Towards Fair Classification against Poisoning Attacks

TL;DR

This paper reveals that fair classification models are highly vulnerable to poisoning attacks and proposes a theoretically grounded defense framework that improves robustness in accuracy and fairness.

Contribution

It introduces a general defense framework for fair classification against poisoning attacks, extending traditional defenses with theoretical guarantees.

Findings

Fair classifiers are vulnerable to poisoning attacks affecting fairness and accuracy.

The proposed defense framework outperforms baseline methods in robustness.

Extensive experiments validate the effectiveness of the proposed approach.

Abstract

Fair classification aims to stress the classification models to achieve the equality (treatment or prediction quality) among different sensitive groups. However, fair classification can be under the risk of poisoning attacks that deliberately insert malicious training samples to manipulate the trained classifiers' performance. In this work, we study the poisoning scenario where the attacker can insert a small fraction of samples into training data, with arbitrary sensitive attributes as well as other predictive features. We demonstrate that the fairly trained classifiers can be greatly vulnerable to such poisoning attacks, with much worse accuracy & fairness trade-off, even when we apply some of the most effective defenses (originally proposed to defend traditional classification tasks). As countermeasures to defend fair classification tasks, we propose a general and theoretically guaranteed framework which accommodates traditional defense methods to fair classification against poisoning attacks. Through extensive experiments, the results validate that the proposed defense framework obtains better robustness in terms of accuracy and fairness than representative baseline methods.