A BIC-based Mixture Model Defense against Data Poisoning Attacks on Classifiers
This addresses the security vulnerability of classifiers to covert data poisoning attacks, which is an incremental improvement in defense mechanisms for machine learning systems.
The paper tackles the problem of data poisoning attacks on classifiers by proposing an unsupervised Bayesian Information Criterion (BIC)-based mixture model defense that removes poisoned samples from the training set, demonstrating effectiveness and superiority over other methods in experiments with various classifiers and datasets.
Data Poisoning (DP) is an effective attack that causes trained classifiers to misclassify their inputs. DP attacks significantly degrade a classifier's accuracy by covertly injecting attack samples into the training set. Broadly applicable to different classifier structures, without strong assumptions about the attacker, an {\it unsupervised} Bayesian Information Criterion (BIC)-based mixture model defense against "error generic" DP attacks is herein proposed that: 1) addresses the most challenging {\it embedded} DP scenario wherein, if DP is present, the poisoned samples are an {\it a priori} unknown subset of the training set, and with no clean validation set available; 2) applies a mixture model both to well-fit potentially multi-modal class distributions and to capture poisoned samples within a small subset of the mixture components; 3) jointly identifies poisoned components and samples by minimizing the BIC cost defined over the whole training set, with the identified poisoned data removed prior to classifier training. Our experimental results, for various classifier structures and benchmark datasets, demonstrate the effectiveness and universality of our defense under strong DP attacks, as well as its superiority over other works.