
Research On Adversarial Attacks For Data Stream Concept Drift

Posted on: 2024-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: S X Fu
Full Text: PDF
GTID: 2568307079471464
Subject: Electronic information
Abstract/Summary:
With the rapid development of artificial intelligence fields such as machine learning and deep learning, streaming algorithmic models are gradually spreading into all aspects of our lives. More and more of these models are being deployed in critical areas with high security requirements, so the security of streaming machine learning models has received a lot of attention, and how adversarial attacks are carried out in streaming systems has become a key area of research in the industry. Traditional attacks on streaming systems have almost exclusively considered the incremental learning characteristics of streaming systems: they target only the learner and do not take into account concept drift, an important feature of streaming systems. Concept drift refers to the fact that the distribution of data in a streaming system changes over time, and the task derived from it, concept drift detection, has been a hot topic in stream learning research in recent years. When a streaming system detects concept drift, it performs some resetting and initialization, which makes the system very fragile and vulnerable to attacks. How to use the concept drift property of a streaming system to attack the system is an important research field, called adversarial concept drift. Unlike previous streaming attacks that target the learner, here the detector is considered. To achieve this kind of attack, this thesis puts forward an adversarial drift attack algorithm based on data poisoning. Its main research contents and innovations are as follows.

First, to address the difficulty current concept drift detection algorithms have with high-dimensional data, and the fact that many detectors rely on the performance of the learner and have a large detection delay, this thesis proposes a micro-clustering-based concept drift detection algorithm. The algorithm first learns a hidden representation through a neural network with triplet loss to achieve dimensionality reduction and category separation. It then maintains the hidden-representation data in a micro-clustering structure, which keeps the statistical information of the data in low memory. Finally, it compares the direction of the principal components of each category to determine whether the data has drifted, which removes the drawback that the detector is highly dependent on the learner. Experiments demonstrate that, compared to existing detection algorithms, the algorithm achieves good results on various real and simulated datasets and has a very low detection latency.

Second, because current attacks on streaming data systems only attack the learner and do not consider concept drift, an important feature of streaming data, this thesis proposes a data poisoning-based algorithm for adversarial concept drift attacks. The algorithm contains two sub-algorithms, drift generation and drift masking. The drift generation attack uses a label flipping attack in the micro-clusters when the detector has not detected drift for a period of time, and generates poisoning data in two micro-clusters that are far apart, causing the drift detector in the system to raise a false alarm; the drift masking attack looks for the closest micro-clusters in the cluster of micro-clusters, generates similar points in them, and injects them into the system when the detection algorithm detects drift, so that the system cannot detect the drift or detects it only after a delay. Validation on various datasets shows that the algorithm can reduce the window accuracy by about 30% across datasets.
Keywords/Search Tags: Stream Learning, Concept Drift, Data Poisoning, Adversarial Machine Learning