A Fundamental Performance Limitation for Adversarial Classification

Makdah, Abed AlRahman Al; Katewa, Vaibhav; Pasqualetti, Fabio

doi:10.1109/lcsys.2019.2921989

Cited by 8 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Secure estimators (32,33) exploit sensor redundancy to always reconstruct a correct state estimate that can be used for resilient control. Data-based anomaly detection schemes based on machine learning methodologies are currently also an active research area (see, e.g., 34,35). Approaches for increasing the opportunities for detecting stealthy FDI attacks include moving-target defense (36) and multiplicative watermarking (37).…”

Section: Mitigationmentioning

confidence: 99%

Secure Networked Control Systems

Gupta

Johansson

2022

Annu. Rev. Control Robot. Auton. Syst.

View full text Add to dashboard Cite

Cyber-vulnerabilities are being exploited in a growing number of control systems. As many of these systems form the backbone of critical infrastructure and are becoming more automated and interconnected, it is of the utmost importance to develop methods that allow system designers and operators to do risk analysis and develop mitigation strategies. Over the last decade, great advances have been made in the control systems community to better understand cyber-threats and their potential impact. This article provides an overview of recent literature on secure networked control systems. Motivated by recent cyberattacks on the power grid, connected road vehicles, and process industries, a system model is introduced that covers many of the existing research studies on control system vulnerabilities. An attack space is introduced that illustrates how adversarial resources are allocated in some common attacks. The main part of the article describes three types of attacks: false data injection, replay, and denial-of-service attacks. Representative models and mathematical formulations of these attacks are given along with some proposed mitigation strategies. The focus is on linear discrete-time plant models, but various extensions are presented in the final section, which also mentions some interesting research problems for future work. Expected final online publication date for the Annual Review of Control, Robotics, and Autonomous Systems, Volume 5 is May 2022. Please see http://www.annualreviews.org/page/journal/pubdates for revised estimates.

show abstract

Section: Mitigationmentioning

confidence: 99%

Secure Networked Control Systems

Gupta

Johansson

2022

Annu. Rev. Control Robot. Auton. Syst.

View full text Add to dashboard Cite

show abstract

“…We consider a d-dimensional binary classification problem formulated as hypothesis testing problem as in [13]. The objective is to decide whether an observation x ∈ R d belongs to class H 0 or class H 1 .…”

Section: Problem Setup and Preliminary Notionsmentioning

confidence: 99%

“…. , n, i = j, and u, v = 1, 2, which gives us (13). The KKT condition for dual feasibility implies that λ ≥ 0.…”

Section: Proofmentioning

confidence: 99%

Robust Adversarial Classification via Abstaining

Makdah

Katewa

Pasqualetti

2021

2021 60th IEEE Conference on Decision and Control (CDC)

View full text Add to dashboard Cite

In this work, we consider a binary classification problem and cast it into a binary hypothesis testing framework, where the observations can be perturbed by an adversary. To improve the adversarial robustness of a classifier, we include an abstain option, where the classifier abstains from making a decision when it has low confidence about the prediction. We propose metrics to quantify the nominal performance of a classifier with an abstain option and its robustness against adversarial perturbations. We show that there exist a tradeoff between the two metrics regardless of what method is used to choose the abstain region. Our results imply that the robustness of a classifier with an abstain option can only be improved at the expense of its nominal performance. Further, we provide necessary conditions to design the abstain region for a 1dimensional binary classification problem. We validate our theoretical results on the MNIST dataset, where we numerically show that the tradeoff between performance and robustness also exist for the general multi-class classification problems.

show abstract

“…Furthermore, recent works also point towards fundamental tradeoffs between accuracy and robustness of data-driven models [25][26][27][28] in various settings and training frameworks. The connection of adversarial robustness to model complexity and generalization, and the existence (or non-existence) of fundamental tradeoffs between them is another important problem that has received attention [29][30][31][32][33][34], and is the subject of ongoing debate.…”

Section: Introductionmentioning

confidence: 99%

Lipschitz Bounds and Provably Robust Training by Laplacian Smoothing

Krishnan¹,

Makdah²,

Pasqualetti³

2020

Preprint

Self Cite

View full text Add to dashboard Cite

In this work we propose a graph-based learning framework to train models with provable robustness to adversarial perturbations. In contrast to regularizationbased approaches, we formulate the adversarially robust learning problem as one of loss minimization with a Lipschitz constraint, and show that the saddle point of the associated Lagrangian is characterized by a Poisson equation with weighted Laplace operator. Further, the weighting for the Laplace operator is given by the Lagrange multiplier for the Lipschitz constraint, which modulates the sensitivity of the minimizer to perturbations. We then design a provably robust training scheme using graph-based discretization of the input space and a primal-dual algorithm to converge to the Lagrangian's saddle point. Our analysis establishes a novel connection between elliptic operators with constraint-enforced weighting and adversarial learning. We also study the complementary problem of improving the robustness of minimizers with a margin on their loss, formulated as a loss-constrained minimization problem of the Lipschitz constant. We propose a technique to obtain robustified minimizers, and evaluate fundamental Lipschitz lower bounds by approaching Lipschitz constant minimization via a sequence of gradient p-norm minimization problems. Ultimately, our results show that, for a desired nominal performance, there exists a fundamental lower bound on the sensitivity to adversarial perturbations that depends only on the loss function and the data distribution, and that improvements in robustness beyond this bound can only be made at the expense of nominal performance. Our training schemes provably achieve these bounds both under constraints on performance and robustness.Preprint. Under review.

show abstract

A Fundamental Performance Limitation for Adversarial Classification

Cited by 8 publications

References 7 publications

Secure Networked Control Systems

Secure Networked Control Systems

Robust Adversarial Classification via Abstaining

Lipschitz Bounds and Provably Robust Training by Laplacian Smoothing

Contact Info

Product

Resources

About