Bayesian networks are a powerful class of graphical decision models used to represent causal relationships among variables. However, the reliability and integrity of learned Bayesian network models are highly dependent on the quality of incoming data streams. One of the primary challenges with Bayesian networks is their vulnerability to adversarial data poisoning attacks, wherein malicious data is injected into the training dataset to negatively influence the Bayesian network models and impair their performance. In this research paper, we propose an efficient framework for detecting data poisoning attacks against Bayesian network structure learning algorithms. Our framework utilizes latent variables to quantify the amount of belief between every two nodes in each causal model over time. We use our innovative methodology to tackle an important issue with data poisoning assaults in the context of Bayesian networks. With regard to four different forms of data poisoning attacks, we specifically aim to strengthen the security and dependability of Bayesian network structure learning techniques, such as the PC algorithm. By doing this, we explore the complexity of this area and offer workable methods for identifying and reducing these sneaky dangers. Additionally, our research investigates one particular use case, the “Visit to Asia Network.” The practical consequences of using uncertainty as a way to spot cases of data poisoning are explored in this inquiry, which is of utmost relevance. Our results demonstrate the promising efficacy of latent variables in detecting and mitigating the threat of data poisoning attacks. Additionally, our proposed latent-based framework proves to be sensitive in detecting malicious data poisoning attacks in the context of stream data.

Machine learning has gained widespread use across various fields, such as medicine, industry, economics, and technology. However, the rise in machine learning’s popularity has also led to heightened security concerns, particularly in relation to data poisoning attacks [

Bayesian networks, which are probabilistic graphical models that explicitly explain the causal links between variables, have become increasingly popular in the field of artificial intelligence [

Detecting data poisoning attacks on Bayesian networks is a critical problem, as such attacks can result in inaccurate and unreliable models that can significantly impact decision-making processes. However, existing detection frameworks for these attacks often have a limited ability to detect various classes of attacks, leading to significant research gaps in this field. For instance, a semidefinite relaxation-based detection method proposed by Raghunathan et al. [

A crucial factor that supports the efficiency of Bayesian networks across a wide range of real-world applications is the intricate relationship between the reliability and integrity of learned Bayesian network models and the quality of incoming data streams [

The research community has been working hard to develop methodologies and techniques to strengthen the resilience of Bayesian networks against problems with data quality and hostile threats in light of these dependencies [

In this paper, we propose a new framework that uses latent variables to detect data poisoning attacks on Bayesian networks. Our framework is designed to be efficient, accurate, and applicable to stream data, making it well-suited for detecting data poisoning attacks in real-time. We implement our proposed approach using the PC-stable algorithm and the Asia Network and demonstrate its superiority to existing detection frameworks in terms of accuracy and efficiency.

Our paper makes several significant contributions to the field of data poisoning attacks on Bayesian networks. The major contributions of this study are as follows:

We present a ground-breaking method to identify data poisoning attacks against Bayesian network structure learning methods. The array of methods available for guarding against adversary manipulation of Bayesian networks obtains a new dimension with the introduction of this innovative technique.

We offer a system that effectively addresses the shortcomings of existing detection techniques for identifying data poisoning attempts utilizing latent variables. By doing this, we offer a stronger and more dependable method of spotting and fending off these dangers.

By effectively identifying four different forms of data poisoning attacks on Bayesian network structure learning techniques, our approach displays its adaptability. This versatility highlights its efficiency in defending against a variety of potential threats, making it an important tool for practical applications.

We put our suggested strategy into practice utilizing the PC-stable algorithm and the Asia Network, compiling our results into an R program. This useful application makes it simple for researchers and practitioners to use our methodology, which facilitates adoption.

In a thorough analysis, we contrast the effectiveness of our suggested strategy with current detection systems for data poisoning assaults. Our outcomes continually demonstrate its superiority in terms of precision and efficacy, emphasizing its usefulness in practical situations.

The remainder of our paper is structured as follows:

Our main concern is the crucial problem of detecting and countering data poisoning attacks against the structure learning algorithms used for Bayesian networks. To clarify this topic, we examine a hypothetical situation where a defender, tasked with creating a causal model, attempts to draw conclusions from a painstakingly validated database, designated as DB_{v}. This database includes K unique observations, each of which is distinguished by a set of features contained within S, where S is defined as S = {s_{1}, s_{2}, ..., s_{d}}. Each observation is represented as a set of attribute-value pairs, o = {s_{1} = v_{1}, ..., s_{d} = v_{d}}, where v_{i} is the value of the observation at feature s_{i}.

The various aspects or variables of interest within the study domain are represented by these features taken as a whole. Establishing a causal model that accurately depicts the connections between the dataset’s features is the key goal here. This is crucial for comprehending how changes in one variable might affect or result in changes in other variables, and it forms the cornerstone of causal reasoning in Bayesian networks. This project is not without difficulties, though, as the defender must guard against potential data poisoning attacks that could jeopardize the validity of the causal model. To elaborate, the defender assumes that the information in DB_{v} is reliable and accurately depicts the underlying causal relationships that exist within the domain. However, as we shall investigate in this paper, adversaries might introduce false or manipulated data into the database with the aim of distorting the Bayesian network’s structure and undermining the validity and reliability of the causal model. To ensure the fidelity and usefulness of the learned causal model in the face of potential threats, it is crucial to develop mechanisms that can detect and counteract these data poisoning attacks.

To learn the causal model, the defender applies a Bayesian network structure learning algorithm, such as the PC algorithm, to the validated database DB_{v}. The resulting Bayesian network model B_{2} is a directed acyclic graph (DAG) consisting of a set of nodes V and directed edges E, where each node represents a feature and each directed edge represents a causal relationship between two features as presented in

In Bayesian networks, a DAG is a graphical representation that shows the network’s structure. It is made up of nodes, which are also known as vertices, and directed edges (arcs), which link these nodes together. Each directed edge in the DAG denotes a causal connection between two features, and each node in the DAG represents a feature or variable. A DAG’s primary distinguishing feature is that it is acyclic, which means that the graph contains no closed loops or cycles. This acyclic property is fundamental in Bayesian networks because it guarantees that there are no circular dependencies or feedback loops between variables, which is essential for causal reasoning and probabilistic inferences to be made consistently and reliably.

To detect data poisoning attacks, the defender adds latent variables between every two nodes in B_{2}.

In this setting, an adversary aims to insert a poisoned dataset DB_{p} with the same attributes as DB_{v} and K_{1} observations into DB_{v} to contaminate the learned Bayesian network model B_{2}.

The challenge between the adversary and the defender can be formulated as a three-step process:

(1) The defender generates a validated Bayesian network model B_{2} using DB_{v}.

(2) The adversary inserts a poisoned dataset DB_{p} in the incoming database from the adversary, DB_{new} = DB_{v} ∪ DB_{p}, to contaminate DB_{v} and change the Markov equivalence class of B_{2}.

(3) The defender applies the structure learning algorithm to DB_{new} to obtain the Bayesian network model B_{1}, adds latent variables to both B_{1} and B_{2}, and applies uncertainty-based attack (UBA) to detect the presence of data poisoning attacks. Essentially, B_{1} is learned by applying the structure learning algorithm to the combined dataset, which combines the trusted data DB_{v} and the new incoming data DB_{new}. The union operator makes explicit that the model B_{1} is derived from both sources of data. To adapt the model to the most recent data while maintaining the validated data from DB_{v}, the defender must explicitly combine these datasets in the context of structure learning. To increase model accuracy, Bayesian network learning frequently involves integrating new data with existing data.

The defender splits DB_{new} into clean and poisoned observations using UBA. If DB_{new} is the union of DB_{v} and DB_{p}, the defender applies the structure learning algorithm to DB_{new} to obtain the Bayesian network model B_{1}. To evaluate the cohesion of an observation o = {s_{1} = v_{1}, ..., s_{d} = v_{d}} in DB_{p} with B_{2}, we use a UBA measure based on the beta distribution. Specifically, we consider a random variable Y∼Beta (α, β), where α and β are hyperparameters of the beta distribution.

The decision to use a beta distribution with only two hyperparameters, α and β, is primarily motivated by the desire for simplicity and improved interpretability. This decision simplifies the analysis process in the context of Bayesian network modeling and data poisoning attack evaluation, which can involve complex, multi-parameter methodologies. Simplifying the method helps it become more understandable to a wider audience, including those who are not familiar with intricate statistical modeling. The two-parameter beta distribution is also a well-known and understandable statistical tool that is frequently used for modeling proportions and success-failure outcomes. Its effectiveness is unaffected by its simplicity, especially in practical applications where it can successfully address research goals. Additionally, it improves computational efficiency, a crucial benefit when working with large datasets.

Here, we denote the maximum probability density function as ψ, which is defined as shown in

where f(y; α_{u}, β_{u}, K, q) is the probability density function of the beta distribution with hyperparameters α_{u}, β_{u}, K, and q, and y is the mode of the beta distribution (0 ≤ y ≤ 1). Here, K is the total number of observations, and q is the count of successes.

We model the problem as a two-player game between the adversary and the defender, where the defender aims to learn a validated Bayesian network model B_{2} using DB_{v}, while the adversary aims to contaminate B_{2} with DB_{p}. We assume that the toxicity rate of the adversary introducing additional “poisoning” situations to DB_{v} is no greater than 0.05. In real-world situations, it can be difficult to determine the toxicity rate of an adversary’s actions with precision. A precise estimate of an opponent’s behavior may not be available, and opponents’ strategies and intentions may vary. Consequently, designating a specific threshold of 0.05 is a practical starting point for our experiments. By assuming a relatively low toxicity rate (0.05, or 5%), we ensure that our framework can effectively detect and respond to even the subtlest data poisoning attacks. While 0.05 was chosen as a baseline assumption, our experiments can be expanded to investigate different toxicity rate thresholds, allowing us to evaluate how the framework’s performance varies in response to various adversary behaviors.

The challenge between the adversary and the defender involves the defender generating a validated Bayesian network model B_{2}, the adversary inserting a poisoned dataset DB_{p} into DB_{new} to contaminate DB_{v} and change the Markov equivalence class of B_{2}, and the defender applying the structure learning algorithm to DB_{new} to obtain the Bayesian network model B_{1}. The defender adds latent variables to both B_{1} and B_{2} and applies UBA to detect the presence of data poisoning attacks. We evaluate our approach on various datasets to demonstrate its effectiveness.

We present the notations used in this research paper in

Notation | Definition |
---|---|
DB_{v} | Validated database |
DB_{p} | Poisoned dataset |
DB_{new} | Incoming database from the adversary |
K | Number of observations |
K_{1} | Number of observations in the poisoned dataset |
S | Set of features |
{s_{1}, ..., s_{d}} | Features in the set S |
o | Observation represented as a set of attribute-value pairs |
B_{2} | Bayesian network model learned from DB_{v} |
B_{1} | Bayesian network model learned from DB_{new} after adding latent variables |
V | Set of nodes in the Bayesian network model |
E | Set of directed edges in the Bayesian network model |
UBA | Uncertainty-based attack |
α | Hyperparameter of the beta distribution |
β | Hyperparameter of the beta distribution |
q | Count of successes in the beta distribution |
y | Mode of the beta distribution |
ψ | Maximum probability density function of the beta distribution |

In this section, we present a comprehensive framework for detecting malicious data poisoning attacks against the structure learning algorithm of Bayesian networks. Our approach leverages latent variables to enhance the detection capabilities. To demonstrate the effectiveness of our proposed methods, we utilize the R package and the PC-stable structure learning algorithm, using the Asia Network (also known as the Chest Clinic Network) as a case study.

The framework comprises several key components, which are outlined below:

1. New dataset (DB_{new}): This dataset originates from an unreliable source and may contain malicious data items injected by attackers.

2. Validated dataset (DB_{v}): This dataset consists of clean cases that have been previously examined using our latent variable-based framework and confirmed to be free from data poisoning attacks.

3. Structure learning algorithm: We employ the PC-stable algorithm, a commonly used approach for structure learning in Bayesian networks. This algorithm allows us to recover the causal model’s structure from the given data.

4. Latent variables: Also known as unobserved variables, latent variables are hidden or unmeasured variables that cannot be directly observed but can be inferred from other directly measured variables [

5. Detection of UBA: We utilize entropy as a measure of uncertainty in the input [

Here,

1. Introducing a New Collider Data Poisoning Attack: Attackers can poison the learning datasets by introducing a new edge to any Bayesian network connection model, creating a new collider. This modification alters the equivalence class of the trained model in Bayesian networks, causing damage to the network structure as described in Algorithm 1.

2. Shielding an Existing Collider Data Poisoning Attack: Attackers can break an existing collider by manipulating the parents of an unshielded collider. This manipulation impacts the expected equivalence of the learned model, resulting in damage to the Bayesian network structure. Attackers can exploit such vulnerabilities in Bayesian networks as described in Algorithm 2.

3. Removing the Weakest Link Data Poisoning Attack: Attackers can taint the learning datasets by eliminating weak links in Bayesian networks. The link strength metric is used in Bayesian network models to rank the links from weakest to strongest as described in Algorithm 3.

4. Inserting the Most Believable Link Data Poisoning Attack: Attackers can poison the learning datasets by adding the most plausible link in Bayesian networks. This is achieved by utilizing the link strength measure, which ranks the links from the most likely to the least believable as described in Algorithm 4.

[Figure: … model B_{1} and model B_{2}.]

To detect data poisoning attacks, our framework follows these steps:

Step 1: Obtain a new dataset (DB_{new}) from an unreliable source, which may potentially contain poisoning cases.

Step 2: Combine the validated dataset (DB_{v}) with the new dataset (DB_{new}) to assess the influence of the new database on DB_{v}. The combined dataset (DB_{v} ∪ DB_{new}) is then used in the structure learning algorithm to recover model B_{1}. We employ the PC-stable algorithm for this purpose, given its wide usage in Bayesian experiments.

Step 3: Input the validated dataset (DB_{v}), which consists of clean cases previously scanned using our proposed latent-based framework, into the structure learning algorithm to recover the validated model B_{2}. Once again, we utilize the PC-stable algorithm for this step.

Step 4: Add latent variables to both models B_{1} and B_{2}, as depicted in

Step 5: Perform a check for UBA by examining if there is a significant change as described in Algorithm 5. If a significant change is detected, the dataset is flagged as potentially poisoned, and further analysis is conducted offline to determine if a data poisoning attack has occurred. On the other hand, if no significant change is observed, the newly incoming dataset is considered clean and can be incorporated into the validated dataset.

Similar to Algorithms 1 to 4, Algorithm 5 is concerned with data poisoning attacks within Bayesian network models, but by including latent variables it offers a novel strategy. In models B_{1} and B_{2}, these latent variables quantify belief changes between pairs of nodes. Algorithm 5’s primary function is to calculate belief changes using latent variables, an attack detection technique not present in Algorithms 1 through 4. Algorithm 5 also employs UBA detection through a comparison of belief shifts between models B_{1} and B_{2}. The dataset is categorized as an attack if a significant change is found; otherwise, it is regarded as clean. Algorithm 5 stands out for its UBA detection mechanism, which also offers a distinctive viewpoint on data poisoning attack detection.

Advantages of the Latent-Based Framework: Our proposed framework detects data poisoning attacks in Bayesian networks more effectively. Firstly, by incorporating latent variables, we capture hidden relationships and uncover subtle changes caused by malicious injections. Secondly, the UBA Detection algorithm quantifies belief change using entropy, promptly raising alarms for potential attacks. Our framework is flexible, adaptable to different domains, and integrates seamlessly with existing workflows. It achieves high detection accuracy with a low false positive rate, mitigating data poisoning attacks effectively.

We have implemented our proposed framework using discrete Bayesian networks over time on the Asia Network, also known as the Network of Chest Clinic [

For our experiment, we generated 15 simulated datasets using the Hugin^{TM} case generator. Each dataset contains 2000 cases labeled as Batch 1 through Batch 15. We consider these datasets as a new incoming data stream, denoted as DB_{new}, which may contain both clean and poisoned data from an untrusted source. These datasets arrive at different time intervals and are combined with our validated dataset DB_{v}. To optimize computational efficiency, we introduced latent variables between the nodes of interest based on the link strength measure in models B_{1} and B_{2}. This allows us to detect the four types of data poisoning attacks.

Latent variable U^{t} between the AT edge in models B_{1} and B_{2}.

PDF of | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

118.86 | 175.83 | 251.71 | 279.45 | 305.30 | 334.18 | 374.19 | 390.70 | 406.65 | 428.90 | 449.79 | 468.65 | 487.19 | |||

183.20 | 278.30 | 372.36 | 402.65 | 440.77 | 475.84 | 543.72 | 565.42 | 591.85 | 650.74 | 651.30 | 675.53 | 704.84 | |||

160.12 | 229.04 | 341.82 | 389.28 | 426.82 | 475.84 | 530.479 | 554.62 | 573.03 | 604.97 | 637.89 | 666.05 | 689.76 | |||

541.88 | 1083.22 | 1285.62 | 1490.69 | 1581.79 | 1672.06 | 1641.17 | 1777.68 | 1908.65 | 1990.26 | 2110.99 | 2273.29 | 2386.76 |

Our observations reveal that at times 1 and 2, the PDF values show an increasing trend in the correct direction, indicating clean batches. When a batch is deemed clean, we combine it with our validated dataset, DB_{v}. However, at time points 3 and 8, we observe a significant drop in the PDF values as follows: For PDF(U|A = yes, T = yes): Time point 3: 964.3817675 with alpha = 7 and beta = 5995, and Time point 8: 1541.469444 with alpha = 18 and beta = 15984.

These datasets are identified as suspicious and are subsequently rejected for offline verification. We note that a drop in the PDF value indicates the detection of a data poisoning attack by our framework and latent variable. Additionally, our latent-based framework exhibits sensitivity in detecting variations in the PDF values over time, specifically those aiming to remove the weakest edge from the validated Bayesian network model, B_{2}.
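The ψ values quoted above can be reproduced from the reported hyperparameters. The following Python sketch is an added example, not the authors' R implementation: it evaluates the Beta density at its mode and applies a Step 5 style drop check to a constructed stream. It assumes α = 1 + q and β = 1 + K − q (which matches the α, β pairs reported above for 2000-case batches), uses "ψ falls below the validated value" as a stand-in for Algorithm 5, and all function names are hypothetical.

```python
import math


def beta_posterior(K, q):
    """Assumed mapping from counts to hyperparameters (not stated on the page):
    alpha = 1 + q, beta = 1 + K - q, with K observations and q successes."""
    if K <= 0 or not 0 <= q <= K:
        raise ValueError("need K > 0 and 0 <= q <= K")
    return 1 + q, 1 + K - q


def _xlogy(x, y):
    # x * log(y) with the convention 0 * log(0) = 0, needed when the mode
    # sits on the boundary (q = 0 or q = K).
    return 0.0 if x == 0 else x * math.log(y)


def psi(alpha, beta):
    """Maximum of the Beta(alpha, beta) density, i.e. the density at the mode
    y = (alpha - 1) / (alpha + beta - 2). Computed in log space so that
    hyperparameters in the tens of thousands do not overflow."""
    if alpha < 1 or beta < 1 or alpha + beta <= 2:
        raise ValueError("mode is not unique for these hyperparameters")
    y = (alpha - 1) / (alpha + beta - 2)
    log_norm = math.lgamma(alpha + beta) - math.lgamma(alpha) - math.lgamma(beta)
    return math.exp(log_norm + _xlogy(alpha - 1, y) + _xlogy(beta - 1, 1 - y))


def screen_stream(K_v, q_v, batches, min_drop=0.0):
    """Screen incoming batches against the validated counts (K_v, q_v).

    Each batch is (number of cases, count of the monitored configuration).
    A batch is suspicious when psi for validated + batch falls below psi for
    the validated data alone by more than the fraction min_drop. Clean batches
    are merged into the validated counts; suspicious ones are held back.
    """
    verdicts = []
    for K_b, q_b in batches:
        psi_v = psi(*beta_posterior(K_v, q_v))
        psi_new = psi(*beta_posterior(K_v + K_b, q_v + q_b))
        suspicious = psi_new < psi_v * (1.0 - min_drop)
        verdicts.append({"psi_validated": psi_v, "psi_new": psi_new,
                         "suspicious": suspicious})
        if not suspicious:
            K_v, q_v = K_v + K_b, q_v + q_b
    return verdicts


# Constructed sample stream (not data from the paper): three 2000-case batches.
# The second one carries far more occurrences of the monitored configuration
# than the validated data would predict.
CONSTRUCTED_BATCHES = [(2000, 2), (2000, 60), (2000, 3)]

if __name__ == "__main__":
    # Hyperparameters reported in the text for time points 3 and 8.
    print(round(psi(7, 5995), 4), round(psi(18, 15984), 4))
    for t, v in enumerate(screen_stream(4000, 4, CONSTRUCTED_BATCHES), start=1):
        state = "SUSPICIOUS" if v["suspicious"] else "clean"
        print(t, round(v["psi_validated"], 2), round(v["psi_new"], 2), state)
```

In the constructed stream the second batch is held back, so the third batch is compared against the same validated counts as the second was.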

Latent variable U^{t} between the BL edge in both models B_{1} and B_{2}.

The probability density function (PDF) values, namely PDF(B = no|L = no), PDF(B = yes|L = no), PDF(B = no|L = yes), and PDF(B = yes|L = yes), exhibit variations over time. We analyze the PDF values from batch 1 to batch 15.

PDF of | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

35.75 | 50.56 | 61.91 | 71.48 | 79.89 | 94.53 | 101.08 | 107.22 | 113.01 | 118.56 | 123.83 | 128.91 | 138.41 | |||

121.46 | 163.92 | 197.85 | 231.31 | 257.48 | 268.17 | 291.98 | 315.14 | 334.23 | 353.94 | 372.72 | 389.12 | 423.50 | |||

36.17 | 51.22 | 62.75 | 72.41 | 80.91 | 95.98 | 102.62 | 108.85 | 114.68 | 120.35 | 125.69 | 130.87 | 140.53 | |||

53.10 | 144.39 | 175.97 | 203.08 | 223.94 | 265.88 | 285.34 | 303.06 | 320.29 | 335.49 | 350.47 | 364.41 | 374.76 |

Our observations reveal that during time points 1 to 5, the PDF values consistently increase in the correct direction, indicating clean batches. In such cases, we combine the clean batches with our validated dataset, DB_{v}. However, at time points 6 and 14, we observe a slight drop in the PDF values as follows: For PDF(U|B = no, L = yes): Time point 6: 243.426891 with alpha = 401 and beta = 11601. For PDF(U|B = yes, L = yes): Time point 14: 361.2725596 with alpha = 992 and beta = 27010.

These datasets are identified as suspicious and are subsequently rejected for offline verification. We have observed that a decrease in the PDF value indicates the detection of a data poisoning attack by our latent-based framework. Moreover, our framework exhibits sensitivity in detecting changes in the PDF values over time, particularly those aiming to add the most believable edge in the validated Bayesian network model, B_{2}.

Latent variable U^{t} between the EA edge in both models B_{1} and B_{2}.

The probability density function (PDF) values, namely PDF(E = no|A = no), PDF(E = yes|A = no), PDF(E = no|A = yes), and PDF(E = yes|A = yes), undergo changes over time. We analyze the PDF values across batches 1 to 15. The results of our framework in detecting data poisoning attacks that aim to create a new v-structure, EA, are presented in

PDF of | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

67.94 | 98.55 | 134.95 | 151.46 | 167.03 | 181.12 | 193.67 | 204.74 | 214.66 | 224.53 | 244.34 | 254.00 | 262.82 | |||

199.33 | 291.70 | 397.01 | 426.79 | 464.56 | 501.50 | 547.39 | 571.75 | 590.69 | 615.64 | 676.64 | 699.80 | 730.12 | |||

72.88 | 104.81 | 145.12 | 163.46 | 180.42 | 195.73 | 208.56 | 220.83 | 231.60 | 242.08 | 264.01 | 274.31 | 283.35 | |||

351.54 | 702.48 | 664.11 | 780.98 | 887.57 | 971.01 | 1062.64 | 1120.53 | 1230.07 | 1337.21 | 1361.59 | 1466.20 | 1544.54 |

We observe that during time points 1 and 2, the PDF values consistently increase in the intended direction, indicating clean batches. In such cases, we merge the clean batches with our validated dataset, DB_{v}. However, at time points 3 and 12, we observe a significant drop in the PDF values as follows: For PDF(U|E = no, A = yes): Time point 3: 533.9914435 with alpha = 21 and beta = 5981. For PDF(U|E = yes, A = yes): Time point 12: 1290.619552 with alpha = 56 and beta = 23946.

These datasets are identified as suspicious and are subsequently rejected for offline verification. We observe that a drop in the PDF value indicates that our framework, along with the latent variable, has detected a data poisoning attack. Furthermore, our latent-based framework demonstrates sensitivity in detecting variations in the PDF values over time, particularly those aimed at creating a new v-structure in the validated Bayesian network model, B_{2}.

Latent variable U^{t} between the TL edge in both models B_{1} and B_{2}.

PDF of | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

71.59 | 103.83 | 124.45 | 161.705 | 178.65 | 193.66 | 206.45 | 218.41 | 229.51 | 240.25 | 252.20 | 272.53 | 281.63 | |||

79.61 | 115.47 | 137.11 | 176.34 | 195.05 | 210.55 | 224.61 | 238.19 | 250.16 | 262.21 | 275.04 | 296.36 | 305.98 | |||

157.07 | 226.77 | 281.60 | 391.11 | 428.49 | 474.16 | 502.30 | 523.53 | 550.72 | 571.83 | 602.62 | 664.89 | 689.76 | |||

736.31 | 1472.06 | 2207.82 | 1755.28 | 2106.22 | 2457.15 | 2808.09 | 3159.02 | 3509.96 | 3860.89 | 4211.83 | 3689.88 | 3953.39 |

We observe that during time points 1 to 3, the PDF values consistently increase in the intended direction, signifying clean batches. In such cases, we merge the clean batches with our validated dataset, DB_{v}. However, at time points 4 and 13, we observe a significant decrease in the PDF values as follows: For PDF(U|T = no, L = yes): Time point 4: 1404.353345 with alpha = 6 and beta = 7996. For PDF(U|T = yes, L = yes): Time point 13: 3426.371469 with alpha = 10 and beta = 25992.

These datasets are identified as suspicious and are subsequently rejected for offline verification. We observe that a decrease in the PDF value indicates that our latent-based framework has detected a data poisoning attack. Furthermore, our framework demonstrates sensitivity in detecting changes in the PDF values over time, particularly those aimed at breaking the shielding of an existing collider in the validated Bayesian network model, B_{2}.

Adversarial machine learning studies intentional attacks on machine learning systems [

Data poisoning attacks are among the most prevalent types of attacks in machine learning [

In terms of defense strategies, several research articles propose mechanisms for detecting and mitigating data poisoning attacks in machine learning models [

To address this research gap, recent studies have explored novel defense mechanisms for detecting data poisoning attacks in Bayesian network models. Smith et al. [

By introducing a novel method to identify backdoor attacks on Bayesian neural networks, Pan and Mishra [

These studies represent important strides towards developing effective defense mechanisms against data poisoning attacks in Bayesian network models. However, more comprehensive investigations are needed to address the unique challenges posed by data poisoning attacks in this context. Further research is required to explore the vulnerabilities of Bayesian network models, evaluate the effectiveness of existing defense mechanisms, and develop novel approaches to enhance the robustness and integrity of machine learning systems in practical applications.

Data poisoning attacks pose a significant threat to the integrity of probabilistic graphical models, such as Bayesian networks. In this research paper, we focused on data poisoning attacks that aim to manipulate the structure learning algorithms of Bayesian networks. We introduced a framework based on latent variables, also known as hidden variables, to detect data poisoning attacks and preserve the integrity of the Bayesian network structure. Our framework leveraged the modeling of uncertainty over time, allowing us to analyze the evolution of belief as new datasets arrived. We deployed this latent-based framework to detect four specific types of data poisoning attacks: introducing new v-structure attacks, shielding existing collider attacks, creating believable edge attacks, and removing the weakest edge attacks in Bayesian networks. Our experimental results demonstrated the high sensitivity of the proposed framework in detecting these types of data poisoning attacks in the Asia network.

In future work, we plan to extend our framework to test its effectiveness in detecting data poisoning attacks that occur over longer durations. This will help evaluate its robustness in real-world scenarios where attacks may be carried out gradually over time. Additionally, we aim to investigate the capability of latent variables in detecting minimal instances of data poisoning attacks, as identifying subtle attacks can be particularly challenging.

The researchers would like to acknowledge Deanship of Scientific Research, Taif University for funding this work.

Shahad Alzahrani conducted the research, while Dr. Emad Alsuwat and Dr. Hatim Alsuwat served as supervisors. All authors contributed to the study conception, design, and manuscript preparation.

Data available upon request from the corresponding author.

The authors declare that they have no conflicts of interest to report regarding the present study.