Poisoning Attacks against Support Vector Machines (1206.6389v3)

Abstract: We investigate a family of poisoning attacks against Support Vector Machines (SVM). Such attacks inject specially crafted training data that increases the SVM's test error. Central to the motivation for these attacks is the fact that most learning algorithms assume that their training data comes from a natural or well-behaved distribution. However, this assumption does not generally hold in security-sensitive settings. As we demonstrate, an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data. The proposed attack uses a gradient ascent strategy in which the gradient is computed based on properties of the SVM's optimal solution. This method can be kernelized and enables the attack to be constructed in the input space even for non-linear kernels. We experimentally demonstrate that our gradient ascent procedure reliably identifies good local maxima of the non-convex validation error surface, which significantly increases the classifier's test error.

• The paper introduces a gradient ascent-based poisoning attack that significantly degrades SVM accuracy by injecting minimal malicious data.
• Experimental results on synthetic Gaussian data and MNIST show error increases from 2-5% to 15-20% with just one poisoned point.
• The study underscores the need for robust ML defenses and inspires future work on anomaly detection and improved adversarial strategies.

Poisoning Attacks against Support Vector Machines

The paper, "Poisoning Attacks against Support Vector Machines," provides a detailed examination of a type of adversarial attack targeting Support Vector Machines (SVMs). These attacks, known as poisoning attacks, involve the manipulation of the training data to degrade the performance of the trained classifier. The primary methodology employed in this research is a gradient ascent strategy to identify and inject malicious data points that maximize the SVM's test error.

Introduction and Context

The relevance of ML in cybersecurity applications—such as spam detection, intrusion detection, and fraud detection—is unequivocal. However, the assumptions regarding the benign nature of the training data often do not hold in security-sensitive environments where adversaries can manipulate data. This paper tackles the bagging threat of poisoning attacks, specifically targeting SVMs, a widely-used ML model.

Methodology

The methodology revolves around gradient ascent to optimize a malicious data point that, when added to the training set, maximally degrades the SVM classifier's accuracy. The essence of the attack strategy is to leverage the gradient of the validation error concerning the attack point. Notably, this approach can be kernelized, enabling attacks even when non-linear kernels are used, a significant advancement over some previous studies that were constrained to feature space.

Central to the method is the following sequence:

1. Initialization: Begin with an initial attack point derived from flipping the label of a random sample from the attacked class.
2. Gradient Computation: At each iteration, compute the gradient of the objective function concerning the attack point's location.
3. Gradient Ascent: Update the location of the attack point in the direction of the gradient to increase the objective function—here, the validation error.
4. Kernel Consideration: For kernelized SVMs, adjustments in the attack vector can potentially be approximated by considering small-step updates to ensure smoothness in the attack process.

Experimental Evaluation

The paper conducts a rigorous experimental evaluation on both artificial and real-world datasets (the MNIST dataset). The evaluation demonstrates that the proposed poisoning attacks can indeed result in significant degradation of the classifier's accuracy:

• Artificial Data: For a two-dimensional Gaussian-distributed dataset, the attack effectively increased the SVM's classification error. The trajectories of attack points in the error landscape highlighted the gradient ascent method's proficiency in identifying high-impact poisoning points.
• MNIST Dataset: In experiments involving binary classification tasks between different digit pairs, the paper shows a dramatic increase in classification error—from 2-5% to 15-20%—due to a single attack point. The analysis also included multi-point attacks, cumulatively illustrating the vulnerability of SVMs to such poisoning strategies.

Implications and Future Work

This research has both theoretical and practical implications:

1. Theoretical Insights: The work underlines the importance of considering adversarial robustness in the design of ML models, especially in security-sensitive applications. The explicit formulation of attack strategies using gradient ascent provides a theoretical framework that can be adapted to other ML models and adversarial scenarios.
2. Practical Concerns: From a practical standpoint, the ability to carry out poisoning attacks in input space—even with non-linear kernels—underscores the need for robust defenses. Regularization techniques and anomaly detection in training data are potential areas to explore for mitigating such attacks.
3. Future Directions: Future work could refine the gradient ascent method to allow for larger steps without altering the underlying SVM solution structure, optimize multi-point attack strategies, and address real-world constraints where an attacker may not control label assignments. Additionally, investigating inverse feature-mapping problems to generate realistic attack data remains an open challenge.

The findings indicate a crucial necessity for continued research into adversarial robustness, ensuring that SVMs—and ML models more broadly—can maintain integrity in adversarial settings.