Fuwei Li - Machine Learning Algorithms : Adversarial Robustness in Signal Processing

The purpose of Springers Wireless Networks book series is to establish the state of the art and set the course for future research and development in wireless communication networks. The scope of this series includes not only all aspects of wireless networks (including cellular networks, WiFi, sensor networks, and vehicular networks), but related areas such as cloud computing and big data. The series serves as a central source of references for wireless networks research and development. It aims to publish thorough and cohesive overviews on specific topics in wireless networks, as well as works that are larger in scope than survey articles and that contain more detailed background information. The series also provides coverage of advanced and timely topics worthy of monographs, contributed volumes, textbooks and handbooks.

** Indexing: Wireless Networks is indexed in EBSCO databases and DPLB **

This Springer imprint is published by the registered company Springer Nature Switzerland AG

The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Machine learning has been widely used in signal processing. The success of machine learning in signal processing relies heavily on the quality of the data. However, the diverse data sources make it harder to get very high-quality data. What makes it worse is that there might be a malicious adversary who can deliberately modify the data or add poisoning data to corrupt the learning system. This imposes a significant threat to machine learning in signal processing, for example, in wireless communication, array signal processing, and image signal processing. Hence, it is necessary and urgent to investigate the behavior of machine learning algorithms in signal processing under adversarial attacks. In this book, we examine the adversarial robustness of three commonly used machine learning algorithms in signal processing: linear regression, LASSO-based feature selection, and principal component analysis (PCA). Based on our theoretical analysis, we also carry out adversarial attacks on several signal processing problems, for example, feature selection, array signal processing, principal component analysis, wireless sensor networks, etc.

In the first part, we study the adversarial robustness of linear regression. We assume there is an adversary in the linear regression system, and it tries to suppress or promote one of the regression coefficients. To obtain this goal, the adversary adds poisoning data samples or directly modifies the feature matrix of the original data. We derive the optimal poisoning data sample and propose an alternating optimization method to design the optimal feature modification. We also demonstrate the effectiveness of the attack against a wireless distributed learning system. In the second part, we extend the linear regression to LASSO-based feature selection and study the best strategy to modify the feature matrix or response values to mislead the learning system to select the wrong features. We formulate this problem as a bilevel optimization problem and use a smooth approximation of the ell1 norm function to attain the gradient of our objective function. With the gradient information, we employ the projected gradient method to find the optimal attacks. We also show how this attack influences array signal processing and weather data analysis. In the last part, we consider the adversarial robustness of the subspace learning problem. We examine the optimal modification strategy under the energy constraints to delude the PCA-based subspace learning algorithm and derive the optimal attack strategy to modify the original data to maximize the subspace distance between the original one and the one after modification. We also conduct our attack on a principal regression problem and demonstrate its impacts on the subspace and the regression result.