Adversarial Classification, by Dalvi, N. et al., 2004
Review by Mark Strohmaier

Many data mining algorithms have an underlying assumption that the method of data generation is independent of the miner's activities. While this assumption is valid in some cases, there are numerous domains where it does not hold, including fraud and spam detection, surveillance, and network intrusions. Adversarial Classification is a 2004 paper by Dalvi et al. which looks at the problem of classification in these types of domains, where there is an active effort to make the classifier produce false negatives (such as a missed intrusion attempt).

Using spam filtering as an initial example, the paper does a good job of highlighting the problems classical data mining approaches can have when handling adversarial data. As the attackers modify their approaches to get around the classifier, the performance of the filter will steadily degrade over time. What the authors propose is the generation of an automated system that will continually update the classifier, to stay abreast of the adversary's most recent attempts while not incurring the large human cost of rebuilding the classifier.

They define adversarial classification as a game between a classifier – a function which attempts to correctly predict positive and negative intrusion instances – and an adversary – which attempts to cause the classifier to predict false negatives. In each turn, each side will attempt to generate an optimal strategy to use against the other. Though the proof is not included, the authors say this game achieves a Nash equilibrium. However, attempting to calculate the equilibrium in this case would be triply exponential. In generating a solution, then, the authors focus on a simplified case where each player will only make one move, and attempt to find solutions for that case.
They then describe approaches for both the adversary and classifier, with the following assumptions: both the adversary and classifier have full knowledge of the parameters in play, the adversary assumes it is undetected, the adversary has not tampered with the classifier's training data, and the classifier assumes that any adversaries use optimal approaches.

Implementing a system based on their approach, the authors then tested it on two sets of spam data, one composed of spam and legitimate messages from a mailing list and the other composed of spam and legitimate messages from regular e-mail. The adversary was given three different ways to modify the spam – by adding words, lengthening words, and changing words to their synonyms – and a total of seven different test types were done: adversary-classifier with each of the three modification methods, and naive Bayes against the three modification methods and the unmodified data. In each case the adversary-classifier approach performed better, though the statistical significance of the improvement is not discussed.

As it is written, the paper is, in this reviewer's opinion, a solid advancement in the area of handling adversarial classifications. However, there are several aspects which could be improved upon. The first is with regard to the game's design. The authors acknowledge that they primarily designed the system around each player having only one turn, and do provide a brief discussion at the end of the paper on potential scaling into a multi-turn game. This is one area which could be investigated more and would have a significant effect on the efficacy of this approach, as any real-life application of this would need to deal with multiple rounds. A second area of concern is how the approach would translate into areas besides spam detection.
While the authors demonstrate that the approach can handle spam e-mail (at least for the first stage) well, it would be interesting to see if it can handle the other problem areas they discuss (such as network intrusion) as effectively. Finally, the paper would benefit from a comparison to more classification methods than just naive Bayes. While naive Bayes is a common method – especially in spam filtering, which they studied in depth – seeing how the game approach works versus other methods could provide information about how effective it would be in many situations.

While these changes would improve an already solid paper, the only change which this reviewer would recommend before publication would be an analysis of the results' statistical significance.
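
As an added illustration (not code from the paper or from this review), the sketch below plays the one-move game summarized above on a toy naive Bayes filter, with an adversary restricted to adding words. The word weights, the unit cost per added word, the budget, and the classifier's rule of inverting the adversary's move are all assumptions made for this example and are not the paper's algorithm.

```python
from itertools import combinations

# Constructed per-word log-odds log(P(w|spam)/P(w|ham)); not taken from the paper.
LOG_ODDS = {"viagra": 3.0, "free": 1.5, "winner": 2.0, "click": 1.0,
            "meeting": -2.0, "agenda": -1.8, "report": -1.5, "thanks": -1.2}
BUDGET = 3  # assumed: most words the adversary can afford to add (unit cost each)

def score(words):
    """Naive Bayes log-odds of spam with equal priors, over the words present."""
    return sum(LOG_ODDS.get(w, 0.0) for w in set(words))

def naive_is_spam(words):
    return score(words) > 0

def adversary_move(words):
    """Adversary's single move: add the fewest ham-like words that flip the verdict."""
    if not naive_is_spam(words):
        return list(words)
    missing = [w for w in LOG_ODDS if LOG_ODDS[w] < 0 and w not in words]
    out = list(words)
    for w in sorted(missing, key=LOG_ODDS.get)[:BUDGET]:
        out.append(w)
        if not naive_is_spam(out):
            return out
    return list(words)  # no evasion within budget, so the message goes out unchanged

def aware_is_spam(words):
    """Classifier's single move: also flag x if the adversary above would emit it for some spam."""
    if naive_is_spam(words):
        return True
    ham_like = [w for w in set(words) if LOG_ODDS.get(w, 0.0) < 0]
    for k in range(1, BUDGET + 1):
        for added in combinations(ham_like, k):
            original = [w for w in words if w not in added]
            if naive_is_spam(original) and set(adversary_move(original)) == set(words):
                return True
    return False

if __name__ == "__main__":
    spam = ["free", "winner"]                      # constructed samples
    ham = ["free", "report", "meeting", "thanks"]
    sent = adversary_move(spam)
    print(sent, naive_is_spam(sent), aware_is_spam(sent))
    print(ham, naive_is_spam(ham), aware_is_spam(ham))
```

The legitimate sample contains a spam-like word alongside ham-like ones and is still passed, because it is not a message the modeled adversary would have produced from any spam.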