Fig 1 - uploaded by Antonio Emanuele Cinà
Content may be subject to copyright.
Download
View publication
(Left) Attacker's objective function with bi-level formulation [16]. (Right) Ours objective function, described in Eq. (4). Red regions represent zones where the objective function is high. The black line is the decision boundary of a logistic regression classifier.

(Left) Attacker's objective function with bi-level formulation [16]. (Right) Ours objective function, described in Eq. (4). Red regions represent zones where the objective function is high. The black line is the decision boundary of a logistic regression classifier.

Source publication
Fig. 1. (Left) Attacker's objective function with bi-level formulation...
Fig. 2. Accuracy on the test set for SVM, with regularization C = 1 and...
Fig. 4. Accuracy on the test set for SVM, with regularization C = 1 and...
Fig. 7. Effectiveness of poisoning when 15% of the dataset is poisoned....
The Hammer and the Nut: Is Bilevel Optimization Really Needed to Poison Linear Classifiers?
Preprint
Full-text available
  • Mar 2021
One of the most concerning threats for modern AI systems is data poisoning, where the attacker injects maliciously crafted training data to corrupt the system's behavior at test time. Availability poisoning is a particularly worrisome subset of poisoning attacks where the attacker aims to cause a Denial-of-Service (DoS) attack. However, the state-o...
Cite
Download full-text

Contexts in source publication

Context 1
... illustrate the idea behind the proposed approach with an example in Figure 1, which visualizes the difference between our objective function and the one optimized in Problem (2)-(3). To create an easily understandable example, we consider a linearly separable two-dimensional dataset in which each class follows a Gaussian distribution. ...
Context 2
... create an easily understandable example, we consider a linearly separable two-dimensional dataset in which each class follows a Gaussian distribution. Based on the bi-level problem illustrated in the previous section, the theoretical formulation suggests that the poisoning point should be located in the bottom-left region to obtain the highest validation error (left plot in Figure 1). The red area shows the optimal solution of the availability poisoning Problem (2)-(3). ...
Context 3
... solving this problem is computationally expensive. Our heuristic approach, shown in the right plot of Figure 1, suggests locating the poisoning samples in the space region with the highest density of training samples. This is a counter-intuitive solution because the optimal region is quite different from the one obtained optimizing the bi-level problem. ...
Context 4
... illustrate the idea behind the proposed approach with an example in Figure 1, which visualizes the difference between our objective function and the one optimized in Problem (2)-(3). To create an easily understandable example, we consider a linearly separable two-dimensional dataset in which each class follows a Gaussian distribution. ...
Context 5
... create an easily understandable example, we consider a linearly separable two-dimensional dataset in which each class follows a Gaussian distribution. Based on the bi-level problem illustrated in the previous section, the theoretical formulation suggests that the poisoning point should be located in the bottom-left region to obtain the highest validation error (left plot in Figure 1). The red area shows the optimal solution of the availability poisoning Problem (2)-(3). ...
Context 6
... solving this problem is computationally expensive. Our heuristic approach, shown in the right plot of Figure 1, suggests locating the poisoning samples in the space region with the highest density of training samples. This is a counter-intuitive solution because the optimal region is quite different from the one obtained optimizing the bi-level problem. ...