
Related Work and Notation

In this section, we first recall the related work, and then discuss the taxonomy of attacks that is closest to our study.

7.2.1 Adversarial machine learning

Many works have investigated the vulnerabilities of machine learning algorithms in security-related applications. The goal is not only to point out unknown vulnerabilities but also to evaluate security against known attacks. Among these classifiers, the Support Vector Machine (SVM) algorithm has drawn increasing attention in the security community, because its influence function can be bounded under certain attacks [252]. In 2011, Biggio et al. [253] investigated the robustness of SVMs in a scenario where the adversary controls some of the training data and aims to degrade classification performance. The problem is that in some ad-hoc heuristic applications, an a priori agreement on the potential degree of label contamination is hard to select. Later, Biggio et al. proposed a poisoning attack strategy against the SVM classifier [246]. The proposed attack aims to find an extra sample whose addition to the original training data decreases the SVM's classification accuracy. Its first disadvantage is that it is hard to choose the best subset of points to use as the starting point for the attack. Another is that the assumption that an attacker can control the labels of the injected points usually cannot hold, because labels are often assigned by an oracle. Further, Mei and Zhu investigated the problem between machine learning and security and presented a training-set-based attack. Different from [246], the attacker in [239] is mathematically illuminating and also relevant in practice, in that the attacker is only allowed to change the features. The drawback is that the attacker should keep a specific target weight vector in mind before the attack. However, as the optimization process is based on a weight-based risk function, it is usually hard to assign a proper weight vector for the risk function. In addition, adversarial label-noise attacks against SVMs have been evaluated in [244], where an attacker is assumed to maximize the SVM's classification error by flipping the labels of some samples within the training data. The shortcoming is that once an attacker has limited knowledge about the system, such as an unknown training dataset, the resulting error may be inconsiderable from a practical point of view.

Although the above strategies have been proposed against SVM classifiers, none of them has studied the attack strategy specifically from the support vectors' perspective. To be specific, for the data-point attack [246], the training-set attack, and even the label-noise attack, the best subset of the training data usually needs to be identified in order to conduct an effective attack, which is very time-consuming. Therefore, evading the classifier by working particularly on the support vectors is a promising idea. Moreover, even though frameworks have been proposed for the study of classifiers under attack [33], a detailed foundational attack strategy for SVMs has not been mathematically illuminated. Hence, we believe it very necessary to study the problem firmly from its original optimization equation,

$$\min\left(\frac{1}{2}\|w\| + C\sum_i \varepsilon_i\right).$$

This chapter aims to minimize the margin of the SVM algorithm as well as maximize its hinge loss (maximizing $\frac{1}{2}\|w\| + C\sum_i \varepsilon_i$) to the largest extent by adding foreign items to poison the support vectors.

7.2.2 Notation

A series of works [33, 237, 247, 254, 255] have defined a taxonomy of potential attacks against pattern classifiers. It categorizes attacks along three axes: the influence of the attack, the kind of security violation, and the specificity of the attack. To be more specific, the influence of an attack is either causative or exploratory. A causative or poisoning attack influences either the training data or both the training and test data in order to mislead subsequent classification of test samples, while an exploratory attack only manipulates the test data directly in order to cause misclassification. The kinds of security violation include integrity, availability and privacy: an integrity violation is only interested in intrusion points being classified as legitimate; an availability violation aims to degrade the generalization of the classifier, causing high classification error including both false negatives and false positives; and a privacy violation means the adversary aims to retrieve confidential information from the system. The specificity of an attack ranges from targeted to indiscriminate, depending on whether the attack is interested in changing the classifier's decision on a single sample or on a targeted set of samples.

Accordingly, the evasion attack strategy proposed in this chapter belongs to the causative availability attacks, in which foreign support vectors are created and added based on the original support vectors. Moreover, we assume the attackers are able to probe the learning algorithm and draw data from the underlying distribution of the training data as well. Further, we assume the attackers know the training data used to train the classification models. It is worth noting that even though this is a strong assumption, in the worst case an attacker can use a surrogate training set drawn from the same distribution [256].

The presented attack strategy is based on the properties of the optimal solution of the SVM supervised learning problem, which was first studied by Cauwenberghs and Poggio [257]. The solution of the incremental learning method demonstrated in [257] depends on the parameters of the respective quadratic programming problem as well as on the geometry of the data points. In this case, an adversary can attack the SVM classification learning process by poisoning the training data. We found that it is effective to make use of support vectors to find such poisoning data points while retaining the optimal solution of the SVM training problem. Our proposed algorithm differs from [246]. That method only focuses on maximizing the hinge loss, $C\sum_i \varepsilon_i$, using a gradient ascent technique. However, the weights are also considered in our study, which means we focus on the soft-margin classifier and aim to maximize $\frac{1}{2}\|w\| + C\sum_i \varepsilon_i$. Secondly, our method does not require flipping labels, which removes the assumption that attackers can control the labels. This is more reasonable from a practical point of view, because the labelling process is usually completed by trusted sources such as humans. Lastly, the attack strategy proposed in our study focuses on the support vectors rather than on arbitrary points from the training dataset. In this respect, we solve the problem of choosing the best subset of points to use as the starting point for launching an attack. All in all, we provide a novel and effective way of conducting data-driven attacks, and such attacks must be considered in the design of classification algorithms from a security point of view.
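To make the objective discussed in this section and in 7.2.1 concrete, the following is an added example (not code from the thesis) that trains a small linear soft-margin SVM in pure Python, evaluates the standard primal objective (1/2)||w||^2 + C * sum(eps_i) and the slack variables, and measures how one constructed foreign point, labelled +1 but placed on the -1 side, becomes a support vector and raises the objective after retraining. The training set, the value of C and the subgradient solver are all assumptions of this example.

```python
"""Soft-margin SVM primal objective (1/2)||w||^2 + C * sum(eps_i), slack and
support-vector identification, in pure Python (no external libraries)."""

C = 1.0  # slack penalty C; assumed value, not taken from the page

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def train_linear_svm(X, y, C=C, epochs=3000, lr=0.01):
    """Full-batch subgradient descent on the primal objective with a 1/t step
    decay. Assumption: a small approximate solver is adequate for this demo."""
    w, b = [0.0] * len(X[0]), 0.0
    for epoch in range(epochs):
        step = lr / (1.0 + epoch / 100.0)
        grad_w, grad_b = list(w), 0.0            # gradient of (1/2)||w||^2 is w
        for x, t in zip(X, y):
            if t * (dot(w, x) + b) < 1.0:        # point inside the margin: eps_i > 0
                grad_w = [g - C * t * xi for g, xi in zip(grad_w, x)]
                grad_b -= C * t
        w = [wi - step * g for wi, g in zip(w, grad_w)]
        b -= step * grad_b
    return w, b

def slacks(X, y, w, b):
    """eps_i = max(0, 1 - y_i (w.x_i + b)), the slack variables of the page."""
    return [max(0.0, 1.0 - t * (dot(w, x) + b)) for x, t in zip(X, y)]

def objective(X, y, w, b, C=C):
    """The quantity the poisoning attack drives up: (1/2)||w||^2 + C * sum(eps_i)."""
    return 0.5 * dot(w, w) + C * sum(slacks(X, y, w, b))

def support_vectors(X, y, w, b, tol=0.05):
    """Indices with y_i (w.x_i + b) <= 1; tol absorbs the solver's approximation."""
    return [i for i, (x, t) in enumerate(zip(X, y)) if t * (dot(w, x) + b) <= 1.0 + tol]

# Constructed, linearly separable training set (not data from the page)
X_CLEAN = [[2.0, 2.0], [2.5, 1.5], [3.0, 2.5], [1.5, 3.0],
           [-2.0, -2.0], [-2.5, -1.5], [-3.0, -2.5], [-1.5, -3.0]]
Y_CLEAN = [1, 1, 1, 1, -1, -1, -1, -1]
# One constructed foreign point: labelled +1 but placed on the -1 side
POISON_X, POISON_Y = [-1.0, -1.0], 1

def compare():
    """Retrain with and without the foreign point; report how the objective
    moves and whether the added point itself became a support vector."""
    w0, b0 = train_linear_svm(X_CLEAN, Y_CLEAN)
    Xp, yp = X_CLEAN + [POISON_X], Y_CLEAN + [POISON_Y]
    w1, b1 = train_linear_svm(Xp, yp)
    return {"clean_objective": objective(X_CLEAN, Y_CLEAN, w0, b0),
            "poisoned_objective": objective(Xp, yp, w1, b1),
            "poison_is_support_vector": len(Xp) - 1 in support_vectors(Xp, yp, w1, b1)}

if __name__ == "__main__":
    print(compare())
```

Tracking the objective and the support-vector set across retraining runs in this way gives a defender a simple signal that a newly added training point is pulling the margin rather than sitting harmlessly outside it.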
