Pattern classification systems are currently used in security applications like intrusion detection in computer networks, spam filtering and biometric identity recognition. These are adversarial classification problems, since the classifier faces an intelligent adversary who adaptively modifies patterns (e.g., spam e-mails) to evade it. In these tasks the goal of a classifier is to attain both high classification accuracy and high hardness of evasion, an issue that has not yet been deeply investigated in the literature. We address it from the viewpoint of the choice of the architecture of a multiple classifier system. We propose a measure of the hardness of evasion of a classifier architecture, and give an analytical evaluation and comparison of an individual classifier and a classifier ensemble architecture. We finally report an experimental evaluation on a spam filtering task.
Multiple Classifier Systems for Adversarial Classification Tasks
1. Multiple Classifier Systems for Adversarial Classification Tasks. Battista Biggio, Giorgio Fumera and Fabio Roli, Dept. of Electrical and Electronic Eng., University of Cagliari
6. Design of pattern recognition systems
Goal in "traditional" applications: maximise accuracy.
Pipeline: data acquisition → feature extraction → model selection → classification.
7. Design of pattern recognition systems
Goal in adversarial classification tasks: maximise both accuracy and hardness of evasion, over the same pipeline (data acquisition → feature extraction → model selection → classification).
9. Hardness of evasion
[Figure: linear decision function — Boolean inputs x_1, ..., x_n are weighted and summed, the threshold th is subtracted, and the output y ∈ {malicious, legitimate} is assigned by the sign: ≥ 0 → malicious, < 0 → legitimate.]
Hardness of evasion: the expected value of the minimum number of features the adversary has to modify to evade the classifier (worst case: the adversary has full knowledge of the classifier).
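The decision function on the slide can be sketched as follows. The sign convention (weighted sum minus threshold, ≥ 0 → malicious) is taken from the slide; the function name is illustrative.

```python
def classify(x, w, th):
    """Linear decision function: weighted sum of Boolean features
    minus threshold; non-negative score means 'malicious'."""
    score = sum(wi * xi for wi, xi in zip(w, x)) - th
    return "malicious" if score >= 0 else "legitimate"
```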
11. Hardness of evasion: an example
[Figure: linear classifier with weights w = (0.3, 0.8, 3.0, 1.5, 1.0) and threshold th = 2; the weighted sum is compared with th (≥ 0: malicious, < 0: legitimate).]
First example pattern: x = (1 1 0 1 0); second example pattern: x = (0 1 1 0 0).
Hardness of evasion: the expected value of the minimum number of features the adversary has to modify to evade the classifier.
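For a linear classifier with Boolean features, the worst-case adversary on the slides (full knowledge of the classifier) can compute the minimum number of feature flips greedily: each flip reduces the score by a fixed amount, so taking the largest reductions first minimises the count. A minimal sketch using the slide's weights and threshold; the function name is an assumption.

```python
def evasion_cost(x, w, th):
    """Minimum number of Boolean features an adversary with full
    knowledge must flip so the score drops below zero (legitimate)."""
    score = sum(wi * xi for wi, xi in zip(w, x)) - th
    if score < 0:
        return 0  # already classified as legitimate
    # Flipping x_i 1->0 reduces the score by w_i (if w_i > 0);
    # flipping 0->1 reduces it by -w_i (if w_i < 0).
    gains = sorted((wi if xi == 1 else -wi
                    for wi, xi in zip(w, x)
                    if (xi == 1 and wi > 0) or (xi == 0 and wi < 0)),
                   reverse=True)
    flips = 0
    for g in gains:
        score -= g
        flips += 1
        if score < 0:
            return flips
    return None  # evasion not possible by flipping features

w, th = [0.3, 0.8, 3.0, 1.5, 1.0], 2.0
print(evasion_cost([1, 1, 0, 1, 0], w, th))  # flipping x_4 (w=1.5) suffices: 1
print(evasion_cost([0, 1, 1, 0, 0], w, th))  # flipping x_3 (w=3.0) suffices: 1
```

On both example patterns a single well-chosen flip already brings the score below zero, i.e., the hardness of evasion of this classifier on these patterns is 1.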
15. Comparison of two classifier architectures
[Figure: a single linear classifier over the whole feature set X — Boolean features x_1, ..., x_n (x_i ∈ {0,1}), weights w_1, ..., w_n, threshold t.]
16. Comparison of two classifier architectures
[Figure: an ensemble of N linear classifiers with thresholds t_1, ..., t_N, each operating on a disjoint feature subset, combined with the OR rule. The subsets partition the feature set: X_1 ∪ X_2 ∪ ... ∪ X_N = X, X_i ∩ X_j = ∅ for i ≠ j.]
17. Comparison of two classifier architectures
Analytical assumptions: x_1, x_2, ..., x_n i.i.d.; identical weights; t_1 = t_2 = ... = t_N; |X_i| = n/N.
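The two architectures being compared can be sketched as follows; the weights, thresholds, and subset sizes are illustrative, not the paper's actual parameters.

```python
def monolithic(x, w, t):
    # Single linear classifier over the whole feature set X.
    return sum(w[i] * x[i] for i in range(len(x))) - t >= 0  # True = malicious

def or_ensemble(x, w, thresholds, subsets):
    # N linear classifiers on disjoint feature subsets X_1, ..., X_N,
    # combined with the OR rule: malicious if any sub-classifier fires.
    return any(sum(w[i] * x[i] for i in X_k) - t_k >= 0
               for t_k, X_k in zip(thresholds, subsets))

# Illustrative setup matching the slide's assumptions: n = 4 Boolean
# features with identical weights, split into N = 2 subsets of n/N = 2.
w = [1.0, 1.0, 1.0, 1.0]
x = [1, 1, 1, 0]
print(monolithic(x, w, 2.0))                             # True
print(or_ensemble(x, w, [1.0, 1.0], [[0, 1], [2, 3]]))   # True
```

Note the consequence of the OR rule: a pattern is labelled legitimate only if no sub-classifier fires, so an adversary must simultaneously evade every sub-classifier that currently detects the pattern.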
18. Comparison of two classifier architectures
[Plot: analytical evaluation for p_1A = 0.25, p_1L = 0.15 — details are in the paper.]
20. Comparison of two classifier architectures
[Plot: ROC working point chosen to minimise C·FP + FN, for cost values C = 1, 2, 10, 100.]
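Selecting the ROC working point as on the slide amounts to picking, for each cost C, the operating point that minimises C·FP + FN. A minimal sketch; the (FP, FN) pairs below are illustrative, not the paper's actual curves.

```python
# Candidate operating points along a ROC curve, as (FP rate, FN rate).
points = [(0.30, 0.01), (0.10, 0.05), (0.05, 0.12), (0.01, 0.40)]

for C in (1, 2, 10, 100):
    # Working point minimising the weighted cost C*FP + FN.
    fp, fn = min(points, key=lambda p: C * p[0] + p[1])
    print(f"C={C}: FP={fp}, FN={fn}")
```

As C grows, false positives are penalised more heavily, so the chosen working point moves toward low-FP (high-FN) operating regions.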