Robust ML with Multiple Learners

Increasing use of machine learning in adversarial settings has motivated a series of efforts investigating the extent to which learning approaches can be subverted by malicious parties. An important class of such attacks involves adversaries changing their behaviors, or features of the environment, to effect an incorrect prediction. Most previous efforts study this problem as an interaction between a single learner and a single attacker. However, in reality attackers often target a broad array of potential victim organizations. For example, they craft generic spam templates and generic malware, and then disseminate these widely to maximize impact. The resulting ecology of attack targets reflects not a single learner, but many such learners, all making autonomous decisions about how to detect malicious content, although these decisions often rely on similar training datasets.

In this project, we study the linear regression problem in an adversarial setting where the adversary’s decision is aimed at a collection of learners, rather than specifically targeted at each independently. We model the resulting game as an interaction between multiple learners, who simultaneously learn linear regression models, and an attacker, who observes the learned models and modifies the original feature vectors at test time to induce incorrect predictions. We term the resulting game a Multi-Learner Stackelberg Game, to allude to its two stages, with learners jointly acting as Stackelberg leaders, and the attacker being the follower. The robustness of our solution to the game is shown through both theoretically (by showing it to be equivalent to a particular robust optimization problem), and through extensive experiments (in case studies on PDF malware scoring and house price prediction), which demonstrate it to be much more robust to attacks than standard regularization approaches.