A General Retraining Framework for Scalable Adversarial Classification
Bo Li, Yevgeniy Vorobeychik, Xinyun Chen

TL;DR
This paper introduces a general retraining framework that enhances the robustness of any classifier against a wide range of adversarial attacks, demonstrating scalability and effectiveness through extensive experiments.
Contribution
It presents the first systematic, general-purpose retraining method that improves robustness against diverse adversarial models for any learning algorithm.
Findings
Retraining significantly increases robustness to evasion attacks.
The method is nearly as effective as state-of-the-art algorithms.
Retraining maintains high overall accuracy while improving security.
Abstract
Traditional classification algorithms assume that training and test data come from similar distributions. This assumption is violated in adversarial settings, where malicious actors modify instances to evade detection. A number of custom methods have been developed for both adversarial evasion attacks and robust learning. We propose the first systematic and general-purpose retraining framework which can: a) boost robustness of an arbitrary learning algorithm, in the face of b) a broader class of adversarial models than any prior methods. We show that, under natural conditions, the retraining framework minimizes an upper bound on optimal adversarial risk, and show how to extend this result to account for approximations of evasion attacks. Extensive experimental evaluation demonstrates that our retraining methods are nearly indistinguishable from state-of-the-art algorithms for…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Machine Learning and Algorithms
