Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MISLEAD: Manipulating Importance of Selected features for Learning Epsilon in Evasion Attack Deception

Vidit Khazanchi, Pavan Kulkarni, Yuvaraj Govindarajulu, Manojkumar Parmar

TL;DR

MISLEAD addresses tabular-model vulnerability to evasion by coupling SHAP-based feature importance with an Optimal Epsilon (via binary search) to generate precise, targeted adversarial samples in a black-box setting. It builds a SHAP Summary Dictionary and feature-conversion rules to identify and execute perturbations that move predictions between classes, demonstrated on Iris (multiclass) and Bank Marketing (binary) data with multiple ML architectures. Empirical results show MISLEAD achieves high evasion efficacy and can reveal weaknesses even against some defenses, while also quantifying the resulting drop in accuracy. The work highlights the importance of interpretability-driven vulnerability assessment and supports future extensions to other data modalities and defensive strategies for robust ML security.

Abstract

Emerging vulnerabilities in machine learning (ML) models due to adversarial attacks raise concerns about their reliability. Specifically, evasion attacks manipulate models by introducing precise perturbations to input data, causing erroneous predictions. To address this, we propose a methodology combining SHapley Additive exPlanations (SHAP) for feature importance analysis with an innovative Optimal Epsilon technique for conducting evasion attacks. Our approach begins with SHAP-based analysis to understand model vulnerabilities, crucial for devising targeted evasion strategies. The Optimal Epsilon technique, employing a Binary Search algorithm, efficiently determines the minimum epsilon needed for successful evasion. Evaluation across diverse machine learning architectures demonstrates the technique's precision in generating adversarial samples, underscoring its efficacy in manipulating model outcomes. This study emphasizes the critical importance of continuous assessment and monitoring to identify and mitigate potential security risks in machine learning systems.

MISLEAD: Manipulating Importance of Selected features for Learning Epsilon in Evasion Attack Deception

TL;DR

MISLEAD addresses tabular-model vulnerability to evasion by coupling SHAP-based feature importance with an Optimal Epsilon (via binary search) to generate precise, targeted adversarial samples in a black-box setting. It builds a SHAP Summary Dictionary and feature-conversion rules to identify and execute perturbations that move predictions between classes, demonstrated on Iris (multiclass) and Bank Marketing (binary) data with multiple ML architectures. Empirical results show MISLEAD achieves high evasion efficacy and can reveal weaknesses even against some defenses, while also quantifying the resulting drop in accuracy. The work highlights the importance of interpretability-driven vulnerability assessment and supports future extensions to other data modalities and defensive strategies for robust ML security.

Abstract

Emerging vulnerabilities in machine learning (ML) models due to adversarial attacks raise concerns about their reliability. Specifically, evasion attacks manipulate models by introducing precise perturbations to input data, causing erroneous predictions. To address this, we propose a methodology combining SHapley Additive exPlanations (SHAP) for feature importance analysis with an innovative Optimal Epsilon technique for conducting evasion attacks. Our approach begins with SHAP-based analysis to understand model vulnerabilities, crucial for devising targeted evasion strategies. The Optimal Epsilon technique, employing a Binary Search algorithm, efficiently determines the minimum epsilon needed for successful evasion. Evaluation across diverse machine learning architectures demonstrates the technique's precision in generating adversarial samples, underscoring its efficacy in manipulating model outcomes. This study emphasizes the critical importance of continuous assessment and monitoring to identify and mitigate potential security risks in machine learning systems.
Paper Structure (34 sections, 12 equations, 8 figures, 6 tables)

This paper contains 34 sections, 12 equations, 8 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Adversarial Machine Learning
  4. Feature Importance
  5. Evasion attacks on ML models
  6. Feature + Evasion on Tabular classification
  7. SHAP for Black Box Access
  8. Methodology
  9. Threat Model and Assumptions
  10. Data Collection and Preprocessing
  11. Feature Importance Analysis using SHAP
  12. Binary Classification
  13. Multiclass Classification
  14. Feature Analysis for Evasion
  15. Feature Impact Categorization
  16. ...and 19 more sections

Figures (8)

  • Figure 1: Binary Classification Bar Plots
  • Figure 2: Binary Classification Beeswarm Plot
  • Figure 3: MutliClass Classification Beeswarm and Global Bar Plots
  • Figure 4: Feature Analysis For Evasion
  • Figure 5: Optimal Epsilon
  • ...and 3 more figures