How Deep Learning and Machine Game Playing Combine: A Game-Theoretic Approach to Adversarial Machine Learning

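This article explores the intersection of deep learning and machine game playing, particularly its application to adversarial machine learning. From a game-theory perspective, it explains how deep learning can be used to strengthen a system's ability to withstand attacks.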


Artificial Intelligence has seen great success in recent years, as it has provided us with powerful algorithms that use a large database to make accurate predictions or classifications. These algorithms are increasingly used for different purposes, including high-stakes ones.

And yet, they are not infallible.


In fact, most of these algorithms are trained on data that can be deliberately manipulated by an adversary looking to mislead them into making errors.

Let’s take a simple example: email spam detection. At first, standard classifiers such as naïve Bayes were extremely efficient in terms of accuracy. However, spammers quickly learned how to fool them by replacing “spam” words with their synonyms and adding more “non-spam” words. Consequently, spam filters were changed to detect these tricks. But spammers responded by using new ones. This leads to an endless game between the defender and the attacker until an equilibrium state is reached.

In this context, Game Theory can be very useful, as it provides the mathematical tools needed to model the behaviors of the defender and the adversary in terms of defense and attack strategies.

More specifically, game theory-based models make it possible to take into account:

  • the tradeoff made by the attacker between the cost of adapting to the classifier and the benefit he gains from his attack.

  • the tradeoff made by the defender between the benefit of a correct attack detection and the cost of a false alarm.

Thus, game theory-based models can determine what suitable strategy is needed to reduce the defender’s loss from adversarial attacks.


Spam filtering is not the only case for which these models can bring valuable information. This perspective can be used to describe many other situations with higher stakes: computer intrusion detection, fraud detection, aerial surveillance.


In this article, I will share with you my key findings about how to use Game theory for Adversarial Machine learning.


After reading this article, you will learn:


  • How can Game Theory be used in Machine Learning?
  • How can Game Theory help in addressing adversarial learning problems?
  • How to make your Machine Learning algorithms robust against adversarial attacks?

An Example of a Game Theory-based Approach

Let’s start with a simple example: spam detection.


The following section describes the game-theoretical model developed for adversarial learning by W. Liu and S. Chawla in their paper.

General Setting

It can be modeled as a 2-player game between the Spammer (S) and the Defender (D).


  • The Spammer can choose 1) to attack the classifier by changing spam mails to get them through the spam filter, or 2) not to attack, knowing that some spam emails might get through anyway.

  • The Defender can choose 1) to retrain the classifier in order to maintain a low misclassification rate, or 2) not to retrain the classifier despite the potential increase in misclassified spam mails.

We will assume that the Spammer will be the one to make the first move.


There are 4 possible outcomes, as shown in the graph below. Each scenario can be associated with a payoff for both players that reflects its relative ranking in terms of the final outcome.

For instance, scenario 2 is the worst scenario for the Defender and the best for the Spammer, as his attacks on the non-retrained classifier will lead to a high number of misclassified spam mails.

Figure: Game tree between the Spammer and the Defender
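The sequential game described above can be solved by backward induction: the Defender's best response is computed for each Spammer move, and the Spammer then picks the branch that pays best given that response. The following is an added example, not code from the article or from the cited paper; the payoff numbers, the cost parameters and the function names `payoffs` and `solve` are constructed assumptions, and only the ranking of scenario 2 (attack against a non-retrained classifier) comes from the text.

```python
from itertools import product

SPAMMER_MOVES = ("attack", "no_attack")
DEFENDER_MOVES = ("retrain", "no_retrain")

# Constructed numbers: amount of spam that gets through in each outcome.
LEAK = {
    ("attack", "retrain"): 2.0,
    ("attack", "no_retrain"): 6.0,   # "scenario 2" in the text
    ("no_attack", "retrain"): 1.0,
    ("no_attack", "no_retrain"): 1.0,
}


def payoffs(attack_cost, retrain_cost):
    """Return {(s_move, d_move): (spammer_payoff, defender_payoff)}."""
    table = {}
    for s, d in product(SPAMMER_MOVES, DEFENDER_MOVES):
        leak = LEAK[(s, d)]
        # Spammer gains the leaked spam, minus the cost of adapting.
        spammer = leak - (attack_cost if s == "attack" else 0.0)
        # Defender loses the leaked spam, plus the cost of retraining.
        defender = -leak - (retrain_cost if d == "retrain" else 0.0)
        table[(s, d)] = (spammer, defender)
    return table


def solve(attack_cost, retrain_cost):
    """Backward induction: the Spammer moves first, the Defender responds."""
    table = payoffs(attack_cost, retrain_cost)
    # Step 1: Defender's best response to each possible Spammer move.
    response = {
        s: max(DEFENDER_MOVES, key=lambda d: table[(s, d)][1])
        for s in SPAMMER_MOVES
    }
    # Step 2: Spammer anticipates that response and picks the better branch.
    s_star = max(SPAMMER_MOVES, key=lambda s: table[(s, response[s])][0])
    return s_star, response[s_star]


if __name__ == "__main__":
    for a_cost, r_cost in [(0.5, 2.0), (1.5, 2.0), (1.5, 5.0)]:
        print(f"attack_cost={a_cost} retrain_cost={r_cost} ->", solve(a_cost, r_cost))
```

With these constructed payoffs, a cheap attack is met by retraining, a costlier attack is deterred by the credible threat of retraining, and scenario 2 becomes the equilibrium only when retraining is so expensive that it stops being the Defender's best response to an attack.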

Model definition
