
Algorithmic Complexity Attacks on Dynamic Learned Indexes

Rui Yang, Evgenios M. Kornaropoulos, Yue Cheng

TL;DR

Dynamic Learned Indexes like ALEX can adapt to workloads but introduce new worst-case vulnerabilities. This work systematically analyzes algorithmic complexity attacks targeting ALEX, proposing three ACAs that respectively inflate memory (data-node and internal-node space) and degrade throughput (time) by forcing costly expansions and retraining. Experiments show space ACAs causing memory growth up to about 31% and internal-node OOM with only hundreds of adversarial insertions, while time ACAs trigger up to $1{,}641\times$ throughput degradation under modest budgets. The findings highlight the need for worst-case guarantees and robust defense mechanisms in dynamic learned-index designs to prevent adversarial manipulation in practical deployments.

Abstract

Learned Index Structures (LIS) view a sorted index as a model that learns the data distribution, takes a data element key as input, and outputs the predicted position of the key. The original LIS can only handle lookup operations with no support for updates, rendering it impractical to use for typical workloads. To address this limitation, recent studies have focused on designing efficient dynamic learned indexes. ALEX, the pioneering dynamic learned index structure, enables dynamism by incorporating a series of design choices, including adaptive key space partitioning, dynamic model retraining, and sophisticated engineering and policies that prioritize read/write performance. While these design choices offer improved average-case performance, the emphasis on flexibility and performance increases the attack surface by allowing adversarial behaviors that maximize ALEX's memory space and time complexity in worst-case scenarios. In this work, we present the first systematic investigation of algorithmic complexity attacks (ACAs) targeting the worst-case scenarios of ALEX. We introduce new ACAs that fall into two categories, space ACAs and time ACAs, which target the memory space and time complexity, respectively. First, our space ACA on data nodes exploits ALEX's gapped array layout and uses Multiple-Choice Knapsack (MCK) to generate an optimal adversarial insertion plan for maximizing the memory consumption at the data node level. Second, our space ACA on internal nodes exploits ALEX's catastrophic cost mitigation mechanism, causing an out-of-memory error with only a few hundred adversarial insertions. Third, our time ACA generates pathological insertions to increase the disparity between the actual key distribution and the linear models of data nodes, deteriorating the runtime performance by up to $1{,}641\times$ compared to ALEX operating under legitimate workloads.
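The disparity between key distribution and linear model that the abstract names as the basis of the time ACA can be measured per node, which makes it usable as a monitoring signal. The sketch below is an added example, not code from the paper or from ALEX: it models a data node as a sorted key list with a least-squares linear model, and the function names, the sample keys and the `ERROR_BUDGET` threshold are all assumptions.

```python
# Added example: toy model of one data node, not ALEX's implementation.

def fit_linear(keys):
    """Least-squares fit of position ~ a*key + b over a sorted key list."""
    n = len(keys)
    mean_k = sum(keys) / n
    mean_p = (n - 1) / 2
    cov = sum((k - mean_k) * (i - mean_p) for i, k in enumerate(keys))
    var = sum((k - mean_k) ** 2 for k in keys)
    a = cov / var if var else 0.0  # node holding only duplicates: flat model
    return a, mean_p - a * mean_k


def model_error(keys):
    """Mean distance, in slots, between predicted and true position after a refit."""
    if not keys:
        return 0.0
    keys = sorted(keys)
    a, b = fit_linear(keys)
    return sum(abs(a * k + b - i) for i, k in enumerate(keys)) / len(keys)


ERROR_BUDGET = 16.0  # assumed alert threshold in slots; tune per deployment


def drifted_nodes(nodes, budget=ERROR_BUDGET):
    """Names of nodes whose best linear fit still misses by more than the budget."""
    return sorted(name for name, keys in nodes.items()
                  if model_error(keys) > budget)


# Constructed sample data: 1000 evenly spaced keys, then 200 extra inserts
# that are either spread over the key range or packed into one narrow range.
BASE = [i * 1000 for i in range(1000)]
SPREAD = [500 + 5000 * j for j in range(200)]
CLUSTER = [500001 + j for j in range(200)]
NODES = {
    "node_base": BASE,
    "node_spread": BASE + SPREAD,
    "node_cluster": BASE + CLUSTER,
}

if __name__ == "__main__":
    for name, keys in NODES.items():
        print(name, round(model_error(keys), 2))
    print("flagged:", drifted_nodes(NODES))
```

The same number of inserts leaves the spread node well within the budget and pushes the clustered node far past it, so the metric separates ordinary growth from a distribution a single linear model can no longer follow.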

Paper Structure (22 sections, 2 equations, 9 figures, 2 tables)

This paper contains 22 sections, 2 equations, 9 figures, 2 tables.

Figures (9)

  • Figure 1: An illustration of ALEX.
  • Figure 2: Memory increases of space ACA on data nodes. This figure shows the normalized (with respect to the baseline) memory increase for white-box and gray-box attacks using four datasets and varying ALEX sizes of 50 million, 100 million, and 150 million. The X-axis is the percentage of attacker's budget with respect to the total keys ranging from 1% to 30%; the Y-axis is the normalized memory increase from our attacks. whitebox_E denotes a white-box attack that allows at most $E$ expansion(s) or split(s) for any data node for the MCK optimization; graybox_E_b denotes a gray-box attack that allows at most $E$ expansion(s) or split(s) for any data node during the MCK optimization, where $b$ is the "bandwidth" parameter for KDE. Each data point is the mean of five runs. The error bars are depicted in red.
  • Figure 3: A Space ACA insertion of duplicate key 13 that causes recursive splits and ultimately results in an OOM error. (a) The right data node (in light red) has accumulated 200 duplicate keys 13, exceeding the cost threshold; (b) Inserting one more key 13 triggers a sideways split; (c-d) Attempting to lower the cost, ALEX recursively (cascadingly) sideways splits; the size of the internal node's pointer array keeps growing exponentially until reaching the maximum internal node size or ultimately causing an OOM; for the former case, ALEX performs a downwards split to create a new internal node at a lower level and then continues sideways splits; this cascading process continues until OOM.
  • Figure 4: Memory usage as a function of the number of adversarial insertions for the longitudes dataset.
  • Figure 5: The throughput for different attack settings and percentages of adversarial insertions for vanilla ALEX and modified ALEX. We varied the percentage of adversarial insertions with respect to (w.r.t.) the total number of inserts from $5\%$ to $20\%$. The top $X$-axis shows the ratios of adversarial insertions to the total number of insertion requests in the workload. The bottom $X$-axis shows the normalized ratios of adversarial insertions to the total number of requests in the workloads: e.g., a ratio of $2.5\%$ for a write-heavy workload w.r.t. the bottom $X$-axis means, out of the $10M$ requests, $2.5\%$ of them are adversarial insertions generated by the attacker; by referring to the top $X$-axis, $2.5\%$ of total requests means $5\%$ of total inserts as our write-heavy workload has a $50\%:50\%$ read:write ratio. Vanilla-ALEX is our baseline performance without any adversarial manipulation. To measure the performance of our attacks, we applied them to both vanilla/original ALEX and modified ALEX. Vanilla-white-box200 denotes a white-box attack applied to the vanilla ALEX. White-box200 means a white-box attack mounted against the modified ALEX. The values after the attack setting denote the batch sizes; e.g., White-box200 means the white-box attack with a batch size of 200. Each data point is the average of five runs with error bars showing the min-max variance.
  • ...and 4 more figures