Data poisoning aims to compromise a machine-learning-based software component by contaminating its training set so that its prediction results for test inputs change. Existing methods for deciding data-poisoning robustness either have poor accuracy or long running times and, more importantly, can only certify some of the truly robust cases while remaining inconclusive when certification fails. In other words, they cannot falsify the truly non-robust cases. To overcome this limitation, we propose a systematic-testing-based method that can both falsify and certify data-poisoning robustness for a widely used supervised-learning technique, k-nearest neighbors (KNN). Our method is faster and more accurate than the baseline enumeration method, owing to a novel over-approximate analysis in the abstract domain, which quickly narrows down the search space, and systematic testing in the concrete domain, which finds the actual violations. We have evaluated our method on a set of supervised-learning datasets. Our results show that the method significantly outperforms state-of-the-art techniques and can decide the data-poisoning robustness of KNN prediction results for most of the test inputs.
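The two-phase idea in the abstract (a cheap over-approximate check that settles the easy cases, followed by concrete testing over a narrowed search space that produces an actual counterexample) can be illustrated on a small KNN instance. The following is an added example written for this page; it is not the paper's code or its algorithm. It assumes a poisoning model the abstract does not spell out: the attacker may delete at most `n` training samples. It also assumes Euclidean distance, majority vote with ties broken toward the smallest label, and equidistant points ordered by index. The "abstract" phase bounds each label's vote count over all such deletions using only the `k+n` nearest neighbours (an interval abstraction chosen for this example); the "concrete" phase enumerates deletions inside that same window, which is exact because deleting a point outside the `k+n` nearest can never change which `k` points remain nearest. The datasets `TRAIN_ROBUST` and `TRAIN_POISONABLE` are constructed for the example.

```python
"""Added example (not the paper's method): deciding whether a KNN prediction
can be flipped by deleting at most n training samples.

Assumptions not taken from the abstract: deletion-only poisoning model,
Euclidean distance, majority vote with ties broken toward the smallest label,
equidistant training points ordered by index.
"""
import math
from collections import Counter
from itertools import combinations


def neighbours(train, x):
    """Training indices sorted by distance to x (ties broken by index)."""
    return sorted(range(len(train)),
                  key=lambda i: (math.dist(train[i][0], x), i))


def vote(labels):
    """Majority label; on a tie the smallest label wins (deterministic)."""
    counts = Counter(labels)
    best = max(counts.values())
    return min(label for label, c in counts.items() if c == best)


def knn_predict(train, x, k, removed=frozenset()):
    """Plain k-NN prediction on the training set minus `removed` indices."""
    order = [i for i in neighbours(train, x) if i not in removed]
    return vote(train[i][1] for i in order[:k])


def interval_certify(train, x, k, n):
    """Over-approximate phase: bound every label's vote count over all
    deletions of <= n samples, looking only at the k+n nearest neighbours.
    Any attacked k-NN set is a k-subset of that window, so a label's count
    is at most min(k, occurrences in window); the predicted label's count
    is at least (occurrences in window) - n, since deleting n of its own
    points is the attacker's best move against it.
    Returns True only when robustness is certain; False means 'not proven'."""
    y = knn_predict(train, x, k)
    window = [train[i][1] for i in neighbours(train, x)[:k + n]]
    c = Counter(window)
    lower_y = max(0, c[y] - n)
    for label in c:
        if label == y:
            continue
        upper = min(k, c[label])
        # A tie only beats y when the competing label is smaller.
        if upper > lower_y or (upper == lower_y and label < y):
            return False
    return True


def enumerate_window(train, x, k, n):
    """Concrete phase: exhaustive testing restricted to the k+n nearest
    neighbours. Deleting a point outside that window can never change which
    k points remain nearest, so this search is exact for the deletion model.
    Returns None (robust) or a set of indices whose deletion flips the label."""
    y = knn_predict(train, x, k)
    window = neighbours(train, x)[:k + n]
    for r in range(1, n + 1):
        for removed in combinations(window, r):
            if knn_predict(train, x, k, frozenset(removed)) != y:
                return set(removed)
    return None


def decide(train, x, k, n):
    """Returns ('robust', None) when certified, or ('violation', witness)
    with a concrete set of training indices whose deletion flips the label."""
    if interval_certify(train, x, k, n):
        return "robust", None
    witness = enumerate_window(train, x, k, n)
    return ("robust", None) if witness is None else ("violation", witness)


# Constructed toy datasets: (feature vector, label). Test input at the origin.
X = (0.0, 0.0)
TRAIN_ROBUST = [((1, 0), 0), ((0, 1), 0), ((-1, 0), 0), ((0, -1), 0),
                ((3, 0), 1), ((0, 3), 1)]
TRAIN_POISONABLE = [((1, 0), 0), ((0, 1), 1), ((-1, 0), 0), ((0, -1), 1),
                    ((2, 0), 1), ((0, 2), 0)]

if __name__ == "__main__":
    # Four label-0 points surround X; deleting one cannot change the vote.
    print(decide(TRAIN_ROBUST, X, k=3, n=1))
    # Deleting index 0 makes the 3 nearest labels (1, 0, 1): the vote flips.
    print(decide(TRAIN_POISONABLE, X, k=3, n=1))
```

With `k=3, n=1`, the first dataset is certified by the interval check alone (the `k+n` window holds only label 0, so no competing label can reach the lower bound), while the second fails the check and the window enumeration returns the witness `{0}`: deleting that single training point flips the prediction from 0 to 1. Note that the enumeration is over subsets of a window of size `k+n`, so its cost does not grow with the size of the training set.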