This paper advances the understanding of how the size of a machine learning model affects its vulnerability to poisoning, despite state-of-the-art defenses. Given isotropic random honest feature vectors and the geometric median (or clipped mean) as the robust gradient aggregation rule, we essentially prove that, perhaps surprisingly, linear and logistic regressions with $D \geq 169 H^2/P^2$ parameters are subject to arbitrary model manipulation by poisoners, where $H$ and $P$ are the numbers of honestly labeled and poisoned data points used for training. Our experiments go on to expose a fundamental tradeoff between augmenting model expressivity and increasing the poisoners' attack surface, both on synthetic data and on MNIST and FashionMNIST data for linear classifiers with random features. We also discuss potential implications for source-based learning and neural nets.
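The scaling in the bound above can be seen in a stylized simulation. The following is an added example, not code from the paper and not its proof: it replaces the paper's regression setting with its simplest ingredient, an isotropic cloud of $H$ honest gradient vectors in $\mathbb{R}^D$ plus $P$ identical poisoned gradients placed far along a chosen direction $e_1$, and measures how far the geometric median (computed with Weiszfeld's algorithm) and the clipped mean are dragged along $e_1$. Writing the geometric median's stationarity condition $\sum_i (z - g_i)/\|z - g_i\| + P\,(z - t)/\|z - t\| = 0$ with $\|z - g_i\| \approx \sqrt{D}$ for isotropic $g_i$ gives a displacement of roughly $P\sqrt{D}/H$, so an $O(1)$ shift of the aggregate needs $D$ on the order of $H^2/P^2$, the same scaling as the $D \geq 169 H^2/P^2$ condition (the constant 169 comes from the paper's proof and is not reproduced here). The concrete values $H = 16$, $P = 4$, the far-target distance of 1000, the clipping radius $\sqrt{D}$, and the heuristic `predicted_shift_gm` formula are assumptions of this example.

```python
"""Added example: how a robust aggregator's resistance to P identical far
outliers among H isotropic vectors in R^D scales like P*sqrt(D)/H.
Pure Python so that it runs without NumPy; constructed data, fixed seed."""
import math
import random


def norm(u):
    return math.sqrt(sum(a * a for a in u))


def geometric_median(points, iters=300, tol=1e-7):
    """Weiszfeld's algorithm: repeatedly take the mean of the points weighted
    by 1/|z - g_i|, starting from the ordinary mean. The fixed point is the
    geometric median (the convex objective sum_i |z - g_i| has a unique
    minimizer because the points are not collinear)."""
    dim, n = len(points[0]), len(points)
    z = [sum(p[k] for p in points) / n for k in range(dim)]
    for _ in range(iters):
        weights = []
        for p in points:
            dist = math.sqrt(sum((z[k] - p[k]) ** 2 for k in range(dim)))
            weights.append(1.0 / max(dist, 1e-12))  # guard against landing on a point
        total = sum(weights)
        new_z = [sum(w * p[k] for w, p in zip(weights, points)) / total
                 for k in range(dim)]
        step = math.sqrt(sum((new_z[k] - z[k]) ** 2 for k in range(dim)))
        z = new_z
        if step < tol:
            break
    return z


def clipped_mean(points, clip_norm):
    """Scale every vector down to norm <= clip_norm, then average."""
    dim = len(points[0])
    acc = [0.0] * dim
    for p in points:
        scale = min(1.0, clip_norm / max(norm(p), 1e-12))
        for k in range(dim):
            acc[k] += scale * p[k]
    return [a / len(points) for a in acc]


def poisoning_shift(D, H, P, method, seed=0, target_dist=1000.0):
    """Component along e_1 of the aggregate of H honest isotropic N(0, I_D)
    gradients and P identical poisoned gradients at target_dist * e_1.
    method is "gm" (geometric median) or "clipped" (clipped mean with
    clipping radius sqrt(D), the smallest radius that barely touches honest
    gradients, whose norms concentrate around sqrt(D)). Assumed setup."""
    rng = random.Random(seed)
    honest = [[rng.gauss(0.0, 1.0) for _ in range(D)] for _ in range(H)]
    target = [target_dist] + [0.0] * (D - 1)
    points = honest + [list(target) for _ in range(P)]
    if method == "gm":
        agg = geometric_median(points)
    elif method == "clipped":
        agg = clipped_mean(points, math.sqrt(D))
    else:
        raise ValueError(method)
    return agg[0]


def predicted_shift_gm(D, H, P):
    """Heuristic fixed point of the stationarity condition (assumption of this
    example): z_1 = (P/H) * sqrt(D + |z|^2) with |z|^2 ~ z_1^2 + D/H, solved
    for z_1. Reduces to P*sqrt(D)/H when P << H."""
    return (P / H) * math.sqrt(D * (1 + 1 / H) / (1 - (P / H) ** 2))


if __name__ == "__main__":
    H, P = 16, 4  # H^2/P^2 = 16
    for D in (16, 256, 1024):
        print(f"D={D:5d}  gm shift={poisoning_shift(D, H, P, 'gm'):6.2f}"
              f"  predicted={predicted_shift_gm(D, H, P):6.2f}"
              f"  clipped-mean shift={poisoning_shift(D, H, P, 'clipped'):6.2f}")
```

With $H = 16$ and $P = 4$ the shift along the target direction grows from about 1 at $D = 16$ to about 8 at $D = 1024$ for the geometric median, and similarly for the clipped mean, whose shift is $P\sqrt{D}/(H+P)$ because each poisoned vector survives clipping at full radius $\sqrt{D}$ while the honest vectors average out. Neither aggregator is broken by the outlier count alone; it is the dimension $D$ that turns a fixed fraction of poisoners into an unbounded displacement.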