Poisoning Attacks with Generative Adversarial Nets

TL;DR

This paper introduces a novel generative adversarial network-based method to craft effective poisoning attacks on machine learning classifiers, including deep networks, by generating adversarial training samples that degrade model performance.

Contribution

The paper presents a new GAN-based approach for systematic poisoning attacks that models detectability constraints and identifies vulnerable data regions, improving attack realism and effectiveness.

Findings

Effective attack on deep networks demonstrated

Identifies vulnerable data regions for poisoning

Models detectability constraints realistically

Abstract

Machine learning algorithms are vulnerable to poisoning attacks: An adversary can inject malicious points in the training dataset to influence the learning process and degrade the algorithm's performance. Optimal poisoning attacks have already been proposed to evaluate worst-case scenarios, modelling attacks as a bi-level optimization problem. Solving these problems is computationally demanding and has limited applicability for some models such as deep networks. In this paper we introduce a novel generative model to craft systematic poisoning attacks against machine learning classifiers generating adversarial training examples, i.e. samples that look like genuine data points but that degrade the classifier's accuracy when used for training. We propose a Generative Adversarial Net with three components: generator, discriminator, and the target classifier. This approach allows us to model naturally the detectability constrains that can be expected in realistic attacks and to identify the regions of the underlying data distribution that can be more vulnerable to data poisoning. Our experimental evaluation shows the effectiveness of our attack to compromise machine learning classifiers, including deep networks.