Randomized Prediction Games for Adversarial Machine Learning
Samuel Rota Bulò, Battista Biggio, Ignazio Pillai, Marcello Pelillo, Fabio Roli

TL;DR
This paper introduces a novel randomized prediction game framework for adversarial machine learning, enhancing security by modeling both classifier and attacker strategies as probabilistic, leading to better attack detection and false alarm trade-offs.
Contribution
It proposes a non-cooperative game-theoretic model with randomized strategies for both classifier and attacker, addressing limitations of deterministic approaches in adversarial settings.
Findings
Improved attack detection and false alarm trade-offs.
Effective against unseen attack strategies.
Applicable to malware, spam, and digit recognition.
Abstract
In spam and malware detection, attackers exploit randomization to obfuscate malicious data and increase their chances of evading detection at test time; e.g., malware code is typically obfuscated using random strings or byte sequences to hide known exploits. Interestingly, randomization has also been proposed to improve security of learning algorithms against evasion attacks, as it results in hiding information about the classifier to the attacker. Recent work has proposed game-theoretical formulations to learn secure classifiers, by simulating different evasion attacks and modifying the classification function accordingly. However, both the classification function and the simulated data manipulations have been modeled in a deterministic manner, without accounting for any form of randomization. In this work, we overcome this limitation by proposing a randomized prediction game, namely,…
