Adversaries With Incentives: A Strategic Alternative to Adversarial Robustness
This work addresses adversarial robustness in machine learning by offering a less conservative approach, which is incremental but potentially beneficial for security applications.
The paper tackles the problem of adversarial robustness by proposing strategic training as an alternative to adversarial training, modeling opponents as pursuing their own goals rather than solely harming performance, and shows that even mild knowledge of opponent incentives can improve defense, with gains depending on task structure.
Adversarial training aims to defend against adversaries: malicious opponents whose sole aim is to harm predictive performance in any way possible. This presents a rather harsh perspective, which we assert results in unnecessarily conservative training. As an alternative, we propose to model opponents as simply pursuing their own goals--rather than working directly against the classifier. Employing tools from strategic modeling, our approach enables knowledge or beliefs regarding the opponent's possible incentives to be used as inductive bias for learning. Accordingly, our method of strategic training is designed to defend against all opponents within an 'incentive uncertainty set'. This resorts to adversarial learning when the set is maximal, but offers potential gains when the set can be appropriately reduced. We conduct a series of experiments that show how even mild knowledge regarding the opponent's incentives can be useful, and that the degree of potential gains depends on how these incentives relate to the structure of the learning task.