25 research outputs found
Robustness Verification of Support Vector Machines
We study the problem of formally verifying the robustness to adversarial
examples of support vector machines (SVMs), a major machine learning model for
classification and regression tasks. Following a recent stream of works on
formal robustness verification of (deep) neural networks, our approach relies
on a sound abstract version of a given SVM classifier to be used for checking
its robustness. This methodology is parametric on a given numerical abstraction
of real values and, analogously to the case of neural networks, needs neither
abstract least upper bounds nor widening operators on this abstraction. The
standard interval domain provides a simple instantiation of our abstraction
technique, which we enhance with the domain of reduced affine forms, an
efficient abstraction of the zonotope abstract domain. This robustness
verification technique has been fully implemented and experimentally evaluated
on SVMs based on linear and nonlinear (polynomial and radial basis function)
kernels, which have been trained on the popular MNIST dataset of images and on
the recent and more challenging Fashion-MNIST dataset. The experimental results
of our prototype SVM robustness verifier appear to be encouraging: this
automated verification is fast, scalable, and achieves high percentages of
provable robustness on the MNIST test set, in particular when compared to the
analogous provable robustness of neural networks.
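The interval-domain instantiation described above can be illustrated with a minimal sketch (a hypothetical toy example, not the paper's implementation): for a linear SVM, propagating an L-infinity perturbation ball through the score function via interval arithmetic yields sound bounds on the score, and robustness is certified when the bounded score cannot change sign.

```python
import numpy as np

def certify_linear_svm(w, b, x, eps):
    """Interval abstraction: soundly bound the SVM score w.x + b over
    the L-infinity ball of radius eps around x. If the interval does
    not cross zero, the predicted class cannot flip inside the ball."""
    # Interval arithmetic per term: w_i * [x_i - eps, x_i + eps]
    lo = np.where(w >= 0, w * (x - eps), w * (x + eps))
    hi = np.where(w >= 0, w * (x + eps), w * (x - eps))
    score_lo, score_hi = lo.sum() + b, hi.sum() + b
    return bool(score_lo > 0 or score_hi < 0)  # sign constant => robust

w = np.array([1.0, -2.0]); b = 0.5
x = np.array([2.0, 0.5])                     # clean score: 1.5
print(certify_linear_svm(w, b, x, 0.1))      # True: small ball, sign fixed
print(certify_linear_svm(w, b, x, 1.0))      # False: interval crosses zero
```

For nonlinear kernels the paper's reduced affine forms track linear correlations between terms, which tightens these bounds; the plain interval version above is the coarsest instantiation.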
Verifying Robustness of Gradient Boosted Models
Gradient boosted models are a fundamental machine learning technique.
Robustness to small perturbations of the input is an important quality measure
for machine learning models, but the literature lacks a method to prove the
robustness of gradient boosted models. This work introduces VeriGB, a tool for
quantifying the robustness of gradient boosted models. VeriGB encodes the model
and the robustness property as an SMT formula, which enables state-of-the-art
verification tools to prove the model's robustness. We extensively evaluate
VeriGB on publicly available datasets and demonstrate its capability to
verify large models. Finally, we show that some model configurations tend to
be inherently more robust than others.
Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control Systems
The proliferation and application of machine learning based Intrusion
Detection Systems (IDS) have allowed for more flexibility and efficiency in the
automated detection of cyber attacks in Industrial Control Systems (ICS).
However, the introduction of such IDSs has also created an additional attack
vector: the learning models themselves may be subject to cyber attacks, a
threat referred to as Adversarial Machine Learning (AML). Such attacks may have
severe consequences in ICS environments, as adversaries could potentially
bypass the IDS.
This could lead to delayed attack detection which may result in infrastructure
damages, financial loss, and even loss of life. This paper explores how
adversarial learning can be used to target supervised models by generating
adversarial samples using the Jacobian-based Saliency Map attack and exploring
classification behaviours. The analysis also explores how such samples can be
used to improve the robustness of supervised models through adversarial
training. An authentic power system dataset was used to support the experiments
presented herein. Overall, the classification performance of two widely used
classifiers, Random Forest and J48, decreased by 16 and 20 percentage points
when adversarial samples were present. Their performances improved following
adversarial training, demonstrating their robustness towards such attacks.
Comment: 9 pages, 7 figures, 7 tables, 46 references. Submitted to a special
issue of the Journal of Information Security and Applications, Machine Learning
Techniques for Cyber Security: Challenges and Future Trends, Elsevier.
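One step of a Jacobian-based saliency map attack can be sketched for a linear two-class scorer (a simplified, hypothetical illustration: the paper targets Random Forest and J48 classifiers, which need a differentiable surrogate for gradient-based attacks). The saliency map rewards features whose increase raises the target-class score while lowering the rival's, and the attack perturbs the single most salient feature.

```python
import numpy as np

def jsma_step(w_target, w_other, x, theta=0.1):
    """One step of a simplified Jacobian-based Saliency Map attack:
    bump the feature that most increases the target-class score
    while decreasing the competing class's score."""
    grad_t, grad_o = w_target, w_other   # Jacobian rows of a linear model
    # Saliency is positive only where the two gradient signs cooperate.
    saliency = np.where((grad_t > 0) & (grad_o < 0), grad_t * -grad_o, 0.0)
    i = int(np.argmax(saliency))
    x_adv = x.copy()
    x_adv[i] += theta                    # perturb the most salient feature
    return x_adv, i

w_t = np.array([0.2, 1.0, -0.5])         # hypothetical gradient rows
w_o = np.array([-0.1, -2.0, 0.3])
x_adv, i = jsma_step(w_t, w_o, np.zeros(3))
print(i)  # -> 1: feature 1 dominates the saliency map
```

Adversarial training, as evaluated in the paper, then simply augments the training set with such perturbed samples under their original labels.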
Getting ahead of the arms race: hothousing the coevolution of VirusTotal with a Packer
Malware detection is in a coevolutionary arms race where attackers and defenders constantly seek advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. Most of the time, black hats need only make incremental changes to evade detection. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We seek to redress this imbalance. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat's ability to counter the black hat's incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6-month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose median detection rate drops from an initial 51.8% to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal's tools learn and forget fast, in about 3 days. We also show where VirusTotal focuses its detection efforts by analysing EEE's variants.
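The entropy heuristic that an entropy-based packer plays against can be shown in a few lines (a generic sketch; the abstract does not describe EEE's actual encodings). Packed or encrypted sections tend to sit near the 8-bits-per-byte maximum, which scanners treat as a red flag, so an entropy-aware packer evolves payload encodings that keep section entropy in an unremarkable range.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte, in [0, 8].
    Heuristic scanners flag values near 8 as likely packed/encrypted."""
    counts = Counter(data)
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())

print(round(shannon_entropy(b"\x00" * 64), 2))           # 0.0: one byte value
print(round(shannon_entropy(bytes(range(256)) * 4), 2))  # 8.0: uniform bytes
```

An evolutionary search in the spirit of Hothouse could use a fitness function combining such an entropy score with the number of VirusTotal detections, though the abstract leaves those details to the paper.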
Multi-class Support Vector Machine with Maximizing Minimum Margin
Support Vector Machine (SVM) stands out as a prominent machine learning
technique widely applied in practical pattern recognition tasks. It achieves
binary classification by maximizing the "margin", which represents the minimum
distance between instances and the decision boundary. Although many efforts
have been dedicated to extending SVM to the multi-class case through strategies
such as one-versus-one and one-versus-rest, satisfactory solutions remain
to be developed. In this paper, we propose a novel method for multi-class SVM
that incorporates pairwise class loss considerations and maximizes the minimum
margin. Adhering to this concept, we embrace a new formulation that imparts
heightened flexibility to multi-class SVM. Furthermore, the correlations
between the proposed method and multiple forms of multi-class SVM are analyzed.
The proposed regularizer, akin to the concept of "margin", can serve as a
seamless enhancement over the softmax in deep learning, providing guidance for
network parameter learning. Empirical evaluations demonstrate the effectiveness
and superiority of our proposed method over existing multi-class classification
methods. Code is available at https://github.com/zz-haooo/M3SVM.
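The "minimum margin" the proposed regularizer pushes up can be sketched for a linear multi-class scorer (an illustrative reconstruction under assumed notation, not the paper's exact loss): over a batch, it is the smallest gap between the true-class score and the best rival-class score.

```python
import numpy as np

def min_pairwise_margin(W, b, X, y):
    """Smallest score gap between the true class and any rival class.
    W: (K, d) class weight rows, b: (K,) biases, X: (n, d), y: (n,)."""
    scores = X @ W.T + b                      # (n, K) class scores
    idx = np.arange(len(y))
    true = scores[idx, y]                     # true-class score per sample
    masked = scores.copy()
    masked[idx, y] = -np.inf                  # exclude the true class
    rival = masked.max(axis=1)                # strongest competing class
    return float((true - rival).min())

W = np.array([[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]])  # 3 classes, 2 features
b = np.zeros(3)
X = np.array([[2.0, 0.0], [0.0, 3.0]]); y = np.array([0, 1])
print(min_pairwise_margin(W, b, X, y))  # -> 2.0
```

Maximizing this quantity (rather than an average margin) concentrates the training signal on the worst-separated class pair, which is the intuition behind using it as a drop-in regularizer over the softmax.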
Adversarial classification: An adversarial risk analysis approach
Classification problems in security settings are usually contemplated as
confrontations in which one or more adversaries try to fool a classifier to
obtain a benefit. Most approaches to such adversarial classification problems
have focused on game theoretical ideas with strong underlying common knowledge
assumptions, which are not realistic in security domains. We provide an
alternative framework for such problems based on adversarial risk analysis,
which we illustrate with several examples. Computational and implementation
issues are discussed.
Comment: Published in the International Journal of Approximate Reasoning.
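The adversarial-risk-analysis viewpoint can be sketched in a toy decision rule (hypothetical utilities and beliefs, not the paper's formulation): instead of assuming the attacker's strategy is common knowledge, the defender places a probability distribution over attacker behaviour, here samples of a tampering probability, and labels the instance by maximizing expected utility under that uncertainty.

```python
import numpy as np

def ara_decision(p_clean, tamper_probs, u):
    """ARA-style classification under attacker uncertainty.
    p_clean: classifier's P(malicious | x) taken at face value.
    tamper_probs: samples from the defender's belief about P(tampered),
                  standing in for an attacker model.
    u: utility table u[label][truth], labels/truth in {0: benign, 1: malicious}.
    Toy assumption: a tampered instance is treated as malicious."""
    p_mal = float(np.mean([t + (1 - t) * p_clean for t in tamper_probs]))
    eu = [u[a][0] * (1 - p_mal) + u[a][1] * p_mal for a in (0, 1)]
    return int(np.argmax(eu)), eu

u = [[1, -10],   # label benign: small reward, large cost if actually malicious
     [-1, 5]]    # label malicious: false-alarm cost, reward for a catch
print(ara_decision(0.1, [0.3, 0.5], u)[0])  # -> 1: tampering belief flips label
print(ara_decision(0.1, [0.0], u)[0])       # -> 0: no tampering, trust p_clean
```

The point of the example is the contrast with game-theoretic approaches: nothing here requires the attacker to know the defender's utilities, only that the defender can elicit a distribution over attacker behaviour.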