Detection of Adversarial Training Examples in Poisoning Attacks through Anomaly Detection
Andrea Paudice, Luis Muñoz-González, Andras Gyorgy, Emil C. Lupu

TL;DR
This paper introduces an anomaly detection-based defense mechanism to identify and mitigate adversarial poisoning attacks in machine learning by detecting malicious training samples that differ from genuine data.
Contribution
It proposes a novel outlier detection approach to identify adversarial poisoning samples, improving the robustness of machine learning models against such attacks.
Findings
Adversarial poisoning samples are distinguishable from genuine data.
Pre-filtering training data can effectively detect malicious samples.
The method enhances model robustness against optimal poisoning attacks.
Abstract
Machine learning has become an important component for many systems and applications including computer vision, spam filtering, malware and network intrusion detection, among others. Despite the capabilities of machine learning algorithms to extract valuable information from data and produce accurate predictions, it has been shown that these algorithms are vulnerable to attacks. Data poisoning is one of the most relevant security threats against machine learning systems, where attackers can subvert the learning process by injecting malicious samples in the training data. Recent work in adversarial machine learning has shown that the so-called optimal attack strategies can successfully poison linear classifiers, degrading the performance of the system dramatically after compromising a small fraction of the training dataset. In this paper we propose a defence mechanism to mitigate the…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Adversarial Robustness in Machine Learning · Network Security and Intrusion Detection
