On the Economics of Adversarial Machine Learning
The result's identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F24%3A00375771" target="_blank" >RIV/68407700:21230/24:00375771 - isvavai.cz</a>
Result on the web
<a href="https://doi.org/10.1109/TIFS.2024.3379829" target="_blank" >https://doi.org/10.1109/TIFS.2024.3379829</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1109/TIFS.2024.3379829" target="_blank" >10.1109/TIFS.2024.3379829</a>
Alternative languages
Result language
angličtina
Original language name
On the Economics of Adversarial Machine Learning
Original language description
Given the widespread deployment of machine learning algorithms, the security of these algorithms and thus, the field of adversarial machine learning gained popularity in the research community. In this article, we loosen several unrealistic restrictions found in prior art and bring economical-inspired adversarial machine learning one step closer to being applicable in the real world. First, we extend our own game-theoretical framework such that it allows any arbitrary number of actions for both actors, and analytically determine equilibrium strategies and conditions where mixed strategies are expected for the specific case in which both actors choose from any two arbitrary actions. Then, we pay special attention to an adversary's knowledge about the attacked system by modeling them as a white-, gray-, or black-box adversary. We conduct extensive experiments for three architectures, two training procedures, and four adversarial attacks in different variations as direct and transfer attacks, resulting in 300 data points consisting of the respective accuracy and robustness values and the computational costs for both actors. We then instantiate our model with this data and explore the structure of the game for a wide range of each game parameter, overcoming the complexity by applying algorithmic game theory. We discover surprising properties in the actors' strategies, such as the feasibility of cheap attacks that have been dismissed as practically irrelevant so far - examples include universal adversarial perturbations or (transfer) attacks utilizing only few optimization steps. For the defender, we find that given recent attacks and countermeasures, a rational defender would try to hide as much as possible from their infrastructure.
Czech name
—
Czech description
—
Classification
Type
J<sub>imp</sub> - Article in a specialist periodical, which is included in the Web of Science database
CEP classification
—
OECD FORD branch
10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)
Result continuities
Project
Result was created during the realization of more than one project. More information in the Projects tab.
Continuities
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)
Others
Publication year
2024
Confidentiality
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Data specific for result type
Name of the periodical
IEEE Transactions on Information Forensics and Security
ISSN
1556-6013
e-ISSN
1556-6021
Volume of the periodical
19
Issue of the periodical within the volume
2024
Country of publishing house
US - UNITED STATES
Number of pages
16
Pages from-to
4670-4685
UT code for WoS article
001216477200028
EID of the result in the Scopus database
2-s2.0-85188666468