Apr 9, 2017

Enhancing Robustness of Machine Learning Systems via Data Transformations

arXiv:1704.02654v4 · 244 citations
Originality: Incremental advance
AI Analysis

This paper addresses security vulnerabilities in ML systems for applications such as image and activity classification, though it appears incremental because it builds on existing data-transformation techniques.

The paper tackles the problem of defending machine learning classifiers against evasion attacks by using data transformations like PCA and anti-whitening, resulting in a two-fold increase in resources needed for successful attacks.

We propose the use of data transformations as a defense against evasion attacks on ML classifiers. We present and investigate strategies for incorporating a variety of data transformations, including dimensionality reduction via Principal Component Analysis and data 'anti-whitening', to enhance the resilience of machine learning, targeting both the classification and the training phase. We empirically evaluate and demonstrate the feasibility of linear transformations of data as a defense mechanism against evasion attacks using multiple real-world datasets. Our key findings are that the defense is (i) effective against the best known evasion attacks from the literature, resulting in a two-fold increase in the resources required by a white-box adversary with knowledge of the defense for a successful attack, (ii) applicable across a range of ML classifiers, including Support Vector Machines and Deep Neural Networks, and (iii) generalizable to multiple application domains, including image classification and human activity classification.
