Abstract
Many real-world problems involve building a predictive model of an adversary and then making decisions based on that model, via either a two-stage (predict, then optimize) or a decision-focused (jointly predict and optimize) approach. Because the predictive model is learned from data on the adversary's behavior, the adversary can influence the learning process itself, ultimately degrading the quality of the final decisions. In this paper, we study poisoning attacks in this data-based decision making setting: the adversary injects bounded perturbations into the training data so as to shift the final decision outcome toward the adversary's goal. To our knowledge, this is the first work to study poisoning attacks in such data-based decision making scenarios. Our main contributions are as follows. We introduce a new meta-gradient based poisoning attack applicable to various types of predict-and-optimize frameworks, and compare it against a technique known to be effective in computer vision. We find that the complexity of the problem makes directly attacking a decision-focused model difficult. However, we show that an attack crafted against a two-stage model transfers effectively to a decision-focused model.
Notes
- 1.
Note that our formulation can be generalized to multiple targeted data points in the test set by taking the sum of losses over these data points. In addition, it can also be extended to incorporate perturbations on the labels \(\theta _i\) by introducing additional perturbation variables \(\alpha _i\) to add to the labels.
- 2.
We can also apply this method to compute the decision gradient. However, the meta-gradient approach is much more computationally expensive than the implicit function theorem method for convex problems.
References
Agrawal, A., Amos, B., Barratt, S., Boyd, S., Diamond, S., Kolter, J.Z.: Differentiable convex optimization layers. In: Advances in Neural Information Processing Systems, vol. 32 (2019)
Amos, B., Kolter, J.Z.: OptNet: differentiable optimization as a layer in neural networks. arXiv preprint arXiv:1703.00443 (2017)
Andrychowicz, M., et al.: Learning to learn by gradient descent by gradient descent (2016)
Bengio, Y.: Gradient-based optimization of hyperparameters. Neural Comput. 12(8), 1889–1900 (2000). https://doi.org/10.1162/089976600300015187
Biggio, B., et al.: Evasion attacks against machine learning at test time. In: Blockeel, H., Kersting, K., Nijssen, S., Železný, F. (eds.) ECML PKDD 2013. LNCS (LNAI), vol. 8190, pp. 387–402. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40994-3_25
Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. arXiv preprint arXiv:1206.6389 (2012)
Donti, P., Amos, B., Kolter, J.Z.: Task-based end-to-end model learning in stochastic optimization. In: Advances in Neural Information Processing Systems, pp. 5484–5494 (2017)
Fang, F., et al.: Deploying paws: field optimization of the protection assistant for wildlife security. In: AAAI, vol. 16, pp. 3966–3973 (2016)
Grefenstette, E., et al.: Generalized inner loop meta-learning. arXiv preprint arXiv:1910.01727 (2019)
Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.D.: Adversarial machine learning. In: Proceedings of the 4th ACM workshop on Security and artificial intelligence, pp. 43–58 (2011)
Huang, W.R., Geiping, J., Fowl, L., Taylor, G., Goldstein, T.: Metapoison: practical general-purpose clean-label data poisoning. In: Larochelle, H., Ranzato, M., Hadsell, R., Balcan, M.F., Lin, H. (eds.) Advances in Neural Information Processing Systems, vol. 33, pp. 12080–12091. Curran Associates, Inc. (2020). https://proceedings.neurips.cc/paper/2020/file/8ce6fc704072e351679ac97d4a985574-Paper.pdf
Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., Li, B.: Manipulating machine learning: poisoning attacks and countermeasures for regression learning. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 19–35. IEEE (2018)
Karypis, G., Kumar, V.: Metis-a software package for partitioning unstructured graphs, partitioning meshes and computing fill-reducing ordering of sparse matrices (1997)
Krantz, S.G., Parks, H.R.: The Implicit Function Theorem: History, Theory, and Applications. Springer Science & Business Media, Cham (2002)
Kurakin, A., Goodfellow, I.J., Bengio, S.: Adversarial examples in the physical world. In: Artificial intelligence safety and security, pp. 99–112. Chapman and Hall/CRC (2018)
Li, J., Zhang, H., Han, Z., Rong, Y., Cheng, H., Huang, J.: Adversarial attack on community detection by hiding individuals. In: Proceedings of the Web Conference 2020, April 2020. https://doi.org/10.1145/3366423.3380171
Lowd, D., Meek, C.: Adversarial learning. In: ACM SIGKDD (2005)
Markowitz, H.: Portfolio selection. J. Finance 7(1), 77–91 (1952). http://www.jstor.org/stable/2975974
Mukhopadhyay, A., Vorobeychik, Y.: Prioritized allocation of emergency responders based on a continuous-time incident prediction model. In: International Conference on Autonomous Agents and MultiAgent Systems (2017)
Muñoz-González, L., et al.: Towards poisoning of deep learning algorithms with back-gradient optimization. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (2017)
Papernot, N., McDaniel, P., Goodfellow, I.: Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277 (2016)
Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 372–387. IEEE (2016)
Perrault, A., Wilder, B., Ewing, E., Mate, A., Dilkina, B., Tambe, M.: Decision-focused learning of adversary behavior in security games (2019)
Quandl: WIKI various end-of-day data (2021). https://www.quandl.com/data/WIKI
Sen, P., Namata, G.M., Bilgic, M., Getoor, L., Gallagher, B., Eliassi-Rad, T.: Collective classification in network data. AI Mag. 29(3), 93–106 (2008)
Shafahi, A., et al.: Poison frogs! targeted clean-label poisoning attacks on neural networks. In: Advances in Neural Information Processing Systems, vol. 31 (2018)
Shah, S., Sinha, A., Varakantham, P., Perrault, A., Tambe, M.: Solving online threat screening games using constrained action space reinforcement learning. CoRR abs/1911.08799 (2019). http://arxiv.org/abs/1911.08799
Wang, H., Xie, H., Qiu, L., Yang, Y.R., Zhang, Y., Greenberg, A.: Cope: traffic engineering in dynamic networks. In: Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 99–110 (2006)
Wang, K., Wilder, B., Perrault, A., Tambe, M.: Automatically learning compact quality-aware surrogates for optimization problems. In: Advances in Neural Information Processing Systems, vol. 33, pp. 9586–9596 (2020)
Wilder, B., Dilkina, B., Tambe, M.: Melding the data-decisions pipeline: decision-focused learning for combinatorial optimization (2018)
Wilder, B., Ewing, E., Dilkina, B., Tambe, M.: End to end learning and optimization on graphs (2020)
Xue, M., He, C., Wang, J., Liu, W.: One-to-N & N-to-one: two advanced backdoor attacks against deep learning models. IEEE Trans. Dependable Secure Comput. 19, 1562–1578 (2020). https://doi.org/10.1109/TDSC.2020.3028448
Xue, Y., Davies, I., Fink, D., Wood, C., Gomes, C.P.: Avicaching: a two stage game for bias reduction in citizen science. In: Proceedings of the 2016 International Conference on Autonomous Agents & Multiagent Systems, pp. 776–785 (2016)
Zügner, D., Günnemann, S.: Adversarial attacks on graph neural networks via meta learning. In: International Conference on Learning Representations (ICLR) (2019)
8 Appendix
8.1 Experiment Domain - Bipartite Matching
Bipartite matching is a well-established problem in graph learning. In form, it is essentially identical to the synthetic data setting discussed previously:
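The displayed optimization problem did not survive extraction here. In its standard form (a sketch consistent with the doubly stochastic constraints described next, not necessarily the paper's exact notation), the relaxed bipartite matching problem with predicted edge weights \(\theta\) reads:

```latex
\begin{equation*}
\max_{x \in [0,1]^{n \times n}} \;\; \sum_{i=1}^{n} \sum_{j=1}^{n} \theta_{ij}\, x_{ij}
\qquad \text{s.t.} \qquad
\sum_{j=1}^{n} x_{ij} = 1 \;\; \forall i,
\qquad
\sum_{i=1}^{n} x_{ij} = 1 \;\; \forall j.
\end{equation*}
```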
In this case, however, the constraints enforced are that x must be doubly stochastic. Intuitively, x is a square matrix with continuous values. Each value \(x_{ij}\) represents the probability that node i on one side of the graph will be matched with node j on the other side. For the learning component of the problem, the goal is to predict the graph’s edges from the nodes’ features. This means that \(\epsilon \) represents per-node features, while \(\theta \) is the graph’s adjacency matrix (relaxed to be continuous).
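As an illustrative sketch (not the authors' code), the relaxed matching decision problem above can be solved as a linear program: the decision variable x is flattened, and the doubly stochastic requirement becomes row-sum and column-sum equality constraints.

```python
# Sketch: relaxed bipartite matching as an LP over a doubly stochastic x,
# where theta holds predicted (continuous) edge weights.
import numpy as np
from scipy.optimize import linprog

def relaxed_matching(theta):
    """Maximize sum_ij theta_ij * x_ij subject to x being doubly stochastic."""
    n = theta.shape[0]
    # linprog minimizes, so negate the objective.
    c = -theta.flatten()
    # Row-sum constraints: sum_j x_ij = 1 for each i (row-major flattening).
    A_rows = np.kron(np.eye(n), np.ones((1, n)))
    # Column-sum constraints: sum_i x_ij = 1 for each j.
    A_cols = np.kron(np.ones((1, n)), np.eye(n))
    A_eq = np.vstack([A_rows, A_cols])
    b_eq = np.ones(2 * n)
    res = linprog(c, A_eq=A_eq, b_eq=b_eq, bounds=(0, 1))
    return res.x.reshape(n, n)

theta = np.array([[0.9, 0.1],
                  [0.2, 0.8]])
x = relaxed_matching(theta)
# With these weights, the optimum is the identity permutation matrix.
```

By the Birkhoff-von Neumann theorem, the LP's optimum lies at a vertex of the doubly stochastic polytope, i.e. a permutation matrix, so the relaxation recovers a hard matching here.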
For these experiments, we utilize the Cora dataset [25] which consists of scientific papers. The features here are binary values indicating the presence of keywords in the paper, while the edges in the graph are citations. In total, there are 1433 features and 2708 nodes. Inspired by a recent paper [30], we split the dataset into 27 bipartite subgraphs, with 50 nodes on each side in each subgraph. This is accomplished using Metis [13] to partition the graph.
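The split into bipartite instances might be sketched as follows. This is an assumption about the preprocessing, not the authors' code: only the overall scheme (a Metis partition of Cora into parts, each turned into a 50-vs-50 bipartite subgraph) comes from the text; the function name and the left/right split rule are illustrative.

```python
# Sketch: given a graph partition (e.g. from Metis) assigning each node a
# part id, form one bipartite instance per part by splitting the part's
# nodes into two sides and keeping the adjacency block between them.
import numpy as np

def bipartite_instances(adj, parts, side_size=50):
    """adj: (N, N) adjacency matrix; parts: length-N array of part ids.
    Returns one (side_size, side_size) edge-weight matrix per part."""
    instances = []
    for p in np.unique(parts):
        nodes = np.flatnonzero(parts == p)
        # Illustrative split rule: first half left, second half right.
        left = nodes[:side_size]
        right = nodes[side_size:2 * side_size]
        # theta for this instance: edges from 'left' nodes to 'right' nodes.
        instances.append(adj[np.ix_(left, right)])
    return instances
```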
8.2 Supplementary Experiment Results
In Fig. 9, we display the results of using MetaPoison [11] to craft attacks against a simple joint learner, and of transferring the resulting attack to the two-stage and decision-focused learners. Both domains exhibit the same trends observed in our synthetic domain: the attack is only nominally effective against the simple joint model, and not at all effective when transferred to the other two models. Once again, this suggests that techniques from domains such as computer vision may not be well suited to attacking data-based decision making models.
Figure 10 shows the results of attacking the two-stage and decision-focused models for bipartite matching. The trends are once again similar to the other domains: attacks trained against a two-stage learner transfer effectively to a decision-focused learner. Furthermore, as in portfolio optimization, we observe that the decision-focused learner appears more susceptible to direct attack (Fig. 10b) than the two-stage learner (Fig. 10a). This is likely because the decision-focused learner outperforms its two-stage counterpart in the absence of attack: unattacked, the two-stage learner achieves utility values between 2.37 and 2.90, while the decision-focused learner obtains utilities between 2.65 and 4.59. Particularly when attacking the decision-focused learner (Fig. 10b), we observe the recurring trend that larger attack budgets often lead to worse attacks and higher utility for the learner, demonstrating the difficulty of finding good attack optima via (meta-)gradient descent.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kinsey, S.E., Tuck, W.W., Sinha, A., Nguyen, T.H. (2023). An Exploration of Poisoning Attacks on Data-Based Decision Making. In: Fang, F., Xu, H., Hayel, Y. (eds) Decision and Game Theory for Security. GameSec 2022. Lecture Notes in Computer Science, vol 13727. Springer, Cham. https://doi.org/10.1007/978-3-031-26369-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-26368-2
Online ISBN: 978-3-031-26369-9
eBook Packages: Computer Science (R0)