Notes for "ICMLC2009-FabioRoli.pdf"

2016/1/29 14:14 PM posted in Adversary Learning

Understanding:

1. What is adversarial classification? Basic concepts and motivations

A classifier that takes the adversary's actions into account. It can adapt as the adversary's actions change.

The motivation is that the classical model does not perform well in adversarial environments. The classical model is built and tuned on the assumption of random noise, so it is suited to environments with ordinary random noise. In an adversarial environment, however, the noise it faces is adversarial noise, which the adversary generates on purpose.

Points:

  • The classical model does not fit well with adversarial tasks
  • We need adversary-aware classification models

2. Adversary-aware classification

The classical model is built for ordinary random noise. When it faces adversarial noise, its performance degrades significantly, while an adversary-aware model works better.

Points:

  • Classification algorithms should take into account the adversary
  • Classifiers should be adaptive, exploiting any feedback that they can get about the adversary’s moves

3. Vulnerability assessment in pattern classification systems

The hardness of evading the spam classifier is used as the criterion for vulnerability assessment in pattern classification systems. The score is calculated from the minimum number of features that need to be modified to evade the classifier.

Points:

  • Classification accuracy is not everything in adversarial tasks
  • The designer should maximize both the accuracy and the hardness of evasion of the classifier
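
To make the metric concrete, here is an added example (not from the talk or these notes) that computes hardness of evasion for two linear spam classifiers with the same accuracy. It assumes binary features, a "spam if score > 0" rule and equal cost per modified feature; all names, weights and samples are constructed for illustration.

```python
import math

def score(weights, bias, x):
    return bias + sum(w * xi for w, xi in zip(weights, x))

def hardness_of_evasion(weights, bias, x):
    """Minimum number of binary features to modify so that x is no longer
    flagged as spam (score <= 0). Returns math.inf if that is impossible."""
    s = score(weights, bias, x)
    if s <= 0:
        return 0  # not flagged in the first place
    # Score drop from modifying each feature: removing a present feature
    # drops the score by w, adding an absent one drops it by -w.
    gains = sorted((w if xi else -w for w, xi in zip(weights, x)), reverse=True)
    for flips, gain in enumerate(gains, start=1):
        if gain <= 0:
            break  # remaining modifications cannot lower the score
        s -= gain  # taking the largest drops first minimizes the count
        if s <= 0:
            return flips
    return math.inf

def accuracy(weights, bias, samples):
    hits = sum((score(weights, bias, x) > 0) == is_spam for x, is_spam in samples)
    return hits / len(samples)

def mean_hardness(weights, bias, samples):
    """Average hardness of evasion over the spam samples that are detected."""
    detected = [x for x, is_spam in samples if is_spam and score(weights, bias, x) > 0]
    return sum(hardness_of_evasion(weights, bias, x) for x in detected) / len(detected)

# Constructed data: (feature vector, is_spam)
SAMPLES = [
    ([1, 1, 1, 1, 1, 1], True), ([1, 1, 1, 1, 0, 0], True), ([1, 1, 1, 0, 1, 1], True),
    ([0, 0, 1, 0, 0, 0], False), ([0, 0, 0, 0, 0, 1], False), ([0, 0, 0, 0, 0, 0], False),
]
CONCENTRATED = ([10, 10, 1, 1, 1, 1], -8)  # decision rests on two features
EVEN = ([4, 4, 4, 4, 4, 4], -8)            # weight spread over all features

if __name__ == "__main__":
    for name, (w, b) in (("concentrated", CONCENTRATED), ("even", EVEN)):
        print(name, accuracy(w, b, SAMPLES), mean_hardness(w, b, SAMPLES))
```

Both classifiers label every sample correctly, yet the one with evenly spread weights requires more feature modifications on average, which is the sense in which accuracy alone is not enough.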

4. Defense strategies

Basically, the main strategy is to make evasion too costly for the adversary. We normally implement this by using multiple classifiers with different detection strategies, which adds up the cost of evasion.

Also, for closed-source classifiers, we can make the classifiers activate randomly, which forces the adversary to do much more probing ( \( \Theta(n) = 2^n \) ) to figure out how the classifier works.

Points:

  • So far we have some state-of-the-art works on defense strategies against specific attacks for specific applications
  • Defense strategies against different types of attacks for different applications are a matter of on-going research

5. Conclusions and open research issues

There are few adversary-aware models, and likewise few general-purpose methods for vulnerability assessment and defenses against a variety of attacks.

  • models based on various scenarios
  • integrated strategies for defense and vulnerability assessment
  • put the tests into real-world settings rather than only static data sets