The Security of Latent Dirichlet Allocation

Latent Dirichlet allocation (LDA) is an increasingly popular tool for data analysis in many domains. If LDA output affects decision making (especially when money is involved), there is an incentive for attackers to compromise it. We ask the question: how can an attacker minimally poison the corpus so that LDA produces topics that the attacker wants the LDA user to see? Answering this question is important for characterizing such attacks and for developing defenses in the future. We give a novel bilevel optimization formulation to identify the optimal poisoning attack. We present an efficient solution (up to local optima) using a descent method and implicit functions. We demonstrate poisoning attacks on LDA with extensive experiments, and discuss possible defenses.
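The paper's exact objective is not reproduced in this abstract, so the following is a sketch of the kind of bilevel formulation it describes, under assumed notation: D is the clean corpus, δ the attacker's poisoning documents, φ̂ the topics LDA infers, φ* the topics the attacker wants the user to see, and cost(δ) a penalty keeping the poisoning minimal. The attacker sits at the upper level; LDA inference is the lower level:

```latex
\begin{aligned}
\min_{\delta}\quad & \bigl\lVert \hat{\phi}(\mathcal{D}\cup\delta) - \phi^{*} \bigr\rVert^{2}
                     + \lambda\,\mathrm{cost}(\delta) \\
\text{s.t.}\quad   & \hat{\phi}(\mathcal{D}\cup\delta) \in
                     \operatorname*{arg\,max}_{\phi}\; p\bigl(\phi \mid \mathcal{D}\cup\delta\bigr)
\end{aligned}
```

Descending on the upper level requires the Jacobian of the learner's solution with respect to the poison, which is where the implicit functions come in: when the lower-level optimum satisfies a stationarity condition, the implicit function theorem supplies that Jacobian. The toy below shows the mechanism on a strictly convex quadratic learner; it is a minimal stand-in, not the paper's LDA attack, and the objective, the matrices A and B, and the target t are all illustrative assumptions.

```python
import numpy as np

# Toy bilevel descent via the implicit function theorem (IFT).
# Learner (lower level): theta*(d) = argmin_theta 0.5 theta'A theta - (b + B d)'theta,
# whose stationarity condition A theta = b + B d gives d theta*/d d = A^{-1} B by the IFT.
# Attacker (upper level): choose poison d to pull theta*(d) toward a target t,
#   min_d 0.5 ||theta*(d) - t||^2, with gradient B' A^{-1} (theta*(d) - t).

rng = np.random.default_rng(0)
n, m = 5, 3                       # learner-parameter and poison dimensions
A = 2.0 * np.eye(n)               # positive definite => unique lower-level argmin
b = rng.normal(size=n)
B = rng.normal(size=(n, m))       # how the poison enters the learner's objective
t = rng.normal(size=n)            # attacker's target parameters

def learner(d):
    """Lower level: closed-form argmin of the quadratic, A theta = b + B d."""
    return np.linalg.solve(A, b + B @ d)

d = np.zeros(m)
for _ in range(200):
    theta = learner(d)
    grad = B.T @ np.linalg.solve(A, theta - t)  # IFT gradient of the attacker loss
    d -= 0.1 * grad                             # descent step on the upper level

print("attacker loss:", 0.5 * np.sum((learner(d) - t) ** 2))
```

In the actual LDA setting the lower-level problem is nonconvex, so this descent is only guaranteed to reach local optima, matching the abstract's "up to local optima" caveat.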
