DataMinKnowlDisc(2011)22:291–335 DOI10.1007/s10618-010-0197-3 Classifier evaluation and attribute selection against active adversaries MuratKantarcıog˘lu · BoweiXi · ChrisClifton Received:16June2008/Accepted:17July2010/Publishedonline:12August2010 ©TheAuthor(s)2010.ThisarticleispublishedwithopenaccessatSpringerlink.com Abstract Manydataminingapplications,suchasspamfilteringandintrusiondetec- tion, are faced with active adversaries. In all these applications, the future data sets and the training data set are no longer from the same population, due to the trans- formations employed by the adversaries. Hence a main assumption for the existing classification techniques no longer holds and initially successful classifiers degrade easily.Thisbecomesagamebetweentheadversaryandthedataminer:Theadversary modifiesitsstrategytoavoidbeingdetectedbythecurrentclassifier;thedataminer thenupdatesitsclassifierbasedonthenewthreats.Inthispaper,weinvestigatethe possibilityofanequilibriuminthisseeminglyneverendinggame,whereneitherparty hasanincentivetochange.Modifyingtheclassifiercausestoomanyfalsepositives withtoolittleincreaseintruepositives;changesbytheadversarydecreasetheutilityof thefalsenegativeitemsthatarenotdetected.Wedevelopagametheoreticframework whereequilibriumbehaviorofadversarialclassificationapplicationscanbeanalyzed, andprovidesolutionsforfindinganequilibriumpoint.Aclassifier’sequilibriumper- formance indicates its eventual success or failure. The data miner could then select attributesbasedontheirequilibriumperformance,andconstructaneffectiveclassifier. Responsibleeditor:JohannesFürnkranz. B M.Kantarcıog˘lu( ) ComputerScienceDepartment,UniversityofTexasatDallas,Richardson,TX,USA e-mail:[email protected] B.Xi DepartmentofStatistics,PurdueUniversity,WestLafayette,IN,USA e-mail:[email protected] C.Clifton DepartmentofComputerScience,PurdueUniversity,WestLafayette,IN,USA e-mail:[email protected] 123 292 M.Kantarcıog˘luetal. A case study on online lending data demonstrates how to apply the proposed game theoreticframeworktoarealapplication. Keywords Adversarialclassification·Gametheory·Attributeselection· Simulatedannealing 1 Introduction Many data mining applications, both current and proposed, are faced with active adversaries.Problemsrangefromtheannoyanceofspamtothedamageofcomputer hackers to the destruction of terrorists.In all of these cases, statistical classification techniquesplayanimportantroleindistinguishingthelegitimatefromthedestructive. Therehasbeensignificantinvestmentintheuseoflearnedclassifierstoaddressthese issues,fromcommercialspamfilterstoresearchprogramssuchasthoseonintrusion detection (Lippmann et al. 2000). These problems pose a significant new challenge notaddressedinpreviousresearch:Thebehaviorofaclasscontrolledbytheadversary mayadapttoavoiddetection.Traditionallyaclassifierisconstructedfromatraining dataset,andfuturedatasetscomefromthesamepopulationasthetrainingdataset. Aclassifierconstructedbythedataminerinsuchastaticenvironmentcannotmaintain itsoptimalperformanceforlong,whenfacedwithanactiveadversary. One intuitive approach to fight the adversary is to let the classifier adapt to the adversary’sactions,eithermanuallyorautomatically.Suchaclassifierwasproposed inDalvietal.(2004).Theproblemisthatthisbecomesanever-endinggamebetween theclassifierandtheadversary.Anotherapproachistominimizetheworstcaseerror throughazero-sumgame(Lanckrietetal.2003;ElGhaouietal.2003). Ourapproachisnottodevelopalearningstrategyfortheclassifiertostayaheadof theadversary.Instead,weproposeanAdversarialClassificationStackelbergGame,a two-playergame,tomodelthesequentialmovesoftheadversaryandthedataminer. Each player follows their own interest in the proposed game theoretic framework: Theadversarytriestomaximizeitsreturnfromthefalsenegativeitems(thosethatget throughtheclassifier),andthedataminertriestominimizethemisclassificationcost. Wethenpredicttheendstateofthegame—anequilibriumstate.Whenconsider- ingthewholestrategyspaceofallthepossibletransformationsandthepenaltiesfor transformation, an equilibrium state offers insight into the error rate to be expected fromaclassifierinthelongrun.Equilibriuminformationalsooffersanalternativeto theminimaxapproachwhichcouldbetoopessimisticinsomecases. Weexamineunderwhichconditionsanequilibriumwouldexist,andprovideasto- chasticsearchmethodandaheuristicmethodtoestimatetheclassifierperformance andtheadversary’sbehavioratsuchanequilibriumpoint(e.g.,theplayers’equilib- riumstrategies).Furthermore,foranygivensetofattributes,wecanobtainequilibrium strategiesonthesubsetsofattributes.Suchinformationisusedtoselectthemosteffec- tiveattributestobuildaclassifier.Whennoneofthesubset’sequilibriumperformance issatisfactory,thedataminerwillhavetochangetherulesofthegame.Forexample, considernewinputattributesorincreasethepenaltiesforexistingones. 123 Classifierevaluationandattributeselection 293 Predictingtheeventualequilibriumstatehastwoprimaryuses.First,thedataminer candetermineiftheapproachusedwillhavelongtermvalue,beforemakingalarge investmentintodeployingthesystem.Second,thiscanaidinattributeselection.While itmayseemthatthebestsolutionissimplytouseallavailableattributes,thereisoften acostassociatedwithobtainingtheattributes.Forexample,inspamfiltering“white listing”goodaddressesand“blacklisting”badIPaddressesareeffective.Butbesides blockingsomegoodtraffic,atrade-offintheclassifierlearningprocess,creatingand maintainingsuchlistsdemandseffort.Ourapproachenablesthedataminertopredict ifsuchexpensiveattributeswillbeeffectiveinthelongrun,orifthelong-termbenefit does not justify the cost. In Sect. 7 we show experimentally that an attribute that is effectiveatthebeginningmaynotbeeffectiveinthelong-term. Ourframeworkisgeneralenoughtobeapplicableinavarietyofadversarialclas- sification scenarios and can accommodate different classification techniques. Spam filtering is one such application where classifier degradation is clearly visible and where we can easily observe the actions taken by the adversary (spammer) and the classifier(spamfilter).1 Anotherexampleisbotnetdetectionwhereseveraldetectionalgorithmshavebeen proposed in the literature, each monitoring different sets of attributes (Stinson and Mitchell 2008). The equilibrium performance of different defensive algorithms can helpthedataminertodeterminetheireffectiveness.Furthermore,thedataminercan applytheproposedframeworktoselectthemosteffectiveattributesfromeachdefen- sive approach. In return, these attributes can be combined to build a more robust defensivealgorithm. Finally,weapplytheproposedframeworktomodelonlinelendingdatainSect.9. Inthiscase,theadversary’sequilibriumtransformationcanhelpthelendertoidentify high risk applications and determine how often additional information needs to be verifiedtoincreasethepenaltyfortheadversary. Thepaperisorganizedasfollows:InSect.2wepresentagametheoreticmodel. In Sect. 3 we propose a stochastic search method to solve for an equilibrium. We demonstrate that penalty costs can affect the equilibrium Bayes error in interesting waysforGaussiandistributioninSect.4.Weexaminetheimpactofextremeclassifi- cationrules(topassallortoblockallobjects)onanequilibrium,usingGaussianand Bernoullirandomvariablesrespectively,inSect.5.InSect.6weprovideacomputa- tionallyefficientheuristicsolutionforBayesianclassifier,whichallowsustohandle highdimensionaldata.Section7presentsasimulationstudy,whereweevaluatethe equilibrium performance of multiple combinations of Gaussian attributes, demon- strating the effect of different combinations of distributions and penalties without transformationandinequilibrium.Section8presentsanothersimulationstudywith Bernoullirandomvariables.Section9presentsacasestudyofmodelingonlinelend- ingdata.Weconcludewithadiscussionoffuturework.First,wediscussrelatedwork below. 1 PleaserefertoPuandWebb(2006)foranextensivestudyofadversarialbehaviorevolutioninspam filtering. 123 294 M.Kantarcıog˘luetal. 1.1 Relatedwork Learninginthepresenceofanadaptiveadversaryisanissueinmanydifferentapplica- tions.Problemsrangingfromintrusiondetection(MahoneyandChan2002)tofraud detection(FawcettandProvost1997)needtobeabletocopewithadaptivemalicious adversaries.AsdiscussedinDalvietal.(2004),thechallengescreatedbythemalicious adversariesarequitedifferentfromthoseinconceptdrift(Hultenetal.2001),because theconceptismaliciouslychangedbasedontheactionsoftheclassifier.Therehave beenapplicationsofgametheorytospamfiltering.InAndroutsopoulosetal.(2005), the spam filter and spam emails are considered fixed; the game is if the spammer shouldsendlegitimateorspamemails,andtheuserdecidesifthespamfiltershould betrustedornot.InLowdandMeek(2005a),theadversarytriestoreverseengineer theclassifiertolearntheparameters.InDalvietal.(2004),theauthorsappliedgame theorytoproduceaNaïveBayesclassifierthatcouldautomaticallyadapttotheadver- sary’s expected actions. While recognizing the importance of an equilibrium state, theysimplifiedthesituationbyassumingtheadversarybasesitsstrategyontheinitial NaïveBayesclassifierratherthantheirproposedadaptivestrategy. In Lowd and Meek (2005b), the authors studied the impact of attaching words thatserveasstrongindicatorofregularuseremails.Thestudyshowsthatbyadding 30-150goodwords,spammercansignificantlyincreaseitssuccessrate.Inthispaper, weproposeagame theoreticmodelwheresuchconclusions could bereached auto- matically.Inaddition,robustclassificationtechniquesthatuseminimaxcriterionhave been proposed in El Ghaoui et al. (2003) and Lanckriet et al. (2003). Compared to thoseworks,weassumethattheadversarycanmodifytheentirebadclassdistribu- tiontoavoidbeingdetected.Alsoourmodelallowsthedataminerandtheadversary to have different utility functions. There has been other work on how to construct robust classifiers for various tasks. For example, in Globerson and Roweis (2006), theauthorsconstructedrobustclassifiersindomainssuchasdocumentclassification bynotover-weightinganysingleattribute.Similarly,inTeoetal.(2008),theauthors applieddomainspecificknowledgeofinvariancetransformationstoconstructarobust supervisedlearningalgorithm.Comparedtothatwork,weincorporatethecostforthe adversariesintoourmodelaswellasthecostfordataminer. InonlinelearningsuchasCesa-Bianchi andLugosi(2006),astrategicgame has beenusedtolearnaconceptinrealtimeormakeapredictionforthenearfutureby seeinginstancesoneatatime.Tothebestofourknowledge,thoseworksdonotdeal withsituationswhereanadversarychangesthedistributionoftheunderlyingconcept. Overall, we take a very different approach from the existing work. By directly investigatinganequilibriumstateofthegame,atwhichpointallpartiessticktotheir currentstrategies,weaimatprovidingaguidelineforbuildingclassifiersthatcould leadtothedataminer’seventualsuccessinthegame. 2 Agametheoreticmodel Inthissectionwepresentagametheoreticmodelforadversarialclassificationappli- cations.Beforewediscussthemodelindetails,weprovideamotivatingexamplethat explainsthebasicaspectsofourmodel. 123 Classifierevaluationandattributeselection 295 2.1 Motivatingexample Considerthecasewhereaclassifierisbuilttodetectwhetheracomputeriscompro- mised or not by malware that sends spam e-mails. This malware detection system couldbebuiltbasedonvarioussystemwideparameters.Forexample,lookingatthe numberofe-mailssentbyacompromisedcomputercouldbeoneusefulmeasureto detectsuchmalware. Insuchascenario,asimpleclassifierthatraisesanalarmifthenumberofe-mails sentbyacomputerexceedsathresholdvaluecouldbeinitiallyverysuccessful.Now anattackerthatdesignsamalwarecanreducethenumberofspame-mailssenttoavoid detection.Theattackercanpossiblyreducethespame-mailssentperdaytonearzero and avoid being detected, but this will not be profitable for the attacker. Afterward, dependingonthenumberofspame-mailssentperday,thedataminersetathreshold value.Tokeepthenumberoffalsepositivesatareasonablelevel,thethresholdvalue chosentobetheclassificationrulecannotbetoosmall.Insuchagametheattacker andthedataminermayreachanequilibriumpointwherebothpartieshavenoincen- tivetochangetheirstrategies.Theattackerwouldsetthespame-mailssentperday to a number that is most profitable: Increasing the number causes the computer to bedetected,andreducingthenumberislessprofitableandnotnecessary.Whenthe attacker receives maximum payoff and does not change its strategy, the data miner doesnotneedtore-setthethresholdvalue:Ifthethresholdusedbytheclassifierwere furtherloweredtodetectthespammingmachine,toomanylegitimatemachineswould bemisidentifiedassourcesofspam.Theimportantquestioniswhethertheclassifier equilibriumperformanceissatisfactoryforthedataminer.Ifnot,thedataminerwould needanewclassificationapproach,suchasincludingadditionalattributes(e.g.sys- tem call sequences executed by the programs) to build a classifier and improve its equilibriumperformance. Below, we discuss how an example given above could be modeled in our frame- worktounderstandtheequilibriumperformanceforagivenclassifierandthesetof attributesusedforbuildingsuchaclassifier. 2.2 Adversarialclassificationstackelberggame The adversarial classification scenario is formulated as a two class problem, where class one (π ) is the “good” class and class two (π ) is the “bad” class. Assume q g b attributesaremeasuredfromanobjectcomingfromeitherclass.Wedenotethevector ofattributesbyx=(x ,x ,...,x )(cid:2).Furthermore,weassumethattheattributesofan 1 2 q objectxfollowdifferentdistributionsfordifferentclasses.Let f (x)betheprobability i densityfunctionofclassπ ,i =gorb.Theoverallpopulationisformedbycombin- i ingthetwoclasses.Let p denotetheproportionofclassπ intheoverallpopulation; i i p + p = 1. The distribution of the attributes x for the overall population can be g b consideredasamixtureofthetwodistributions,withthedensityfunctionwrittenas f(x)= p f (x)+ p f (x). g g b b We assume that the adversary can control the distribution of the “bad” class π . b Inotherwords,theadversarycanmodifythedistributionbyapplyingatransformation 123 296 M.Kantarcıog˘luetal. Ttotheattributesofanobjectxthatbelongstoπ .Hence f (x)istransformedinto b b fT(x). Each such transformation comes with a cost; the transformed object is less b likelytobenefittheadversary,althoughmorelikelytopasstheclassifier.Forexam- ple, a spammer could send a legitimate journal call for papers; while this would be hardtodetectasspam,itwouldnotresultinsalesofthespammer’sproduct.Whena “bad”objectfromπ ismisclassifiedasa“good”objectintoπ ,itgeneratesprofitfor b g theadversary.Atransformedobjectfrom fT(x)generateslessprofitthantheoriginal b one.Inallofthesimulationstudies,weassumethatthevaluesof p and p arenot g b affectedbytransformation,meaningthatadversarytransformsthedistributionofπ , b but in a short time period does not significantly increase or decrease the number of “bad”objects.However,foraBayesianclassifier p and p arejustparametersthat b g define the classification regions. They can be transformed by the adversary and be adjustedinBayesianclassifiertooptimizetheclassificationrulebydataminer.Here we examine the case where a rational adversary and a rational data miner play the followinggame: 1. Giventheinitialdistributionanddensity f(x),theadversarychoosesatransfor- mationTfromthesetofallfeasibletransformationsS,thestrategyspace. 2. AfterobservingthetransformationT,dataminercreatesaclassificationruleh. Consider the case where data miner wants to minimize its misclassification cost. Given transformation T and the associated fT(x), the data miner responds with a b classificationruleh(x).Let L(h,i)betheregionwheretheobjectsareclassifiedas π basedonh(x)fori =gorb.LettheexpectedcostofmisclassificationbeC(T,h), i whichisalwayspositive.Definethepayofffunctionofdatamineras u (T,h)=−C(T,h). g Inordertomaximizeitspayoffu ,thedataminerneedstominimizethemisclassifi- g cationcostC(T,h). Notethatadversaryonlyprofitsfromthe“bad”objectsthatareclassifiedas“good”. Alsonotethattransformationmaychangetheadversary’sprofitofanobjectthatsuc- cessfully passes detection. Define g(T,x) as the profit function for a “bad” object x beingclassifiedasa“good”one,aftertransformationTbeingapplied.Definethe adversary’spayofffunctionofatransformationTgivenh asthefollowing: (cid:2) u (T,h)= g(T,x)fT(x)dx. b b L(h,g) Within the vast literature of game theory, the extensive game provides a suitable framework for us to model the sequential structure of adversary and data miner’s actions. Specifically, the Stackelberg game with two players suits our need. In a Stackelberggame,oneofthetwoplayers(Leader)choosesanactiona firstandthe b secondplayer(Follower),afterobservingtheactionoftheleader,choosesanactiona . g Thegameendswithpayoffstoeachplayerbasedontheirutilityfunctionsandactions. Inourmodel,weassumeallplayersactrationallythroughoutthegame.FortheStac- kelberggame,thisimpliesthatthefollowerrespondswiththeactiona thatmaximizes g 123 Classifierevaluationandattributeselection 297 u giventheactiona ofthefirstplayer.Theassumptionofactingrationallyatevery g b stageofthegameeliminatestheNashequilibriawithnon-crediblethreatsandcreates anequilibriumcalledthesubgameperfectequilibrium. We assume that each player has perfect information about the other. Here in this context,“perfectinformation”meansthateachplayerknowstheotherplayer’sutility function.Furthermore,followerobservesa beforechoosinganaction.Thisassump- b tionisnotunreasonablesincedataandotherinformationarepubliclyavailableinmany applications,suchasspamfiltering.Theutilitiescanbeestimatedinsomeapplication areas.ForthecasestudyinSect.9,thepenaltiesfortransformationcanbemeasuredby theamountofmoneytheadversaryspendstoimproveitsprofile.Forbotnetdetection thepenaltiesfortransformationcanbethereductionintheamountoftrafficgenerated bytheadversary.Inaddition,differentpenaltiescanbeusedtorunwhat-ifanalysis. For example, in loan applications, to prevent an adversary transforming the home ownershipattribute(falselyclaimingtoownahome),wecanputverificationrequire- mentsinplace.Suchverificationwillmakeitcostlytotransformthehomeownership attribute in a loan application. Our model can be re-run with different penalties to predicttheeffectofinstitutingsuchaverificationprocess. AninterestingspecialcaseofStackelberggameisthezero-sumgame,whenthetwo utility functions have the following relationship: u (T,h) = −u (T,h) (Basar and b g Olsder1999).Inthatcase,theStackelbergsolutionconceptforadversarialclassifica- tioncorrespondstotheminimaxsolutionstudiedindepthbymanyauthors(Lanckriet etal.2003;ElGhaouietal.2003).AgeneralStackelbergsolutionfortheadversarial classificationgameautomaticallyhandlestheminimaxsolutionconcept.2 Thegametheoreticframeworkweproposeisdifferentthanthewellknownstrategic games,suchasnon-cooperativestrategicgames.Inastrategicgame,eachplayerisnot informedabouttheotherplayer’splanofaction.Playerstake“simultaneous”actions. The famous Nash equilibrium concept (Osborne and Rubinstein 1999) captures the steady state of such a game. In strategic games, a player cannot change its chosen actionafteritlearnstheotherplayer’saction.Consequentlyifoneplayerchoosesthe equilibriumstrategywhiletheotherdoesnot,theresultcanbebadforbothofthem. Compared with strategic games with “simultaneous” actions, we choose the Stackelberggametoemphasizethesequentialactionsofthetwoplayers.Weassume that the data miner monitors a certain set of attributes through a classifier and the adversaryisawareoftheexistenceoftheclassifierbeforethegamestarts.Thedata miner empirically sets the parameters of the classifier in its initial state. This ini- tial action does not need to be directly modeled by the proposed Stackelberg Game framework.Whenthegamestarts,firsttheadversarytransformstheattributesbeing monitoredbytheclassifiertoincreaseitspayoff.Inthesecondstep,afterobserving thetransformationemployedbytheadversary,thedatamineroptimizestheparameter valuesoftheclassifier.TheproposedStackelberggamemimicstheparametertuning action,becausethedataminerenjoysthefreedomtoadjusttheclassifierparameters afteritobservesasignificantchangeinthedata.Althoughtheadversaryistheleader inthegame,thedataminerchoosesacertainsetofattributesandbuildsaclassifier 2 Ofcourse,moreefficientmethodsforminimaxsolutionconceptcouldbefoundusingsomeoftheexisting techniquessuchastheonesgiveninLanckrietetal.(2003).Herewefocusonthegeneralframework. 123 298 M.Kantarcıog˘luetal. beforethegamestarts.Thedataminersetsthetoneforthegameandthereforehasthe advantageovertheadversary. WedefinetheAdversarialClassificationStackelbergGameG =(N,H,P,u ,u ): b g N = {adversary,dataminer}.Setofsequences H = {∅,(T),(T,h)}s.t.T ∈ S and h ∈ C, where S is the set of all admissible transformations for adversary, and C is thesetofallpossibleclassificationrulesgivenacertaintypeofclassifier.Function P assignsaplayertoeachsequencein H: P(∅) =adversaryand P((T)) =dataminer. Equivalentlythereexistsacorrespondingfunction A thatassignsanactionspaceto each sequence in H: A(∅) = S,A((T)) = C,and A((T,h)) = ∅.Payoff functions u andu aredefinedasabove. b g In our framework we need the distribution of the “bad” class to understand the transformationbeingemployedandtoassesspenaltyfortheadversary.Dependingon thetypeoftheclassifierbeingused,theknowledgeofthedistributionsmayormay notbenecessarytoobtaintheoptimalclassificationruleemployedbydataminer.The classifiercanbere-trainedusingadatasetcontainingthetransformedbadinstances thatarecollectedorsimulated. However, we assume that data miner sticks to one type of classifier while the adversarycanchoosefromallthetransformationsinthestrategyspace.Forexample, ifdataminerchoosesaBayesianclassifier,itadjuststheBayesianclassifierwithnew weights in order to defeat the adversary’s transformations. The data miner will not use a Bayesian classifier facing certain transformations and a decision tree against other transformations. This is a realistic assumption because of development costs: adjustingparametersinamodel(orevenretrainingthemodel)ismuchlessexpensive thanswitchingtoanewmodel. WenoticethatthestrategyspaceofadversarytransformationsScanbequitecom- plex.However,inrealitypeoplehavetodealwitheverytransformationemployedby adversary.Thisiswelldocumentedandcanbeobservedfromdata.Insuchcases,a formalmodelprovidesasystematicapproachtodealwithvarioustransformations. Examiningtheclassifier’sperformanceatequilibrium,wheretheadversarymax- imizes itsgain given the classifier being optimized todefeat itsaction, isasensible choiceinaStackelberggame.Forafixedtransformation,itistruethattheproblem reducestoaregularlearningproblem.Ontheotherhand,givenacertainsetofattri- butesmonitoredthroughaclassifier,everypossibletransformationandtheoptimized classificationruletodefeatthistransformationgeneratesacorrespondingerrorrate. Themainissueistoknowwhichoneofthepotentialtransformationsaremorelikely tobeadoptedinpracticeandwhattodoaboutitifsuchtransformationoccurs.One approachistoselectasetofattributesthatminimizestheworstcaseerrorrateunderall possibletransformations.ForsomeapplicationareassuchasonlinelendinginSect.9, theworstcasescenarioisunlikelytohappenbecauseoftheheavypenaltiesfortrans- formation. Equilibrium information offers an alternative to the minimax approach. Whenconsideringthewholestrategyspaceofallthepossibletransformationsandthe penaltiesfortransformation,anequilibriumstateoffersinsightintotheerrorrateto beexpectedfromaclassifierinthelongrun.Assuggestedbyourpaper,suchinsights areusedtoguideattributeselection. Inthisgame,weassumethattheadversaryactsb(cid:3)yfirstap(cid:4)plyingatransformationT. AfterobservingTbeingappliedtothe“bad”class fT(x) ,theoptimalclassification b 123 Classifierevaluationandattributeselection 299 rulebecomesh (x).h (x)isthebestresponseofdataminerfacingatransformation T T T.LetL(h ,g)betheregionwheretheobjectsareclassifiedasπ givenh .Define T g T theadversarygainofapplyingtransformationTas: (cid:2) (cid:3) (cid:4) W(T)=ub(T,hT)= g(T,x)fbT(x)dx= EfT I{L(hT,g)}(x)g(T,x) . b L(hT,g) (2.1) W(T)istheexpectedvalueoftheprofitgeneratedbythe“bad”objectsthatpassdetec- tion under transformation T and the data miner’s optimal classification rule against T. When both parties are rational players, both attempt to maximize their payoff. Thereforewecanwriteasubgameperfectequilibriumas(Te,hTe),where Te =argmaxT∈S (W(T)). (2.2) Gametheory(OsborneandRubinstein1999)establishesthatthesolutionoftheabove maximizationproblemisasubgameperfectequilibrium.Furthermoreifthestrategy spaceSiscompactandW(T)iscontinuous,themaximizationproblemhasasolution. Theaboveformulationcanaccommodateanywell-definedsetoftransformations S,anyappropriatedistributionswithdensities f (x)and f (x),andanymeaningful g b profitfunctiong(T,x). We solve the above equations by exploiting the structure of the game: To search for an equilibrium in a Stackelberg game is equivalent to solving an optimization problem. We present a general solution based on stochastic search in Sect. 3, and a heuristicsolutionbasedonanapproximationoftheclassificationregionforminimal costBayesianclassifierinSect.6,forhighdimensionaltasks. 3 Solvingfortheequilibrium Tosearchforasubgameperfectequilibrium,theunderlyingproblemisconvertedto anoptimizationproblemsimilartotheonedefinedbyEq.2.2(BasarandOlsder1999). Althoughtherearecomputationalgametheorytoolstofindsubgameperfectequilibria forfinitegames(McKelveyetal.2007),searchingforsubgameperfectequilibriaisa hardproblemingeneral(BasarandOlsder1999).Therefore,optimizationtechniques suchasgeneticalgorithms,havebeenappliedtosearchforsubgameperfectequilibria (ValleeandBasar1999).Tothebestofourknowledge,noneoftheexistingcompu- tationalgamealgorithmscanbeappliedtoourcaseduetothespecialstructureofthe adversary gain W(T). Since the integration region L(h ,g) for the adversary gain T W(T)isafunctionoftransformationT,findingananalyticalsolutiontothemaximiza- tionproblemischallenging.Inaddition,evencalculatingtheintegrationanalytically foraspecifictransformationisnotpossibleforhighdimensionaldata.Wehavetoeval- uate W(T) numerically. Because of such difficulties, we consider stochastic search algorithmsforfindinganapproximatesolution.Atypicalstochasticsearchalgorithm foroptimizationproblemsworksasfollows:Thealgorithmstartswitharandominitial 123 300 M.Kantarcıog˘luetal. pointandthensearchesthesolutionspacebymovingtodifferentpointsbasedonsome selectioncriterion.Thisprocessinvolvesevaluatingthetargetfunctionattheselected pointsinthesolutionspace.Clearly,thisimpliesacomputationallyefficientmethod for calculating W(T) is required, since the function will be evaluated at thousands of transformations in S. Furthermore, a stochastic search algorithm with the ability to converge to a global optimal solution is highly desirable. In the rest of this sec- tion,MonteCarlointegrationmethodisintroducedtocomputeW(T)andsimulated annealingalgorithmisimplementedtosolveforasubgameperfectequilibrium. 3.1 Montecarlointegration MonteCarlointegrationtechniqueconvertsanintegratio(cid:5)nproblemtocomputingan expected value.Assumethatwew(cid:5)ouldliketocalculate g(x)dx.Ifwecanfinda probabilitydensityfunction f(x)( f(x)dx=1)thatiseasytosamplefrom,then (cid:2) (cid:2) (cid:6) (cid:7) g(x) g(x) g(x)dx= × f(x)dx= E . f(x) f f(x) (cid:5) g(x)dxisequaltotheexpectedvalueofg(x)/f(x)withrespecttothedensity f(x). Theexpe(cid:8)cta(cid:9)tionofg(x)/f(x)isestimatedbycomputin(cid:10)gas(cid:3)am(cid:3)ple(cid:4)mea(cid:3)n.(cid:4)G(cid:4)enerate m samples xi from f(x) and calculate μm = 1/m × m1 g xi /f(cid:5)xi . When thesamplesizem islargeenough,μ providesanaccurateestimateof g(x)dx. m TheadversarygainW(T)canbewrittenas: (cid:2) (cid:3) (cid:4) W(T)= IL(hT,g)(x)×g(T,x) fbT(x)dx. Intheaboveformula,IL(hT,g)(x)isanindicatorfunction.Itreturns1ifatransformed “bad”objectxisclassifiedintoπ ,elseitreturns0. fT(x)isnaturallyaprobability g b density function. Therefore W(T) could be calculated by sampling m points from fT(x),andtakingtheaverageof g(T,x)ofthesamplepointsthatfallin L(h ,g). b T Thepseudo-codeforMonteCarlointegrationisgiveninAlgorithm3.1. Algorithm3.1MonteCarloIntegration {EvaluatingW(T)fo(cid:11)rag(cid:12)iventransformationT} Generatemsamples xi from fT(x) b sum=0 fori=1tomdo ifxi ∈L(hT,g)th(cid:13)en (cid:14) sum=sum+g T,xi endif endfor returnsum/m 123