Adversarial Pattern Classification Using Multiple Classifiers and Randomisation

Battista Biggio, Giorgio Fumera, and Fabio Roli

Dept. of Electrical and Electronic Eng., University of Cagliari, Piazza d’Armi, 09123 Cagliari, Italy
{battista.biggio,fumera,roli}@diee.unica.it
WWW home page: http://prag.diee.unica.it

Abstract. In many security applications a pattern recognition system faces an adversarial classification problem, in which an intelligent, adaptive adversary modifies patterns to evade the classifier. Several strategies have recently been proposed to make a classifier harder to evade, but they are based only on qualitative and intuitive arguments. In this work, we consider a strategy that hides information about the classifier from the adversary by introducing some randomness into the decision function. We focus on an implementation of this strategy in a multiple classifier system, a classification architecture widely used in security applications. We provide formal support for this strategy, based on an analytical framework for adversarial classification problems recently proposed by other authors, and give an experimental evaluation on a spam filtering task to illustrate our findings.

1 Introduction

Pattern recognition techniques are currently applied to several security applications, such as biometric personal authentication, intrusion detection in computer networks, and spam filtering [1–5]. However, these kinds of applications do not fit the standard pattern classification model [6]. The main reason is that, in these applications, a pattern classification system faces an intelligent, adaptive adversary who engineers patterns to defeat the system itself. The machine learning community is becoming aware of the relevance of this problem, as a recent workshop held as part of the NIPS 2007 conference shows.¹ To date, few works have explicitly addressed this problem [7–10].
In [9], the general issue of how to design machine learning and pattern classification systems that are hard to evade for an adaptive adversary was discussed. A taxonomy of attack types for different security applications was proposed, and some potential approaches to designing “evade hard” classification systems were suggested for future work. Practical solutions for securing classification systems have also been proposed in applications such as intrusion detection in computer systems [3]. However, such

¹ Workshop on Machine Learning in Adversarial Environments for Computer Security, http://nips.cc/Conferences/2007/Program/event.php?ID=615
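The randomisation strategy outlined in the abstract can be sketched in code: at every classification, a multiple classifier system votes over a randomly drawn subset of its base classifiers, so the effective decision function changes from query to query and is harder for a probing adversary to reconstruct. The following is a minimal illustrative sketch, not the authors' actual method: the keyword-rule base classifiers, the subset size, and the majority-vote combiner are all assumptions made for the example.

```python
import random

def has_word(word):
    """Build a toy base classifier: vote spam (1) if the keyword occurs, ham (0) otherwise.
    These keyword rules stand in for real trained classifiers, purely for illustration."""
    return lambda tokens: 1 if word in tokens else 0

# A hypothetical pool of base classifiers for a spam filtering task.
BASE_CLASSIFIERS = [has_word("viagra"), has_word("lottery"),
                    has_word("winner"), has_word("free"), has_word("click")]

def randomized_mcs_decision(tokens, classifiers=BASE_CLASSIFIERS,
                            subset_size=3, rng=None):
    """Majority vote over a randomly chosen subset of the base classifiers.

    Because the subset is redrawn at each query, an adversary who probes the
    filter observes a non-deterministic decision function, which hides part of
    the classifier's internal information."""
    rng = rng or random.Random()
    chosen = rng.sample(classifiers, subset_size)   # random hidden subset
    votes = sum(c(tokens) for c in chosen)
    return 1 if votes * 2 > subset_size else 0     # strict majority -> spam
```

For example, a message containing all five trigger keywords is labelled spam by any subset, while a message containing none is always labelled ham; messages in between may receive different labels on repeated queries, which is precisely the information-hiding effect.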