Enhancing the Antidote: Improved Pointwise Certifications against Poisoning Attacks
This work addresses the need for reliable defenses against poisoning attacks in machine learning, offering improved guarantees for model security, though it is incremental in nature.
The paper tackles the problem of defending against poisoning attacks on machine learning models by providing pointwise certifications that guarantee robustness against a finite number of poisoned training samples. The result is that their model offers guarantees more than twice as large as prior certifications.
Poisoning attacks can disproportionately influence model behaviour by making small changes to the training corpus. While defences against specific poisoning attacks do exist, they in general do not provide any guarantees, leaving them potentially countered by novel attacks. In contrast, by examining worst-case behaviours Certified Defences make it possible to provide guarantees of the robustness of a sample against adversarial attacks modifying a finite number of training samples, known as pointwise certification. We achieve this by exploiting both Differential Privacy and the Sampled Gaussian Mechanism to ensure the invariance of prediction for each testing instance against finite numbers of poisoned examples. In doing so, our model provides guarantees of adversarial robustness that are more than twice as large as those provided by prior certifications.