What Distributions are Robust to Indiscriminate Poisoning Attacks for Linear Learners?

TL;DR

This paper investigates the inherent robustness of linear learners to indiscriminate poisoning attacks, revealing that well-separated, low-variance class distributions can naturally resist such attacks without additional defenses.

Contribution

The paper provides a theoretical characterization of optimal poisoning attacks on Gaussian distributions and identifies conditions under which linear learners are inherently robust.

Findings

Linear learners are robust when class distributions are well-separated with low variance.

The size of the permissible poisoning set affects the attack's success.

Empirical attack performance varies significantly across datasets.

Abstract

We study indiscriminate poisoning for linear learners where an adversary injects a few crafted examples into the training data with the goal of forcing the induced model to incur higher test error. Inspired by the observation that linear learners on some datasets are able to resist the best known attacks even without any defenses, we further investigate whether datasets can be inherently robust to indiscriminate poisoning attacks for linear learners. For theoretical Gaussian distributions, we rigorously characterize the behavior of an optimal poisoning attack, defined as the poisoning strategy that attains the maximum risk of the induced model at a given poisoning budget. Our results prove that linear learners can indeed be robust to indiscriminate poisoning if the class-wise data distributions are well-separated with low variance and the size of the constraint set containing all permissible poisoning points is also small. These findings largely explain the drastic variation in empirical attack performance of the state-of-the-art poisoning attacks on linear learners across benchmark datasets, making an important initial step towards understanding the underlying reasons some learning tasks are vulnerable to data poisoning attacks.