Multiple Classifier Systems for Adversarial Classification Tasks

Pattern classification systems are currently used in security applications such as intrusion detection in computer networks, spam filtering, and biometric identity recognition. These are adversarial classification problems, since the classifier faces an intelligent adversary who adaptively modifies patterns (e.g., spam e-mails) to evade it. In these tasks the goal of a classifier is to attain both high classification accuracy and high hardness of evasion, but this issue has not yet been deeply investigated in the literature. We address it from the viewpoint of the choice of the architecture of a multiple classifier system. We propose a measure of the hardness of evasion of a classifier architecture, and give an analytical evaluation and comparison of an individual classifier architecture and a classifier ensemble architecture. We finally report an experimental evaluation on a spam filtering task.

  1. Multiple Classifier Systems for Adversarial Classification Tasks. Battista Biggio, Giorgio Fumera and Fabio Roli, Dept. of Electrical and Electronic Eng., University of Cagliari
  2. Overview
     • Adversarial classification
     • An approach to evaluate the hardness of evasion
     • Comparison of classifier architectures, single classifier vs. MCS: analytical comparison; experimental comparison
  3. Traditional pattern recognition problems. [Diagram: physical/logical process → feature measurement → classification]
  4. Adversarial classification problems. [Diagram: the physical/logical process produces legitimate samples and the adversary produces malicious samples; both feed feature measurement and classification]
  5. Adversarial classification: previous works
     • Not related to concept drift
     • Analyses of specific vulnerabilities and proposals of specific defence strategies: Globerson and Roweis, ICML 2006; Perdisci et al., ICDM 2006; Jorgensen et al., JMLR 9, 2008; Wittel and Wu, CEAS 2004; Lowd and Meek, CEAS 2005
     • Theoretical frameworks: Dalvi et al., KDD 2004; Lowd and Meek, KDD 2005
  6. Design of pattern recognition systems. [Diagram: data acquisition → feature extraction → model selection → classification] Goal in “traditional” applications: maximise accuracy
  7. Design of pattern recognition systems. [Diagram: the same pipeline repeated for both settings] Goal in “traditional” applications: maximise accuracy; goal in adversarial classification tasks: maximise accuracy and hardness of evasion
  8. Hardness of evasion. [Diagram: features x1, …, xn feed a decision function with threshold th; output ≥ 0 → malicious, output < 0 → legitimate; y ∈ {malicious, legitimate}]
  9. Hardness of evasion: the expected value of the minimum number of features the adversary has to modify to evade the classifier (worst case: the adversary has full knowledge of the classifier). [Same decision-function diagram as the previous slide]
  10. Hardness of evasion: an example. Linear decision function over binary features with weights (0.3, 0.8, 3.0, 1.5, 1.0) and threshold th = 2. For x = (1 1 0 1 0) the score is 0.3 + 0.8 + 1.5 = 2.6 ≥ 2, so x is labelled malicious; a single flip (e.g. x4, weight 1.5) brings the score to 1.1 < 2, so one feature modification suffices. (A sketch of this computation appears after the transcript.)
  11. Hardness of evasion: an example (continued). For x = (0 1 1 0 0), with the same weights and threshold, the score is 0.8 + 3.0 = 3.8 ≥ 2, again malicious; here flipping x3 (weight 3.0) brings the score to 0.8 < 2, so one modification suffices again.
  12. Comparison of two classifier architectures. [Diagram: a single linear classifier over the whole feature set X, with binary features x1, …, xn (xi ∈ {0,1}), weights w1, …, wn and threshold t]
  13. Comparison of two classifier architectures (continued). [Diagram: an MCS of N linear classifiers with thresholds t1, …, tN, each operating on its own feature subset Xi; the N decisions are combined by a logical OR. The subsets partition the feature set: X1 ∪ X2 ∪ … ∪ XN = X, Xi ∩ Xj = ∅ for i ≠ j]
  14. Comparison of two classifier architectures (continued). Same MCS diagram, with the analytical assumptions: x1, x2, …, xn i.i.d.; identical weights; t1 = t2 = … = tN; |Xi| = n/N. (A sketch comparing the evasion hardness of the two architectures appears after the transcript.)
  15. Comparison of two classifier architectures. [Plots of the analytical comparison for p1A = 0.25 and p1L = 0.15; details are in the paper]
  16. Comparison of two classifier architectures. ROC working point: the threshold minimising C × FP + FN, for C = 1, 2, 10, 100. [One plot per value of C] (A threshold-selection sketch appears after the transcript.)
  17. Experimental set-up
     • SpamAssassin filter (open source): a linear classifier computing a weighted sum of about N = 900 binary-valued (0/−1 or 0/1) features (tests)
     • TREC 2007 e-mail data set: 25,220 legitimate and 50,199 spam messages (April-July 2007)
     • Classifier architectures: the linear classifier (standard SpamAssassin, with a linear SVM for weight computation) and the MCS (logical OR of N linear SVM classifiers, N = 3, 10, trained on disjoint feature subsets of identical size obtained by random subdivision; a training sketch appears after the transcript)
     • Working point: minimise FN subject to FP ≤ 1%
  18. Experimental results
  19. Conclusions
     • Adversarial classification tasks: accuracy and hardness of evasion are both design goals
     • An approach for evaluating the hardness of evasion of decision functions
     • Multiple classifier systems: potentially useful to improve the hardness of evasion
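
The sketches below are not from the paper; they are minimal Python illustrations of the ideas in the slides, with helper names, weights and thresholds of our own choosing. This first one computes the per-pattern quantity behind the hardness-of-evasion measure of slides 8-11: the minimum number of binary-feature flips an adversary needs to push a linear classifier's score below its threshold (the measure itself is the expected value of this number over malicious patterns).

```python
import numpy as np

def min_flips_to_evade(x, w, th):
    """Minimum number of binary-feature flips so that the score drops below th.

    x  : 0/1 feature vector currently presented to the classifier
    w  : feature weights
    th : decision threshold (score >= th means 'malicious')
    """
    score = float(np.dot(w, x))
    if score < th:
        return 0                              # already classified as legitimate
    # Flipping xi = 1 -> 0 removes wi from the score; flipping xi = 0 -> 1
    # adds wi. Flips act independently, so taking the largest score
    # reductions first (greedy) yields the minimum number of flips.
    reductions = np.sort(np.where(x == 1, w, -w))[::-1]
    flips = 0
    for r in reductions:
        if score < th:
            break
        if r <= 0:                            # no remaining flip lowers the score
            return None                       # evasion by flipping is impossible
        score -= r
        flips += 1
    return flips if score < th else None

# Worked example from slides 10-11: w = (0.3, 0.8, 3.0, 1.5, 1.0), th = 2
w = np.array([0.3, 0.8, 3.0, 1.5, 1.0])
print(min_flips_to_evade(np.array([1, 1, 0, 1, 0]), w, 2.0))  # 1 (e.g. flip x4)
print(min_flips_to_evade(np.array([0, 1, 1, 0, 0]), w, 2.0))  # 1 (flip x3)
```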
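
Slides 12-14 compare a single linear classifier with a logical-OR ensemble built on disjoint feature subsets. Since the OR outputs "malicious" as soon as one member does, the adversary has to evade every member that fires, and with disjoint subsets the per-member evasion problems decouple into independent subproblems. The sketch below makes that additivity concrete; it reuses min_flips_to_evade from the previous sketch, and all thresholds here are illustrative, not the paper's working points.

```python
import numpy as np
# min_flips_to_evade is the function defined in the previous sketch.

def ensemble_min_flips(x, w, member_ths, subsets):
    """Minimum flips to evade a logical-OR fusion of linear classifiers.

    The OR outputs 'malicious' if any member's score reaches its threshold,
    so the adversary must drive every firing member below threshold. With
    disjoint feature subsets the per-member problems are independent, hence
    the total cost is the sum of the per-member minima.
    """
    total = 0
    for th_i, idx in zip(member_ths, subsets):
        flips = min_flips_to_evade(x[idx], w[idx], th_i)
        if flips is None:
            return None                  # some member cannot be evaded at all
        total += flips                   # members already below threshold add 0
    return total

# Toy run under the slide's assumptions (identical weights, equal-size subsets)
n, N = 6, 3
w = np.ones(n)
x = np.ones(n, dtype=int)                            # malicious pattern, all features set
subsets = np.array_split(np.random.default_rng(0).permutation(n), N)
print(min_flips_to_evade(x, w, 4.0))                 # single classifier: 3 flips
print(ensemble_min_flips(x, w, [0.5] * N, subsets))  # OR ensemble: 2 flips per member = 6
```

In this toy run the ensemble needs six flips where the single classifier needs three; the numbers only illustrate the additivity argument, while the paper's analytical comparison is taken in expectation over patterns at matched working points.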
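
Slide 16 selects the ROC working point by minimising C × FP + FN for several cost values C. A straightforward way to do this on a validation set is to sweep every distinct classifier score as a candidate threshold; the sketch below does exactly that, assuming FP and FN denote rates (the function name and toy data are ours).

```python
import numpy as np

def pick_threshold(scores, labels, C):
    """Return the score threshold minimising C * FP + FN (as rates).

    scores : classifier scores (higher = more likely malicious)
    labels : 1 for malicious, 0 for legitimate
    """
    pos = labels == 1
    neg = labels == 0
    best_th, best_cost = None, np.inf
    # Each distinct score is a candidate threshold, i.e. one ROC point.
    for th in np.unique(scores):
        pred = scores >= th
        fp = np.mean(pred[neg])          # false-positive rate on legitimate samples
        fn = np.mean(~pred[pos])         # false-negative rate on malicious samples
        cost = C * fp + fn
        if cost < best_cost:
            best_th, best_cost = th, cost
    return best_th

# Toy usage with synthetic scores correlated with the label
rng = np.random.default_rng(0)
labels = rng.integers(0, 2, 1000)
scores = rng.normal(loc=labels.astype(float))
print(pick_threshold(scores, labels, C=10))
```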
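
Slide 17's MCS is a logical OR of N linear SVMs trained on disjoint, equal-size, randomly chosen feature subsets. A rough reconstruction of that training and fusion step follows; it is not the authors' code: scikit-learn's LinearSVC stands in for the SVM used for weight computation, and X, y are assumed to be a binary feature matrix and 0/1 spam labels.

```python
import numpy as np
from sklearn.svm import LinearSVC

def train_or_ensemble(X, y, n_members, seed=0):
    """Train n_members linear SVMs on disjoint, equal-size, random feature subsets."""
    rng = np.random.default_rng(seed)
    subsets = np.array_split(rng.permutation(X.shape[1]), n_members)
    members = [LinearSVC().fit(X[:, idx], y) for idx in subsets]
    return members, subsets

def predict_or(members, subsets, X):
    """OR fusion: a message is flagged as spam if ANY member flags it."""
    votes = np.vstack([clf.predict(X[:, idx]) for clf, idx in zip(members, subsets)])
    return np.any(votes == 1, axis=0).astype(int)
```

With n_members = 3 or 10 this mirrors the configurations in the experiments; the per-member decision thresholds would then be adjusted on validation data to reach the FP ≤ 1% working point.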
