Stealthy Poisoning Attacks Bypass Defenses in Regression Settings
Javier Carnerero-Cano, Luis Muñoz-González, Phillippa Spencer, Emil C. Lupu
TL;DR
This paper addresses the vulnerability of regression models to data poisoning by introducing a stealthy, multiobjective bilevel attack that trades off attack effectiveness with detectability under soft constraints. It shows that state-of-the-art defenses often fail to mitigate such stealthy attacks, especially when the attacker poisons a larger fraction of the data. To counter this, the authors propose BayesClean, a defense based on Bayesian linear regression that uses predictive variance to reject suspicious points without requiring prior knowledge of the poisoning ratio or a trusted set. Empirical results on LR and DNNs across real-world datasets demonstrate the limitations of existing defenses and the robustness of BayesClean, particularly under high poisoning regimes. The work highlights the critical role of model uncertainty in defending regression systems and outlines a path toward uncertainty-aware defenses against poisoning threats.
Abstract
Regression models are widely used in industrial processes, engineering and in natural and physical sciences, yet their robustness to poisoning has received less attention. When it has, studies often assume unrealistic threat models and are thus less useful in practice. In this paper, we propose a novel optimal stealthy attack formulation that considers different degrees of detectability and show that it bypasses state-of-the-art defenses. We further propose a new methodology based on normalization of objectives to evaluate different trade-offs between effectiveness and detectability. Finally, we develop a novel defense (BayesClean) against stealthy attacks. BayesClean improves on previous defenses when attacks are stealthy and the number of poisoning points is significant.
