On Security and Sparsity of Linear Classifiers for Adversarial Settings

  • Ambra Demontis
  • Paolo Russu
  • Battista Biggio
  • Giorgio Fumera
  • Fabio Roli
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10029)


Machine-learning techniques are widely used in security-related applications, like spam and malware detection. However, in such settings, they have been shown to be vulnerable to adversarial attacks, including the deliberate manipulation of data at test time to evade detection. In this work, we focus on the vulnerability of linear classifiers to evasion attacks. This can be considered a relevant problem, as linear classifiers have been increasingly used in embedded systems and mobile devices for their low processing time and memory requirements. We exploit recent findings in robust optimization to investigate the link between regularization and security of linear classifiers, depending on the type of attack. We also analyze the relationship between the sparsity of feature weights, which is desirable for reducing processing cost, and the security of linear classifiers. We further propose a novel octagonal regularizer that allows us to achieve a proper trade-off between them. Finally, we empirically show how this regularizer can improve classifier security and sparsity in real-world application examples including spam and malware detection.
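The link between regularization and security that the abstract refers to can be made concrete for a linear classifier. For a score f(x) = w·x + b and an attacker whose perturbation d is bounded by ||d||_p ≤ ε, Hölder's inequality gives |w·d| ≤ ε ||w||_q with 1/p + 1/q = 1, so the worst-case score change is ε times the dual norm of the weights, and a positive sample needs a budget of at least f(x)/||w||_q to be pushed across the threshold. The following Python is an added illustration written for this page, not code from the paper or its authors: the weight vectors, bias and sample are constructed, and "dense" and "sparse" stand in for the kind of solution that l2- and l1-type regularization would produce for the same margin.

```python
"""Worst-case evasion of a linear classifier under an l_p-bounded perturbation.

Added example (not from the paper). Two constructed weight vectors give the
same score on the same sample; the dense one spreads weight over all features,
the sparse one concentrates it on a single feature. The dual norm of w decides
how far an attacker with a fixed l_p budget can move the score.
"""
from math import inf, sqrt


def sign(v):
    return (v > 0) - (v < 0)


def dual_norm(w, p):
    """||w||_q with 1/p + 1/q = 1: the norm that bounds w.d for ||d||_p <= 1."""
    if p == inf:   # l_inf attack (small change on every feature) -> l_1 norm of w
        return float(sum(abs(v) for v in w))
    if p == 1:     # l_1 attack (large change on few features) -> l_inf norm of w
        return float(max(abs(v) for v in w))
    if p == 2:
        return sqrt(sum(v * v for v in w))
    q = p / (p - 1.0)
    return sum(abs(v) ** q for v in w) ** (1.0 / q)


def score(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def worst_case_perturbation(w, eps, p):
    """Perturbation with ||d||_p == eps that lowers w.d by exactly eps*||w||_q."""
    if p == inf:   # move every feature by eps against the sign of its weight
        return [-eps * sign(v) for v in w]
    if p == 1:     # spend the whole budget on the largest-|weight| feature
        k = max(range(len(w)), key=lambda i: abs(w[i]))
        d = [0.0] * len(w)
        d[k] = -eps * sign(w[k])
        return d
    if p == 2:     # move along -w
        n = dual_norm(w, 2)
        return [-eps * v / n for v in w]
    raise ValueError("closed form given only for p in {1, 2, inf}")


def min_evasion_budget(w, b, x, p):
    """Smallest eps that can bring a positive sample's score down to zero."""
    return score(w, b, x) / dual_norm(w, p)


def evaded_score(w, b, x, eps, p):
    """Score after the worst-case perturbation; equals score - eps*||w||_q."""
    d = worst_case_perturbation(w, eps, p)
    return score(w, b, [xi + di for xi, di in zip(x, d)])


# Constructed data: both classifiers assign score 1.0 to X.
X = [1.0, 1.0, 1.0, 1.0]
B = -1.0
DENSE_W = [0.5, 0.5, 0.5, 0.5]   # minimal l_2 / l_inf norm for w.X == 2
SPARSE_W = [2.0, 0.0, 0.0, 0.0]  # a minimal l_1 norm solution, but sparse


def compare_budgets(p):
    """Evasion budget needed against each classifier for an l_p attacker."""
    return {"dense": min_evasion_budget(DENSE_W, B, X, p),
            "sparse": min_evasion_budget(SPARSE_W, B, X, p)}


if __name__ == "__main__":
    for p in (1, 2, inf):
        print("p =", p, compare_budgets(p))
```

Running it shows the trade-off the abstract describes: against an l_inf attacker both classifiers need the same budget (their l_1 norms are equal), but the sparse classifier is evaded with a quarter of the l_1 budget the dense one requires, because all of its weight sits on one feature. Which regularizer is "secure" therefore depends on the attack's norm, and sparsity bought by concentrating weight has a security cost that a combined regularizer has to balance.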


Keywords (added by machine, not by the authors): Support Vector Machine, Linear Classifier, Dual Norm, Classifier Security, Hinge Loss



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

Ambra Demontis (corresponding author), Paolo Russu, Battista Biggio, Giorgio Fumera, Fabio Roli
Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy
