Jun 27, 2012

Poisoning Attacks against Support Vector Machines

arXiv:1206.6389v3 (1818 citations)
Originality: Incremental advance
AI Analysis

This work addresses a security vulnerability of machine learning in security-sensitive settings; it is rated incremental because it builds on existing work on attacks against learning algorithms rather than opening a new problem.

The paper studies poisoning attacks against Support Vector Machines (SVM): an adversary injects crafted training points in order to raise the classifier's test error. The key observation is that the adversary can predict how the SVM's decision function changes in response to a malicious input, and can therefore position the attack point by gradient ascent on the validation error. The resulting attack significantly increases the classifier's test error.

We investigate a family of poisoning attacks against Support Vector Machines (SVM). Such attacks inject specially crafted training data that increases the SVM's test error. Central to the motivation for these attacks is the fact that most learning algorithms assume that their training data comes from a natural or well-behaved distribution. However, this assumption does not generally hold in security-sensitive settings. As we demonstrate, an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data. The proposed attack uses a gradient ascent strategy in which the gradient is computed based on properties of the SVM's optimal solution. This method can be kernelized and enables the attack to be constructed in the input space even for non-linear kernels. We experimentally demonstrate that our gradient ascent procedure reliably identifies good local maxima of the non-convex validation error surface, which significantly increases the classifier's test error.
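The gradient-ascent attack sketched in the abstract, as an added worked example (my code, not the authors' implementation and not the linked repository): a linear, bias-free SVM trained by dual coordinate descent on constructed two-blob data, and one attack point whose position is pushed up the validation hinge loss with a gradient derived from the SVM's KKT conditions, i.e. the indirect effect of moving the point on the multipliers of the margin support vectors plus its direct effect on the weight vector. Assumptions specific to this example: the attack point's own multiplier is treated as fixed at its bound C, the support-vector sets are taken not to change within a step, each step is unit-norm and projected onto the box BOUNDS, and the seed, sample sizes, C and step size are arbitrary choices. The paper itself handles general kernels and a bias term; this block does not.

```python
"""Gradient-ascent poisoning of a linear SVM (added illustration, not the paper's code)."""
import numpy as np

C = 1.0               # SVM box constraint (arbitrary choice for this example)
BOUNDS = (-6.0, 6.0)  # assumed feasible feature range for the attack point


def make_data(n_per_class=40, seed=0):
    """Constructed toy data: two Gaussian blobs centred at (-2,-2) and (+2,+2)."""
    rng = np.random.default_rng(seed)
    neg = rng.normal(loc=-2.0, scale=1.0, size=(n_per_class, 2))
    pos = rng.normal(loc=2.0, scale=1.0, size=(n_per_class, 2))
    X = np.vstack([neg, pos])
    y = np.concatenate([-np.ones(n_per_class), np.ones(n_per_class)])
    return X, y


def train_svm(X, y, C=C, passes=100, seed=0):
    """Linear SVM without bias, trained by dual coordinate descent (Hsieh et al. 2008).
    Returns the dual variables alpha and the primal weight vector w = sum_i alpha_i y_i x_i."""
    rng = np.random.default_rng(seed)
    n = len(y)
    alpha = np.zeros(n)
    w = np.zeros(X.shape[1])
    q_diag = np.einsum("ij,ij->i", X, X)  # Q_ii = ||x_i||^2
    for _ in range(passes):
        for i in rng.permutation(n):
            g = y[i] * (w @ X[i]) - 1.0  # gradient of the dual objective in coordinate i
            pg = min(g, 0.0) if alpha[i] == 0 else max(g, 0.0) if alpha[i] == C else g
            if abs(pg) > 1e-12:
                a_old = alpha[i]
                alpha[i] = min(max(alpha[i] - g / q_diag[i], 0.0), C)
                w += (alpha[i] - a_old) * y[i] * X[i]
    return alpha, w


def hinge_loss(w, X_val, y_val):
    """Validation hinge loss: the objective the attacker maximises."""
    return np.maximum(0.0, 1.0 - y_val * (X_val @ w)).sum()


def poison_gradient(X_tr, y_tr, alpha, w, y_c, X_val, y_val):
    """dL/du for the attack point u (last training row), via the KKT conditions.
    Assumes the margin-SV set S is fixed and alpha_c is a constant."""
    n = len(y_tr)
    a_c = alpha[n]
    d = X_tr.shape[1]
    S = np.where((alpha[:n] > 1e-6) & (alpha[:n] < C - 1e-6))[0]
    dw = a_c * y_c * np.eye(d)  # direct effect: w contains alpha_c * y_c * u
    if len(S) > 0:
        X_S, y_S = X_tr[S], y_tr[S]
        Q_SS = (y_S[:, None] * X_S) @ (y_S[:, None] * X_S).T  # Q_ij = y_i y_j x_i.x_j
        dQ_Sc = y_c * y_S[:, None] * X_S                       # dQ_sc/du, one row per margin SV
        # Differentiating Q_SS alpha_S + alpha_c Q_Sc = 1 w.r.t. u gives the multiplier shift.
        d_alpha_S = -a_c * np.linalg.lstsq(Q_SS, dQ_Sc, rcond=None)[0]
        dw += X_S.T @ (y_S[:, None] * d_alpha_S)  # indirect effect through the margin SVs
    active = (1.0 - y_val * (X_val @ w)) > 0  # validation points inside the margin
    return -((y_val[active, None] * X_val[active]).sum(axis=0)) @ dw


def poison(X_tr, y_tr, X_val, y_val, u0, y_c, steps=25, eta=0.3):
    """Gradient ascent on the validation hinge loss over the attack point's position."""
    u = np.array(u0, dtype=float)
    best_u, best_loss, history = u.copy(), None, []
    for _ in range(steps):
        X_all, y_all = np.vstack([X_tr, u]), np.append(y_tr, y_c)
        alpha, w = train_svm(X_all, y_all)  # retrain with the current attack point
        loss = hinge_loss(w, X_val, y_val)
        history.append(loss)
        if best_loss is None or loss > best_loss:
            best_u, best_loss = u.copy(), loss
        g = poison_gradient(X_tr, y_tr, alpha, w, y_c, X_val, y_val)
        if not np.any(g):
            break  # no validation point inside the margin: zero gradient
        u = np.clip(u + eta * g / np.linalg.norm(g), *BOUNDS)  # unit-norm step, boxed
    return best_u, best_loss, history


def error_rate(w, X, y):
    return float(np.mean(np.sign(X @ w) != y))


def run_demo():
    X, y = make_data()
    X_tr, y_tr = X[::2], y[::2]      # alternate rows: training / validation split
    X_val, y_val = X[1::2], y[1::2]
    _, w_clean = train_svm(X_tr, y_tr)
    u0, y_c = np.array([1.0, 1.0]), -1.0  # starts inside the +1 blob with the flipped label
    best_u, best_loss, history = poison(X_tr, y_tr, X_val, y_val, u0, y_c)
    _, w_pois = train_svm(np.vstack([X_tr, best_u]), np.append(y_tr, y_c))
    return {
        "clean_loss": float(hinge_loss(w_clean, X_val, y_val)),
        "initial_loss": float(history[0]),
        "poisoned_loss": float(best_loss),
        "clean_error": error_rate(w_clean, X_val, y_val),
        "poisoned_error": error_rate(w_pois, X_val, y_val),
        "attack_point": best_u.tolist(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Each step retrains the SVM with the moved point and re-evaluates the validation loss; the best point seen is kept, so the returned loss never falls below the loss of the starting point. The KKT-based gradient is only exact while no training point crosses between the margin, error and reserve sets, which is why the paper's claim about reliably finding good local maxima of the non-convex validation surface is an empirical one.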

Code Implementations: 1 repo