Adversarial mRMR against Evasion Attacks

Title: Adversarial mRMR against Evasion Attacks
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Wu, M., Li, Y.
Conference Name: 2018 International Joint Conference on Neural Networks (IJCNN)
Keywords: adversarial feature selection, adversarial mRMR, adversary attacks, Adversary Models, Classification algorithms, computational complexity, evasion attacks, FAFS, feature extraction, feature selection, feature selection process, filter model, filtering algorithms, Human Behavior, learning (artificial intelligence), machine learning, machine learning algorithms, Metrics, mRMR, novel adversary-aware feature selection algorithm, pattern classification, Perfect Knowledge attack scenarios, popular filter algorithms, pubcrawl, Resiliency, robust feature selection algorithms, Scalability, security, security of data, security sensitive applications, Time complexity, Traditional Wrapped Feature Selection algorithm, Training, TWFS, WAFS, wrapped adversarial feature selection algorithm

Machine learning (ML) algorithms provide a good solution for many security-sensitive applications; however, they themselves face the threat of adversarial attacks. As a key problem in machine learning, how to design feature selection algorithms that are robust against these attacks has become a hot issue. Current research on defending against evasion attacks mainly focuses on the wrapped adversarial feature selection algorithm, i.e., WAFS, which is dependent on the classification algorithm and whose time cost is very high for large-scale data. Since the mRMR (minimum Redundancy and Maximum Relevance) algorithm is one of the most popular filter algorithms for feature selection and does not consider any classifier during the feature selection process, in this paper we propose a novel adversary-aware feature selection algorithm under the filter model based on mRMR, named FAFS. The algorithm, on the one hand, takes into account the correlation between a single feature and a label, and the redundancy between features; on the other hand, when selecting features, it considers not only the generalization ability in the absence of attack, but also the robustness under attack. The performance of four algorithms, i.e., mRMR, TWFS (Traditional Wrapped Feature Selection algorithm), WAFS, and FAFS, is evaluated on spam filtering and PDF malicious detection in the Perfect Knowledge attack scenarios. The experimental results show that FAFS has better performance under evasion attacks with less time complexity, and comparable classification accuracy.

Citation Key: wu_adversarial_2018