Defending Against Adversarial Denial-of-Service Data Poisoning Attacks

TL;DR

This paper introduces a novel method for detecting data poisoning attacks in machine learning training data, significantly reducing false positives and negatives compared to existing approaches.

Contribution

The proposed defense method diverges from clustering-based techniques by extracting generalized information to identify poisoned samples effectively.

Findings

Reliable detection of poisoned instances across multiple datasets

At least 50% improvement in false positive/negative rates

Effective against two DoS poisoning attack types

Abstract

Data poisoning is one of the most relevant security threats against machine learning and data-driven technologies. Since many applications rely on untrusted training data, an attacker can easily craft malicious samples and inject them into the training dataset to degrade the performance of machine learning models. As recent work has shown, such Denial-of-Service (DoS) data poisoning attacks are highly effective. To mitigate this threat, we propose a new approach of detecting DoS poisoned instances. In comparison to related work, we deviate from clustering and anomaly detection based approaches, which often suffer from the curse of dimensionality and arbitrary anomaly threshold selection. Rather, our defence is based on extracting information from the training data in such a generalized manner that we can identify poisoned samples based on the information present in the unpoisoned portion of the data. We evaluate our defence against two DoS poisoning attacks and seven datasets, and find that it reliably identifies poisoned instances. In comparison to related work, our defence improves false positive / false negative rates by at least 50%, often more.