Algorithmic Complexity Attacks on All Learned Cardinality Estimators: A Data-centric Approach

TL;DR

This paper investigates the vulnerability of learned cardinality estimators to data-centric attacks, demonstrating their fragility under minimal data drifts and proposing methods to analyze and mitigate these risks.

Contribution

It provides the first theoretical analysis of data-driven attacks on learned estimators, introduces an approximation algorithm for optimal attacks, and suggests countermeasures for robustness.

Findings

Minimal data modifications can drastically degrade estimator accuracy

The optimal attack strategy is NP-Hard to compute

Proposed approximation algorithm effectively finds near-optimal attacks

Abstract

Learned cardinality estimators show promise in query cardinality prediction, yet they universally exhibit fragility to training data drifts, posing risks for real-world deployment. This work is the first to theoretical investigate how minimal data-level drifts can maximally degrade the accuracy of learned estimators. We propose data-centric algorithmic complexity attacks against learned estimators in a black-box setting, proving that finding the optimal attack strategy is NP-Hard. To address this, we design a polynomial-time approximation algorithm with a $(1-\kappa)$ approximation ratio. Extensive experiments demonstrate our attack's effectiveness: on STATS-CEB and IMDB-JOB benchmarks, modifying just 0.8\% of training tuples increases the 90th percentile Qerror by three orders of magnitude and raises end-to-end processing time by up to 20$\times$. Our work not only reveals critical vulnerabilities in deployed learned estimators but also provides the first unified worst-case theoretical analysis of their fragility under data updates. Additionally, we identify two countermeasures to mitigate such black-box attacks, offering insights for developing robust learned database optimizers.