Detection of Adversarial Training Examples in Poisoning Attacks through Anomaly Detection
This addresses security threats for machine learning applications like computer vision and intrusion detection, but it is incremental as it builds on existing attack strategies.
The paper tackles the problem of data poisoning attacks on machine learning systems by proposing a defense mechanism based on outlier detection, showing that adversarial examples from optimal poisoning attacks can be detected through pre-filtering of the training dataset.
Machine learning has become an important component for many systems and applications including computer vision, spam filtering, malware and network intrusion detection, among others. Despite the capabilities of machine learning algorithms to extract valuable information from data and produce accurate predictions, it has been shown that these algorithms are vulnerable to attacks. Data poisoning is one of the most relevant security threats against machine learning systems, where attackers can subvert the learning process by injecting malicious samples in the training data. Recent work in adversarial machine learning has shown that the so-called optimal attack strategies can successfully poison linear classifiers, degrading the performance of the system dramatically after compromising a small fraction of the training dataset. In this paper we propose a defence mechanism to mitigate the effect of these optimal poisoning attacks based on outlier detection. We show empirically that the adversarial examples generated by these attack strategies are quite different from genuine points, as no detectability constrains are considered to craft the attack. Hence, they can be detected with an appropriate pre-filtering of the training dataset.