Adversarial Perturbation Intensity Achieving Chosen Intra-Technique Transferability Level for Logistic Regression

TL;DR

This paper introduces a probabilistic method to determine the optimal adversarial perturbation intensity for logistic regression, enabling attackers to control the success probability of their attacks in known-model scenarios.

Contribution

It provides the first closed-form expression for adversarial perturbation intensity in logistic regression, allowing precise control over attack success probability.

Findings

Effective in real-world datasets

Allows attacker to specify success probability

Applicable under known model conditions

Abstract

Machine Learning models have been shown to be vulnerable to adversarial examples, ie. the manipulation of data by a attacker to defeat a defender's classifier at test time. We present a novel probabilistic definition of adversarial examples in perfect or limited knowledge setting using prior probability distributions on the defender's classifier. Using the asymptotic properties of the logistic regression, we derive a closed-form expression of the intensity of any adversarial perturbation, in order to achieve a given expected misclassification rate. This technique is relevant in a threat model of known model specifications and unknown training data. To our knowledge, this is the first method that allows an attacker to directly choose the probability of attack success. We evaluate our approach on two real-world datasets.