KDD 2004: Adversarial Classification


KDD 2004: Adversarial Classification Dalvi, Domingos, Mausam, Sanghai, Verma University of Washington

Introduction
- Paper views classification as a game between the classifier and the adversary
- Data is actively manipulated by the adversary to make the classifier produce false negatives
- Proposes a (Naïve Bayes) classifier that is optimal given the adversary's optimal strategy

Motivation (1)
- Many (all) data-mining algorithms assume that the data-generating process is independent of the classifier's activities
- This is not true in domains like:
  - Spam detection
  - Intrusion detection
  - Fraud detection
  - Surveillance
- In these domains data is actively manipulated by an adversary seeking to make the classifier produce false negatives

Motivation (2)
- In the real world, performance of a classifier can degrade rapidly after deployment as the adversary learns how to defeat it
- Solution: repeated, manual, ad hoc reconstruction of the classifier
- This problem is different from concept drift, since data is actively manipulated: it is a function of the classifier itself

Outline
- Problem definition
- For Naïve Bayes:
  - Optimal strategy for adversary against adversary-unaware classifier
  - Optimal strategy for classifier playing against adversary
- Experimental results on 2 email spam datasets

Problem definition
- X = (X1, X2, … Xn): a set of features
- Instance space X. Instance x ∈ X has feature values xi
- Instances belong to 2 classes:
  - Positive (malicious) are i.i.d. from P(X|+)
  - Negative (innocent) are i.i.d. from P(X|–)
- Training set S, test set T

A game between 2 players:
- Classifier tries to learn a function yC = C(x) that will correctly predict classes
- Adversary attempts to make Classifier classify positive (harmful) instances as negative by modifying an instance x: x’ = A(x) (note: the adversary cannot modify negative, i.e. non-spam, instances)

Cost/Utilities for Classifier
- Vi: cost of measuring feature Xi
- UC(yC, y): utility of classifying an instance as yC when its true class is y
- Typically:
  - UC(+, –) < 0, UC(–, +) < 0 (makes an error)
  - UC(+, +) > 0, UC(–, –) > 0 (correct classification)

Cost/Utilities for Adversary
- Wi(xi, xi’): cost of changing the ith feature from xi to xi’
- UA(yC, y): utility accrued by the adversary when the classifier classifies as yC an instance of class y
- Typically:
  - UA(–, +) > 0 (spam gets through)
  - UA(+, +) < 0 (spam is detected)
  - UA(+, –) = 0, UA(–, –) = 0 (don't care about non-spam)

Goal of Classifier
- Wants to build a classifier C that will maximize expected utility, taking into account the adversary's actions:
- Terms of the objective, as labelled on the slide: utility given modified data; cost for observing a feature

Goal of Adversary
- Wants to find a feature change strategy that will maximize utility given the costs:
- Terms of the objective, as labelled on the slide: utility given modified data; cost of changing the features

The game
- We assume that all parameters of both players are known to each other
- Game operates:
  1. Classifier starts assuming data is unaltered
  2. Adversary deploys optimal plan A(x) against classifier
  3. Classifier deploys optimal classifier C(A(x)) against adversary
  4. ...

Classifier: No Adversary
- Naïve Bayes:
- Bayes' optimal prediction given the utility matrix: for instance x, the prediction is the class yC that maximizes the expected utility:

Adversary strategy
- Adversary assumes:
  - complete information
  - classifier is unaware of adversary
- Naïve Bayes classifies x as positive if:
- Modify features so that:
  - the inequality does not hold
  - the cost is lower than the expected utility
- Boils down to an integer linear program

Classifier with Adversary
- Classifier assumes:
  - Adversary uses optimal strategy
  - Training set is not tampered with by Adversary (training set is drawn from the real distribution)
- Maximize conditional utility:
- The only change is: adversary modifies only positive examples
- It will not modify an example if:
  - classifier's prediction is negative, or
  - transformation is too costly
- Naïve algorithm: for all positive examples and find probability they are modified
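The two conditions above (the adversary leaves an instance alone when it is already classified negative or when the change is too costly) can be worked through for the Add words scenario from the Experiments slides. This is an added example, not code from the paper or the presentation: the word probabilities, equal priors, the zero log-odds threshold and the name `delta_ua` (standing for UA(–, +) - UA(+, +)) are assumptions.

```python
import math

# Constructed P(word present | class) values; not taken from the paper's datasets.
P_SPAM = {"viagra": 0.60, "free": 0.50, "meeting": 0.05, "linguistics": 0.02, "thanks": 0.10}
P_HAM = {"viagra": 0.01, "free": 0.10, "meeting": 0.40, "linguistics": 0.30, "thanks": 0.35}
MAX_ADDED = 20       # Add words cap stated on the slides
COST_PER_WORD = 1.0  # Add words: cost of adding a word is 1


def term(word, is_present):
    """One feature's contribution to the Naive Bayes log-odds log P(x|+)/P(x|-)."""
    if is_present:
        return math.log(P_SPAM[word] / P_HAM[word])
    return math.log((1 - P_SPAM[word]) / (1 - P_HAM[word]))


def log_odds(present, prior_spam=0.5):
    """Log-odds that a message (a set of words) is spam; equal priors are assumed."""
    prior = math.log(prior_spam / (1 - prior_spam))
    return prior + sum(term(w, w in present) for w in P_SPAM)


def gain(word):
    """Drop in log-odds when an absent word is added to the message."""
    return term(word, False) - term(word, True)


def min_cost_camouflage(present, threshold=0.0):
    """Cheapest word additions that bring the log-odds to <= threshold.

    Returns (added_words, cost), or None when no allowed change succeeds.
    With unit costs, taking the largest gains first minimizes the word count.
    """
    score, added = log_odds(present), []
    for w in sorted(set(P_SPAM) - set(present), key=gain, reverse=True):
        if score <= threshold or len(added) == MAX_ADDED or gain(w) <= 0:
            break
        score -= gain(w)
        added.append(w)
    return (added, COST_PER_WORD * len(added)) if score <= threshold else None


def adversary_modifies(present, delta_ua, threshold=0.0):
    """True only if the message is caught as-is and evading costs less than the gain."""
    plan = min_cost_camouflage(present, threshold)
    return plan is not None and 0 < plan[1] < delta_ua
```

The cost returned by `min_cost_camouflage` doubles as a robustness margin: the lower it is for typical positive instances, the more an adversary-unaware classifier stands to lose once the adversary responds.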

Experiments
- 2 datasets:
  - Ling-Spam: 2412 non-spam, 481 spam
  - Email-Data: 642 non-spam, 789 spam
- Scenarios:
  - Add words: adversary is adding words. Cost of adding a word is 1. (Adding unnecessary words)
  - Add length: same as Add words, except cost is proportional to word length. (Spammer is paying for data transfer)
  - Synonyms: replace existing word with its synonym. (Spammer does not want to alter the content)

Utility matrix
- Legend: UA: adversary; UC: classifier; +: spam; –: no spam (table axes: true class, prediction)
- Scenarios:
  - AddWords: can add max 20 words
  - AddLength: can add max 200 characters
  - Synonyms: can change max 20 synonyms

False positives and False negatives
- By increasing UC we observe expected behavior
- AC never produces a False Positive, so average utility stays the same
- Adversary “helps” classifier to reduce FPs, because adversary is unlikely to send spam unaltered. So non-spam messages (unaltered) will now be classified as negative.

Further work / Conclusions
- Further work:
  - Repeated game
  - Incomplete information
  - Approximately optimal strategies
  - Generalization to other classifiers
- Conclusions:
  - Formalized the problem of adversarial manipulation
  - Extended Naïve Bayes classifier
  - Outperforms standard technique

Other interesting papers (1)
- Best Paper: Probabilistic Framework for Semi-Supervised Clustering by Basu, Bilenko, and Mooney:
  - gives a probabilistic model to find clusters that respect "must-link" and "cannot-link" constraints
  - the EM-type algorithm is an incremental improvement over previous methods

Other interesting papers (2)
- Data Mining in Metric Space: An Empirical Analysis of Supervised Learning Performance Criteria by Caruana and Niculescu-Mizil:
  - a massive comparison of different learning methods with different binary datasets, on different measures of performance: accuracy given a threshold, area under the ROC curve, squared error, etc.
  - measures that depend on ranking only, and measures that depend on scores being calibrated probabilities, form two clusters.
  - maximum margin methods (SVMs and boosted trees) give excellent ranking but scores that are far from well-calibrated probabilities.
  - squared error may be the best general-purpose measure.

Other interesting papers (3)
- Cyclic Pattern Kernels for Predictive Graph Mining by Horvath, Gaertner, and Wrobel:
  - kernel for classifying graphs based on cyclic and tree patterns
  - computationally efficient (does not suffer frequent sub-graphs limitations)
  - they use it with SVM for classifying molecules