LG · Feb 18

Exact Certification of Data-Poisoning Attacks Using Mixed-Integer Programming

arXiv:2602.16944v1 · 1 citation · h-index: 3
Originality: Highly original
AI Analysis

This addresses the security problem of data poisoning for machine learning practitioners, offering exact certification, but it is incremental in that it only scales to small models.

The paper tackles the problem of certifying robustness against data poisoning attacks on neural network training. It introduces a verification framework with sound and complete guarantees by formulating the attack, the training and the test-time evaluation as a single mixed-integer quadratic programming problem; solving it to global optimality yields a worst-case attack and, at the same time, a bound on the effectiveness of every possible attack. Experiments on small models confirm that the method gives a complete characterization of robustness.

This work introduces a verification framework that provides both sound and complete guarantees for data poisoning attacks during neural network training. We formulate adversarial data manipulation, model training, and test-time evaluation in a single mixed-integer quadratic programming (MIQCP) problem. Finding the global optimum of the proposed formulation provably yields worst-case poisoning attacks, while simultaneously bounding the effectiveness of all possible attacks on the given training pipeline. Our framework encodes both the gradient-based training dynamics and model evaluation at test time, enabling the first exact certification of training-time robustness. Experimental evaluation on small models confirms that our approach delivers a complete characterization of robustness against data poisoning.
