Poisoning Attacks against Support Vector Machines

TL;DR

This paper explores how adversaries can craft malicious training data to intentionally degrade the performance of Support Vector Machines, highlighting vulnerabilities in security-sensitive machine learning applications.

Contribution

It introduces a gradient ascent-based poisoning attack method for SVMs that can be applied to non-linear kernels and demonstrates its effectiveness through experiments.

Findings

The attack significantly increases SVM test error.

The method can be kernelized for non-linear SVMs.

Gradient ascent reliably finds local maxima of validation error.

Abstract

We investigate a family of poisoning attacks against Support Vector Machines (SVM). Such attacks inject specially crafted training data that increases the SVM's test error. Central to the motivation for these attacks is the fact that most learning algorithms assume that their training data comes from a natural or well-behaved distribution. However, this assumption does not generally hold in security-sensitive settings. As we demonstrate, an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data. The proposed attack uses a gradient ascent strategy in which the gradient is computed based on properties of the SVM's optimal solution. This method can be kernelized and enables the attack to be constructed in the input space even for non-linear kernels. We experimentally demonstrate that our gradient ascent procedure reliably identifies good local maxima of the non-convex validation error surface, which significantly increases the classifier's test error.