Evasion and Causative Attacks with Adversarial Deep Learning

This paper presents a novel approach to launch and defend against the causative and evasion attacks on machine learning classifiers. As the preliminary step, the adversary starts with an exploratory attack based on deep learning (DL) and builds a functionally equivalent classifier by polling the online target classifier with input data and observing the returned labels. Using this inferred classifier, the adversary can select samples according to their DL scores and feed them to the original classifier. In an evasion attack, the adversary feeds the target classifier with test data after selecting samples with DL scores that are close to the decision boundary to increase the chance that these samples are misclassified. In a causative attack, the adversary feeds the target classifier with training data after changing the labels of samples with DL scores that are far away from the decision boundary to reduce the reliability of the training process. Results obtained for text and image classification show that the proposed evasion and causative attacks can significantly increase the error during test and training phases, respectively. A defense strategy is presented to change a small number of labels of the original classifier to prevent its reliable inference by the adversary and its effective use in evasion and causative attacks. These findings identify new vulnerabilities of machine learning and demonstrate that a proactive defense mechanism can reduce the impact of the underlying attacks.