LGCRML, May 25, 2020

Adversarial Feature Selection against Evasion Attacks

arXiv:2005.12154v1, 239 citations

AI Analysis

This work addresses security vulnerabilities in machine learning systems for domains like spam and malware detection, offering a novel approach to enhance robustness against evasion attacks.

The paper investigates how feature selection affects classifier security against evasion attacks and finds that it can actually worsen security. It then proposes a novel adversary-aware feature selection model that improves security by incorporating assumptions on the adversary's data manipulation strategy, validated on spam and malware detection tasks.

Pattern recognition and machine learning techniques have been increasingly adopted in adversarial settings such as spam, intrusion and malware detection, although their security against well-crafted attacks that aim to evade detection by manipulating data at test time has not yet been thoroughly assessed. While previous work has been mainly focused on devising adversary-aware classification algorithms to counter evasion attempts, only a few authors have considered the impact of using reduced feature sets on classifier security against the same attacks. An interesting, preliminary result is that classifier security against evasion may even be worsened by the application of feature selection. In this paper, we provide a more detailed investigation of this aspect, shedding some light on the security properties of feature selection against evasion attacks. Inspired by previous work on adversary-aware classifiers, we propose a novel adversary-aware feature selection model that can improve classifier security against evasion attacks by incorporating specific assumptions on the adversary's data manipulation strategy. We focus on an efficient, wrapper-based implementation of our approach, and experimentally validate its soundness on different application examples, including spam and malware detection.

Code Implementations: 1 repo