Electrical and Electronic Engineering - Theses

    Novel Defenses Against Data Poisoning in Adversarial Machine Learning
    Weerasinghe, Prameesha Sandamal Liyanage (2019)
    Machine learning models are increasingly used for automated decision making in domains such as security, finance, and communications. Machine learning algorithms are built on the assumption that the training data and the test data share the same underlying distribution. This assumption fails when (i) the data naturally evolve, so that the test distribution drifts away from the training distribution, or (ii) a malicious adversary distorts the training data (a poisoning attack); the latter is the focus of this thesis. Although machine learning algorithms are widely deployed, a growing body of literature shows that their prediction performance degrades significantly when the training data have been maliciously poisoned. The degradation stems mainly from the fact that most learning algorithms are designed to withstand stochastic noise in the data, not malicious distortions. Through such distortions, an adversary aims to force the learner to fit a model that differs from the one it would have learned from pristine training data; once the model is compromised, every system that relies on it for automated decision making is compromised as well.

    This thesis presents novel defences that avert the effects of poisoning attacks on machine learning algorithms. We investigate the impact of sophisticated poisoning attacks on Support Vector Machines (SVMs), one-class Support Vector Machines (OCSVMs) and regression models, and introduce new defences that can be incorporated into these models to achieve more secure decision making. Two novel approaches to learning under adversarial conditions are presented. The first is based on data projections, which compress the data; we examine the effect of the projections on adversarial perturbations, and by projecting the training data onto lower-dimensional spaces in selected directions we aim to minimize the impact of adversarial feature perturbations on the trained model. The second uses Local Intrinsic Dimensionality (LID), a metric that characterizes the dimension of the local subspace in which data samples lie, to distinguish samples that may have been perturbed (by feature perturbation or label flips). This knowledge is then incorporated into existing learning algorithms as sample weights that reduce the influence of poisoned samples.

    In summary, this thesis makes a major contribution to research on adversarial machine learning by (i) investigating the effects of sophisticated attacks on existing machine learning models and (ii) developing novel defences that increase the attack resistance of those models. All presented work is supported by theoretical analysis and empirical results, and is based on publications.
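    The LID-based sample weighting described in the abstract, as an added example that is not code from the thesis or its author: it estimates the LID of every training sample with the maximum-likelihood estimator over its k nearest neighbours, turns the estimates into per-sample weights, and fits a weighted linear SVM. The two-blob dataset, the attacker's placement of six feature-perturbed samples in sparse regions, the neighbourhood size k = 20, the median-based weight rule in `lid_weights` and the subgradient SVM solver in `train_weighted_svm` are all assumptions made for this illustration, not the thesis's own choices. It demonstrates the feature-perturbation case: samples displaced far from the data manifold have neighbours at nearly equal distances, which drives the LID estimate up.

```python
# Added illustration (not the thesis's code): LID-based sample weighting for a
# linear SVM trained on partly poisoned data. Dataset, attack, weight rule and
# solver are assumptions made for this example.
import math
import random

K_NEIGHBOURS = 20  # neighbourhood size for the LID estimator (assumption)

def euclid(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

def lid_mle(dists, k=K_NEIGHBOURS):
    """Maximum-likelihood LID estimate from one sample's neighbour distances:
    LID = -( (1/k) * sum_{i<=k} log(r_i / r_k) )^-1, with r_1 <= ... <= r_k the
    distances to the k nearest neighbours (self excluded). A point whose
    neighbours all lie at nearly the same distance, as an isolated point far
    from the data does, gets a very large estimate."""
    r = sorted(dists)[:k]
    k = len(r)
    log_sum = sum(math.log(max(d, 1e-12) / r[-1]) for d in r)
    return float("inf") if log_sum == 0.0 else -k / log_sum

def lid_scores(X, k=K_NEIGHBOURS):
    """Label-agnostic LID of every training sample w.r.t. the rest of the set."""
    return [lid_mle([euclid(x, z) for j, z in enumerate(X) if j != i], k)
            for i, x in enumerate(X)]

def lid_weights(lids, slack=2.0):
    """Assumed LID-to-weight rule: full weight while a sample's LID is within
    `slack` times the median LID of the set, decaying as 1/x beyond that."""
    median = sorted(lids)[len(lids) // 2]
    return [1.0 / (1.0 + max(0.0, lid / median - slack)) for lid in lids]

def train_weighted_svm(X, y, w, lam=1e-3, lr=0.05, epochs=400):
    """Primal linear SVM with per-sample hinge weights, by subgradient descent on
    lam/2*|theta|^2 + (1/sum(w)) * sum_i w_i * max(0, 1 - y_i*(theta.x_i + b))."""
    d, total = len(X[0]), sum(w)
    theta, b = [0.0] * d, 0.0
    for _ in range(epochs):
        g, gb = [lam * t for t in theta], 0.0
        for x, yi, wi in zip(X, y, w):
            if yi * (sum(t * xi for t, xi in zip(theta, x)) + b) < 1.0:  # in margin
                for j in range(d):
                    g[j] -= wi * yi * x[j] / total
                gb -= wi * yi / total
        theta = [t - lr * gj for t, gj in zip(theta, g)]
        b -= lr * gb
    return theta, b

def accuracy(theta, b, X, y):
    preds = [1 if sum(t * xi for t, xi in zip(theta, x)) + b >= 0 else -1 for x in X]
    return sum(p == t for p, t in zip(preds, y)) / len(y)

def cosine(u, v):
    dot = sum(a * c for a, c in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(c * c for c in v)))

def make_dataset(seed=7, n_per_class=60):
    """Constructed data: two Gaussian blobs (clean rule: sign(x1 + x2)) plus six
    feature-perturbed samples the attacker moved onto a ring of radius 12 and
    labelled with the rotated rule sign(x1 - x2)."""
    rng = random.Random(seed)
    X, y, poisoned = [], [], []
    for label, (cx, cy) in ((-1, (-3.0, -3.0)), (1, (3.0, 3.0))):
        for _ in range(n_per_class):
            X.append([rng.gauss(cx, 0.6), rng.gauss(cy, 0.6)])
            y.append(label)
            poisoned.append(False)
    for deg in range(15, 360, 60):
        a = math.radians(deg)
        p = [12.0 * math.cos(a), 12.0 * math.sin(a)]
        X.append(p)
        y.append(1 if p[0] > p[1] else -1)
        poisoned.append(True)
    return X, y, poisoned

def run_demo(seed=7):
    """Train a reference SVM on the clean part only, then an unweighted and an
    LID-weighted SVM on the poisoned set, and compare both to the reference."""
    X, y, poisoned = make_dataset(seed)
    lids = lid_scores(X)
    weights = lid_weights(lids)
    Xc = [x for x, p in zip(X, poisoned) if not p]
    yc = [t for t, p in zip(y, poisoned) if not p]
    theta_ref, _ = train_weighted_svm(Xc, yc, [1.0] * len(Xc))
    theta_plain, b_plain = train_weighted_svm(X, y, [1.0] * len(X))
    theta_lid, b_lid = train_weighted_svm(X, y, weights)
    return {
        "lids": lids, "weights": weights, "poisoned": poisoned,
        "cos_plain": cosine(theta_plain, theta_ref),
        "cos_lid": cosine(theta_lid, theta_ref),
        "acc_plain": accuracy(theta_plain, b_plain, Xc, yc),
        "acc_lid": accuracy(theta_lid, b_lid, Xc, yc),
    }

if __name__ == "__main__":
    r = run_demo()
    for i, p in enumerate(r["poisoned"]):
        if p:
            print(f"poisoned sample {i}: LID={r['lids'][i]:.1f}, weight={r['weights'][i]:.2f}")
    print(f"cosine to clean-only model: unweighted={r['cos_plain']:.4f}, "
          f"LID-weighted={r['cos_lid']:.4f}")
```

    Two caveats a practitioner should keep in mind. First, the estimator is only as good as its neighbourhood: k must be larger than the number of poisoned samples that could cluster together, otherwise poisoned points become each other's nearest neighbours and their LID drops back into the clean range. Second, this label-agnostic form cannot see a pure label flip, since the flipped sample's features are untouched; the abstract says the thesis also handles label flips with LID, which requires a label-aware variant that the abstract does not spell out and this example does not attempt.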