Model-Targeted Data Poisoning Attacks against ITS Applications with Provable Convergence
Xin Wang, Feilong Wang, Yuan Hong, R. Tyrrell Rockafellar, Xuegang (Jeff) Ban

TL;DR
This paper introduces a provable, gradient-free method for model-targeted data poisoning attacks on ITS applications, addressing models with constraints and demonstrating convergence guarantees.
Contribution
It formulates the attack as a bi-level optimization problem with a constrained lower-level problem, proposes a semi-derivative descent method to solve it, and proves the method's convergence. The approach applies to constrained models in ITS.
Findings
Successfully attacked lane change detection with SVM
Established convergence conditions for the attack method
Demonstrated effectiveness on constrained models in ITS
Abstract
The growing reliance of intelligent systems on data makes the systems vulnerable to data poisoning attacks. Such attacks could compromise machine learning or deep learning models by disrupting the input data. Previous studies on data poisoning attacks are subject to specific assumptions, and limited attention is given to learning models with general (equality and inequality) constraints or lacking differentiability. Such learning models are common in practice, especially in Intelligent Transportation Systems (ITS) that involve physical or domain knowledge as specific model constraints. Motivated by ITS applications, this paper formulates a model-target data poisoning attack as a bi-level optimization problem with a constrained lower-level problem, aiming to induce the model solution toward a target solution specified by the adversary by modifying the training data incrementally. As the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Privacy-Preserving Technologies in Data
