2023
DOI: 10.1080/01621459.2023.2183129

Adversarial Machine Learning: Bayesian Perspectives

Cited by 9 publications
(6 citation statements)
References 45 publications
“…These correspond to two-stage sequential defend-attack (Brown, Carlyle, Salmerón, & Wood, 2006) or, more generally, to Stackelberg (Korzhyk et al, 2011) games. Their importance in the literature of security games (Sinha, Fang, An, Kiekintveld, & Tambe, 2018a; Zhuang & Bier, 2007) and AML (Ríos Insua et al, 2020) inspires our developments. It is also worth mentioning that such games are relevant in numerous other areas, from its original conception in business competition (von Stackelberg, 1952) to automated driving systems (Yu, Tseng, & Langari, 2018).…”
Section: Introduction (mentioning)
confidence: 88%
“…A key advantage of APS in our setting is that, unlike plain MC methods, its complexity does not depend on the cardinality of the decision sets, thus being the preferred approach when dealing with large decision spaces. Indeed, our approach does not require discretization in continuous decision sets; this makes it scalable in important contexts such as adversarial machine learning (AML) (Ríos Insua, Naveiro, Gallego, & Poulos, 2020), entailing very high dimensional continuous decision spaces and, consequently, hardly solvable using standard methods. Moreover, APS can be used to sample from a power transformation of the distribution of interest, this being more peaked around the mode, thus facilitating identification of the optimal alternative.…”
Section: Introduction (mentioning)
confidence: 99%
“…Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $x_i$) but not labels (i.e., $y_i$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance. Alternatively, Rios Insua et al 61 and Rios Insua et al 62 more fully explore the flexibility of the BAL framework by leveraging ARA to develop $p(\tilde{\mathcal{D}} \mid \mathcal{D})$. This pairing further generalizes the BAL framework by allowing a wide array of (even deterministic) attacks to be formally encoded as the attacker's model.…”
Section: Protecting ADSs From Adversarial Data (mentioning)
confidence: 99%
“…A continuum of models can therefore be constructed by varying assumptions about this quantity. Rios Insua et al 61 and Rios Insua et al 62 show that the framework subsumes AT when $p(\tilde{\mathcal{D}} \mid \mathcal{D})$ is a degenerate distribution. Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $x_i$) but not labels (i.e., $y_i$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance.…”
Section: Protecting ADSs From Adversarial Data (mentioning)
confidence: 99%
“…A more general methodology would be to explicitly model the potential ADS security threats through a comprehensive Bayesian model. Such an approach should be more robust to false negatives; we refer the interested reader to Ríos Insua et al 8 for further detail.…”
mentioning
confidence: 99%