Evasion-Robust Classification on Binary Domains

The success of classification learning has led to numerous attempts to apply it in adversarial settings such as spam and malware detection. The core challenge in this class of applications is that adversaries are not static, but make a deliberate effort to evade the classifiers. We investigate both the problem of modeling the objectives of such adversaries and the algorithmic problem of accounting for rational, objective-driven adversaries. We first present a general approach based on mixed-integer linear programming (MILP) with constraint generation. This approach is the first to compute an optimal solution to adversarial loss minimization for two general classes of adversarial evasion models in the context of binary feature spaces. To further improve scalability and significantly generalize the scope of the MILP-based method, we propose a principled iterative retraining framework, which can be used with arbitrary classifiers and essentially arbitrary attack models. We show that the retraining approach, when it converges, minimizes an upper bound on adversarial loss. Extensive experiments demonstrate that the mixed-integer programming approach significantly outperforms several state-of-the-art adversarial learning alternatives. Moreover, the retraining framework performs nearly as well, but scales significantly better. Finally, we show that our approach is robust to misspecifications of the adversarial model.
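
The iterative retraining idea can be summarized generically. The following is a minimal sketch, not the paper's implementation: the classifier is any fit/predict learner, and the attack oracle `evade(clf, x)` is an illustrative stand-in for an arbitrary evasion model. The loop augments the training data with successful evasions of malicious points against the current classifier and retrains until no new evasion is found, which corresponds to the convergence condition under which the upper-bound guarantee is stated.

```python
# Minimal sketch of iterative retraining against an evasion oracle.
# `evade(clf, x)` is a hypothetical attack model: it returns an evasion
# of the malicious point x against clf, or x itself if none exists.
import numpy as np

def retrain_until_convergence(clf, X, y, evade, max_iters=20):
    """X: binary feature matrix (numpy array); y: labels (1 = malicious).
    clf: any classifier exposing fit(X, y) and predict(X)."""
    X_aug, y_aug = X.copy(), y.copy()
    clf.fit(X_aug, y_aug)
    for _ in range(max_iters):
        new_points = []
        for x in X[y == 1]:  # the adversary only modifies malicious instances
            x_adv = evade(clf, x)
            # keep the evasion if it currently fools the classifier
            # and is not already in the augmented training set
            if clf.predict(x_adv.reshape(1, -1))[0] == 0 and \
               not any(np.array_equal(x_adv, p) for p in X_aug):
                new_points.append(x_adv)
        if not new_points:  # fixed point: no new successful evasions
            return clf
        X_aug = np.vstack([X_aug] + [p.reshape(1, -1) for p in new_points])
        y_aug = np.concatenate([y_aug, np.ones(len(new_points), dtype=int)])
        clf.fit(X_aug, y_aug)
    return clf
```

On a binary feature space, `evade` might, for example, flip a bounded number of features of x so as to minimize the classifier's score subject to an adversarial cost budget; the sketch is agnostic to this choice, mirroring the framework's applicability to essentially arbitrary attack models.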
