Certified Robustness to Data Poisoning in Gradient-Based Training
This addresses security vulnerabilities in ML pipelines using public data, offering a solution for applications where data integrity is critical, though it is incremental as it builds on existing gradient-based methods.
The paper tackles the problem of certifying robustness against data poisoning and backdoor attacks in machine learning models by developing a framework that provides provable guarantees on model behavior without altering the training algorithm, demonstrating it on real-world datasets like energy consumption and medical imaging.
Modern machine learning pipelines leverage large amounts of public data, making it infeasible to guarantee data quality and leaving models open to poisoning and backdoor attacks. Provably bounding model behavior under such attacks remains an open problem. In this work, we address this challenge by developing the first framework providing provable guarantees on the behavior of models trained with potentially manipulated data without modifying the model or learning algorithm. In particular, our framework certifies robustness against untargeted and targeted poisoning, as well as backdoor attacks, for bounded and unbounded manipulations of the training inputs and labels. Our method leverages convex relaxations to over-approximate the set of all possible parameter updates for a given poisoning threat model, allowing us to bound the set of all reachable parameters for any gradient-based learning algorithm. Given this set of parameters, we provide bounds on worst-case behavior, including model performance and backdoor success rate. We demonstrate our approach on multiple real-world datasets from applications including energy consumption, medical imaging, and autonomous driving.