On the Statistical Detection of Adversarial Instances over Encrypted Data

Abstract

Adversarial instances are malicious inputs designed to fool machine learning models. In particular, motivated and sophisticated attackers intentionally design adversarial instances to evade classifiers which have been trained to detect security violation, such as malware detection. While the existing approaches provide effective solutions in detecting and defending adversarial samples, they fail to detect them when they are encrypted. In this study, a novel framework is proposed which employs statistical test to detect adversarial instances, when data under analysis are encrypted. An experimental evaluation of our approach shows its practical feasibility in terms of computation cost.

Appendix

In what follows we prove Theorem 1, claiming that if we set \(\alpha ' = \sqrt{ \alpha ^2- 2d \updelta }\) (for negligible \(\updelta \)), then from \(MMD'(D'_1, D'_2) \le \alpha '\) we can conclude that \(MMD(D_1, D_2) \le \alpha \).

Basically, we are looking for \(\alpha '\) such that if the following relation holds:

$$\begin{aligned} n^2 \sum _{i,j = 1}^{m} d^{n_{X_iX_j}} - 2 mn \sum _{i,j = 1}^{m , n } d^{n_{X_iY_j}} + m^2 \sum _{i,j = 1}^{n} d^{n_{Y_iY_j} } \le m^2n^2{\alpha '}^2 \end{aligned}$$

We can conclude that:

$$\begin{aligned} n^2 \sum _{i,j = 1}^{m} \kappa (X_i, X_j) - 2 mn \sum _{i,j = 1}^{m , n } \kappa (X_i, Y_j) + m^2 \sum _{i,j = 1}^{n} \kappa (Y_i, Y_j) \le m^2 n^2 \alpha ^2 \end{aligned}$$

To this end, we first find a relation between two above relations:

$$\begin{aligned}&n^2 \sum _{i,j = 1}^{m} \kappa (X_i, X_j) - 2 mn \sum _{i,j = 1}^{m , n } \kappa (X_i, Y_j) + m^2 \sum _{i,j = 1}^{n} \kappa (Y_i, Y_j) \\ \le&n^2 \sum _{i,j = 1}^{m} (d + \updelta )^{n_{X_iX_j}} - 2 mn \sum _{i,j = 1}^{m , n } d^{n_{X_iY_j}} + m^2 \sum _{i,j = 1}^{n} (d+ \updelta )^{n_{Y_iY_j} } \\&= n^2 (\sum _{i,j = 1}^{m} d^{n_{X_iX_j}} + \sum _{i,j = 1}^{m} [ \frac{n_{X_iX_j} (n_{X_iX_j} - 1) }{2} d^{n_{X_iX_j}-1} \updelta + \ldots ] ) - 2 mn \sum _{i,j = 1}^{m , n } d^{n_{X_iY_j}}\\&\quad + m^2 ( \sum _{i,j = 1}^{n} d^{n_{Y_iY_j}} + \sum _{i,j = 1}^{n} [ \frac{n_{Y_iY_j} (n_{Y_iY_j} - 1) }{2} d^{n_{Y_iY_j}-1} \updelta + \ldots ] ) \end{aligned}$$

From the application of binomial theorem, we obtain:

$$\begin{aligned}&(n^2 \sum _{i,j = 1}^{m} d^{n_{X_iX_j}} - 2 mn \sum _{i,j = 1}^{m , n } d^{n_{X_iY_j}} + m^2 \sum _{i,j = 1}^{n} d^{n_{Y_iY_j} } ) + ( n^2 \sum _{i,j = 1}^{m} [ \frac{n_{X_iX_j} (n_{X_iX_j} - 1) }{2} d^{n_{X_iX_j}-1} \updelta + \ldots ] \\&+ m^2 \sum _{i,j = 1}^{n} [ \frac{n_{Y_iY_j} (n_{Y_iY_j} - 1) }{2} d^{n_{Y_iY_j}-1} \updelta + \ldots ] ) \le m^2 n^2 \alpha ^2 \end{aligned}$$

This means that it is enough to set \({\alpha '}^2 = \alpha ^2 - 2 \updelta d\), because:

$$\begin{aligned} \Rightarrow \alpha '&= m^2 n^2 \alpha ^2 - ( n^2 \sum _{i,j = 1}^{m} [ \frac{n_{X_iX_j} (n_{X_iX_j} - 1) }{2} d^{n_{X_iX_j}-1} \updelta + \ldots ]\\&+ m^2 \sum _{i,j = 1}^{n} [ \frac{n_{Y_iY_j} (n_{Y_iY_j} - 1) }{2} d^{n_{Y_iY_j}-1} \updelta + \ldots ] ) \\&\le m^2 n^2 \alpha ^2 - ( n^2 \updelta \sum _{i,j = 1}^{m} d + m^2 \updelta \sum _{i,j = 1}^{n} d ) \\&\quad = m^2 n^2 \alpha ^2 - 2 m^2 n^2 \updelta d \end{aligned}$$