TY - GEN
T1 - Enhancing robustness of machine learning systems via data transformations
AU - Bhagoji, Arjun Nitin
AU - Cullina, Daniel
AU - Sitawarin, Chawin
AU - Mittal, Prateek
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/5/21
Y1 - 2018/5/21
N2 - We propose the use of data transformations as a defense against evasion attacks on ML classifiers. We present and investigate strategies for incorporating a variety of data transformations including dimensionality reduction via Principal Component Analysis to enhance the resilience of machine learning, targeting both the classification and the training phase. We empirically evaluate and demonstrate the feasibility of linear transformations of data as a defense mechanism against evasion attacks using multiple real-world datasets. Our key findings are that the defense is (i) effective against the best known evasion attacks from the literature, resulting in a two-fold increase in the resources required by a white-box adversary with knowledge of the defense for a successful attack, (ii) applicable across a range of ML classifiers, including Support Vector Machines and Deep Neural Networks, and (iii) generalizable to multiple application domains, including image classification and human activity classification.
AB - We propose the use of data transformations as a defense against evasion attacks on ML classifiers. We present and investigate strategies for incorporating a variety of data transformations including dimensionality reduction via Principal Component Analysis to enhance the resilience of machine learning, targeting both the classification and the training phase. We empirically evaluate and demonstrate the feasibility of linear transformations of data as a defense mechanism against evasion attacks using multiple real-world datasets. Our key findings are that the defense is (i) effective against the best known evasion attacks from the literature, resulting in a two-fold increase in the resources required by a white-box adversary with knowledge of the defense for a successful attack, (ii) applicable across a range of ML classifiers, including Support Vector Machines and Deep Neural Networks, and (iii) generalizable to multiple application domains, including image classification and human activity classification.
UR - http://www.scopus.com/inward/record.url?scp=85048547396&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85048547396&partnerID=8YFLogxK
U2 - 10.1109/CISS.2018.8362326
DO - 10.1109/CISS.2018.8362326
M3 - Conference contribution
AN - SCOPUS:85048547396
T3 - 2018 52nd Annual Conference on Information Sciences and Systems, CISS 2018
SP - 1
EP - 5
BT - 2018 52nd Annual Conference on Information Sciences and Systems, CISS 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 52nd Annual Conference on Information Sciences and Systems, CISS 2018
Y2 - 21 March 2018 through 23 March 2018
ER -