SYSTEM AND METHOD FOR TRAINING A MACHINE LEARNING MODEL TO RESIST ADVERSARIAL ATTACKS
ORDINARY APPLICATION
Published
Filed on 15 November 2024
Abstract
The disclosure relates to a system and a method for training a machine learning model to resist adversarial attacks. The method comprises receiving an input dataset from a user, inducing poisoned data points into the received input dataset, and training a Support Vector Machine (SVM) model on the poisoned input dataset. The method further comprises applying a filtering process to the poisoned dataset to identify potential poisoned data points, determining whether each data point in the input dataset is a poisoned data point, applying a patching process to any identified poisoned data points, and retraining the SVM model using the filtered and patched dataset to generate an updated model.
Patent Information
Field | Value |
---|---|
Application ID | 202421088389 |
Invention Field | COMPUTER SCIENCE |
Date of Application | 15/11/2024 |
Publication Number | 49/2024 |
Inventors
Name | Address | Country | Nationality |
---|---|---|---|
Mrs. Nilambari Mate | Department of Computer Science, Savitribai Phule Pune University, Pune, Maharashtra, India. | India | India |
Dr. Jyoti Yadav | Department of Computer Science, Savitribai Phule Pune University, Pune, Maharashtra, India. | India | India |
Applicants
Name | Address | Country | Nationality |
---|---|---|---|
Mrs. Nilambari Mate | Department of Computer Science, Savitribai Phule Pune University, Pune, Maharashtra, India. | India | India |
Dr. Jyoti Yadav | Department of Computer Science, Savitribai Phule Pune University, Pune, Maharashtra, India. | India | India |
Specification
Description:
FIELD OF INVENTION
[001] The present invention relates to the field of Machine Learning (ML) Model Security and Adversarial Machine Learning. It focuses on protecting ML models against data poisoning attacks, specifically label modification attacks. In these attacks, an adversary alters the labels of training data to degrade the performance of the ML model. The invention introduces a novel defence mechanism called the Filter Patch Adversarial Restoration (FPAR) Methodology, which aims to restore the integrity of manipulated labels and enhance the robustness of ML models against such attacks. This approach is particularly relevant in scenarios where data integrity is crucial, such as malware detection systems.
BACKGROUND OF THE INVENTION
[002] Machine learning (ML) models have become essential tools in various fields, including cybersecurity, where they are frequently employed in malware detection systems to identify and classify malicious software. However, these models face a significant vulnerability known as label modification attacks, a form of data poisoning in which an adversary intentionally alters the labels in the training data. Such attacks are particularly detrimental in high-stakes applications like malware detection, where the accuracy and reliability of the model are crucial for preventing system breaches, data theft, and financial losses.
[003] Label modification attacks exploit the dependency of ML models on accurately labelled training data. By subtly altering the labels, adversaries can degrade the model's performance, causing it to misclassify malware as benign software or to incorrectly label legitimate applications as malicious. This can lead to severe security consequences, allowing malware to bypass detection systems or causing false positives that disrupt system operations. Given the increasing sophistication of cyber threats, defending against these label modification attacks has become a pressing challenge in the field of adversarial machine learning.
[004] Traditional approaches to defending against label modification attacks often involve data validation, anomaly detection, or creating robust training environments.
[005] While existing methods provide some protection against label modification attacks, they have significant limitations. Traditional approaches often struggle to detect subtle label alterations, particularly in large, high-dimensional datasets where minor shifts can easily go unnoticed. Additionally, many defences are computationally intensive, which can impede the implementation of real-time malware detection solutions. Furthermore, these methods frequently require substantial human oversight for label verification and data quality checks, rendering them impractical in scenarios with limited human resources. This combination of challenges underscores the need for a more efficient and automated solution to safeguard machine learning models against adversarial manipulation.
[006] Furthermore, some defences may involve discarding potentially poisoned data points, which can inadvertently reduce the diversity and accuracy of the training set. This data loss is problematic in cybersecurity applications, where comprehensive training data is essential for recognizing the evolving tactics of malicious actors.
[007] To address these challenges, the invention introduces a novel methodology termed FPAR (Filtering, Patching, and Restoration) that provides a targeted, efficient approach to mitigating label modification attacks. The FPAR methodology combines advanced filtering techniques with an innovative patching process designed to restore potentially manipulated labels, rather than simply removing them. This approach offers a more balanced defence, protecting model integrity while preserving valuable training data.
SUMMARY OF THE INVENTION
[008] The present invention relates to a system and a method for training a machine learning model to resist adversarial attacks. The method comprises receiving an input dataset from a user. The method further comprises inducing poisoned data points into the received input dataset. The method comprises training a Support Vector Machine (SVM) model on the received poisoned input dataset. Furthermore, the method comprises applying a filtering process to the trained SVM model to identify potential poisoned data points. Additionally, the method includes determining whether each data point in the input dataset is a poisoned data point. The method further comprises applying a patching process to any identified poisoned data points. Furthermore, the method comprises retraining the SVM model using the filtered and patched dataset to generate an updated model.
[009] Conventional methods in the literature often rely on filtering techniques that discard poisoned data points, resulting in a reduced dataset size. In contrast, FPAR introduces an innovative patching stage following the filtering process. This patching stage seeks to correct poisoned data points rather than removing them, preserving the dataset's original dimensionality and retaining potentially valuable information. FPAR's novelty lies in its comprehensive approach to countering label modification attacks: it not only detects potentially poisoned data but also seeks to restore it, thus maintaining dataset integrity and enhancing model resilience. This holistic approach represents a significant advancement in adversarial machine learning and model security, providing a more nuanced and effective defense against sophisticated attacks while preserving the model's capacity to learn from a diverse dataset.
[0010] FPAR employs an advanced detection mechanism that combines K-Means clustering with Jaccard distance metrics. This hybrid approach enables more precise identification of poisoned data points within the dataset. The Jaccard distance metric, in particular, provides a refined comparison of data points, allowing for the detection of subtle label inconsistencies that might go unnoticed by conventional methods.
[0011] By reconstructing rather than eliminating poisoned data points, FPAR preserves the dataset's original structure and information content. This ensures that critical information is retained, directly benefiting the model's learning process and contributing to the development of more resilient and generalizable models.
[0012] FPAR exhibits high robustness as a defensive technique, consistently maintaining efficiency in both accuracy and false positive rate across various attack scenarios and dataset configurations. Empirical evaluations demonstrate that FPAR significantly improves model performance, with marked gains in both accuracy and false positive rate, underscoring the method's reliability and adaptability.
OBJECTIVE OF THE INVENTION
[0013] To enhance model robustness by restoring dataset integrity.
[0014] FPAR significantly improves model performance, with marked gains in both accuracy and false positive rate, underscoring the method's reliability and adaptability.
BRIEF DESCRIPTION OF DRAWING
[0015] The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:
[0016] FIG. 1 illustrates a block diagram of a system for training a machine learning model to resist adversarial attacks, in accordance with an embodiment of the present disclosure.
[0017] FIG. 2 illustrates a flow diagram of the method for training a machine learning model to resist adversarial attacks, in accordance with an embodiment of the present disclosure.
[0018] FIG. 3 illustrates a flow diagram of the filtering process, in accordance with an embodiment of the present disclosure.
[0019] FIG. 4 illustrates a flow diagram of the patching process, in accordance with an embodiment of the present disclosure.
DETAILED DESCRIPTION OF DRAWING
[0020] As used herein, the singular forms "a", "an" and "the" include plural referents unless the context clearly dictates otherwise. In this specification, the terms "comprising" and the like should not be construed as necessarily including the various elements or steps described in the specification; the embodiments may be further comprised of additional components or steps. Also, the terms "part," "module," and the like described in the specification mean units for processing at least one function or operation, which may be implemented in hardware or software or a combination of hardware and software.
[0021] The following description, along with the accompanying drawings, sets forth certain specific details in order to provide a thorough understanding of various disclosed embodiments. However, one skilled in the relevant art will recognize that the disclosed embodiments may be practiced in various combinations, without one or more of these details. Well known structures or components that are associated with the environment of the present disclosure, including but not limited to the communication systems and networks, have not been shown or described in order to avoid unnecessarily obscuring descriptions of the embodiments. Additionally, the various embodiments may be methods, systems, media, or devices. Accordingly, the various embodiments may be entirely hardware embodiments, entirely software embodiments or embodiments combining software and hardware aspects.
[0022] The Filter Patch Adversarial Restoration (FPAR) methodology provides a robust defence against label modification attacks through an innovative two-stage approach that combines filtering and patching. Unlike conventional defences that merely discard poisoned data, FPAR detects and corrects poisoned data points, preserving the original dataset size and potentially retaining valuable information that would otherwise be lost. This method leverages adaptive K-Means clustering with Jaccard distance, allowing for a flexible and context-sensitive identification of label inconsistencies, which enhances the precision of poisoned data detection. The patching stage then intelligently restores flagged points by inferring correct labels based on cluster dynamics and feature proximity, thus maintaining data integrity without sacrificing dataset diversity. Designed to be computationally efficient, FPAR is applicable to large-scale datasets and various machine learning applications, including malware detection, where it has demonstrated improved accuracy and lower false positive rates compared to existing defences. This comprehensive and adaptable approach to both identifying and restoring poisoned data marks a substantial advancement in adversarial machine learning, strengthening model resilience against sophisticated label modification attacks while ensuring dataset quality.
[0023] Figure 1 illustrates a block diagram of a system (100) for training a machine learning model to resist adversarial attacks, according to an embodiment. The resist adversarial attacks monitoring system (100) may be referred to as the "system". The system (100) depicted in Figure 1 is designed to enhance the security and robustness of a machine learning model against adversarial attacks, specifically label modification attacks. It is a comprehensive framework aimed at strengthening the defences of machine learning models against such attacks, in which adversaries manipulate the labels of training data and can severely undermine model performance, leading to misclassifications that may compromise system security, especially in high-stakes applications like malware detection. The system (100) employs a multi-stage process that goes beyond conventional data cleaning methods by not only identifying and flagging potentially poisoned data points but also actively restoring them to a corrected state.
[0024] The user device (102) in the system (100) may allow users to upload the initial dataset, which may contain poisoned or adversarial data points, to the system (100) for processing. It may be noted that the user device may connect wirelessly to the network (104) via a computing device, mobile phone, laptop, or similar device. In an additional embodiment, a plurality of user devices (not shown) may be connected to the network (104). The plurality of user devices may be represented as a first user, a second user, and an Nth user.
[0025] In an embodiment, the user device (102) may be connected to a server (106) via the network (104). The server (106) may receive a set of instructions via the user device (102) for the initial dataset. Further, the server (106), at least based on the user instructions, may operate different modules of the system. The server (106) is a computer or software system that provides resources, data, services, or programs to other computers, known as clients, over the network (104). It may function as a central hub or facilitator within a networked environment, performing various roles to enhance communication, data processing, and resource management. The server (106) can take the form of different types, such as a web server, file server, database server, email server, or application server. Additionally, the server (106) may be part of or accessible through a local area network (LAN), a mobile communications network, a satellite communication network, the Internet, a public or private cloud, a hybrid cloud, a server farm, or any combination of these.
[0026] In an embodiment, the server (106) may include a communication module (108). The communication module (108) may be configured to communicate with the user device (102) via the network (104). The communication module (108) may be configured to receive an initial dataset from the user device (102) and to transmit the result back to the user device (102). The communication module (108) accesses the network (104) via a wireless and/or wired connection. In some embodiments, the communication module (108) may be configured to use Frequency Division Multiple Access (FDMA), Single Carrier FDMA (SC-FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), Orthogonal Frequency Division Multiplexing (OFDM), Orthogonal Frequency Division Multiple Access (OFDMA), Global System for Mobile (GSM) communications, General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), cdma2000, Wideband CDMA (WCDMA), High-Speed Downlink Packet Access (HSDPA), High-Speed Uplink Packet Access (HSUPA), High-Speed Packet Access (HSPA), Long Term Evolution (LTE), LTE Advanced (LTE-A), 802.11x, Wi-Fi, Zigbee, Ultra-WideBand (UWB), 802.16x, 802.15, Home Node-B (HnB), Bluetooth, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Near-Field Communications (NFC), fifth generation (5G), New Radio (NR), any combination thereof, and/or any other currently existing or future-implemented communications standard and/or protocol without deviating from the scope of the invention. In some embodiments, the communication module (108) may include one or more antennas that are singular, arrayed, phased, switched, beamforming, beam steering, a combination thereof, and/or any other antenna configuration without deviating from the scope of the invention.
[0027] The memory (110) may store a plurality of instructions that need to be executed by the processor (114). In an embodiment, the memory (110) may include a dataset store holding the initial dataset received from the user device. In an exemplary embodiment, this initial dataset may contain both legitimate and potentially poisoned data points, serving as the foundational input upon which the system's adversarial defence mechanisms operate. Further, the memory (110) may also retain metadata associated with each data point, such as labels, features, and any flags applied during processing. This enables the system to efficiently manage and access specific subsets of data during the filtering and patching stages. The memory (110) may be comprised of any combination of Random Access Memory (RAM), Read Only Memory (ROM), flash memory, cache, static storage such as a magnetic or optical disk, or any other types of non-transitory computer-readable media or combinations thereof. Non-transitory computer-readable media may be any available media that can be accessed by processor(s) (114) and may include volatile media, non-volatile media, or both. The media may also be removable, non-removable, or both.
[0028] In an embodiment, an I/O (Input/Output) interface (112) of the system (100) refers to the mechanism or point through which a system exchanges data with external entities, such as users, other systems, devices, or networks. The I/O interface (112) handles the input data or signals received by the system and output data or signals transmitted from the system (100) and ensures proper communication between the system's internal components and external peripherals.
[0029] The processor (114) may be coupled to the bus. The processor (114) may execute an instruction set to carry out the logic for training the machine learning model to resist adversarial attacks. The processor (114) may be any type of general or specific purpose processor, including a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Graphics Processing Unit (GPU), multiple instances thereof, and/or any combination thereof. Processor(s) (114) may also have multiple processing cores, and at least some of the cores may be configured to perform specific functions. Multiple parallel processing may be used in some embodiments. In certain embodiments, at least one of processor(s) (114) may be a neuromorphic circuit that includes processing elements that mimic biological neurons. In some embodiments, neuromorphic circuits may not require the typical components of a Von Neumann computing architecture.
[0030] In an embodiment, the input dataset module (116) may be electronically coupled to the processor (114). The processor (118) may include an instruction set designed to enable the server (106) to receive an input dataset from a user. In an embodiment, the input dataset module (116) within the resist adversarial attacks monitoring system (100) serves as a specialized data management component that is electronically coupled to the processor (114). Its primary function is to store, organize, and manage large, high-dimensional datasets, which are essential for complex machine learning model training. In an embodiment, the input dataset module (116) is electronically connected to the processor (114), allowing the processor (114) to execute instructions that manage dataset operations such as receiving, organizing, and preprocessing data. These processor instructions enable the server (106) to receive input datasets from users, perform initial validation, and prepare data for downstream processing.
[0031] In an embodiment, the data poisoning simulation module (118) may introduce poisoned or adversarial data points into a received input dataset. In an embodiment, the data poisoning simulation module (118) within the resist adversarial attacks monitoring system (100) is responsible for introducing poisoned or adversarial data points into the input dataset. This module (118) simulates real-world adversarial conditions by deliberately adding modified, mislabelled, or corrupted data points to the dataset. By doing so, the system (100) is able to evaluate and enhance the machine learning model's resilience against data poisoning and adversarial attacks.
[0032] In an embodiment, the initial model training module (120) within the resist adversarial attacks monitoring system (100) is responsible for training a preliminary version of the machine learning model using the input dataset, which includes both unaltered and potentially poisoned data points. The preliminary version may include a Support Vector Machine (SVM) model. This module (120) provides a baseline model, allowing the system to observe and analyse the effects of adversarial data on model performance before applying any filtering or patching processes.
[0033] In an embodiment, the data filtering module (122) in system (100) is designed to identify potentially poisoned data points by applying a sophisticated, multi-step filtering process to a trained SVM model. Initially, the module (122) uses Principal Component Analysis (PCA) to reduce the dimensionality of the input dataset, enhancing the accuracy and efficiency of subsequent clustering. The reduced dataset is then processed by K-Means clustering, grouping data points based on feature similarity, which helps highlight any outliers that display unusual label patterns. Jaccard distance calculations are used within each cluster to assess similarity between data points, allowing the system to detect subtle inconsistencies without relying on fixed thresholds, thereby increasing adaptability to varying data distributions. To further refine poisoned data detection, the module (122) appends a weighted class feature to each data point in the clustered dataset, improving its sensitivity to label modifications. It then calculates a standardized distance metric for each data point relative to others in the same cluster. Any data point with a standardized distance exceeding a predetermined threshold is flagged as potentially poisoned and added to a removal list. This multi-pronged, adaptive approach enables nuanced and precise identification of label inconsistencies that could compromise the model's integrity. Further, this module is described in figure 3, in accordance with an embodiment of the present disclosure.
[0034] In an embodiment, the poison detection module (124) may be configured to determine whether each data point in the input dataset is a poisoned data point. This module (124) plays a central role in identifying potentially corrupted or malicious data points that may compromise the integrity and performance of the machine learning model. The poison detection module (124) employs a multi-step process to identify adversarial modifications in the dataset effectively. First, it uses clustering algorithms, such as K-Means, to group data points based on feature similarity, allowing the system to observe patterns and outliers within each cluster. After clustering, the module calculates the Jaccard distance between data points within each cluster, providing a similarity measure that highlights data points significantly different from the others, a common sign of label modification or data poisoning. Based on these clustering and distance calculations, the module flags data points with high Jaccard distances as potential poisons, suspected to be adversarial attempts to mislead the machine learning model. In some embodiments, a confidence scoring mechanism may be applied, where each flagged point is assigned a score representing the likelihood of it being poisoned. This scoring allows for a more nuanced approach, where data points with lower confidence scores may undergo further analysis before any corrective action is applied, enhancing the module's overall precision in maintaining dataset integrity.
[0035] In an embodiment, the patching module (126) in system (100) is designed to apply a corrective process, or "patch," to data points flagged as potentially poisoned by the poison detection module (124). Instead of discarding these flagged points, the patching module (126) restores them to an inferred, more accurate state, thus preserving the dataset's original size and integrity. This process begins by identifying the nearest non-poisonous data point within the same cluster for each flagged data point. The patching module (126) uses the cluster index of this nearest non-poisonous data point to guide the selection of appropriate replacement features and labels for the poisoned point. To ensure accuracy, the patching process compares the similarity between the poisoned data point and its nearest non-poisonous counterpart using predefined similarity metrics, such as Euclidean distance or cosine similarity, to evaluate feature similarity. When a similarity threshold is met, the module replaces the features and label of the poisoned data point with those of the nearest non-poisonous data point, effectively correcting it. The modified data point is then added to a patched dataset, which will be used in the retraining phase to improve model robustness and resilience against adversarial attacks. This approach allows for data preservation while enhancing the model's reliability and security.
[0036] In an embodiment, the model retraining module (128) may be configured to retrain the SVM model using the filtered and patched dataset to generate an updated model. By leveraging this cleansed and corrected dataset, the module ensures that the updated SVM model is better protected against adversarial influences, such as label modification attacks, which can significantly undermine model performance.
[0037] In an embodiment, the evaluation module (130) may be configured to evaluate the performance of the updated model based on accuracy and false positive rate. The evaluation module (130) is designed to assess the effectiveness and reliability of the updated machine learning model following retraining on a filtered and patched dataset. The evaluation module (130) performs a comprehensive analysis of the model's performance, with a focus on key metrics such as accuracy and false positive rate. By evaluating these metrics, the evaluation module (130) ensures that the retrained model is not only robust against adversarial attacks but also performs optimally in terms of classifying legitimate data accurately.
[0038] Figure 2 illustrates a flow diagram for a method 200 in accordance with an implementation of the system as described in Fig 1. The method 200 is adapted to provide flexibility by using one or more modules such as an input dataset module 116, a data poisoning simulation module 118, an initial model training module 120, a data filtering module 122, a poison detection module 124, a patching module 126, a model retraining module 128, and an evaluation module 130.
[0039] At step 202, the method comprises the step of receiving an input dataset from a user.
[0040] At step 204, the method comprises the step of inducing poisoned data points into the received input dataset.
[0041] At step 206, the method comprises the step of training a Support Vector Machine (SVM) model on the received poisoned input dataset.
[0042] At step 208, the method comprises the step of applying a filtering process to the trained SVM model to identify potential poisoned data points.
[0043] At step 210, the method comprises the step of determining whether each data point in the input dataset is a poisoned data point.
[0044] At step 212, the method comprises the step of applying a patching process to any identified poisoned data points.
[0045] At step 214, the method comprises the step of retraining the SVM model using the filtered and patched dataset to generate an updated model.
[0046] At step 216, the method comprises the step of evaluating the performance of the updated model based on accuracy and false positive rate.
[0047] Figure 3 illustrates a flow diagram for a method 300 in accordance with an implementation of the system as described in Fig 1 and Fig 2. The filtering method 300 leverages K-Means clustering as a core technique to detect and flag data points that may have been manipulated in adversarial attacks, such as label modification attacks. In this method (300), the process begins by applying K-Means clustering to group data points within the input dataset based on feature similarity, which helps reveal patterns and potential anomalies. The clustering algorithm divides the dataset into clusters, with each data point assigned to the cluster containing the closest centroid. Once clustering is completed, the method applies an additional layer of analysis by calculating the Jaccard distance within each cluster, assessing the similarity of data points based on their feature vectors. Data points that exhibit a high Jaccard distance from their cluster peers are flagged as outliers, suggesting they may have been poisoned or contain label inconsistencies.
The method (300) further includes an optional dimensionality reduction step using Principal Component Analysis (PCA) to improve clustering accuracy and efficiency, particularly for high-dimensional datasets. This PCA process reduces the dataset to a lower-dimensional representation, enhancing the clustering performance by isolating key features and reducing noise. By employing this two-pronged approach (K-Means clustering followed by Jaccard distance analysis), the filtering method (300) can adaptively detect subtle inconsistencies in the dataset without relying on static thresholds, increasing its effectiveness in flagging potential adversarial data points for further analysis or corrective action.
[0048] Figure 4 illustrates a flow diagram for a method 400 in accordance with an implementation of the system as described in Fig 1, Fig 2 and Fig 3. The patching method 400 is implemented following the filtering process, ensuring that flagged data points suspected of poisoning are corrected rather than discarded, thereby maintaining the dataset's original size and enhancing model robustness. In method (400), once poisoned data points are identified through the filtering process, the patching module (126) attempts to restore these flagged points to an inferred accurate state. The method starts by locating the nearest non-poisonous data point within the same cluster for each flagged, or "poisoned," data point. This is achieved by identifying the closest non-poisonous neighbour based on predefined similarity metrics, such as Euclidean distance or cosine similarity, which guide the selection of replacement features and labels. After determining the nearest non-poisonous data point, the method compares the similarity between the flagged point and this neighbour to assess whether replacement is appropriate. If the similarity metric meets a predefined threshold, the patching process then proceeds to replace the poisoned data point's features and label with those of the nearest non-poisonous data point, effectively "patching" the poisoned entry. The corrected data point is subsequently added to a patched dataset, which will be used in retraining the machine learning model, ensuring that the updated model is trained on a restored dataset that has mitigated the effects of adversarial attacks. By focusing on correcting, rather than removing, poisoned points, the patching method (400) preserves valuable data within the dataset and strengthens the model's defence against adversarial attacks. This adaptive patching process enables the system to maintain both the integrity and size of the dataset, providing a more resilient foundation for robust model performance.
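The filtering method (300) and patching method (400) described above, as an added pure-Python example that is not code from the patent or its inventors. It generalises the page's Jaccard comparison to a weighted Jaccard distance so that the appended class feature carries a weight, and it assumes the label weight, z-score threshold, farthest-first K-Means seeding and Euclidean patch threshold as illustrative choices; the dataset is ten constructed binary feature vectors with two labels flipped to simulate step 204, and PCA and the SVM retraining are left out.

```python
"""Added example (not the patent's code): FPAR filter (method 300) and patch (method 400)
on a constructed binary dataset. Thresholds, weights and seeding are illustrative choices."""
import math
from statistics import mean, pstdev

# Constructed sample: 8 binary features (say, presence of 8 API calls), two classes.
# Indices 0-4 are class 0 built around bits {0,1,2,3}; 5-9 are class 1 around {4,5,6,7}.
FEATURES = [
    {0, 1, 2, 3}, {0, 1, 2, 3, 4}, {0, 1, 2, 3, 5}, {0, 1, 2, 3, 6}, {0, 1, 2, 3, 7},
    {4, 5, 6, 7}, {4, 5, 6, 7, 0}, {4, 5, 6, 7, 1}, {4, 5, 6, 7, 2}, {4, 5, 6, 7, 3},
]
CLEAN_LABELS = [0] * 5 + [1] * 5
N_FEATURES = 8


def simulate_label_flips(labels, flipped_indices):
    """Step 204: induce poisoned points by flipping the labels at the given indices."""
    poisoned = list(labels)
    for i in flipped_indices:
        poisoned[i] = 1 - poisoned[i]
    return poisoned


def to_vector(feature_set):
    return [1.0 if i in feature_set else 0.0 for i in range(N_FEATURES)]


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors, k=2, iterations=20):
    """Lloyd k-means on feature vectors with deterministic farthest-first seeding (assumed)."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(sq_dist(v, c) for c in centroids)))
    assignment = [0] * len(vectors)
    for _ in range(iterations):
        new = [min(range(k), key=lambda j: sq_dist(v, centroids[j])) for v in vectors]
        if new == assignment:
            break
        assignment = new
        for j in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return assignment


def weighted_jaccard_distance(a, b):
    """1 - weighted |a & b| / |a | b| for dicts mapping element -> weight."""
    keys = set(a) | set(b)
    inter = sum(min(a.get(x, 0.0), b.get(x, 0.0)) for x in keys)
    union = sum(max(a.get(x, 0.0), b.get(x, 0.0)) for x in keys)
    return 1.0 - inter / union if union else 0.0


def fpar_filter(features, labels, clusters, label_weight=2.0, z_threshold=1.5):
    """Filter stage: append a weighted class feature, compare each point with its cluster peers
    by weighted Jaccard distance, z-score the mean distance within the cluster, flag outliers."""
    extended = []
    for fs, y in zip(features, labels):
        e = {f: 1.0 for f in fs}
        e["label=%d" % y] = label_weight  # the weighted class feature (weight is assumed)
        extended.append(e)
    flagged = set()
    for c in set(clusters):
        members = [i for i, a in enumerate(clusters) if a == c]
        if len(members) < 3:
            continue
        mean_dist = {i: mean(weighted_jaccard_distance(extended[i], extended[j])
                             for j in members if j != i) for i in members}
        mu, sigma = mean(mean_dist.values()), pstdev(mean_dist.values())
        if sigma == 0:
            continue
        flagged.update(i for i in members if (mean_dist[i] - mu) / sigma > z_threshold)
    return flagged


def fpar_patch(features, labels, clusters, flagged, max_distance=2.0):
    """Patch stage: replace a flagged point's features and label with those of the nearest
    non-flagged point in the same cluster, when that neighbour is within max_distance."""
    vectors = [to_vector(fs) for fs in features]
    patched_features, patched_labels = list(features), list(labels)
    for i in sorted(flagged):
        peers = [j for j in range(len(features)) if j not in flagged and clusters[j] == clusters[i]]
        if not peers:
            continue
        nearest = min(peers, key=lambda j: sq_dist(vectors[i], vectors[j]))
        if math.sqrt(sq_dist(vectors[i], vectors[nearest])) <= max_distance:
            patched_features[i] = set(features[nearest])
            patched_labels[i] = labels[nearest]
    return patched_features, patched_labels


def run_fpar(features, labels):
    """Filter then patch; retraining the SVM on the result is left to an ML library."""
    clusters = kmeans([to_vector(fs) for fs in features], k=2)
    flagged = fpar_filter(features, labels, clusters)
    return flagged, fpar_patch(features, labels, clusters, flagged)


if __name__ == "__main__":
    poisoned = simulate_label_flips(CLEAN_LABELS, [1, 6])
    flagged, (_, restored) = run_fpar(FEATURES, poisoned)
    print("flagged:", sorted(flagged), "labels restored:", restored == CLEAN_LABELS)
```

With two flipped labels the filter flags exactly indices 1 and 6 and the patch restores the clean labels; on the unpoisoned dataset nothing is flagged, which is the false-positive check the evaluation module (130) is concerned with.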
[0049] While certain features of the described implementations have been illustrated as described herein, many modifications, substitutions, changes and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the scope of the implementations. It should be understood that they have been presented by way of example only, not limitation, and various changes in form and details may be made. Any portion of the apparatus and/or methods described herein may be combined in any combination, except mutually exclusive combinations. The implementations described herein can include various combinations and/or sub-combinations of the functions, components and/or features of the different implementations described.

Claims:

1. A method for training a machine learning model to resist adversarial attacks, comprising:
receiving an input dataset from a user;
inducing poisoned data points into the received input dataset;
training a Support Vector Machine (SVM) model on the poisoned input dataset;
applying a filtering process to the poisoned input dataset to identify potential poisoned data points;
determining whether each data point in the input dataset is a poisoned data point;
applying a patching process to any identified poisoned data points; and
retraining the SVM model using the filtered and patched dataset to generate an updated model.
2. The method as claimed in claim 1, further comprising evaluating the performance of the updated model based on accuracy and false positive rate.
3. The method as claimed in claim 1, wherein the filtering process further comprises:
applying Principal Component Analysis (PCA) to the input dataset to reduce dimensionality and enhance clustering accuracy;
providing the reduced-dimensionality dataset obtained from PCA to K-Means clustering to group data points based on feature similarity.
4. The method as claimed in claim 3, wherein the filtering process further comprises:
appending a weighted class as an additional feature for each data point within the clustered dataset to improve the detection of poisoned data points;
calculating a standardized distance metric between each data point and other points within the same cluster, wherein data points with a standardized distance above a predetermined threshold are flagged as potentially poisoned data points and added to a removal list.
5. The method as claimed in claim 1, wherein the patching process comprises:
identifying a nearest non-poisonous data point for each identified poisoned data point within the same cluster;
determining the cluster index of the nearest non-poisonous data point to guide the selection of replacement features and labels for the poisoned data point.
6. The method as claimed in claim 5, wherein the patching process further includes comparing the similarity between the poisoned data point and the nearest non-poisonous data point based on predefined similarity metrics.
7. The method as claimed in claim 6, wherein upon determining a similarity match, the patching process replaces the features and label of the poisoned data point with those of the nearest non-poisonous data point; and
adding the modified poisoned data point to a patched dataset to be used in retraining the machine learning model.
8. The method as claimed in claim 7, wherein the similarity metric used in the comparison step includes one or more distance measures, such as Euclidean distance or cosine similarity, to evaluate feature similarity between data points.
9. A system for training a machine learning model to resist adversarial attacks, wherein the system comprises a memory and a processor configured to execute method steps comprising:
receiving an input dataset from a user;
inducing poisoned data points into the received input dataset;
training a Support Vector Machine (SVM) model on the poisoned input dataset;
applying a filtering process to the poisoned input dataset to identify potential poisoned data points;
determining whether each data point in the input dataset is a poisoned data point;
applying a patching process to any identified poisoned data points; and
retraining the SVM model using the filtered and patched dataset to generate an updated model.
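The filtering method (300) and patching method (400) described in paragraphs [0047] and [0048], and recited again as steps in claims 3 to 8, are shown below as an added, self-contained Python illustration. This is not the applicants' code and nothing in it is taken from the specification beyond the procedure itself: the two-blob toy dataset, the label-flip poisoning, the class weight of 3.0, the z-score threshold of 2.0 and the Euclidean patching threshold of 1.0 are all constructed for the example, and the optional PCA step is skipped because the constructed features are already two-dimensional. Per-cluster distances are taken to the cluster centroid of the augmented vectors, which is one reading of "distance between each data point and other points within the same cluster".

```python
"""Added illustration (not the patent's own code) of the filter-and-patch defence
described in the specification: cluster the training set, append a weighted class
feature, flag members whose standardized within-cluster distance is abnormal, then
patch each flagged point from its nearest unflagged neighbour in the same cluster.
Pure Python. The toy dataset, class weight and both thresholds are constructed for
this example; PCA (optional in the description) is skipped as the data are 2-D."""
import math

# Constructed toy training set: class 0 around (0, 0), class 1 around (5, 5).
FEATURES = [
    (0.0, 0.0), (0.5, 0.2), (-0.3, 0.4), (0.2, -0.5),
    (-0.4, -0.2), (0.6, 0.6), (-0.6, 0.3), (0.1, 0.7),
    (5.0, 5.0), (5.4, 4.8), (4.7, 5.3), (5.2, 4.6),
    (4.6, 4.7), (5.5, 5.5), (4.5, 5.2), (5.1, 5.6),
]
CLEAN_CLASSES = [0] * 8 + [1] * 8


def euclidean(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def inject_label_flips(classes, indices):
    """The 'inducing poisoned data points' step, simulated here as label flipping."""
    poisoned = list(classes)
    for i in indices:
        poisoned[i] = 1 - poisoned[i]
    return poisoned


def kmeans(points, seeds, iters=50):
    """Minimal Lloyd's K-Means on the raw features; seeds index the initial centroids."""
    centroids = [points[i] for i in seeds]
    for _ in range(iters):
        ids = [min(range(len(centroids)), key=lambda c: euclidean(p, centroids[c]))
               for p in points]
        new = []
        for c, old in enumerate(centroids):
            members = [p for p, cid in zip(points, ids) if cid == c]
            new.append(tuple(sum(v) / len(members) for v in zip(*members)) if members else old)
        if new == centroids:
            break
        centroids = new
    return ids


def flag_poisoned(points, classes, cluster_ids, class_weight=3.0, z_threshold=2.0):
    """Append class_weight * class as an extra feature (claim 4), then flag members whose
    distance to the augmented cluster centroid lies more than z_threshold standard
    deviations above the cluster mean. A label that disagrees with its feature-space
    neighbours adds roughly class_weight to that distance, which is what stands out."""
    augmented = [p + (class_weight * y,) for p, y in zip(points, classes)]
    flagged = set()
    for c in set(cluster_ids):
        idx = [i for i, cid in enumerate(cluster_ids) if cid == c]
        centroid = tuple(sum(v) / len(idx) for v in zip(*(augmented[i] for i in idx)))
        dists = [euclidean(augmented[i], centroid) for i in idx]
        mean = sum(dists) / len(dists)
        sd = math.sqrt(sum((d - mean) ** 2 for d in dists) / len(dists))
        if sd == 0.0:
            continue  # perfectly uniform cluster: nothing stands out
        flagged.update(i for i, d in zip(idx, dists) if (d - mean) / sd > z_threshold)
    return flagged


def patch(points, classes, cluster_ids, flagged, sim_threshold=1.0):
    """For each flagged point, take the nearest unflagged point of the same cluster and,
    if it lies within sim_threshold (Euclidean), copy its features and label over the
    flagged entry, as claims 5 to 8 recite. Returns (features, classes, (index, donor))."""
    new_points, new_classes, pairs = list(points), list(classes), []
    for i in sorted(flagged):
        donors = [j for j, cid in enumerate(cluster_ids)
                  if cid == cluster_ids[i] and j not in flagged]
        if not donors:
            continue  # whole cluster is suspect: leave the point for manual review
        j = min(donors, key=lambda d: euclidean(points[i], points[d]))
        if euclidean(points[i], points[j]) <= sim_threshold:
            new_points[i], new_classes[i] = points[j], classes[j]
            pairs.append((i, j))
    return new_points, new_classes, pairs


def run_pipeline(flip_indices=(3, 11)):
    """Poison, cluster, filter, patch; returns the intermediate results for inspection."""
    poisoned = inject_label_flips(CLEAN_CLASSES, flip_indices)
    cluster_ids = kmeans(FEATURES, seeds=(0, 8))
    flagged = flag_poisoned(FEATURES, poisoned, cluster_ids)
    patched_features, patched_classes, pairs = patch(FEATURES, poisoned, cluster_ids, flagged)
    return {
        "cluster_ids": cluster_ids,
        "flagged": sorted(flagged),
        "patched_pairs": pairs,
        "patched_features": patched_features,
        "patched_classes": patched_classes,
        "labels_restored": patched_classes == CLEAN_CLASSES,
    }


if __name__ == "__main__":
    result = run_pipeline()
    print("flagged:", result["flagged"], "patched (index, donor):", result["patched_pairs"],
          "labels restored:", result["labels_restored"])
```

Three points a practitioner should take from running it. First, the weighted class feature makes the standardized distance sensitive to a label that disagrees with its feature-space neighbours, so the filter catches label-flip poisoning; a clean-label poison whose label is consistent with its cluster would pass this test unflagged. Second, because the suspect point is included in its own cluster's mean and standard deviation, the largest attainable z-score in a cluster of n points is bounded by roughly the square root of n minus one, so the threshold has to be chosen with the cluster sizes in mind (with eight points per cluster, as here, a threshold of 2.0 leaves little headroom). Third, copying the donor's features as well as its label, as claims 7 and 8 recite, turns the patched entry into a duplicate of the donor; restoring only the label is a natural variant if the feature vector itself is trusted.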
Documents
Name | Date |
---|---|
202421088389-ORIGINAL UR 6(1A) FORM 26-251124.pdf | 04/12/2024 |
Abstract.jpg | 02/12/2024 |
202421088389-FORM-26 [19-11-2024(online)].pdf | 19/11/2024 |
202421088389-COMPLETE SPECIFICATION [15-11-2024(online)].pdf | 15/11/2024 |
202421088389-DECLARATION OF INVENTORSHIP (FORM 5) [15-11-2024(online)].pdf | 15/11/2024 |
202421088389-DRAWINGS [15-11-2024(online)].pdf | 15/11/2024 |
202421088389-FORM 1 [15-11-2024(online)].pdf | 15/11/2024 |
202421088389-FORM 18A [15-11-2024(online)].pdf | 15/11/2024 |
202421088389-FORM-9 [15-11-2024(online)].pdf | 15/11/2024 |