Adversarial training with restricted data manipulation

Adversarial machine learning concerns situations in which learners face attacks from active adversaries. Such scenarios arise in applications such as spam email filtering, malware detection and fake image generation, where security methods must be actively updated to keep up with the everimproving generation of malicious data. Pessimistic Bilevel optimisation has been shown to be an effective method of training resilient classifiers against such adversaries. By modelling these scenarios as a game between the learner and the adversary, we anticipate how the adversary will modify their data and then train a resilient classifier accordingly. However, since existing pessimistic bilevel approaches feature an unrestricted adversary, the model is vulnerable to becoming overly pessimistic and unrealistic. When finding the optimal solution that defeats the classifier, it is possible that the adversary's data becomes nonsensical and loses its intended nature. Such an adversary will not properly reflect reality, and consequently, will lead to poor classifier performance when implemented on real-world data. By constructing a constrained pessimistic bilevel optimisation model, we restrict the adversary's movements and identify a solution that better reflects reality. We demonstrate through experiments that this model performs, on average, better than the existing approach.

Key Contributions

• Constrained pessimistic bilevel optimization model that restricts the adversary's data manipulation to remain realistic and semantically meaningful
• Game-theoretic formulation of adversarial ML that avoids overly pessimistic solutions produced by unrestricted bilevel approaches
• Empirical demonstration that the constrained model outperforms the unrestricted baseline on average across text-based and image-based tasks

🛡️ Threat Analysis

Details

Similar Papers