Resilient Linear Classification: An Approach to Deal with Attacks on Training Data
Sangdon Park, James Weimer, Insup Lee

TL;DR
This paper investigates the resilience of linear classification algorithms against malicious tampering of training data in cyber-physical systems, proposing a new resilient algorithm and demonstrating its improved robustness through theoretical analysis and empirical evaluation.
Contribution
It introduces a generic resilience metric for classification algorithms under worst-case data tampering and proposes a new linear classifier with a majority constraint that is more resilient.
Findings
Traditional algorithms are vulnerable to training data attacks.
The proposed algorithm outperforms traditional methods in resilience.
Empirical results confirm improved robustness on real-world data.
Abstract
Data-driven techniques are used in cyber-physical systems (CPS) for controlling autonomous vehicles, handling demand responses for energy management, and modeling human physiology for medical devices. These data-driven techniques extract models from training data, where their performance is often analyzed with respect to random errors in the training data. However, if the training data is maliciously altered by attackers, the effect of these attacks on the learning algorithms underpinning data-driven CPS has yet to be considered. In this paper, we analyze the resilience of classification algorithms to training data attacks. Specifically, a generic metric is proposed that is tailored to measure the resilience of classification algorithms with respect to worst-case tampering of the training data. Using the metric, we show that traditional linear classification algorithms are resilient under…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications
