Training-Time Attacks against k-Nearest Neighbors

Ara Vartanian; Will Rosenbaum; Scott Alfeld

Training-Time Attacks against k-Nearest Neighbors

Ara Vartanian, Will Rosenbaum, Scott Alfeld

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Nearest neighbor-based methods are commonly used for classification tasks and as subroutines of other data-analysis methods. An attacker with the capability of inserting their own data points into the training set can manipulate the inferred nearest neighbor structure. We distill this goal to the task of performing a training-set data insertion attack against k-Nearest Neighbor classification (kNN). We prove that computing an optimal training-time (a.k.a. poisoning) attack against kNN classification is NP-Hard, even when k = 1 and the attacker can insert only a single data point. We provide an anytime algorithm to perform such an attack, and a greedy algorithm for general k and attacker budget. We provide theoretical bounds and empirically demonstrate the effectiveness and practicality of our methods on synthetic and real-world datasets. Empirically, we find that kNN is vulnerable in practice and that dimensionality reduction is an effective defense. We conclude with a discussion of open problems illuminated by our analysis.

Original language	English
Title of host publication	AAAI-23 Technical Tracks 8
Editors	Brian Williams, Yiling Chen, Jennifer Neville
Publisher	AAAI press
Pages	10053-10060
Number of pages	8
ISBN (Electronic)	9781577358800
State	Published - 27 Jun 2023
Externally published	Yes
Event	37th AAAI Conference on Artificial Intelligence, AAAI 2023 - Washington, United States Duration: 7 Feb 2023 → 14 Feb 2023

Publication series

Name	Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023
Volume	37

Conference

Conference	37th AAAI Conference on Artificial Intelligence, AAAI 2023
Country/Territory	United States
City	Washington
Period	7/02/23 → 14/02/23

Cite this

@inproceedings{86edcaddf8cc4d4f83501a6159297f47,

title = "Training-Time Attacks against k-Nearest Neighbors",

abstract = "Nearest neighbor-based methods are commonly used for classification tasks and as subroutines of other data-analysis methods. An attacker with the capability of inserting their own data points into the training set can manipulate the inferred nearest neighbor structure. We distill this goal to the task of performing a training-set data insertion attack against k-Nearest Neighbor classification (kNN). We prove that computing an optimal training-time (a.k.a. poisoning) attack against kNN classification is NP-Hard, even when k = 1 and the attacker can insert only a single data point. We provide an anytime algorithm to perform such an attack, and a greedy algorithm for general k and attacker budget. We provide theoretical bounds and empirically demonstrate the effectiveness and practicality of our methods on synthetic and real-world datasets. Empirically, we find that kNN is vulnerable in practice and that dimensionality reduction is an effective defense. We conclude with a discussion of open problems illuminated by our analysis.",

author = "Ara Vartanian and Will Rosenbaum and Scott Alfeld",

note = "Publisher Copyright: Copyright {\textcopyright} 2023, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 37th AAAI Conference on Artificial Intelligence, AAAI 2023 ; Conference date: 07-02-2023 Through 14-02-2023",

year = "2023",

month = jun,

day = "27",

language = "אנגלית",

series = "Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023",

publisher = "AAAI press",

pages = "10053--10060",

editor = "Brian Williams and Yiling Chen and Jennifer Neville",

booktitle = "AAAI-23 Technical Tracks 8",

}

Vartanian, A, Rosenbaum, W & Alfeld, S 2023, Training-Time Attacks against k-Nearest Neighbors. in B Williams, Y Chen & J Neville (eds), AAAI-23 Technical Tracks 8. Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023, vol. 37, AAAI press, pp. 10053-10060, 37th AAAI Conference on Artificial Intelligence, AAAI 2023, Washington, United States, 7/02/23.

Training-Time Attacks against k-Nearest Neighbors. / Vartanian, Ara; Rosenbaum, Will; Alfeld, Scott.
AAAI-23 Technical Tracks 8. ed. / Brian Williams; Yiling Chen; Jennifer Neville. AAAI press, 2023. p. 10053-10060 (Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023; Vol. 37).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Training-Time Attacks against k-Nearest Neighbors

AU - Vartanian, Ara

AU - Rosenbaum, Will

AU - Alfeld, Scott

PY - 2023/6/27

Y1 - 2023/6/27

N2 - Nearest neighbor-based methods are commonly used for classification tasks and as subroutines of other data-analysis methods. An attacker with the capability of inserting their own data points into the training set can manipulate the inferred nearest neighbor structure. We distill this goal to the task of performing a training-set data insertion attack against k-Nearest Neighbor classification (kNN). We prove that computing an optimal training-time (a.k.a. poisoning) attack against kNN classification is NP-Hard, even when k = 1 and the attacker can insert only a single data point. We provide an anytime algorithm to perform such an attack, and a greedy algorithm for general k and attacker budget. We provide theoretical bounds and empirically demonstrate the effectiveness and practicality of our methods on synthetic and real-world datasets. Empirically, we find that kNN is vulnerable in practice and that dimensionality reduction is an effective defense. We conclude with a discussion of open problems illuminated by our analysis.

AB - Nearest neighbor-based methods are commonly used for classification tasks and as subroutines of other data-analysis methods. An attacker with the capability of inserting their own data points into the training set can manipulate the inferred nearest neighbor structure. We distill this goal to the task of performing a training-set data insertion attack against k-Nearest Neighbor classification (kNN). We prove that computing an optimal training-time (a.k.a. poisoning) attack against kNN classification is NP-Hard, even when k = 1 and the attacker can insert only a single data point. We provide an anytime algorithm to perform such an attack, and a greedy algorithm for general k and attacker budget. We provide theoretical bounds and empirically demonstrate the effectiveness and practicality of our methods on synthetic and real-world datasets. Empirically, we find that kNN is vulnerable in practice and that dimensionality reduction is an effective defense. We conclude with a discussion of open problems illuminated by our analysis.

UR - http://www.scopus.com/inward/record.url?scp=85168252869&partnerID=8YFLogxK

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85168252869

T3 - Proceedings of the 37th AAAI Conference on Artificial Intelligence, AAAI 2023

SP - 10053

EP - 10060

BT - AAAI-23 Technical Tracks 8

A2 - Williams, Brian

A2 - Chen, Yiling

A2 - Neville, Jennifer

PB - AAAI press

T2 - 37th AAAI Conference on Artificial Intelligence, AAAI 2023

Y2 - 7 February 2023 through 14 February 2023

ER -

Training-Time Attacks against k-Nearest Neighbors

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this