Domain invariant feature extraction against evasion attack

ORIGINAL ARTICLE

Domain invariant feature extraction against evasion attack

Zeinab Khorshidpour1 · Jafar Tahmoresnezhad1 · Sattar Hashemi1 · Ali Hamzeh1

Received: 18 May 2016 / Accepted: 4 May 2017 © Springer-Verlag Berlin Heidelberg 2017

Abstract  In security applications, an attacker may violate the data stationarity assumption that underlies most machine learning techniques. This problem, known as the domain shift problem, arises when training (source) and test (target) data follow different distributions. The inherently adversarial nature of security applications considerably affects the robustness of a learning system. A classifier designer therefore needs to evaluate the robustness of a learning system against potential attacks during the design phase. Previous studies investigated the effect of a reduced feature vector on the security evaluation of a learning classifier and demonstrated that traditional feature selection techniques can lead to even worse performance under attack; an adversary-aware feature selection algorithm was consequently proposed to improve the robustness of learning systems. However, prior work on domain adaptation techniques, which are fundamental to addressing the domain shift problem, shows that the original feature space may not be directly suitable for reducing this distribution mismatch, because some features may have been distorted by the domain shift. In this paper, we propose a domain invariant feature extraction model based on a domain adaptation technique in order to address the domain shift problem caused by an adversary. We conduct an experiment that graphically shows the effect of a successful attack on the MNIST handwritten digit classification task. We then design synthetic datasets to investigate the effect of a reduced feature vector on the performance of a learning system under attack. Moreover, our proposed feature extraction model significantly outperforms the adversary-aware feature selection and traditional feature selection models on the application of spam filtering.

Keywords  Adversarial environment · Evasion attack · Domain shift · Domain adaptation · Spam filtering

* Sattar Hashemi
  [email protected]

  Zeinab Khorshidpour
  [email protected]

  Jafar Tahmoresnezhad
  [email protected]

  Ali Hamzeh
  [email protected]

1  Department of Computer Science Engineering and Information Technology, School of Electrical and Computer Engineering, Shiraz University, Shiraz, Iran

1 Introduction

Data stationarity is a common assumption in most machine learning techniques. According to this assumption, the training (source) data on which the model is developed and the test (target) examples to which the model is applied have the same distribution. However, in real-world applications of machine learning, source and target data may follow different distributions. This problem is known as the domain shift problem. For example, learning in a temporal domain, where the distribution of features may change over time, violates this assumption. In spam filtering, a deploy