Paper
Exact Certification of Data-Poisoning Attacks Using Mixed-Integer Programming
Authors
Philip Sosnin, Jodie Knapp, Fraser Kennedy, Josh Collyer, Calvin Tsay
Abstract
This work introduces a verification framework that provides both sound and complete guarantees for data poisoning attacks during neural network training. We formulate adversarial data manipulation, model training, and test-time evaluation in a single mixed-integer quadratic programming (MIQCP) problem. Finding the global optimum of the proposed formulation provably yields worst-case poisoning attacks, while simultaneously bounding the effectiveness of all possible attacks on the given training pipeline. Our framework encodes both the gradient-based training dynamics and model evaluation at test time, enabling the first exact certification of training-time robustness. Experimental evaluation on small models confirms that our approach delivers a complete characterization of robustness against data poisoning.
Metadata
Related papers
Fractal universe and quantum gravity made simple
Fabio Briscese, Gianluca Calcagni • 2026-03-25
POLY-SIM: Polyglot Speaker Identification with Missing Modality Grand Challenge 2026 Evaluation Plan
Marta Moscati, Muhammad Saad Saeed, Marina Zanoni, Mubashir Noman, Rohan Kuma... • 2026-03-25
LensWalk: Agentic Video Understanding by Planning How You See in Videos
Keliang Li, Yansong Li, Hongze Shen, Mengdi Liu, Hong Chang, Shiguang Shan • 2026-03-25
Orientation Reconstruction of Proteins using Coulomb Explosions
Tomas André, Alfredo Bellisario, Nicusor Timneanu, Carl Caleman • 2026-03-25
The role of spatial context and multitask learning in the detection of organic and conventional farming systems based on Sentinel-2 time series
Jan Hemmerling, Marcel Schwieder, Philippe Rufin, Leon-Friedrich Thomas, Mire... • 2026-03-25
Raw Data (Debug)
{
"raw_xml": "<entry>\n <id>http://arxiv.org/abs/2602.16944v1</id>\n <title>Exact Certification of Data-Poisoning Attacks Using Mixed-Integer Programming</title>\n <updated>2026-02-18T23:18:45Z</updated>\n <link href='https://arxiv.org/abs/2602.16944v1' rel='alternate' type='text/html'/>\n <link href='https://arxiv.org/pdf/2602.16944v1' rel='related' title='pdf' type='application/pdf'/>\n <summary>This work introduces a verification framework that provides both sound and complete guarantees for data poisoning attacks during neural network training. We formulate adversarial data manipulation, model training, and test-time evaluation in a single mixed-integer quadratic programming (MIQCP) problem. Finding the global optimum of the proposed formulation provably yields worst-case poisoning attacks, while simultaneously bounding the effectiveness of all possible attacks on the given training pipeline. Our framework encodes both the gradient-based training dynamics and model evaluation at test time, enabling the first exact certification of training-time robustness. Experimental evaluation on small models confirms that our approach delivers a complete characterization of robustness against data poisoning.</summary>\n <category scheme='http://arxiv.org/schemas/atom' term='cs.LG'/>\n <published>2026-02-18T23:18:45Z</published>\n <arxiv:comment>Accepted to the 23rd International Conference on the Integration of Constraint Programming, Artificial Intelligence, and Operations Research (CPAIOR)</arxiv:comment>\n <arxiv:primary_category term='cs.LG'/>\n <author>\n <name>Philip Sosnin</name>\n </author>\n <author>\n <name>Jodie Knapp</name>\n </author>\n <author>\n <name>Fraser Kennedy</name>\n </author>\n <author>\n <name>Josh Collyer</name>\n </author>\n <author>\n <name>Calvin Tsay</name>\n </author>\n </entry>"
}