Robustly-reliable learners under poisoning attacks
Data poisoning attacks, in which an adversary corrupts a training set with the goal of inducing specific desired mistakes, have raised substantial concern: even just the possibility of such an attack can make a user no longer trust the results of a learning system. In this work, we show how to achie...
Saved in:
| Published in | arXiv.org |
|---|---|
| Main Authors | , , , |
| Format | Paper |
| Language | English |
| Published |
Ithaca
Cornell University Library, arXiv.org
08.03.2022
|
| Subjects | |
| Online Access | Get full text |
Cover
Loading…
| Abstract | Data poisoning attacks, in which an adversary corrupts a training set with the goal of inducing specific desired mistakes, have raised substantial concern: even just the possibility of such an attack can make a user no longer trust the results of a learning system. In this work, we show how to achieve strong robustness guarantees in the face of such attacks across multiple axes. We provide robustly-reliable predictions, in which the predicted label is guaranteed to be correct so long as the adversary has not exceeded a given corruption budget, even in the presence of instance targeted attacks, where the adversary knows the test example in advance and aims to cause a specific failure on that example. Our guarantees are substantially stronger than those in prior approaches, which were only able to provide certificates that the prediction of the learning algorithm does not change, as opposed to certifying that the prediction is correct, as we are able to achieve in our work. Remarkably, we provide a complete characterization of learnability in this setting, in particular, nearly-tight matching upper and lower bounds on the region that can be certified, as well as efficient algorithms for computing this region given an ERM oracle. Moreover, for the case of linear separators over logconcave distributions, we provide efficient truly polynomial time algorithms (i.e., non-oracle algorithms) for such robustly-reliable predictions. We also extend these results to the active setting where the algorithm adaptively asks for labels of specific informative examples, and the difficulty is that the adversary might even be adaptive to this interaction, as well as to the agnostic learning setting where there is no perfect classifier even over the uncorrupted data. |
|---|---|
| AbstractList | Data poisoning attacks, in which an adversary corrupts a training set with the goal of inducing specific desired mistakes, have raised substantial concern: even just the possibility of such an attack can make a user no longer trust the results of a learning system. In this work, we show how to achieve strong robustness guarantees in the face of such attacks across multiple axes. We provide robustly-reliable predictions, in which the predicted label is guaranteed to be correct so long as the adversary has not exceeded a given corruption budget, even in the presence of instance targeted attacks, where the adversary knows the test example in advance and aims to cause a specific failure on that example. Our guarantees are substantially stronger than those in prior approaches, which were only able to provide certificates that the prediction of the learning algorithm does not change, as opposed to certifying that the prediction is correct, as we are able to achieve in our work. Remarkably, we provide a complete characterization of learnability in this setting, in particular, nearly-tight matching upper and lower bounds on the region that can be certified, as well as efficient algorithms for computing this region given an ERM oracle. Moreover, for the case of linear separators over logconcave distributions, we provide efficient truly polynomial time algorithms (i.e., non-oracle algorithms) for such robustly-reliable predictions. We also extend these results to the active setting where the algorithm adaptively asks for labels of specific informative examples, and the difficulty is that the adversary might even be adaptive to this interaction, as well as to the agnostic learning setting where there is no perfect classifier even over the uncorrupted data. |
| Author | Hanneke, Steve Blum, Avrim Maria-Florina Balcan Sharma, Dravyansh |
| Author_xml | – sequence: 1 fullname: Maria-Florina Balcan – sequence: 2 givenname: Avrim surname: Blum fullname: Blum, Avrim – sequence: 3 givenname: Steve surname: Hanneke fullname: Hanneke, Steve – sequence: 4 givenname: Dravyansh surname: Sharma fullname: Sharma, Dravyansh |
| BookMark | eNqNyrEKwjAQgOEgClbtOwScA-0lad1FcRb3kuopreFSc8ng2-vgAzj9w_evxJwC4UwUoHWtdgZgKUrmsaoqaFqwVhcCzqHPnPxbRfSD6z1Kjy4SRpaZbhjlFAYONNBDupTc9ckbsbg7z1j-uhbb4-GyP6kphldGTt0YcqQvddDo1rTGmlr_d30Aamo2Vw |
| ContentType | Paper |
| Copyright | 2022. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
| Copyright_xml | – notice: 2022. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
| DBID | 8FE 8FG ABJCF ABUWG AFKRA AZQEC BENPR BGLVJ CCPQU DWQXO HCIFZ L6V M7S PIMPY PQEST PQQKQ PQUKI PRINS PTHSS |
| DatabaseName | ProQuest SciTech Collection ProQuest Technology Collection Materials Science & Engineering Collection ProQuest Central (Alumni) ProQuest Central ProQuest Central Essentials ProQuest Central Technology Collection ProQuest One Community College ProQuest Central Korea SciTech Premium Collection ProQuest Engineering Collection Engineering Database Publicly Available Content Database ProQuest One Academic Eastern Edition (DO NOT USE) ProQuest One Academic ProQuest One Academic UKI Edition ProQuest Central China Engineering Collection |
| DatabaseTitle | Publicly Available Content Database Engineering Database Technology Collection ProQuest Central Essentials ProQuest One Academic Eastern Edition ProQuest Central (Alumni Edition) SciTech Premium Collection ProQuest One Community College ProQuest Technology Collection ProQuest SciTech Collection ProQuest Central China ProQuest Central ProQuest Engineering Collection ProQuest One Academic UKI Edition ProQuest Central Korea Materials Science & Engineering Collection ProQuest One Academic Engineering Collection |
| DatabaseTitleList | Publicly Available Content Database |
| Database_xml | – sequence: 1 dbid: 8FG name: ProQuest Technology Collection url: https://search.proquest.com/technologycollection1 sourceTypes: Aggregation Database |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Physics |
| EISSN | 2331-8422 |
| Genre | Working Paper/Pre-Print |
| GroupedDBID | 8FE 8FG ABJCF ABUWG AFKRA ALMA_UNASSIGNED_HOLDINGS AZQEC BENPR BGLVJ CCPQU DWQXO FRJ HCIFZ L6V M7S M~E PIMPY PQEST PQQKQ PQUKI PRINS PTHSS |
| ID | FETCH-proquest_journals_26374745413 |
| IEDL.DBID | 8FG |
| IngestDate | Thu Oct 10 19:56:27 EDT 2024 |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-proquest_journals_26374745413 |
| OpenAccessLink | https://www.proquest.com/docview/2637474541?pq-origsite=%requestingapplication% |
| PQID | 2637474541 |
| PQPubID | 2050157 |
| ParticipantIDs | proquest_journals_2637474541 |
| PublicationCentury | 2000 |
| PublicationDate | 20220308 |
| PublicationDateYYYYMMDD | 2022-03-08 |
| PublicationDate_xml | – month: 03 year: 2022 text: 20220308 day: 08 |
| PublicationDecade | 2020 |
| PublicationPlace | Ithaca |
| PublicationPlace_xml | – name: Ithaca |
| PublicationTitle | arXiv.org |
| PublicationYear | 2022 |
| Publisher | Cornell University Library, arXiv.org |
| Publisher_xml | – name: Cornell University Library, arXiv.org |
| SSID | ssj0002672553 |
| Score | 3.3926895 |
| SecondaryResourceType | preprint |
| Snippet | Data poisoning attacks, in which an adversary corrupts a training set with the goal of inducing specific desired mistakes, have raised substantial concern:... |
| SourceID | proquest |
| SourceType | Aggregation Database |
| SubjectTerms | Algorithms Lower bounds Machine learning Polynomials Predictions Separators |
| Title | Robustly-reliable learners under poisoning attacks |
| URI | https://www.proquest.com/docview/2637474541 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwfV3fS8MwED50RfDNn_hjjoC-Btsk67onQWkdwsYYCnsbSZqAMGxtuwdf_Nu9K50-CHs8AkkI4b7L5fvuAO6kD52x0vHImzFXXniuXYKmMIgfxns1Jr3zdBZP3tTLcrjsEm51R6vc-sTWUeeFpRz5vYglRr5qqKKH8pNT1yj6Xe1aaOxDEFElPFKKZ8-_ORYRjzBilv_cbIsd2REEc1266hj23McJHLSUS1ufglgUZlM36y9eufU7KZhY28IB4zFGyq6KlQVRfRBbmG4a0sKfwW2Wvj5N-HahVXcV6tXfxuU59PBN7y6A5RphXIdOWO2pZFmihBk5kVuJAVRiwkvo75rpavfwNRwKYukTVSrpQ6-pNu4GsbMxg_aABhA8prP5Aq3pd_oDVVF6mg |
| link.rule.ids | 786,790,12792,21416,33406,33777,43633,43838 |
| linkProvider | ProQuest |
| linkToHtml | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwfV3PS8MwFH5oi-jNn6ibGtBrsEuyLjsNlI2qWxljwm4laRMQhq1td_C_N690ehB2DIEkhPC-Ly_flwfwwG1gdMoN7Vk9pMIyS5WRrsm0ww9trRii33kWh9G7eF31V23CrWpllduY2ATqLE8xR_7IQu6Yr-iL3qj4olg1Cl9X2xIa--Djl5vSA_9pHM8Xv1kWFg4cZ-b_Am2DHpNj8OeqMOUJ7JnPUzhoRJdpdQZsketNVa-_aWnWH-hhIk0RB8fICHq7SlLkKPZx6EJUXaMb_hzuJ-Plc0S3EyXtYaiSv6XzC_Dcrd5cAsmUA3IVGJYqi5-WScH0wLAs5Y5CSR1cQXfXSNe7u-_gMFrOpsn0JX7rwBFDzT4Kp2QXvLrcmBuHpLW-bbfrB5RVfCY |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Robustly-reliable+learners+under+poisoning+attacks&rft.jtitle=arXiv.org&rft.au=Maria-Florina+Balcan&rft.au=Blum%2C+Avrim&rft.au=Hanneke%2C+Steve&rft.au=Sharma%2C+Dravyansh&rft.date=2022-03-08&rft.pub=Cornell+University+Library%2C+arXiv.org&rft.eissn=2331-8422 |