Machine learning is vulnerable to adversarial examples-inputs designed to cause models to perform poorly. However, it is unclear if adversarial examples represent realistic inputs in the modeled domains. Diverse domains such as networks and phishing have domain constraints-complex relationships between features that an adversary must satisfy for an attack to be realized (in addition to any adversary-specific goals). In this paper, we explore how domain constraints limit adversarial capabilities and how adversaries can adapt their strategies to create realistic (constraint-compliant) examples. In this, we develop techniques to learn domain constraints from data, and show how the learned constraints can be integrated into the adversarial crafting process. We evaluate the efficacy of our approach in network intrusion and phishing datasets and find: (1) up to 82% of adversarial examples produced by state-of-the-art crafting algorithms violate domain constraints, (2) domain constraints are robust to adversarial examples; enforcing constraints yields an increase in model accuracy by up to 34%. We observe not only that adversaries must alter inputs to satisfy domain constraints, but that these constraints make the generation of valid adversarial examples far more challenging.

研究论文探讨领域约束如何限制对手的能力以及对手如何适应这些限制来创建现实的（符合约束的）对抗性示例。作者开发了从数据中学习领域约束的技术，并展示了如何将学习到的约束集成到对抗制作流程中。作者在网络入侵和网络钓鱼数据集上评估了该方法的功效，并发现：（1）最先进的制作算法产生的高达 82％ 的对抗性示例违反领域约束，（2）强制执行约束使模型精度提高了高达 34％。

领域约束的稳健性