
Adversarial Data Poisoning for Fake News Detection: How to Make a Model Misclassify a Target News without Modifying It

Federico Siciliano, Luca Maiano, Lorenzo Papa, Federica Baccini, Irene Amerini, Fabrizio Silvestri

TL;DR

The paper investigates adversarial data poisoning in online fake-news detectors, showing an attacker can cause a true article to be misclassified by poisoning training data instead of editing the target article. It formalizes an online learning framework with iterative data updates and introduces two poisoning strategies for logistic regression: Most Confidence Mislabeling and Target Label Flipping. Through synthetic-data experiments, it demonstrates that vulnerability depends on model complexity: Linear LR is more prone to Most Confidence Mislabeling, while Quadratic LR is more susceptible to Target Label Flipping. The work highlights the need for defenses against data poisoning in online fake-news systems and outlines plans to test on real-world datasets and a broader set of models.

Abstract

Fake news detection models are critical to countering disinformation but can be manipulated through adversarial attacks. In this position paper, we analyze how an attacker can compromise the performance of an online learning detector on specific news content without being able to manipulate the original target news. In some contexts, such as social networks, where the attacker cannot exert complete control over all the information, this scenario can indeed be quite plausible. Therefore, we show how an attacker could potentially introduce poisoning data into the training data to manipulate the behavior of an online learning method. Our initial findings reveal varying susceptibility of logistic regression models based on complexity and attack type.

Paper Structure (5 sections, 3 figures)

This paper contains 5 sections, 3 figures.

Figures (3)

  • Figure 1: Generic iteration at time $t$ of the iterative process of online learning with data poisoning. A: new incoming news adds up to the already existing ones ($D^{t-1}\rightarrow D^t$). B: poisoned data are generated and injected into the existing data. C: a subset of the data is collected and added to the data $d^{t-1}$ collected at time $(t-1)$; the aggregated data are denoted as $d^t$. D: the model $f^{t-1}$ is updated to $f^t$ with the addition of the newly collected data.
  • Figure 2: Percentage of samples required to flip the target sample label, depending on its $x$ value and the type of poisoning used. The Most Confidence Mislabeling attack requires fewer samples to make the Linear LR model misclassify the target news article. Conversely, the Quadratic LR model is resilient to it, but more significantly affected by the Target Label Flipping attack.
  • Figure 3: $x$ value of the original data, the poisoned data, and the target sample. The two Logistic Regression models trained on the poisoned data are also displayed. When subjected to the Target Label Flipping poisoning, both models slightly alter their predictions to misclassify the target sample. In contrast, the Power Model adapts to the Most Confidence Sampling poisoning while maintaining the correct classification of the target sample.