Designing Better Attacks with Information about Data Distributions and Realistic Attacker Goals
Machine learning models are vulnerable to both training-time and test-time attacks. My research aims to better understand the vulnerabilities of current systems to a realistic class of adversaries by developing stronger attack strategies that exploit information about data distributions and consider realistic attacker goals. Our preliminary work on evasion attacks against black-box target models uses data sampled from the underlying data distribution to train local models, which significantly reduce the cost of existing attacks by providing better initializations. We further consider a more realistic attacker goal: attacking only a fraction of the seeds from a large candidate pool. By using feedback from the local and target models to identify the more vulnerable seeds, the attacker can reduce cost by concentrating on the most promising ones.

For poisoning attacks, directly generating poisoning points to achieve the attacker's goals is challenging because of the underlying bilevel optimization problem. Our preliminary work decomposes the original poisoning objective into two more achievable subgoals: 1) encoding the original objective into target models, and 2) generating poisoning points that induce those models, which avoids solving the bilevel optimization directly. We then design a poisoning attack that achieves the second subgoal for any target model. This decomposition-based perspective enables our attack to outperform state-of-the-art poisoning attacks when the target models are carefully selected. The proposed work continues to explore better poisoning attacks. Empirically, we will focus on the first subgoal and design principled methods to find target models that achieve the desired attacker objectives using fewer poisoning points with the attack proposed in the preliminary work.
Theoretically, compared to prior work, we will additionally incorporate information about the data distribution and its interaction with the learning algorithm and hypothesis class to derive tighter upper bounds on the power of optimal attacks.
- Mohammad Mahmoody, Committee Chair (Department of Computer Science)
- David Evans, Advisor (Department of Computer Science)
- Yuan Tian, Advisor (Department of Computer Science)
- Farzad Farnoud (Department of Computer Science & Department of Electrical and Computer Engineering)
- Cong Shen (Department of Electrical and Computer Engineering)