Exact Certification of Data-Poisoning Attacks Using Mixed-Integer Programming
Philip Sosnin, Jodie Knapp, Fraser Kennedy, Josh Collyer, Calvin Tsay

TL;DR
This paper presents a verification framework that encodes poisoned training and test-time evaluation as a single mixed-integer quadratically constrained program (MIQCP), whose global optimum exactly certifies a neural network's robustness to training-time data poisoning.
Contribution
It introduces the first exact certification method for data poisoning robustness by formulating the problem as a single MIQCP, capturing training dynamics and attack effects.
Findings
Provides sound and complete guarantees for data poisoning robustness
Successfully characterizes worst-case poisoning attacks
Validates the approach experimentally on small models, confirming a complete characterization of robustness against data poisoning
Abstract
This work introduces a verification framework that provides both sound and complete guarantees against data poisoning attacks during neural network training. We formulate adversarial data manipulation, model training, and test-time evaluation as a single mixed-integer quadratically constrained programming (MIQCP) problem. Finding the global optimum of the proposed formulation provably yields worst-case poisoning attacks, while simultaneously bounding the effectiveness of all possible attacks on the given training pipeline. Our framework encodes both the gradient-based training dynamics and model evaluation at test time, enabling the first exact certification of training-time robustness. Experimental evaluation on small models confirms that our approach delivers a complete characterization of robustness against data poisoning.
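The abstract's two claims, that the optimum of the encoded pipeline is a worst-case attack and that it simultaneously bounds every admissible attack, can be seen on a toy instance. The following is an added illustration, not code from the paper: instead of an MIQCP solver it uses a pipeline whose trained weights are exactly linear in the training labels (full-batch gradient descent on squared loss from zero initialization), so the worst-case label-flipping attack under a budget can be found exactly by ranking per-example effects, and then cross-checked against exhaustive retraining. The training set, test point, step count and learning rate are all constructed for the example.

```python
from itertools import combinations

# Constructed toy data (not from the paper): two features plus a constant bias column.
TRAIN_X = [[1.0, 2.0, 1.0], [2.0, 1.0, 1.0], [0.5, 0.5, 1.0],
           [-1.0, -2.0, 1.0], [-2.0, -1.0, 1.0], [-0.5, -1.5, 1.0]]
TRAIN_Y = [1, 1, 1, -1, -1, -1]
TEST_X = [0.3, 0.8, 1.0]


def train(X, y, steps=50, lr=0.1):
    """Full-batch gradient descent on mean squared loss, starting from w = 0.

    Each step is w <- w - lr * (2/n) * X^T (X w - y), so the final w is a
    linear function of the label vector y.  That linearity is what lets the
    certificate below be exact without a general-purpose MIQCP solver.
    """
    n, d = len(X), len(X[0])
    w = [0.0] * d
    for _ in range(steps):
        grad = [0.0] * d
        for xi, yi in zip(X, y):
            residual = sum(wj * xj for wj, xj in zip(w, xi)) - yi
            for j in range(d):
                grad[j] += 2.0 * residual * xi[j] / n
        w = [wj - lr * gj for wj, gj in zip(w, grad)]
    return w


def margin(w, x):
    """Signed score of the trained model on x; the predicted label is its sign."""
    return sum(wj * xj for wj, xj in zip(w, x))


def flip_effects(X, y, x_test, **kw):
    """Return (clean margin, change in test margin caused by flipping each label).

    Because the margin is linear in y, the effect of flipping several labels is
    the sum of the individual effects, so one retraining per example suffices.
    """
    clean = margin(train(X, y, **kw), x_test)
    effects = []
    for i in range(len(y)):
        poisoned = list(y)
        poisoned[i] = -poisoned[i]
        effects.append(margin(train(X, poisoned, **kw), x_test) - clean)
    return clean, effects


def certify(X, y, x_test, budget, **kw):
    """Exact worst case over all label-flip attacks that flip at most `budget` labels.

    Returns (robust, worst_margin, flipped_indices): robust is True iff no attack
    within the budget changes the predicted sign on x_test, and flipped_indices
    is a worst-case attack.
    """
    clean, effects = flip_effects(X, y, x_test, **kw)
    # Normalise so that pushing the margin towards the opposite sign is "more negative".
    sign = 1.0 if clean >= 0 else -1.0
    ranked = sorted(range(len(y)), key=lambda i: effects[i] * sign)
    # Spend budget only on flips that actually move the margin the wrong way.
    flipped = [i for i in ranked[:budget] if effects[i] * sign < 0]
    worst = clean + sum(effects[i] for i in flipped)
    return worst * sign > 0, worst, flipped


def brute_force_worst(X, y, x_test, budget, **kw):
    """Retrain on every admissible poisoned label set; the reference the exact method must match."""
    clean = margin(train(X, y, **kw), x_test)
    sign = 1.0 if clean >= 0 else -1.0
    worst = clean
    for k in range(1, budget + 1):
        for subset in combinations(range(len(y)), k):
            poisoned = [-yi if i in subset else yi for i, yi in enumerate(y)]
            m = margin(train(X, poisoned, **kw), x_test)
            if m * sign < worst * sign:
                worst = m
    return worst


if __name__ == "__main__":
    for budget in range(0, 4):
        robust, worst, flipped = certify(TRAIN_X, TRAIN_Y, TEST_X, budget)
        verdict = "CERTIFIED" if robust else "ATTACK FOUND"
        print(f"budget={budget}: worst-case margin={worst:+.4f} flips={flipped} {verdict}")
```

The point of the cross-check is the sound-and-complete property the paper targets: `certify` returns a concrete attack (the flipped indices) whenever robustness fails, and when it reports robustness no attack within the budget exists, which `brute_force_worst` confirms by retraining on every admissible poisoned label set. For a real network the dynamics are not linear in the poisoned data, which is why the paper needs integer variables and quadratic constraints to encode them exactly.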
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Machine Learning and Data Classification
