| Machine learning and pattern recognition have been applied in many fields. In some of the applications, such as speech recognition, image recognition and so on, all the users don't try to cheat the classifiers. However, in other safety-related applications, such as intrusion detection, spam filtering, some users will trying to evade the detection of classifiers to gain illegal benefits.This paper studies detection evasion methods with minimum cost. Namely, how to make a malicious sample become a normal sample with least changes, and evade the detection of classifiers. It means the adversary attack classifiers with minimum cost. If you know the enemy and know yourself, you need not fear the result of a hundred battles. When we know how the adversary to attack the classifiers, it's beneficial to design a more robust classifier. Meanwhile, in some special cases, attacking classifiers is needed.The detection evasion with minimum cost focuses on how to make a malicious sample become a normal sample with least changes, and evade the detection of classifiers. Namely, the adversary attack classifiers with minimum cost.There are two methods on this problem. One of them, called direct solving method, use the generated samples to probe the attacked classifier, and get a minimum cost detection evasion sample. Another method, called indirect solving method, use classifier reversing learning methods to learn a classifier which is similar to the attacked classifier, and then find the minimum cost evasion sample with probing the learned classifier.The two methods have many restrictions. This paper will develop these methods and break some of the restrictions. The major contributions are as follows.1. This paper presents a method that can generate more points on the surface of the ball. Former direct solving method assume the discriminant space of positive is convex, and the cost function is-norm.In this paper, we extended the cost function to arbitrary convex functions. Our method take the positive sample which we want to change it as the center, and generate samples on the surface of the hyper sphere with different radius. The sphere with less radius is in the positive discriminant space, and the other sphere cross the negative discriminant space. Then find the minimum cost detection evasion sample with binary searching the probe points on the two spherical shells. Our method can find the minimum cost evasion sample with a high probability.2. This paper proposes an attacking method for all the nonlinear classifiers. Former indirect solving method assume the attacked classifier is linear. In this paper we extended the attacked classifier to nonlinear. First, we reverse the attacked classifier with a nonlinear classifier, such as neural network, support vector machine(SVM). Then we use the reversed classifier and interior point penalty function method to solve a minimum cost evasion sample. Though the experiment neural network and SVM reverse the Gaussian mixture model, the neural network can find a better minimum cost detection evasion sample.3. This paper put forward a new method to generate data which is to train the reversing learning model based on neural network and local linear SVM. First, we assume the attacked classifier is unknown, but when we put a sample in it, it will output its label. Then a large number of artificial samples are generated by certain algorithm, and labeled by the ensemble model. A faster and smaller model is built with the generated samples. When one sample is classified by the model, neural network should be used to classify it first. If the output value is larger than the threshold one, classification for this sample is over. If the output value is smaller than the threshold one, the local linear SVM should be used to classify it. Simulation experiment results show that our method have a lower error, compared with the reversing classifier based on neural network. |
PDF Full Text Request