Mathematical Foundations of Poisoning Attacks on Linear Regression over Cumulative Distribution Functions

TL;DR

This paper provides a rigorous theoretical analysis of poisoning attacks on linear regression models over CDFs used in learned indexes, identifying optimal attack strategies and bounds on attack impact.

Contribution

It characterizes optimal poisoning attacks on linear regression over CDFs and proposes methods to evaluate attack impact, advancing understanding of attack strategies.

Findings

Optimal single-point poisoning attack characterized

Greedy multi-point attack is not always optimal

Upper bounds on attack impact are empirically close to greedy approach

Abstract

Learned indexes are a class of index data structures that enable fast search by approximating the cumulative distribution function (CDF) using machine learning models (Kraska et al., SIGMOD'18). However, recent studies have shown that learned indexes are vulnerable to poisoning attacks, where injecting a small number of poison keys into the training data can significantly degrade model accuracy and reduce index performance (Kornaropoulos et al., SIGMOD'22). In this work, we provide a rigorous theoretical analysis of poisoning attacks targeting linear regression models over CDFs, one of the most basic regression models and a core component in many learned indexes. Our main contributions are as follows: (i) We present a theoretical proof characterizing the optimal single-point poisoning attack and show that the existing method yields the optimal attack. (ii) We show that in multi-point attacks, the existing greedy approach is not always optimal, and we rigorously derive the key properties that an optimal attack should satisfy. (iii) We propose a method to compute an upper bound of the multi-point poisoning attack's impact and empirically demonstrate that the loss under the greedy approach is often close to this bound. Our study deepens the theoretical understanding of attack strategies against linear regression models on CDFs and provides a foundation for the theoretical evaluation of attacks and defenses on learned indexes.