Multiple Classifier Systems for Adversarial Classification Tasks
Battista Biggio, Giorgio Fumera and Fabio Roli
Dept. of Electrical and Electronic Eng., University of Cagliari

Overview
Adversarial classification
An approach to evaluate the hardness of evasion
Comparison of classifier architectures: single classifier vs MCS
− analytical comparison
− experimental comparison

Traditional pattern recognition problems
[Diagram: physical / logical process; feature measurement; classification]

Adversarial classification problems
[Diagram: physical / logical process (legitimate samples) and adversary (malicious samples); feature measurement; classification]

Adversarial classification: previous works
Not related to concept drift
Analysis of specific vulnerabilities, proposal of specific defence strategies
− Globerson and Roweis, ICML 2000
− Perdisci et al., ICDM 2006
− Jorgensen et al., JMLR 9, 2008
− Wittel and Wu, CEAS 2004
− Lowd and Meek, CEAS 2005
Theoretical frameworks
− Dalvi et al., KDDM 2004
− Lowd and Meek, KDDM 2005

Design of pattern recognition systems
Goal in “traditional” applications: maximise accuracy
[Diagram: data acquisition; feature extraction; model selection; classification]
Goal in adversarial classification tasks: maximise accuracy and hardness of evasion
[Diagram: data acquisition; feature extraction; model selection; classification]

Hardness of evasion
[Diagram: features x1, ..., xn; decision function; "+"; th; ≥ 0: malicious, < 0: legitimate; y ∈ {malicious, legitimate}]
Expected value of the minimum number of features the adversary has to modify to evade the classifier
(worst case: the adversary has full knowledge of the classifier)

Hardness of evasion: an example
[Diagram: x = (1 1 0 1 0), i.e. x1 = 1, x2 = 1, x3 = 0, x4 = 1, x5 = 0; values 0.3, 0.8, 3.0, 1.5, 1.0; "+"; th = 2; ≥ 0: malicious, < 0: legitimate]
Expected value of the minimum number of features the adversary has to modify to evade the classifier

Hardness of evasion: an example
[Diagram: x = (0 1 1 0 0), i.e. x1 = 0, x2 = 1, x3 = 1, x4 = 0, x5 = 0; values 0.3, 0.8, 3.0, 1.5, 1.0; "+"; th = 2; ≥ 0: malicious, < 0: legitimate]
Expected value of the minimum number of features the adversary has to modify to evade the classifier

Comparison of two classifier architectures
[Diagram, single classifier: features x1, x2, ..., xn from X; weights w1, w2, ..., wn; threshold t]
[Diagram, MCS: classifiers with thresholds t1, t2, ..., tN on feature subsets X1, X2, ..., XN; outputs combined by OR]
X1 ∪ X2 ∪ ... ∪ XN = X
Xi ∩ Xj = ∅, i ≠ j
xi ∈ {0,1}
x1, x2, ..., xn i.i.d., identical weights
t1 = t2 = ... = tn, |Xi| = n/N
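
The hardness-of-evasion measure defined above, computed for a single linear classifier and for a logical OR of linear classifiers on disjoint feature subsets; this is an added example, not code from the slides or their authors. Assumptions: the five values on the example slide are read as the weights of x1..x5 in order, the adversary may flip any feature, and the two-member split with thresholds of 1.0 (reusing the same weights) is constructed for illustration.

```python
# Added example (not from the slides): hardness of evasion for a linear
# classifier over binary features and for an OR of such classifiers (MCS).

def min_flips(w, th, x):
    """Fewest binary features to flip so that sum(w_i * x_i) < th (None if impossible)."""
    score = sum(wi * xi for wi, xi in zip(w, x))
    # Score drop from flipping each feature: 1->0 removes w_i, 0->1 adds w_i.
    drops = sorted((wi if xi else -wi for wi, xi in zip(w, x)), reverse=True)
    flips = 0
    for d in drops:  # taking the largest drops first gives the minimum count
        if score < th:
            break
        if d <= 0:
            return None
        score -= d
        flips += 1
    return flips if score < th else None

def min_flips_or(members, x):
    """OR ensemble on disjoint subsets: every member that fires must be evaded."""
    total = 0
    for idx, w, th in members:
        k = min_flips(w, th, [x[i] for i in idx])
        if k is None:
            return None
        total += k
    return total

def hardness(cost_fn, malicious_samples):
    """Mean minimum number of modified features over the given malicious samples."""
    costs = [cost_fn(x) for x in malicious_samples]
    if any(c is None for c in costs):
        raise ValueError("a sample cannot be moved below the threshold")
    return sum(costs) / len(costs)

# Assumption: the five values on the example slide are the weights of x1..x5.
W, TH = [0.3, 0.8, 3.0, 1.5, 1.0], 2.0
SAMPLES = [(1, 1, 0, 1, 0), (0, 1, 1, 0, 0)]  # the two x vectors on the slides
# Constructed MCS: split {x1,x2,x3} / {x4,x5}, same weights, thresholds of 1.0.
MCS = [((0, 1, 2), W[0:3], 1.0), ((3, 4), W[3:5], 1.0)]

def compare():
    single = hardness(lambda x: min_flips(W, TH, x), SAMPLES)
    mcs = hardness(lambda x: min_flips_or(MCS, x), SAMPLES)
    return single, mcs

if __name__ == "__main__":
    print("single classifier: %.2f, MCS (OR of 2): %.2f" % compare())
```

The constructed thresholds ignore the false-positive constraint used in the experiments (FP ≤ 1%); on real data each member's threshold has to be set at that working point before the two architectures are compared.
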

Comparison of two classifier architectures
p1A = 0.25, p1L = 0.15
Details are in the paper

Comparison of two classifier architectures
ROC working point: min (C×FP + FN)
C = 1, 2, 10, 100
[Plots: one panel each for C = 1, C = 2, C = 10, C = 100]

Experimental set-up
SpamAssassin filter (open source)
− linear classifier: weighted sum of about N = 900 binary-valued (0/-1 or 0/1) features (tests)
TREC 2007 e-mail data set
− 25,220 legitimate, 50,199 spam (April-July 2007)
Classifier architectures
− linear classifier: standard SpamAssassin (linear SVM for weight computation)
− MCS: logical OR of N linear SVM classifiers (N = 3, 10) trained on disjoint feature subsets (identical size, random subdivision)
− working point: minimize FN, FP ≤ 1%

Experimental results
[Figure: experimental results; no text survives]

Conclusions
Adversarial classification tasks: accuracy and hardness of evasion
An approach for evaluating the hardness of evasion of decision functions
Multiple Classifier Systems: potentially useful to improve the hardness of evasion