Defending Regression Learners Against Poisoning Attacks

TL;DR

This paper introduces a novel N-LID measure for detecting poisoned data in regression models, providing an effective defense against poisoning attacks without assumptions on the attacker, outperforming existing methods.

Contribution

The paper proposes N-LID, a new local intrinsic dimensionality-based measure, and an attack-agnostic defense method for regression models against poisoning attacks.

Findings

Outperforms state-of-the-art defenses in accuracy and speed.

Achieves up to 76% lower MSE on benchmark datasets.

Effective in distinguishing poisoned from normal samples.

Abstract

Regression models, which are widely used from engineering applications to financial forecasting, are vulnerable to targeted malicious attacks such as training data poisoning, through which adversaries can manipulate their predictions. Previous works that attempt to address this problem rely on assumptions about the nature of the attack/attacker or overestimate the knowledge of the learner, making them impractical. We introduce a novel Local Intrinsic Dimensionality (LID) based measure called N-LID that measures the local deviation of a given data point's LID with respect to its neighbors. We then show that N-LID can distinguish poisoned samples from normal samples and propose an N-LID based defense approach that makes no assumptions of the attacker. Through extensive numerical experiments with benchmark datasets, we show that the proposed defense mechanism outperforms the state of the art defenses in terms of prediction accuracy (up to 76% lower MSE compared to an undefended ridge model) and running time.