Systematic Poisoning Attacks on and Defenses for Machine Learning in Healthcare

被引:194
作者
Mozaffari-Kermani, Mehran [1 ]
Sur-Kolay, Susmita [2 ]
Raghunathan, Anand [3 ]
Jha, Niraj K. [4 ]
机构
[1] Rochester Inst Technol, Dept Elect & Microelect Engn, Rochester, NY 14623 USA
[2] Indian Stat Inst, Adv Comp & Microelect Unit, Kolkata 700108, India
[3] Purdue Univ, Sch Elect & Comp Engn, W Lafayette, IN 47907 USA
[4] Princeton Univ, Dept Elect Engn, Princeton, NJ 08544 USA
基金
美国国家科学基金会;
关键词
Healthcare; machine learning; poisoning attacks; security; CLASSIFICATION; SECURITY; RULES;
D O I
10.1109/JBHI.2014.2344095
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
Machine learning is being used in a wide range of application domains to discover patterns in large datasets. Increasingly, the results of machine learning drive critical decisions in applications related to healthcare and biomedicine. Such health-related applications are often sensitive, and thus, any security breach would be catastrophic. Naturally, the integrity of the results computed by machine learning is of great importance. Recent research has shown that some machine-learning algorithms can be compromised by augmenting their training datasets with malicious data, leading to a new class of attacks called poisoning attacks. Hindrance of a diagnosis may have life-threatening consequences and could cause distrust. On the other hand, not only may a false diagnosis prompt users to distrust the machine-learning algorithm and even abandon the entire system but also such a false positive classification may cause patient distress. In this paper, we present a systematic, algorithm-independent approach for mounting poisoning attacks across a wide range of machine-learning algorithms and healthcare datasets. The proposed attack procedure generates input data, which, when added to the training set, can either cause the results of machine learning to have targeted errors (e.g., increase the likelihood of classification into a specific class), or simply introduce arbitrary errors ( incorrect classification). These attacks may be applied to both fixed and evolving datasets. They can be applied even when only statistics of the training dataset are available or, in some cases, even without access to the training dataset, although at a lower efficacy. We establish the effectiveness of the proposed attacks using a suite of six machine-learning algorithms and five healthcare datasets. Finally, we present countermeasures against the proposed generic attacks that are based on tracking and detecting deviations in various accuracy metrics, and benchmark their effectiveness.
引用
收藏
页码:1893 / 1905
页数:13
相关论文
共 45 条
[1]  
Agrawal R, 2000, SIGMOD REC, V29, P439, DOI 10.1145/335191.335438
[2]   INSTANCE-BASED LEARNING ALGORITHMS [J].
AHA, DW ;
KIBLER, D ;
ALBERT, MK .
MACHINE LEARNING, 1991, 6 (01) :37-66
[3]  
[Anonymous], 2006, P 23 INT C MACHINE, DOI DOI 10.1145/1143844.1143889
[4]  
[Anonymous], 2014, ACUTE INFLAMMATIONS
[5]  
[Anonymous], 2014, MOL BIOL PROMOTER GE
[6]  
[Anonymous], 2014, WEKA 3 DATA MINING S
[7]  
[Anonymous], 2014, ECHOCARDIOGRAM DATA
[8]  
[Anonymous], 2014, HYPOTHYROID DATA SET
[9]   Secure Clustering and Symmetric Key Establishment in Heterogeneous Wireless Sensor Networks [J].
Azarderskhsh, Reza ;
Reyhani-Masoleh, Arash .
EURASIP JOURNAL ON WIRELESS COMMUNICATIONS AND NETWORKING, 2011,
[10]   The security of machine learning [J].
Barreno, Marco ;
Nelson, Blaine ;
Joseph, Anthony D. ;
Tygar, J. D. .
MACHINE LEARNING, 2010, 81 (02) :121-148