Protecting Classifiers from Attacks

In multiple domains such as malware detection, automated driving systems, or fraud detection, classification algorithms are susceptible to being attacked by malicious agents willing to perturb the value of instance covariates to pursue certain goals. Such problems pertain to the field of adversarial...

Descripción completa

Detalles Bibliográficos
Autores: Gallego, V., Naveiro, R., Redondo, A., Insua, D.R., Ruggeri, F.
Tipo de recurso: artículo
Estado:Versión publicada
Fecha de publicación:2024
País:España
Institución:Consejo Superior de Investigaciones Científicas (CSIC)
Repositorio:DIGITAL.CSIC. Repositorio Institucional del CSIC
OAI Identifier:oai:digital.csic.es:10261/379049
Acceso en línea:http://hdl.handle.net/10261/379049
https://www.scopus.com/inward/record.uri?eid=2-s2.0-85200746871&doi=10.1214%2f24-STS922&partnerID=40&md5=7b780ca49cf0c67bcb44ea862bdedf34
Access Level:acceso abierto
Palabra clave:adversarial machine learning
adversarial risk analysis
Bayesian methods
Classification
deep models
Descripción
Sumario:In multiple domains such as malware detection, automated driving systems, or fraud detection, classification algorithms are susceptible to being attacked by malicious agents willing to perturb the value of instance covariates to pursue certain goals. Such problems pertain to the field of adversarial machine learning and have been mainly dealt with, perhaps implicitly, through game-theoretic ideas with strong underlying common knowledge assumptions. These are not realistic in numerous application domains in relation to security and business competition. We present an alternative Bayesian decision theoretic framework that accounts for the uncertainty about the attacker’s behavior using adversarial risk analysis concepts. In doing so, we also present core ideas in adversarial machine learning to a statistical audience. A key ingredient in our framework is the ability to sample from the distribution of originating instances given the, possibly attacked, observed ones. We propose an initial procedure based on approximate Bayesian computation usable during operations; within it, we simulate the attacker’s problem taking into account our uncertainty about his elements. Large-scale problems require an alternative scalable approach implementable during the training stage. Globally, we are able to robustify statistical classification algorithms against malicious attacks. © Institute of Mathematical Statistics, 2024