Game Theory for Adversarial Machine Learning

Abstract

Recent years have witnessed dramatic progress in machine learning and many successful applications of deep neural networks with often super-human performance in many tasks including classification of visual images or speech recognition. With this success, machine learning algorithms are being used also in critical security/defense domains where the actions of an adversary are being classified (e.g., deciding whether a suspicious activity on a computer network is caused by an adversary). Ignoring the fact that data is generated by an adversary can cause misclassification with severe, life-threatening consequences - a STOP sign can be misclassified as a main street sign, friendly forces can be misclassified as an enemy. Game theory studies reasoning and decision making in the presence of an adversary and describes optimal behavior. While a number of practical and scalable game-theoretic algorithms have emerged in recent years, pushing the limits of the sizes of games for which one can compute equilibrium strategies, the actual usage of game-theoretic algorithms for making machine learning methods more robust against an adversary is limited. The main goal of the proposed project is to reinforce the use of game-theoretic algorithms in machine learning in order to create classifiers that are more robust in the presence of an adversary along two main directions. First, we define games that correspond to the adversarial machine learning. The strategy of one player corresponds to setting parameters of a learning model (e.g., weights of a neural network) and the strategy of the opponent is to choose an input leading to the desired result (e.g., misclassification to a pre-defined class). We identify types of utility functions appearing in games that correspond to (adversarial) machine learning problems and we will study how to compactly represent multi-dimensional strategy spaces in case of complex learning models. We first define models for one-shot problems that, for example, correspond to the classification in the presence of an adversary using a pre-trained model. Next, we extend our models to dynamic scenarios where the model is updated in an adversarial environment and where it can be subject to attacks that inject poisonous data into the learning process. Second, the main challenge of applying game-theoretic algorithms to the adversarial machine learning problems is an infinite action space, such as the set of parameters of a learning model. This is in contrast with most of the efficient algorithmic and computational results in game theory, which typically deals with finite action spaces. Choosing a pure strategy in games with infinite action spaces amounts to the choice of a (vector of) real/rational number(s). Although additional assumptions about utility functions are often made (continuity), it is not reasonable to expect that the class of games required by machine learning applications will fall into a single well-behaved family of models. For this reason, we are ready not only to adapt existing computational techniques, which were developed for games with compact action spaces and continuous utility functions, but also to explore new families of infinite games. Therefore, we will (i) analyze the properties of existence of equilibria in infinite games, (ii) identify the conditions under which (approximate) equilibria exist, and (iii) study conditions and novel sampling techniques under which the existing algorithms using finite action spaces can be adapted to an infinite setting.

Document Details

Document Type

DoD Grant Award

Publication Date

Jul 09, 2020

Source ID

W911NF2010197

Entities

Tags