Perspectives on Adversarial Classification

Abstract: Adversarial classification (AC) is a major subfield within the increasingly important domain of adversarial machine learning (AML). So far, most approaches to AC have followed a classical game-theoretic framework. This requires unrealistic common knowledge conditions untenable in the security settings typical of the AML realm. After reviewing such approaches, we present alternative perspectives on AC based on adversarial risk analysis.

“…A continuum of models can therefore be constructed by varying assumptions about this quantity. Rios Insua et al 61 and Rios Insua et al 62 show that the framework subsumes AT when is a degenerate distribution. Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $$$ {x}_i $$$) but not labels (i.e., $$$ {y}_i $$$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance.…”

“…Moreover, since differing ML algorithms require varying degrees of computational effort, this threshold is likely to be context-dependent, implying that each ML algorithm may require its own bespoke analysis. ¶ ¶ Larger attack intensities imply more powerful attacks; for more information see Rios Insua et al 62…”

“…Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $$$ {x}_i $$$) but not labels (i.e., $$$ {y}_i $$$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance. Alternatively, Rios Insua et al 61 and Rios Insua et al 62 more fully explore the flexibility of the BAL framework by leveraging ARA to develop . This pairing further generalizes the BAL framework by allowing a wide array of (even deterministic) attacks to be formally encoded as the attacker's model.…”

Some statistical challenges in automated driving systems

“…A continuum of models can therefore be constructed by varying assumptions about this quantity. Rios Insua et al 61 and Rios Insua et al 62 show that the framework subsumes AT when is a degenerate distribution. Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $$$ {x}_i $$$) but not labels (i.e., $$$ {y}_i $$$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance.…”

“…Moreover, since differing ML algorithms require varying degrees of computational effort, this threshold is likely to be context-dependent, implying that each ML algorithm may require its own bespoke analysis. ¶ ¶ Larger attack intensities imply more powerful attacks; for more information see Rios Insua et al 62…”

“…Ye and Zhu 60 provide another simple model wherein (1) the attacker may only perturb features (i.e., $$$ {x}_i $$$) but not labels (i.e., $$$ {y}_i $$$), and (2) the probability of an attack is a function of the attacker's risk‐reward balance. Alternatively, Rios Insua et al 61 and Rios Insua et al 62 more fully explore the flexibility of the BAL framework by leveraging ARA to develop . This pairing further generalizes the BAL framework by allowing a wide array of (even deterministic) attacks to be formally encoded as the attacker's model.…”

Some statistical challenges in automated driving systems

Adversarial Defense Mechanisms for Supervised Learning

Adversarial Machine Learning: Bayesian Perspectives