In the literature, it is well explored that machine learning algorithms trained on image classes are highly vulnerable against adversarial examples. However, very limited attention has been given to other sets of inputs such as speech, text, and tabular data. One such application where little work has been done towards adversarial examples generation is financial systems. Despite processing sensitive information such as credit fraud detection and default payment prediction, a low depiction of the robustness of the financial machine learning algorithms can be dangerous. One possible reason for such limited work is the challenge of crafting adversarial examples on the financial databases. The financial databases are heterogeneous where features might have a strong dependency on each other. Whereas image databases are homogeneous, and hence several existing works have shown it is easy to attack the classifiers trained on them. In this paper, for the first, we have analyzed the vulnerability of several traditional machine learning classifiers trained on financial tabular databases. To check the robustness of these classifiers, ' black-box and classifier agnostic ' adversarial attack is proposed through mathematical operations on the features. In brief, the proposed research for the first time presents a detailed analysis that reflects which classifier is robust against minute perturbation in the tabular features. Apart from that through the perturbation on individual features, it is shown which column feature is more or less sensitive for the incorrect classification of the classifier.
evaluated several machine learning models and their
vulutilize the power of machine learning (ML) algorithms. due to no drastic change in the feature space and hence
[
The recent research articles claim that in the last decade
from 2010 to 2020, people with the personal loan double
from $11 million to $21 million [
Imagine a scenario, where a corrupt individual came into the bank for credit card approval and the issue of a In International Workshop on Modelling Uncertainty in the Financial World (MUFin21) In conjunction with CIKM 2021,
https://sites.google.com/iiitd.ac.in/agarwalakshay/home (A. Agarwal); https://nalini-ratha.github.io/ (N. Ratha) 0000-0001-7362-4752 (A. Agarwal); 0000-0001-7913-5722 © 2021 Copyright for this paper by its authors. Use permitted under Creative (N. Ratha) nerability against minute perturbations in the feature the databases. Later, the machine learning classifiers space (or input space). The credit card default prediction chosen to perform the vulnerability analysis are dedatabases contain multiple features such as age, gender, scribed. The experimental results along with analysis payment status, and education. The individual feature are presented to showcase the impact of the proposed can afect the classification decision due to any reason ‘black-box and classifier agnostic’ adversarial perturbasuch as bias and mislabelling. For example, it might tion. be believed that the highly educated individual might not perform fraud. Therefore, in this research, we have identified the sensitivity of various machine learning clas- 2. Existing Adversarial Examples sifiers against individual features both in their raw form Research and under minute perturbation. While the features play an important role, the optimization function of diferent Since the finding of adversarial examples [ 14], several classifiers play an important role in learning decision adversarial attack algorithms are presented in the literboundaries. Hence, the detailed experimental evaluation ature. The existing adversarial attacks can be divided of multiple machine learning classifiers has been per- based on the following two criteria: (i) intention and (ii) formed to showcase which classifier is more robust or type of learning. The type of learning can be described sensitive against imperceptible perturbations. In brief, how much knowledge of the machine learning classithe contributions of this research are: ifer is needed to fool it and it can be categorized into white-box and black-box. In the white-box setting, an • first-ever black-box inference time imperceptible attacker assumes the complete knowledge of the system adversarial attack on credit-card default predic- such as its parameters and classification probabilities. On tion is performed; the other hand, the black-box attacks do not utilize any • extensive ablation studies are conducted to find ML network information in creating adversarial examout the importance of individual feature value ples. In the real world, it is extremely dificult to acquire towards decision making; the knowledge of the machine learning classifiers due • sensitivity analysis of multiple machine learning to their security and the existence of a wide variety of classifiers are presented to help in building a ro- machine learning algorithms. For example, Goel et al. bust finance system utilizing robust classifier(s); [15, 16, 17] have utilized the concept of blockchain and • comprehensive survey of the existing adversarial cryptography to either change the structure of the netattacks developed in other data domains show- works or encrypt them to make it dificult to identify the case the needs of the development of adversary exact parameters of the networks. Similarly, there exists to identify the vulnerabilities in the finance space a humongous number of machine learning algorithms as well. such as supervised, unsupervised, and ensemble learning, hence, assuming the knowledge of the system an attacker
In the next section, the review of the existing adver- wants to fool is dificult [ 18, 19]. Due to the above obsersarial examples is presented followed by the descrip- vations, a black-box attack is practical in the real world tion of credit card default prediction databases. In and at the same dificult to achieve. On the other hand, the next, exploratory database analysis has been per- intention-based attacks are divided into targeted attacks formed to efectively examine the characteristics of and untargeted attacks. The targeted attacks aim the input data to be misclassified by the network into one of Table 1 the desired classes. For example, a credit card defaulter Characteristics of the Credit Card databases. would like to be classified as genuine by the machine Default Credit Australian Credit learning classifier. Whereas, the untargeted attacks aim Feature Name Type Feature Type the input data to be misclassified into ‘any’ class except 21 ILDimit-Bal CCoonnttiinnuuoouuss AA12 BCionnatriynuous the true class. 3 Sex Binary A3 Continuous
In the literature, several adversarial attacks are pro- 45 EMdaurcraiatgioen CCaatteeggoorriiccaall AA45 CCaatteeggoorriiccaall posed. The majority of the attacks are proposed for visual 6 Age Continuous A6 Categorical object classification and limited work has been done so 7 Pay_0 Continuous A7 Continuous far for other kinds of input information such as speech 98 PPaayy__23 CCoonnttiinnuuoouuss AA89 BBiinnaarryy and tabular data, and machine learning classifiers such 10 Pay_4 Continuous A10 Continuous as reinforcement learning. The gradient is one of the 1121 PPaayy__56 CCoonnttiinnuuoouuss AA1112 BCiantaergyorical most essential information in deep network learning and 13 Bill_Amt1 Continuous A13 Continuous utilizing this information several attacks are proposed. 14 Bill_Amt2 Continuous A14 Continuous For example, PGD attack [20] is one of the strongest 1156 BBiillll__AAmmtt34 CCoonnttiinnuuoouuss A15 Binary attacks for visual image classifiers. The attack is per- 17 Bill_Amt5 Continuous formed in multiple iterations by projecting the gradient 18 Bill_Amt6 Continuous in the direction that leads to the strong adversary. Other 1290 PPaayy__AAmmtt12 CCoonnttiinnuuoouuss image-based attacks such as DeepFool [21], add the per- 21 Pay_Amt3 Continuous turbation in the image iteratively so that the image can 2232 PPaayy__AAmmtt45 CCoonnttiinnuuoouuss pass its corresponding class decision boundary learned 24 Pay_Amt6 Continuous by the network. The above attacks learn the manipu- 25 Default Payment Binary lation for each image separately, while it is possible to learn a unique noise vector to apply on multiple images and fool the network [22, 23]. The above-described at- efectively. Agarwal et al. [ 28] have not utilized any extertacks are performed in the white-box setting utilizing the nal knowledge including perturbation vector but extract complete knowledge of the classifier. Another disadvan- the noise inherently present in an image. The authors use tage of the white-box attack is the transferability against an intelligent observation that due to several factors such multiple models. As the attacks are generated utilizing as camera preprocessing steps, environmental factors, the knowledge of the classifier which can be significantly the noise inherently present in an image. The authors diferent from the other unseen models, hence, leads to a extract those noise pattern and used as an adversarial poor success rate against unseen models [24, 25]. pattern. The above-mentioned attacks are performed in
The other class of attack is the black-box attacks which the image space. Limited attacks are also proposed in are more practical in the real world and can fool multiple other categories of networks or input such as generative classifiers. The black-box attack can be further divided models [29], reinforcement learning [30], and cyberspace into query-based and generic manipulation-based. In [31]. the query-based attack, some knowledge of the system While on the one hand, adversarial attacks on machine is assumed such as the decision of the classifier. By uti- learning classifiers especially deep learning classifiers lizing the decision of the classifier on the given input, are prevalent, the defense against them is also getting the noise is modified leading to the desired intent of significant attention. Several defense algorithms based misclassification, i.e., targeted or untargeted. While the on the following two motives are proposed: (i) segregaquery-based attacks are more successful for unseen mod- tion of the adversarial examples from the clean examples els whose knowledge is not available but still bounded [32] and (ii) mitigating the impact of adversarial noise by the number of queries that can be sent for the noise [27]. The defense algorithms have shown tremendous generation. Therefore, this limitation restricts the practi- success in countering the adversarial attacks on the imcal deployment at multiple places. Another category of age domain and show generalizability even in complex attack which is general manipulation is one of the most situations such as an unseen attack, unseen database, successful attacks because not utilization of any classifier and unseen model [33, 34]. The survey of the existing knowledge makes them agnostic to classifiers and can research on adversarial examples can be further referred fool multiple classifiers. Goswami et al. [ 26, 27] have from the survey papers [35, 36, 37]. proposed several image manipulations for fooling face It is interesting to observe from the above discussion recognition networks. The manipulations are somewhat that adversarial machine learning is one of the fasted inspired by the domain knowledge of face recognition growing communities; however, only a few works exand therefore, modified the landmark features of a face ist towards the robustness in the financial domain. The image which were able to fool the recognition networks prime reason for such low existence can bethink from the point of the type of input. The financial data espe- operators. The proposed attacks work in the black-box cially tabular databases are heterogeneous as compared setting and do not utilize any information of a classifier. to homogeneous image databases. Tabular features are Therefore, the proposed attack is classifier agnostic and not interchangeable in contrast to the pixels of an image. can be applied against ‘any’ classifier. In contrast to the Apart from that, the images are rich in visual informa- existing research reported on the limited classifier, the tion and hence humans can predict the information by proposed research study the adversarial strength against looking at them and easy to identify whether any manip- multiple classifiers and shows that the proposed attack ulation has been performed. Whereas tabular data are can fool each of them. Apart from this, the proposed less interpretative and it is complex to identify the minor manipulation also aims to reveal the role of individual modification in individual value. In the literature, few re- tabular features in the classification. search works are proposed for crafting adversarial noise on tabular databases. Ballet et al. [38] and Levy et al. [39] have proposed an imperceptible adversarial attack 3. Finance Databases by minimizing the norm of the perturbation. The critical drawback of the attacks is that the attacker assumes the complete knowledge of the classifier for learning the perturbation and hence less practical for real-world deployment. Another drawback is that the norm-based perturbation on the tabular features can yield unrealistic transformations [40]. Apart from that, the above attacks on tabular data are evaluated on a single classifier, i.e., a shallow neural network or decision forest.
To overcome the limitations of the existing adversarial study on the tabular databases, we have proposed an adversarial manipulation method based on mathematical
card default prediction databases namely Default Credit Database [41, 42] ad Australian Credit Database [12]. The default credit database is one of the largest databases for the binary prediction of the default payment category.
The database contains 30, 000 data points belonging to two categories of default payment, i.e., yes or no. In total, the database consists of 24 features belonging to multiple types such as binary (0 or 1), categorical (1 to ), and continuous. The ID is a feature to represent an individual in the database and hence no role in the classification of the data point. Therefore, the ID feature is 4.1. Correlation Analysis discarded from the Default Credit database. It is clear from the description that each feature has a diferent scale and hence, it is important to bring each feature into the same range, such as between 0 to 1. We have performed the min-max normalization to bring the scale of each feature to the same range. The Australian Credit database contains 14 features aiming to classify the data into binary categories of default payment. Similar to the Default Credit database, the Australian database consists of the features of diferent scales and hence normalized using min-max scaling. The characteristics of both the databases are given in Table 1. Contrary to few available pieces of research [38] which drops few features for adversarial learning on credit database, we have utilized each feature in the database and analyze their impact on adversary generation.
Figure 2 shows the correlation heatmap among each feature in the Default Credit Card database. It is clear from the heatmap that, no feature exhibits a strong correlation with the class variable (default payment). Whereas, the features that belong to the same category such as ‘Pay_’ and ‘BILL_AMT’ show a strong correlation among themselves. For example, ‘Pay_0’ have the positive correlation value of 0.67 with variable ‘Pay_1’. ‘Pay_0’ feature represents the repayment status in September 2005 and the value of the feature ranges between -1 to 9. Other pay features represent the repayment status between April to August 2005. The correlation among them shows the repayment status of the current month and in turn, the credit default payment is somewhat dependent on the status of the last month. However, as compared to repayment status, ‘BILL_AMT’ features have very strong 4. Exploratory Data Analysis correlation values among themselves. The correlation value of at least 0.8 is observed between diferent features.
Before performing the adversarial attack on the input ‘BILL_AMT’ represents the amount of bill statement befeatures of the Credit Card databases, we have performed tween April 2005 to September 2005. the exploration studies on the features such as correlation among the features and relevance of the features. 4.2. Feature Importance goal of selecting the important features by reducing the redundancy among the features and weighting the releAnother data exploratory analysis has been performed vant features. For that, the MRMR algorithm computes by examining the importance of individual features con- the mutual information among the features and between cerning the class label. For that two feature selection or feature and class label. The MRMR algorithm selects the feature weight assignment algorithms namely Univari- best feature set ( ) for classification by maximizing the ate Feature Ranking (UFR) and Minimum Redundancy relevance score | | between feature and class label . Maximum Relevance (MRMR) [43], are utilized. The At the same time, the algorithm aims to minimize the advantage of both the algorithm is that they accept cat- redundancy score | | between two feature values and egorical and continuous features for the classification . The | | and | | can be defined using the following problem. The UFR algorithm measures the independence equations: cohfie-saqcuhafreeatteusrtebceotwnceeenrntihnegmt.hTehcelassms avlalerriatbhleepu-vsianlugetohne = 1 ∑ (, ) a particular feature represents the higher the dependence || ∈ between the feature and class label and the importance = 1 ∑ (, ) of the feature for classification. MRMR algorithm itera- || 2 ∈ tively examines the features to find the features which where, || represents the number of features in the optiare mutually and maximally dissimilar to each other but mal subset . Finally, mutual information quotient (MIQ) efective for decision making. The algorithm achieves its
Adversarial vulnerability of multiple machine learning classifiers against the proposed perturbation defined in Equation 1 on Australian Credit Card Database. Colored box represents the sensitive features and drop in accuracy of classifier on the
Feature 1 2 3 4 5 6 7 8 9 10 11 12 13 14
SVM Linear where, and are the relevance and redundancy value
The earlier adversarial studies discarded few features and hence do not provide the complete picture on the credit card domain. We want to highlight that the proposed research is the first work explaining detailed analysis helpful both crafting the attack and mitigating it by protecting the important features. Figure 3 and Figure
shown in Table 1) shows the highest importance irrespective of the feature selection algorithm. Feature 8 is found most relevant in the Australian database using both UFR and MRMR feature selection algorithms.
In this research, we have used several machine learning algorithms to carefully investigate the impact of adversarial manipulation on the feature space of Credit Card databases. To present a first-ever detailed study, in total, nine diferent classifiers are used for extensively investigating the adversarial fraud in the finance domain. Further, we describe each of the algorithms used for binary classification on clean and manipulated features: Deep the model. The probability of each class can be computed using the following logistic formula: ( ) =
exp 0 + 1 1 + ...... + 6. Proposed Adversarial Attack
and Experimental Results
In this section, we describe the adversarial manipulation results and analysis using the constant value modification as the attack. The databases are divided into training and testing, where the training set contains randomly selected 75% of the total data point. The remaining 25% data points are used for the evaluation of each of the classifiers trained on the training set.
The analysis of the results can be divided into the following parts: 1 accuracy on the clean images, 2 robustness of a classifier, and 3 sensitive features for adversarial goal. The credit card default payment results of each classifier on a clean test of both the databases are reported in Figure 5. On the Australian database, as compared to the non-linear classifiers such as RBF SVM and Neural Network, the linear classifier such as linear SVM performs better. Whereas, on the default credit card database, the RBF SVM performs best as compared to other linear and non-linear classifiers. It is interesting to note from going shallow to a deep neural network, no significant improvement in accuracy notices on both the databases. In another observation, the Naive Bayes classifier performs the worst on the Australian credit card database and second-worst on the default credit card database.
Analysis concerning classifiers: In terms of the sensitivity of the classifier, it is found that the SVM classifier is the least robust in terms of the magnitude of the accuracy ( − )|Σ |−1 ( −1 2 ((2 ) |Σ |)1/2 (|) =
( − ) ) drop on both Australian credit card and default credit Analysis concerning features: The default payment card databases. On the Australian database, the accuracy database contains 23 features by removing the ID feaof the linear SVM drops from 86.13% to 13.88%. The rela- ture which is simply a sequence reflecting the obsertive drop in the accuracy is 72.25% which is the highest vation number and class variable, i.e., default payment. among all the classifiers used for credit default predic- Whereas, the Australian database contains 14 features for tion. On the other hand, the Naive Bayes classifier which classification. We want to mention that in this research, performs the worst on the Australian database shows the we have shown the adversarial strength by perturbing least drop in accuracy when the features are perturbed a single feature only. On the Australian database, feausing the proposed black-box and model agnostic attack. ture 8 is found most sensitive feature, and perturbing In other words, the Naive Bayes classifier is found most that feature afects the performance of each classifier efective in handling the perturbation. The accuracy of significantly. Apart from afecting the performance of each classifier on the clean images, least accuracy ob- each classifier, feature 8 shows the highest reduction in tained under perturbation, and diference reflecting a the accuracy of each classifier. Feature 8 contains the maximum drop in the accuracy is reported in Figure 6 binary values and we have modified the binary values (left) on the Australian database. On the default credit through the ‘XOR’ operator as shown in the proposed card database, the non-linear RBF classifier found the attack equation 1. The second worst feature is the feahighest vulnerable and the relative drop in the perfor- ture 14 which contains the continuous values. However, mance is went to 60.3%. KNN classifier is found most interesting both linear and non-linear SVM, binary trees, robust in terms of the relative drop in the performance and deep neural networks are found robust against the when the features are compared as compared to the ac- slight modification on it. curacy on the clean features. It is interesting to note On the default credit card database, feature 6 found that, even on the Australian database, KNN shows the the weakest point of each classifier except for shallow second-best robustness on the perturbed features. Figure neural network (S-NNet). The perturbation of the fea6 (right) shows the maximum sensitivity of each classifier ture 6 significantly dropped the accuracy of the afected on the default credit card database. classifiers. The RBF SVM classifier is found sensitive against feature 6 only. We want to highlight that both perturbation can be defined in the terms of the numthe feature selection algorithms give the highest score to ber of values available for manipulation. For example, the features 6 as shown in Figure 3 on the default credit an image contains a significantly large number of valcard database. Similarly, on the Australian database, each ues (pixels) available for manipulation and is easily inclassifier has been found highly sensitive to the highest terchangeable. Whereas, the tabular finance databases relevance features reported by the feature selection al- contain a low number of features and can not be easily ingorithms as shown in Figure 4. The detailed analysis on terchanged with each other. Few works exist to identify the sensitivity of individual features is given in Tables 2 the vulnerability of ML algorithms on tabular databases. and 3. However, limitations of the existing attacks are that they Other Manipulations: We want to highlight that the require white-box access of the classifiers and result in other mathematical operations such as and men- unwanted transformations of the features. In this retioned in Section 6 yield similar adversarial phenomena search, we have proposed a first-ever black-box attack are observed on each classifier. on the tabular credit card default prediction databases. We have evaluated a broad number of machine learning 6.1. Unwanted Phenomena for Attacker classifiers as compared to a few classifier vulnerability assessments in the existing works. The proposed attack proves its classifier agnostic strength by fooling each classifier. Apart from the evaluation of multiple classifiers, we have also studied the sensitivity concerning individual features of the databases. Interestingly, it is observed that perturbation of every feature might hurt the aim of an attack, and therefore, intelligent consideration is required. We hope the proposed research opens multiple research threads both towards finding the vulnerabilities of tabular classifiers and improving their robustness.
It is interesting to observe that the adversarial perturbation does not always reduce the performance of a classifier. Apart from that, another interesting point is that the features which are least important for classification, perturbing them can inversely afect the goal of an attacker. The importance of the features can be calculated using the feature selection algorithm. For example, on the Australian database, the feature 11 was found least relevant by both UFR and MRMR feature selection algorithm. Interestingly, perturbing this feature significantly improves the performance of multiple classifiers. For example, the performance of the RBF SVM, logistic regression, and shallow neural network (S-NNet) improves by 2.89%, 1.73%, and 2.31%, respectively. Similarly, the features which are found less relevant by the feature selection algorithms on the default database, perturbing them shows the performance improvement. For example, features 1 and 14 are among the least important feature in the default payment database. However, perturbing them drastically increased the performance of the Naive Bayes classifier. The performance of Naive Bayes shows at least 5.55% jump in the classification performance when perturbing these features. From the above analysis, we suggest careful attention is required while perturbing a feature, a random perturbation of any feature set might not be fruitful for an attacker. Although further analysis can reveal future directions to improve the performance of a classifier by securing only the relevant features.
Adversarial vulnerability of the visual classifiers is extensively explored and paves the way for improving their robustness for secure real-world deployment. However, limited work has been done on financial databases especially tabular databases. The probable reason might be the heterogeneous nature of the databases and the low degree of freedom for perturbation. The degree of [7] M. Singh, S. Nagpal, R. Singh, M. Vatsa, Derivenet [20] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, for (very) low resolution image classification, IEEE A. Vladu, Towards deep learning models resistant to Transactions on Pattern Analysis and Machine In- adversarial attacks, arXiv preprint arXiv:1706.06083 telligence (2021). (2017). [8] S. Ghosh, R. Singh, M. Vatsa, Subclass heterogene- [21] S.-M. Moosavi-Dezfooli, A. Fawzi, P. Frossard, ity aware loss for cross-spectral cross-resolution Deepfool: a simple and accurate method to fool face recognition, IEEE Transactions on Biometrics, deep neural networks, in: Proceedings of the IEEE Behavior, and Identity Science 2 (2020) 245–256. conference on computer vision and pattern recog[9] I. Nigam, R. Keshari, M. Vatsa, R. Singh, K. Bowyer, nition, 2016, pp. 2574–2582.
Phacoemulsification cataract surgery afects the [22] K. R. Mopuri, A. Ganeshan, R. V. Babu, Generdiscriminative capacity of iris pattern recognition, alizable data-free objective for crafting universal Scientific reports 9 (2019) 1–9. adversarial perturbations, IEEE transactions on [10] Alphafold: a solution to a 50- pattern analysis and machine intelligence 41 (2018) year-old grand challenge in biol- 2452–2465. ogy, https://deepmind.com/blog/article/ [23] J. Hayes, G. Danezis, Learning universal adversarial alphafold-a-solution-to-a-50-year-old-grand-\ perturbations with generative models, in: 2018 challenge-in-biology, 2020. IEEE Security and Privacy Workshops (SPW), IEEE, [11] F. O. Geraldes, Pushing the boundaries of computer- 2018, pp. 43–49.
aided diagnosis of melanoma, The Lancet Oncology [24] C. Xie, Z. Zhang, Y. Zhou, S. Bai, J. Wang, Z. Ren, 22 (2021) 433. A. L. Yuille, Improving transferability of adversarial [12] Statlog (australian credit approval) data set, examples with input diversity, in: Proceedings of https://archive.ics.uci.edu/ml/datasets/Statlog+ the IEEE/CVF Conference on Computer Vision and %28Australian+Credit+Approval%29, 2020. Pattern Recognition, 2019, pp. 2730–2739. [13] F. Pierazzi, F. Pendlebury, J. Cortellazzi, L. Cavallaro, [25] X. Wang, K. He, Enhancing the transferability of Intriguing properties of adversarial ml attacks in adversarial attacks through variance tuning, in: the problem space, in: 2020 IEEE Symposium on Se- Proceedings of the IEEE/CVF Conference on Comcurity and Privacy (SP), IEEE, 2020, pp. 1332–1349. puter Vision and Pattern Recognition, 2021, pp. [14] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Er- 1924–1933.
han, I. Goodfellow, R. Fergus, Intriguing properties [26] G. Goswami, N. Ratha, A. Agarwal, R. Singh, of neural networks, arXiv preprint arXiv:1312.6199 M. Vatsa, Unravelling robustness of deep learn(2013). ing based face recognition against adversarial at[15] A. Goel, A. Agarwal, M. Vatsa, R. Singh, N. Ratha, tacks, in: Proceedings of the AAAI Conference on Deepring: Protecting deep neural network with Artificial Intelligence, volume 32, 2018. blockchain, in: Proceedings of the IEEE/CVF Con- [27] G. Goswami, A. Agarwal, N. Ratha, R. Singh, ference on Computer Vision and Pattern Recogni- M. Vatsa, Detecting and mitigating adversarial pertion Workshops, 2019, pp. 0–0. turbations for robust face recognition, International [16] A. Goel, A. Agarwal, M. Vatsa, R. Singh, N. Ratha, Journal of Computer Vision 127 (2019) 719–742.
Securing cnn model and biometric template using [28] A. Agarwal, M. Vatsa, R. Singh, N. K. Ratha, Noise blockchain, in: 2019 IEEE 10th International Con- is inside me! generating adversarial perturbations ference on Biometrics Theory, Applications and with noise derived from natural filters, in: ProSystems (BTAS), IEEE, 2019, pp. 1–7. ceedings of the IEEE/CVF Conference on Computer [17] A. Goel, A. Agarwal, M. Vatsa, R. Singh, N. K. Ratha, Vision and Pattern Recognition Workshops, 2020, Dndnet: Reconfiguring cnn for adversarial robust- pp. 774–775. ness, in: Proceedings of the IEEE/CVF Conference [29] J. Kos, I. Fischer, D. Song, Adversarial examples for on Computer Vision and Pattern Recognition Work- generative models, in: IEEE Security and Privacy shops, 2020, pp. 22–23. Workshops, 2018, pp. 36–42. [18] K. Das, R. N. Behera, A survey on machine learning: [30] Y.-C. Lin, Z.-W. Hong, Y.-H. Liao, M.-L. Shih, M.-Y. concept, algorithms and applications, International Liu, M. Sun, Tactics of adversarial attack on deep Journal of Innovative Research in Computer and reinforcement learning agents, in: International Communication Engineering 5 (2017) 1301–1309. Joint Conference on Artificial Intelligence, 2017, pp. [19] S. Pouyanfar, S. Sadiq, Y. Yan, H. Tian, Y. Tao, M. P. 3756–3762.
Reyes, M.-L. Shyu, S.-C. Chen, S. Iyengar, A sur- [31] I. Rosenberg, A. Shabtai, L. Rokach, Y. Elovici, vey on deep learning: Algorithms, techniques, and Generic black-box end-to-end attack against state applications, ACM Computing Surveys (CSUR) 51 of the art api call based malware classifiers, in: In(2018) 1–36. ternational Symposium on Research in Attacks, Intrusions, and Defenses, Springer, 2018, pp. 490–510. icone mask based face presentation attack, in: 2019 [32] A. Agarwal, R. Singh, M. Vatsa, N. Ratha, Are IEEE 10th International Conference on Biometrics image-agnostic universal adversarial perturbations Theory, Applications and Systems (BTAS), IEEE, for face recognition dificult to detect?, in: 2018 2019, pp. 1–5.
IEEE 9th International Conference on Biometrics [46] A. Agarwal, D. Yadav, N. Kohli, R. Singh, M. Vatsa, Theory, Applications and Systems (BTAS), IEEE, A. Noore, Face presentation attack with latex masks 2018, pp. 1–7. in multispectral videos, in: Proceedings of the [33] A. Agarwal, R. Singh, M. Vatsa, N. K. Ratha, Im- IEEE Conference on Computer Vision and Pattern age transformation based defense against adver- Recognition Workshops, 2017, pp. 81–89. sarial perturbation on deep learning models, IEEE [47] R. E. Wright, Logistic regression. (1995). Transactions on Dependable and Secure Computing [48] J. J. Hopfield, Artificial neural networks, IEEE (2020). Circuits and Devices Magazine 4 (1988) 3–10. [34] A. Agarwal, G. Goswami, M. Vatsa, R. Singh, N. K. [49] K. S. Fu, T. M. Cover, Digital pattern recognition, Ratha, Damad: Database, attack, and model agnos- volume 3, Springer, 1976. tic adversarial perturbation detector, IEEE Transactions on Neural Networks and Learning Systems (2021). [35] J. Zhang, C. Li, Adversarial examples: Opportunities and challenges, IEEE transactions on neural networks and learning systems 31 (2019) 2578–2593. [36] R. Singh, A. Agarwal, M. Singh, S. Nagpal, M. Vatsa,
On the robustness of face recognition algorithms against attacks and bias, in: Proceedings of the AAAI Conference on Artificial Intelligence, volume 34, 2020, pp. 13583–13589. [37] A. Serban, E. Poll, J. Visser, Adversarial examples on object recognition: A comprehensive survey,
ACM Computing Surveys (CSUR) 53 (2020) 1–38. [38] V. Ballet, J. Aigrain, T. Laugel, P. Frossard, M. Detyniecki, et al., Imperceptible adversarial attacks on tabular data, in: NeurIPS 2019 Workshop on Robust AI in Financial Services: Data, Fairness, Explainability, Trustworthiness and Privacy (Robust
AI in FS 2019), 2019. [39] E. Levy, Y. Mathov, Z. Katzir, A. Shabtai, Y. Elovici,
Not all datasets are born equal: On heterogeneous data and adversarial examples, arXiv preprint arXiv:2010.03180 (2020). [40] E. Erdemir, J. Bickford, L. Melis, S. Aydore, Adversarial robustness with non-uniform perturbations, arXiv preprint arXiv:2102.12002 (2021). [41] I.-C. Yeh, C.-h. Lien, The comparisons of data mining techniques for the predictive accuracy of probability of default of credit card clients, Expert Systems with Applications 36 (2009) 2473–2480. [42] M. Lichman, Uci machine learning repository, https:
//archive.ics.uci.edu/ml, 2013. [43] C. Ding, H. Peng, Minimum redundancy feature selection from microarray gene expression data, Journal of bioinformatics and computational biology 3 (2005) 185–205. [44] C. Cortes, V. Vapnik, Support-vector networks,
Machine learning 20 (1995) 273–297. [45] A. Agarwal, M. Vatsa, R. Singh, Chif: Convoluted histogram image features for detecting sil