Machine learning models trained on data from the outside world can be
corrupted by data poisoning attacks that inject malicious points into the
models' training sets. A common defense against these attacks is data
sanitization: first filter out anomalous training points before training the
model. In this paper, we develop three attacks that can bypass a broad range of
common data sanitization defenses, including anomaly detectors based on nearest
neighbors, training loss, and singular-value decomposition. By adding just 3%
poisoned data, our attacks successfully increase test error on the Enron spam
detection dataset from 3% to 24% and on the IMDB sentiment classification
dataset from 12% to 29%. In contrast, existing attacks which do not explicitly
account for these data sanitization defenses are defeated by them. Our attacks
are based on two ideas: (i) we coordinate our attacks to place poisoned points
near one another, and (ii) we formulate each attack as a constrained
optimization problem, with constraints designed to ensure that the poisoned
points evade detection. As this optimization involves solving an expensive
bilevel problem, our three attacks correspond to different ways of
approximating this problem, based on influence functions; minimax duality; and
the Karush-Kuhn-Tucker (KKT) conditions. Our results underscore the need to
develop more robust defenses against data poisoning attacks.

本文研究机器学习模型在训练时通过数据毒化攻击注入恶意数据点的危害以及数据清洗防御措施的不足。通过协调毒化点放置位置和基于约束条件设计攻击的方式，开发三种不同方法规避现有的数据清洗防御措施。这些攻击方法均基于耗时的二级规划问题，并通过影响函数，极小 - 极大假说和 Karush-Kuhn-Tucker（KKT）条件来实现。我们的实验结果表明需要开发更稳健的数据清洗防御措施以应对数据毒化攻击的威胁。