On Sparse Feature Attacks in Adversarial Learning

Wang, Fei; Liu, Wei; Chawla, Sanjay

doi:10.1109/icdm.2014.117

Cited by 30 publications

(22 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a result, the notion of "robustness" considered in [61] is rather different from that considered in [35] and [36], and in this paper. It is nevertheless of interest to understand whether methods that are more robust to evasion may also benefit from robustness to random perturbations, and vice versa.…”

Section: B Feature Selection Robustness and Stabilitymentioning

confidence: 79%

“…However, since traditional feature selection methods implicitly assume that training and test samples follow the same underlying data distribution, their performance may be significantly affected under adversarial attacks that violate this assumption. Even worse, performing feature selection in adversarial settings may allow an attacker to evade the classifier at test time with a lower number of modifications to the malicious samples [11], [16], [35], [36]. To our knowledge, besides the above studies, the issue of selecting feature sets suitable for adversarial settings has neither been experimentally nor theoretically investigated more in depth.…”

Section: Discussionmentioning

confidence: 99%

“…Traditional feature selection algorithms thus optimize classification accuracy or some surrogate function with respect to the choice of the feature subset, without considering how the resulting classifier may be affected by adversarial attacks. It has indeed been shown that feature selection may even worsen classifier security to evasion: the resulting classifiers may be evaded with less modifications to the attack data [11], [16], [34]- [36].…”

Section: B Feature Selection Robustness and Stabilitymentioning

confidence: 99%

See 2 more Smart Citations

Adversarial Feature Selection Against Evasion Attacks

Zhang¹,

Chan²,

Biggio³

et al. 2016

IEEE Trans. Cybern.

218

107

View full text Add to dashboard Cite

Pattern recognition and machine learning techniques have been increasingly adopted in adversarial settings such as spam, intrusion, and malware detection, although their security against well-crafted attacks that aim to evade detection by manipulating data at test time has not yet been thoroughly assessed. While previous work has been mainly focused on devising adversary-aware classification algorithms to counter evasion attempts, only few authors have considered the impact of using reduced feature sets on classifier security against the same attacks. An interesting, preliminary result is that classifier security to evasion may be even worsened by the application of feature selection. In this paper, we provide a more detailed investigation of this aspect, shedding some light on the security properties of feature selection against evasion attacks. Inspired by previous work on adversary-aware classifiers, we propose a novel adversary-aware feature selection model that can improve classifier security against evasion attacks, by incorporating specific assumptions on the adversary's data manipulation strategy. We focus on an efficient, wrapper-based implementation of our approach, and experimentally validate its soundness on different application examples, including spam and malware detection.

show abstract

Section: B Feature Selection Robustness and Stabilitymentioning

confidence: 79%

Section: Discussionmentioning

confidence: 99%

Section: B Feature Selection Robustness and Stabilitymentioning

confidence: 99%

See 1 more Smart Citation

Adversarial Feature Selection Against Evasion Attacks

Zhang¹,

Chan²,

Biggio³

et al. 2016

IEEE Trans. Cybern.

218

107

View full text Add to dashboard Cite

show abstract

“…This can be formalized by an applicationdependent constraint. As discussed in [16], two kinds of constraints have been mostly used when modeling real-world adversarial settings, leading one to define sparse ( 1 ) and dense ( 2 ) attacks. The 1 -norm yields typically a sparse attack, as it represents the case when the cost depends on the number of modified features.…”

Section: Attacker's Modelmentioning

confidence: 99%

“…For example, if instances are images, the attacker may prefer making small changes to many or even all pixels, rather than significantly modifying only few of them. This amounts to (slightly) blurring the image, instead of obtaining a salt-and-pepper noise effect (as the one produced by sparse attacks) [16].…”

Section: Attacker's Modelmentioning

confidence: 99%

On Security and Sparsity of Linear Classifiers for Adversarial Settings

Demontis

Russu

Biggio

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Machine-learning techniques are widely used in security-related applications, like spam and malware detection. However, in such settings, they have been shown to be vulnerable to adversarial attacks, including the deliberate manipulation of data at test time to evade detection. In this work, we focus on the vulnerability of linear classifiers to evasion attacks. This can be considered a relevant problem, as linear classifiers have been increasingly used in embedded systems and mobile devices for their low processing time and memory requirements. We exploit recent findings in robust optimization to investigate the link between regularization and security of linear classifiers, depending on the type of attack. We also analyze the relationship between the sparsity of feature weights, which is desirable for reducing processing cost, and the security of linear classifiers. We further propose a novel octagonal regularizer that allows us to achieve a proper trade-off between them. Finally, we empirically show how this regularizer can improve classifier security and sparsity in real-world application examples including spam and malware detection.

show abstract