TY - GEN
T1 - Adversarial Poisoning of Importance Weighting in Domain Adaptation
AU - Umer, Muhammad
AU - Frederickson, Christopher
AU - Polikar, Robi
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/2
Y1 - 2018/7/2
N2 - Domain adaptation techniques such as importance weighting modify the training data to better represent a different test data distribution, a process that may be particularly vulnerable to a malicious attack in an adversarial machine learning scenario. In this work, we explore the extent of importance weighting's vulnerability to poisoning attacks. Importance weighting, like other domain adaptation approaches, assumes that the distributions of training and test data are different but related. An intelligent adversary with full or partial access to the training data can take advantage of the expected difference between the distributions and inject well-crafted malicious samples into the training data, resulting in an incorrect estimate of the importance ratio. We demonstrate the vulnerability of one of the simplest yet most effective approaches for directly estimating the importance ratio, namely, modifying the training distribution using a discriminative classifier such as logistic regression. We test the robustness of the importance weighting process using well-controlled synthetic datasets, with an increasing number of attack points in the training data. Under the worst-case, perfect-knowledge scenario, where the attacker has full access to the training data, we show that importance weighting can be dramatically compromised by the insertion of even a single attack point. We then show that even under a limited-knowledge scenario, where the attacker has only partial access to the training data, the estimation process can still be significantly compromised.
AB - Domain adaptation techniques such as importance weighting modify the training data to better represent a different test data distribution, a process that may be particularly vulnerable to a malicious attack in an adversarial machine learning scenario. In this work, we explore the extent of importance weighting's vulnerability to poisoning attacks. Importance weighting, like other domain adaptation approaches, assumes that the distributions of training and test data are different but related. An intelligent adversary with full or partial access to the training data can take advantage of the expected difference between the distributions and inject well-crafted malicious samples into the training data, resulting in an incorrect estimate of the importance ratio. We demonstrate the vulnerability of one of the simplest yet most effective approaches for directly estimating the importance ratio, namely, modifying the training distribution using a discriminative classifier such as logistic regression. We test the robustness of the importance weighting process using well-controlled synthetic datasets, with an increasing number of attack points in the training data. Under the worst-case, perfect-knowledge scenario, where the attacker has full access to the training data, we show that importance weighting can be dramatically compromised by the insertion of even a single attack point. We then show that even under a limited-knowledge scenario, where the attacker has only partial access to the training data, the estimation process can still be significantly compromised.
UR - http://www.scopus.com/inward/record.url?scp=85062779774&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85062779774&partnerID=8YFLogxK
U2 - 10.1109/SSCI.2018.8628720
DO - 10.1109/SSCI.2018.8628720
M3 - Conference contribution
AN - SCOPUS:85062779774
T3 - Proceedings of the 2018 IEEE Symposium Series on Computational Intelligence, SSCI 2018
SP - 381
EP - 388
BT - Proceedings of the 2018 IEEE Symposium Series on Computational Intelligence, SSCI 2018
A2 - Sundaram, Suresh
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IEEE Symposium Series on Computational Intelligence, SSCI 2018
Y2 - 18 November 2018 through 21 November 2018
ER -