
Researches On Ensemble Learning Against Evasion Attacks

Posted on: 2019-11-09
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Liu
GTID: 2428330551958742
Subject: Computer application technology

Abstract/Summary:
The adaptability and intelligence of machine learning and pattern recognition make them ubiquitous tools in modern applications, and they have been widely applied in security fields such as intrusion detection, virus detection, biometric identity recognition, and spam filtering. However, the advantages of learning systems can also become their vulnerabilities when there are adversarial manipulations during the learning and prediction process. Adversarial learning therefore challenges the security of traditional machine learning. In an evasion attack, a common attack in adversarial learning, the attacker modifies the feature values of malicious samples in the test set to evade detection by the learning system. How to explore weaknesses in the learning system and propose a more secure classification system has therefore become a hot research area. To solve the hidden security problems in machine learning effectively, the related papers have proposed many strategies against evasion attacks. However, these algorithms still have much room for improvement in terms of performance. The fundamental reason lies in the vast research space of adversarial learning. Following the progress of research on attack and defense strategies in adversarial learning, this work is devoted to in-depth exploration and experiments on defense strategies against evasion attacks, as follows:

(1) Exploring in more depth the application of multiple classifiers against evasion attacks, we present the motivation and objective of a novel defensive strategy by comparing two ideas behind current methods. Existing papers focus on discussing whether traditional machine learning methods are suitable for adversarial environments, and verify that multiple classifiers are more robust than a single classifier against evasion attacks. However, prior information about the attacker has a great influence on the robustness of the classifier against evasion attacks. Therefore, to improve robustness while maintaining the accuracy of the multiple classifiers, this paper simulates attacks of different strengths and increases the weights of the misclassified samples during learning. Experiments on UCI data sets show that an ensemble algorithm with attack information during learning is more robust than bagging. Finally, we analyze the convergence of the algorithm and the influence of the parameter on the algorithm.

(2) Based on the prior information about the attackers, we further study the influence of randomness in defensive strategies against evasion attacks. The malicious samples in the training data set are randomly attacked in a certain proportion to increase the differences among the base classifiers, and a balance factor is used to minimize the loss of the base classifiers both with and without attack. The proposed method not only considers the classification performance of the classifier under attack, but also guarantees the generalization ability of the classifier. In a comparison with three existing methods on the UCI data set, the results demonstrate the feasibility and efficiency of this method.

In summary, to design a more robust classifier against evasion attacks, the paper proposes a new defensive strategy and verifies the validity and feasibility of the new methods on UCI data sets. The research results provide new ideas and new methods for defensive strategies against evasion, and have theoretical and practical value in domains such as machine learning and adversarial learning.
Keywords/Search Tags: adversarial learning, evasion attacks, multiple classifier systems, robust classifier, randomization