Title
A Separation Result Between Data-oblivious and Data-aware Poisoning Attacks.
Abstract
Poisoning attacks have emerged as a significant security threat to machine learning algorithms. It has been demonstrated that adversaries who make small changes to the training set, such as adding specially crafted data points, can hurt the performance of the output model. Most of these attacks require full knowledge of the training data. This leaves open the possibility of achieving the same attack results using poisoning attacks that do not have full knowledge of the clean training set. In this work, we initiate a theoretical study of the problem above. Specifically, for the case of feature selection with LASSO, we show that full-information adversaries (that craft poisoning examples based on the rest of the training data) are provably much more devastating than the optimal attacker that is oblivious to the training set yet has access to the distribution of the data. Our separation result shows that the two settings of data-aware and data-oblivious poisoning are fundamentally different, and we cannot hope to achieve the same attack or defense results in these scenarios.
Year: 2021
Venue: Annual Conference on Neural Information Processing Systems
DocType: Conference
Citations: 0
PageRank: 0.34
References: 0
Authors (6)
Name                     | Order | Citations | PageRank
Samuel Deng              | 1     | 2         | 1.17
Sanjam Garg              | 2     | 0         | 1.01
S. Jha                   | 3     | 7921      | 539.19
Saeed Mahloujifar        | 4     | 16        | 4.43
Mohammad Mahmoody        | 5     | 200       | 19.27
Abhradeep Guha Thakurta  | 6     | 0         | 0.68