On Sparse Feature Attacks in Adversarial Learning

Fei Wang, Wei Liu, Sanjay Chawla

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

17 Citations (Scopus)

Abstract

Adversarial learning is the study of machine learning techniques deployed in non-benign environments. Example applications include classifications for detecting spam email, network intrusion detection and credit card scoring. In fact as the gamut of application domains of machine learning grows, the possibility and opportunity for adversarial behavior will only increase. Till now, the standard assumption about modeling adversarial behavior has been to empower an adversary to change all features of the classifier at will. The adversary pays a cost proportional to the size of 'attack'. We refer to this form of adversarial behavior as a dense feature attack. However, the aim of an adversary is not just to subvert a classifier but carry out data transformation in a way such that spam continues to appear like spam to the user as much as possible. We demonstrate that an adversary achieves this objective by carrying out a sparse feature attack. We design an algorithm to show how a classifier should be designed to be robust against sparse adversarial attacks. Our main insight is that sparse feature attacks are best defended by designing classifiers which use l1 regularizers.
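The contrast the abstract draws, as an added example that is not the paper's code: a hypothetical bag-of-words linear spam classifier (the weights, bias and sample message are constructed here) is attacked first sparsely, by flipping the fewest token-presence features needed to push the score below the threshold, and then densely, by the minimum-l2 perturbation, which touches every weighted feature. The defender-side result (the l1 regularizer) is the paper's contribution and is not reproduced here.

```python
"""Sparse vs. dense feature attacks on a linear spam classifier.

Constructed illustration, not code from the paper. The classifier weights,
bias and sample message are invented for the example.
"""

# Hypothetical bag-of-words linear classifier. Positive weights push a
# message toward "spam"; score = sum(w[t] * x[t]) + BIAS, spam if score > 0.
WEIGHTS = {
    "free": 2.0, "winner": 1.8, "click": 1.5, "offer": 1.2, "urgent": 1.0,
    "meeting": -1.4, "invoice": -1.1, "regards": -0.9, "thanks": -0.6,
}
BIAS = -1.0

# Constructed spam message as binary token-presence features.
SAMPLE_SPAM = {"free": 1, "winner": 1, "click": 1, "thanks": 1}


def score(x, w=WEIGHTS, b=BIAS):
    return sum(w.get(t, 0.0) * v for t, v in x.items()) + b


def is_spam(x, w=WEIGHTS, b=BIAS):
    return score(x, w, b) > 0


def sparse_attack(x, w=WEIGHTS, b=BIAS):
    """Sparse attack: flip the fewest binary features needed to cross the
    boundary. Each flip lowers the score by a fixed amount (|w| of a removed
    spammy token or of an added benign token), so taking the largest
    reductions first minimises the number of changed features. Returns the
    modified message and the list of (token, old, new) flips; if the
    candidates run out the attack failed and the caller should check is_spam().
    """
    x = dict(x)
    cands = []
    for t, wt in w.items():
        present = x.get(t, 0) == 1
        if present and wt > 0:
            cands.append((wt, t, 0))       # drop a spam-indicating token
        elif not present and wt < 0:
            cands.append((-wt, t, 1))      # insert a benign-looking token
    cands.sort(reverse=True)
    changes = []
    s = score(x, w, b)
    for gain, t, new in cands:
        if s <= 0:
            break
        changes.append((t, x.get(t, 0), new))
        x[t] = new
        s -= gain
    return x, changes


def dense_attack(x, w=WEIGHTS, b=BIAS, margin=1e-6):
    """Dense attack: the minimum-l2 perturbation that crosses the boundary,
    i.e. move x along -w by just enough. Every feature with a nonzero weight
    is touched, and binary token features become fractional."""
    s = score(x, w, b)
    if s <= 0:
        return dict(x), {}
    norm_sq = sum(wt * wt for wt in w.values())
    step = (s + margin) / norm_sq
    delta = {t: -step * wt for t, wt in w.items()}
    feats = set(x) | set(w)
    x2 = {t: x.get(t, 0.0) + delta.get(t, 0.0) for t in feats}
    return x2, delta


def compare(x):
    """Run both attacks on one message and report how many features each
    had to modify and whether each evaded the classifier."""
    xs, changes = sparse_attack(x)
    xd, delta = dense_attack(x)
    return {
        "sparse_changed": len(changes),
        "sparse_evades": not is_spam(xs),
        "dense_changed": sum(1 for d in delta.values() if d != 0.0),
        "dense_evades": not is_spam(xd),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_SPAM))
```

With the constructed weights the sparse attack flips two tokens ("free" and "winner") and leaves the rest of the message, including the remaining spam token "click", untouched, whereas the dense attack perturbs all nine weighted features into fractional values. That is the sense in which the abstract calls the dense model unrealistic for an adversary who wants the spam to still read as spam.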

Original language: English
Title of host publication: Proceedings - IEEE International Conference on Data Mining, ICDM
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1013-1018
Number of pages: 6
Volume: 2015-January
Edition: January
DOIs: 10.1109/ICDM.2014.117
Publication status: Published - 26 Jan 2015
Externally published: Yes
Event: 14th IEEE International Conference on Data Mining, ICDM 2014 - Shenzhen, China
Duration: 14 Dec 2014 → 17 Dec 2014

Other

Other: 14th IEEE International Conference on Data Mining, ICDM 2014
Country: China
City: Shenzhen
Period: 14/12/14 → 17/12/14

Fingerprint

Classifiers
Learning systems
Electronic mail
Intrusion detection
Costs

Keywords

  • Adversarial learning
  • l1 regularizer
  • Sparse modelling

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Wang, F., Liu, W., & Chawla, S. (2015). On Sparse Feature Attacks in Adversarial Learning. In Proceedings - IEEE International Conference on Data Mining, ICDM (January ed., Vol. 2015-January, pp. 1013-1018). [7023439] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICDM.2014.117

On Sparse Feature Attacks in Adversarial Learning. / Wang, Fei; Liu, Wei; Chawla, Sanjay.

Proceedings - IEEE International Conference on Data Mining, ICDM. Vol. 2015-January January. ed. Institute of Electrical and Electronics Engineers Inc., 2015. p. 1013-1018 7023439.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Wang, F, Liu, W & Chawla, S 2015, On Sparse Feature Attacks in Adversarial Learning. in Proceedings - IEEE International Conference on Data Mining, ICDM. January edn, vol. 2015-January, 7023439, Institute of Electrical and Electronics Engineers Inc., pp. 1013-1018, 14th IEEE International Conference on Data Mining, ICDM 2014, Shenzhen, China, 14/12/14. https://doi.org/10.1109/ICDM.2014.117
Wang F, Liu W, Chawla S. On Sparse Feature Attacks in Adversarial Learning. In Proceedings - IEEE International Conference on Data Mining, ICDM. January ed. Vol. 2015-January. Institute of Electrical and Electronics Engineers Inc. 2015. p. 1013-1018. 7023439 https://doi.org/10.1109/ICDM.2014.117
Wang, Fei ; Liu, Wei ; Chawla, Sanjay. / On Sparse Feature Attacks in Adversarial Learning. Proceedings - IEEE International Conference on Data Mining, ICDM. Vol. 2015-January January. ed. Institute of Electrical and Electronics Engineers Inc., 2015. pp. 1013-1018
@inproceedings{49dd6d1e8f004acf9b604eb942e93780,
title = "On Sparse Feature Attacks in Adversarial Learning",
abstract = "Adversarial learning is the study of machine learning techniques deployed in non-benign environments. Example applications include classifications for detecting spam email, network intrusion detection and credit card scoring. In fact as the gamut of application domains of machine learning grows, the possibility and opportunity for adversarial behavior will only increase. Till now, the standard assumption about modeling adversarial behavior has been to empower an adversary to change all features of the classifier at will. The adversary pays a cost proportional to the size of 'attack'. We refer to this form of adversarial behavior as a dense feature attack. However, the aim of an adversary is not just to subvert a classifier but carry out data transformation in a way such that spam continues to appear like spam to the user as much as possible. We demonstrate that an adversary achieves this objective by carrying out a sparse feature attack. We design an algorithm to show how a classifier should be designed to be robust against sparse adversarial attacks. Our main insight is that sparse feature attacks are best defended by designing classifiers which use l1 regularizers.",
keywords = "Adversarial learning, l1 regularizer, Sparse modelling",
author = "Fei Wang and Wei Liu and Sanjay Chawla",
year = "2015",
month = "1",
day = "26",
doi = "10.1109/ICDM.2014.117",
language = "English",
volume = "2015-January",
pages = "1013--1018",
booktitle = "Proceedings - IEEE International Conference on Data Mining, ICDM",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
edition = "January",

}

TY - GEN

T1 - On Sparse Feature Attacks in Adversarial Learning

AU - Wang, Fei

AU - Liu, Wei

AU - Chawla, Sanjay

PY - 2015/1/26

Y1 - 2015/1/26

N2 - Adversarial learning is the study of machine learning techniques deployed in non-benign environments. Example applications include classifications for detecting spam email, network intrusion detection and credit card scoring. In fact as the gamut of application domains of machine learning grows, the possibility and opportunity for adversarial behavior will only increase. Till now, the standard assumption about modeling adversarial behavior has been to empower an adversary to change all features of the classifier at will. The adversary pays a cost proportional to the size of 'attack'. We refer to this form of adversarial behavior as a dense feature attack. However, the aim of an adversary is not just to subvert a classifier but carry out data transformation in a way such that spam continues to appear like spam to the user as much as possible. We demonstrate that an adversary achieves this objective by carrying out a sparse feature attack. We design an algorithm to show how a classifier should be designed to be robust against sparse adversarial attacks. Our main insight is that sparse feature attacks are best defended by designing classifiers which use l1 regularizers.

AB - Adversarial learning is the study of machine learning techniques deployed in non-benign environments. Example applications include classifications for detecting spam email, network intrusion detection and credit card scoring. In fact as the gamut of application domains of machine learning grows, the possibility and opportunity for adversarial behavior will only increase. Till now, the standard assumption about modeling adversarial behavior has been to empower an adversary to change all features of the classifier at will. The adversary pays a cost proportional to the size of 'attack'. We refer to this form of adversarial behavior as a dense feature attack. However, the aim of an adversary is not just to subvert a classifier but carry out data transformation in a way such that spam continues to appear like spam to the user as much as possible. We demonstrate that an adversary achieves this objective by carrying out a sparse feature attack. We design an algorithm to show how a classifier should be designed to be robust against sparse adversarial attacks. Our main insight is that sparse feature attacks are best defended by designing classifiers which use l1 regularizers.

KW - Adversarial learning

KW - l1 regularizer

KW - Sparse modelling

UR - http://www.scopus.com/inward/record.url?scp=84936942529&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84936942529&partnerID=8YFLogxK

U2 - 10.1109/ICDM.2014.117

DO - 10.1109/ICDM.2014.117

M3 - Conference contribution

VL - 2015-January

SP - 1013

EP - 1018

BT - Proceedings - IEEE International Conference on Data Mining, ICDM

PB - Institute of Electrical and Electronics Engineers Inc.

ER -