed to adversarial attacks, particularly poisoning attacks, are underexplored. Leveraging a framework developed for adversarial machine learning, the authors explore these vulnerabilities with a focus on a practical application: malware detection in PDF files.

Key Contributions

  1. Framework for Security Assessment: The authors propose a structured framework to examine various attack models against learning systems. This framework encapsulates diverse aspects: the attacker's goals, knowledge of the system, and the capability to manipulate input data.
  2. Poisoning Attack Strategy: The paper outlines an optimal strategy for conducting poisoning attacks, focusing on maximizing the classification error by influencing feature selection. The paper considers both perfect and limited knowledge settings, offering insights into realistic attack scenarios.
  3. Practical Implementation: Through experiments, primarily focused on PDF malware detection, the paper demonstrates how a small amount of poisoned data—less than 5%—can significantly alter feature selection and, consequently, degrade the classification performance. The results showed LASSO could be reduced to selecting nearly random feature sets, highlighting its susceptibility under attack.

Numerical Results

  • Classification Error: Under poisoning attacks, the classification error for LASSO increased by up to tenfold, illustrating its vulnerability compared to ridge regression and elastic net, which exhibited better resilience.
  • Feature Selection Stability: The stability index suggested that even minimal poisoning led to the feature selection mirroring random selection, indicating a major impact on feature stability and reliability.
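The two results above (LASSO reduced to near-random feature choices, and a stability index collapsing toward random selection) both rest on measuring how consistently a selector picks the same features across training runs. The following is an added example, not code from the paper or its authors, that shows one way a practitioner can compute such a baseline: it uses Kuncheva's consistency index (assumed here to be the stability index the summary refers to), a small hand-written coordinate-descent LASSO, and a constructed synthetic dataset in which only features 0, 1 and 2 carry signal. The function and variable names are this example's own assumptions.

```python
import random
from itertools import combinations
from typing import List, Sequence, Set


def kuncheva_index(a: Set[int], b: Set[int], d: int) -> float:
    """Kuncheva consistency index for two subsets of equal size k drawn from d features.

    1.0 means identical subsets, about 0 means the overlap expected from two
    independent random draws, negative means less overlap than chance.
    """
    k = len(a)
    if len(b) != k:
        raise ValueError("subsets must have equal size")
    if k == 0 or k == d:
        return 1.0  # degenerate sizes: index undefined, treat as trivially consistent
    r = len(a & b)
    return (r * d - k * k) / (k * (d - k))


def average_stability(feature_sets: Sequence[Set[int]], d: int) -> float:
    """Mean pairwise consistency over all pairs of selected subsets."""
    pairs = list(combinations(feature_sets, 2))
    if not pairs:
        raise ValueError("need at least two feature sets")
    return sum(kuncheva_index(a, b, d) for a, b in pairs) / len(pairs)


def soft_threshold(v: float, t: float) -> float:
    if v > t:
        return v - t
    if v < -t:
        return v + t
    return 0.0


def lasso_cd(X: List[List[float]], y: List[float], lam: float, n_iter: int = 200) -> List[float]:
    """Plain coordinate descent for (1/2n)||y - Xw||^2 + lam*||w||_1 (no intercept)."""
    n, d = len(X), len(X[0])
    w = [0.0] * d
    resid = list(y)  # y - Xw, starting from w = 0
    cols = [[row[j] for row in X] for j in range(d)]
    z = [sum(c * c for c in col) / n for col in cols]
    for _ in range(n_iter):
        for j in range(d):
            col = cols[j]
            # correlation of feature j with the partial residual that excludes feature j
            rho = sum(col[i] * (resid[i] + col[i] * w[j]) for i in range(n)) / n
            new_wj = soft_threshold(rho, lam) / z[j]
            delta = new_wj - w[j]
            if delta != 0.0:
                for i in range(n):
                    resid[i] -= col[i] * delta
                w[j] = new_wj
    return w


def select_top_k(w: Sequence[float], k: int) -> Set[int]:
    """Indices of the k largest |w_j|; ties among zero coefficients fall back to index order."""
    return set(sorted(range(len(w)), key=lambda j: -abs(w[j]))[:k])


def make_dataset(n: int = 80, d: int = 8, seed: int = 0):
    """Constructed synthetic data (assumption, not the paper's PDF data): only features 0, 1, 2 carry signal."""
    rng = random.Random(seed)
    X = [[rng.gauss(0.0, 1.0) for _ in range(d)] for _ in range(n)]
    y = [3.0 * row[0] + 2.0 * row[1] - 2.0 * row[2] + rng.gauss(0.0, 0.5) for row in X]
    return X, y


def stability_under_resampling(X, y, k=3, lam=0.1, rounds=5, frac=0.7, seed=1) -> float:
    """Re-fit LASSO on random row subsets and report how consistent the chosen features are.

    An index near 0 means the selector behaves like random choice, which is the
    symptom the paper reports for poisoned LASSO; the value on trusted data is the
    baseline a defender compares a freshly collected training set against.
    """
    rng = random.Random(seed)
    n = len(X)
    m = int(n * frac)
    sets = []
    for _ in range(rounds):
        idx = rng.sample(range(n), m)
        w = lasso_cd([X[i] for i in idx], [y[i] for i in idx], lam)
        sets.append(select_top_k(w, k))
    return average_stability(sets, len(X[0]))


if __name__ == "__main__":
    X, y = make_dataset()
    print("clean-data stability:", round(stability_under_resampling(X, y), 3))
    random_sets = [set(random.Random(s).sample(range(8), 3)) for s in range(5)]
    print("random-selection stability:", round(average_stability(random_sets, 8), 3))
```

On the constructed data the resampled LASSO fits agree on features {0, 1, 2} every round, so the index is 1.0, while independently drawn random subsets of the same size average close to 0. Tracking this index as new training data arrives gives a cheap signal that the selected feature set has drifted toward randomness, which is the effect the paper attributes to a small fraction of poisoned samples.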

Implications and Future Directions

The findings underscore an urgent need for feature selection mechanisms that remain robust under poisoning attacks. The reported vulnerability is high, particularly for sparsity-enforcing methods such as LASSO, which argues for building adversarial awareness directly into feature selection algorithms.

Advancing from these results involves multiple theoretical and practical avenues:

  • Developing adversarial-aware feature selection algorithms, which consider possible manipulation during training to mitigate vulnerabilities.
  • Exploring robust statistical methods in feature selection that may offer intrinsic defenses against data poisoning, such as those based on robust regularization techniques.
  • Studying how adversarial settings change the bias-variance tradeoff in feature selection, to guide how that balance should be struck when training data may be poisoned.

The paper lays a solid groundwork for understanding the intrinsic vulnerabilities of feature selection in adversarial contexts. There is a substantial opportunity for future research to develop secure, robust methodologies, enhancing the reliability and security of machine learning systems in adversarial environments.