| With the rapid development of machine learning and its wide application in various fields, the robustness of machine learning against data poisoning attacks has attracted wide concern. As a subclass of poisoning attacks, the label flipping attack poisons the training data and thereby reduces the classification performance of the trained model. In addition, graph neural networks (GNNs) are powerful at learning rich network representations. However, some studies have shown that GNNs are easily fooled by small perturbations and are vulnerable to data poisoning attacks with irreparable consequences. This thesis therefore focuses on two kinds of poisoning attacks, namely label flipping attacks based on machine learning and poisoning attacks based on graph contrastive learning, and carries out an in-depth analysis of both attacks and the corresponding defense measures. The main research contents of this thesis are as follows: (1) A new label flipping attack method and its defense strategy are proposed. On the one hand, a label flipping attack based on agglomerative hierarchical clustering is proposed. In this attack, the vulnerable samples are identified by agglomerative hierarchical clustering of the training data, and the poisoned training set is then obtained by flipping their labels. Finally, the poisoned data is used to train the classification model, realizing the label flipping attack. On the other hand, to defend against label flipping attacks based on agglomerative hierarchical clustering, a label correction defense method based on TrAdaBoost is proposed. In this method, the TrAdaBoost algorithm is used to update the weights of the training data, and the updated weight values are then used to judge and relabel the contaminated training samples. Finally, the corrected training set is used to retrain the classification model, protecting it under the label flipping attack. The proposed label flipping attack and its defense method were tested on the Drebin and Genome data sets and compared with state-of-the-art methods. Experimental results show that the proposed attack strategy reduces the accuracy of the model more effectively, and that the proposed defense method better protects the classification model. (2) A poisoning attack based on graph contrastive learning and its defense method are proposed. On the one hand, a poisoning attack based on graph contrastive learning is proposed. The topology and data features obtained from the graph contrastive learning model are used to produce augmented views, edge weights are assigned according to the information carried by the edges, and on this basis edges are flipped to carry out the poisoning attack. On the other hand, a defense method based on node similarity is proposed. First, a new view is obtained by applying feature-adaptive data augmentation to the poisoned graph. Then, the cosine similarity between any two nodes in the graph is calculated from the obtained view, and the poisoned edges are identified and flipped. Finally, the new graph data is used to train the classification model, realizing the defense against poisoning attacks. The proposed poisoning attack based on graph contrastive learning and its defense method were evaluated experimentally on the Cora and CiteSeer graph data sets. The experimental results show that the proposed method is superior to the current best untargeted poisoning attack and to many targeted poisoning attack methods. Meanwhile, the defense method in this thesis can effectively protect the classification performance of the model. |
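The node-similarity defense described above, sketched as an added example that is not the thesis's code. It assumes raw bag-of-words features stand in for the augmented view, that "flipping" means removing a low-similarity edge or restoring a high-similarity missing one, and that the `low`/`high` thresholds and the sample graph are constructed for illustration.

```python
import math
from itertools import combinations

def cosine(u, v):
    """Cosine similarity of two feature vectors; 0.0 if either is all-zero."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0

def repair_edges(features, edges, low=0.1, high=0.8):
    """Flip suspicious entries of an undirected graph by node similarity.

    low/high are hypothetical thresholds (not taken from the thesis):
      existing edge with similarity < low  -> treated as injected, removed
      missing edge with similarity > high  -> treated as deleted, restored
    Every node pair is compared, so the cost is O(n^2) in the node count.
    """
    present = {tuple(sorted(e)) for e in edges}
    removed, added = [], []
    for i, j in combinations(range(len(features)), 2):
        sim = cosine(features[i], features[j])
        if (i, j) in present and sim < low:
            removed.append((i, j))
        elif (i, j) not in present and sim > high:
            added.append((i, j))
    repaired = sorted((present - set(removed)) | set(added))
    return repaired, removed, added

# Constructed sample: six nodes with binary bag-of-words features.
# Nodes 0-2 share one topic (dims 0-2), nodes 3-5 another (dims 3-5).
FEATURES = [
    [1, 1, 1, 0, 0, 0],
    [1, 1, 0, 0, 0, 0],
    [1, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 1, 1],
    [0, 0, 0, 1, 1, 0],
    [0, 0, 1, 1, 0, 1],
]
CLEAN_EDGES = [(0, 1), (0, 2), (3, 4), (3, 5), (4, 5)]
# Constructed poisoned graph: (0,1) and (3,4) deleted, cross-topic (1,4) added.
POISONED_EDGES = [(0, 2), (3, 5), (4, 5), (1, 4)]

if __name__ == "__main__":
    repaired, removed, added = repair_edges(FEATURES, POISONED_EDGES)
    print("removed:", removed, "restored:", added)
    print("matches clean graph:", repaired == sorted(CLEAN_EDGES))
```

On real graphs the two thresholds trade false removals of legitimate cross-topic edges against missed injections, so they need tuning on a held-out clean subgraph.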