New Pre-print: On the Robustness of Ensemble-Based Machine Learning Against Data Poisoning
Our paper entitled On the Robustness of Ensemble-Based Machine Learning Against Data Poisoning has been posted on arXiv as preprint.
In this paper, which we are currently extending, we evaluate the robustness of random forest and ensemble of random forests against different types of untargeted data poisoning attacks. Data poisoning consists in the injection of maliciously-crafted data points in the training set, in order to alter the predictions of the model.
We focus on less-investigated topics in the field of data poisoning: tabular datasets (instead of images), random forests (instead of neural networks), untargeted poisoning (no specific goal and strategy), simple but effective defense strategy.
In short, we show that ensemble of random forests, with each random forest trained on a disjoint partition of the training set, can provide good robustness against untargeted label flipping.
This work is a collaboration between our group at SESAR Lab, Università degli Studi di Milano and C2PS (Centre for Cyber-Physical Systems), Khalifa University, Abu Dhabi, UAE.
The authors of the paper are: Marco Anisetti, Claudio A. Ardagna, Alessandro Balestrucci, Nicola Bena (me), Ernesto Damiani, and Chan Yeob Yeun.
Below is the full abstract.
Machine learning is becoming ubiquitous. From financial to medicine, machine learning models are boosting decision-making processes and even outperforming humans in some tasks. This huge progress in terms of prediction quality does not however find a counterpart in the security of such models and corresponding predictions, where perturbations of fractions of the training set (poisoning) can seriously undermine the model accuracy. Research on poisoning attacks and defenses even predates the introduction of deep neural networks, leading to several promising solutions. Among them, ensemble-based defenses, where different models are trained on portions of the training set and their predictions are then aggregated, are getting significant attention, due to their relative simplicity and theoretical and practical guarantees. The work in this paper designs and implements a hash-based ensemble approach for ML robustness and evaluates its applicability and performance on random forests, a machine learning model proved to be more resistant to poisoning attempts on tabular datasets. An extensive experimental evaluation is carried out to evaluate the robustness of our approach against a variety of attacks, and compare it with a traditional monolithic model based on random forests.
The paper is available here.
A Quick Overview
We evaluate whether an ensemble of random forests provides some robustness compared to a plain random forest. Our ensemble-based defense is inspired by other work in the field, and consists of i) partitioning the training set into N non-overlapping partitions, ii) training each of N random forests on an individual partition, iii) retrieving the final model prediction at inference time according to majority voting.
Our experiments reveal two important insights:
- unprotected random forest already provides a good robustness against non-label flipping poisoning
- ensemble of random forests provides a good robustness against label-flipping poisoning
Furthermore, we show that empirical robustness can be achieved with an ensemble of moderate size, and just an ensemble of 3 random forests performs significantly better than a plain random forest.
Additional Details
We consider two datasets:
-
Android malware (AM): a dataset for the detection of Malware on Android devices. It consists of 14,508 data points organized in 25,802 features and divided in two classes: 7,254 data points of class malware and 7,254 data points of class non-malware. Each feature is a sequence of three consecutive system calls observed by tracing apps execution, and the value of the feature is the number of times such sequence has been called. Due to its size, we reduced the dataset considering the top-1000 most informative features according to
InfoGain
. The dataset is currently unavailable for the public. - Musk2 (M2): a dataset for the detection of musk molecules. It consists of 2,034 data points organized in 166 features and divided in two classes: 1,017 data points of class musk and 1,017 data points of class non-musk. The dataset is available here.
In the following figure, we show the difference in accuracy retrieved on a model trained on poisoned dataset with label flipping and the same clean dataset. A small difference indicates that accuracy does not significantly change. The x-axis of the figure represents the number of poisoned data points in percentage, while the y-axis represents the decrease in accuracy. The closer the lines are to 0, the better is.
As the figure shows, plain random forests are highly sensitive to label flipping, losing up to 25 points in accuracy. On the contrary, with N=3 we reduce the accuracy degradation of 10 points. Things improve further with N=21.
Overall, we think these results shed new lights on poisoning attacks and defenses.