CR · LG · ML · Apr 6, 2017

Adequacy of the Gradient-Descent Method for Classifier Evasion Attacks

arXiv:1704.01704v2 · 6 citations
Originality: Incremental advance
AI Analysis

This work addresses vulnerabilities in machine learning models for security applications, offering incremental improvements in understanding and mitigating evasion attacks.

The paper examines the gradient-descent method for generating adversarial samples in evasion attacks on classifiers, finding that reduced kernel smoothness increases robustness and proposing a predictive quantity for susceptibility.

Despite the wide use of machine learning in adversarial settings including computer security, recent studies have demonstrated vulnerabilities to evasion attacks---carefully crafted adversarial samples that closely resemble legitimate instances, but cause misclassification. In this paper, we examine the adequacy of the leading approach to generating adversarial samples---the gradient descent approach. In particular (1) we perform extensive experiments on three datasets, MNIST, USPS and Spambase, in order to analyse the effectiveness of the gradient-descent method against non-linear support vector machines, and conclude that carefully reduced kernel smoothness can significantly increase robustness to the attack; (2) we demonstrate that separated inter-class support vectors lead to more secure models, and propose a quantity similar to margin that can efficiently predict potential susceptibility to gradient-descent attacks, before the attack is launched; and (3) we design a new adversarial sample construction algorithm based on optimising the multiplicative ratio of class decision functions.
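The mechanism behind finding (1) is easy to see on a toy model. The block below is an added illustration, not code from the paper: it hand-constructs an RBF-kernel SVM (two support vectors, one per class, all multipliers 1, bias 0; these values are assumptions chosen so the example runs without training) and runs the plain gradient-descent evasion attack on it, meaning fixed-step ascent on the decision function from a malicious sample, projected onto an L2 perturbation budget. With a smooth kernel (small gamma) the sample crosses the boundary in a few hundred steps; with a sharp kernel (large gamma, i.e. reduced smoothness) the decision function is nearly flat away from the support vectors, the raw gradient vanishes, and the attack stalls short of the boundary within the same iteration budget. The step size, iteration cap and perturbation budget are likewise assumed values, not the paper's.

```python
"""Toy gradient-descent evasion attack against an RBF-kernel SVM.

Added illustration of the vanishing-gradient effect; not the paper's code.
The support vectors, multipliers, bias and attack parameters are constructed
by hand so the example runs offline without training anything.
"""
import math

# Constructed toy model in 2-D: one support vector per class, alpha = 1, b = 0.
# Class +1 is the "legitimate" class the attacker wants to reach, -1 is "malicious".
SUPPORT_VECTORS = [
    ((1.0, 0.0), +1.0, 1.0),   # (x_i, y_i, alpha_i)
    ((-1.0, 0.0), -1.0, 1.0),
]
BIAS = 0.0


def rbf(x, z, gamma):
    """RBF kernel k(x, z) = exp(-gamma * ||x - z||^2). Larger gamma = less smooth."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, z))
    return math.exp(-gamma * d2)


def decision(x, gamma, svs=SUPPORT_VECTORS, bias=BIAS):
    """Kernel SVM decision function f(x) = sum_i alpha_i y_i k(x, x_i) + b."""
    return sum(alpha * y * rbf(x, sv, gamma) for sv, y, alpha in svs) + bias


def gradient(x, gamma, svs=SUPPORT_VECTORS):
    """Analytic gradient of f, using d/dx k(x, x_i) = -2 gamma (x - x_i) k(x, x_i)."""
    g = [0.0] * len(x)
    for sv, y, alpha in svs:
        k = rbf(x, sv, gamma)
        for j in range(len(x)):
            g[j] += alpha * y * k * (-2.0 * gamma) * (x[j] - sv[j])
    return g


def l2(x, z):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, z)))


def gradient_descent_evasion(x0, gamma, step=0.01, max_iter=1000, budget=2.0):
    """Plain gradient attack: fixed-step ascent on f(x) from a malicious sample x0
    (f(x0) < 0), using the raw (unnormalised) gradient and projecting back onto the
    L2 ball of radius `budget` around x0. Returns (evaded, x, iterations, distance)."""
    x = list(x0)
    for it in range(1, max_iter + 1):
        if decision(x, gamma) > 0.0:          # crossed into the legitimate class
            return True, x, it - 1, l2(x, x0)
        g = gradient(x, gamma)
        x = [xi + step * gi for xi, gi in zip(x, g)]
        d = l2(x, x0)
        if d > budget:                        # stay within the perturbation budget
            x = [x0i + (xi - x0i) * budget / d for x0i, xi in zip(x0, x)]
    return decision(x, gamma) > 0.0, x, max_iter, l2(x, x0)


def compare_smoothness(x0=(-1.0, 0.0), gammas=(0.5, 20.0)):
    """Same attack, same budget, against a smooth (gamma=0.5) and a sharp (gamma=20) kernel."""
    return {gamma: gradient_descent_evasion(x0, gamma) for gamma in gammas}


if __name__ == "__main__":
    for gamma, (evaded, x, iters, dist) in compare_smoothness().items():
        print(f"gamma={gamma:<5} evaded={evaded!s:<5} iters={iters:<5} "
              f"dist={dist:.3f} f(x)={decision(x, gamma):+.2e}")
```

The sharp-kernel run stalls around a third of the way to the boundary because the gradient there is on the order of 1e-3 and shrinking, so a 1000-step budget is nowhere near enough; the smooth-kernel run crosses after roughly 140 steps. The practitioner's caveat is that this robustness is specific to the raw-gradient update: an attacker who normalises the gradient or adapts the step size, or who starts from a point the sharp kernel still "sees", would not stall in this toy, so kernel sharpness should be treated as raising the cost of the plain attack rather than as a guarantee.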
