
Hyperparameter Learning under Data Poisoning: Analysis of the Influence of Regularization via Multiobjective Bilevel Optimization (2306.01613v2)

Published 2 Jun 2023 in cs.LG, cs.CR, and stat.ML

Abstract: Machine Learning (ML) algorithms are vulnerable to poisoning attacks, where a fraction of the training data is manipulated to deliberately degrade the algorithms' performance. Optimal attacks can be formulated as bilevel optimization problems and help to assess the algorithms' robustness in worst-case scenarios. We show that current approaches, which typically assume that hyperparameters remain constant, lead to an overly pessimistic view of the algorithms' robustness and of the impact of regularization. We propose a novel optimal attack formulation that considers the effect of the attack on the hyperparameters and models the attack as a multiobjective bilevel optimization problem. This allows us to formulate optimal attacks, learn hyperparameters and evaluate robustness under worst-case conditions. We apply this attack formulation to several ML classifiers using $L_2$ and $L_1$ regularization. Our evaluation on multiple datasets confirms the limitations of previous strategies and demonstrates the benefits of using $L_2$ and $L_1$ regularization to dampen the effect of poisoning attacks.

