On the Foundations of Adversarial Single-Class Classification

Motivated by authentication, intrusion and spam detection applications we consider single-class classification (SCC) as a two-person game between the learner and an adversary. In this game the learner has a sample from a target distribution and the goal is to construct a classifier capable of distinguishing observations from the target distribution from observations emitted from an unknown other distribution. The ideal SCC classifier must guarantee a given tolerance for the false-positive error (false alarm rate) while minimizing the false negative error (intruder pass rate). Viewing SCC as a two-person zero-sum game we identify both deterministic and randomized optimal classification strategies for different game variants. We demonstrate that randomized classification can provide a significant advantage. In the deterministic setting we show how to reduce SCC to two-class classification where in the two-class problem the other class is a synthetically generated distribution. We provide an efficient and practical algorithm for constructing and solving the two class problem. The algorithm distinguishes low density regions of the target distribution and is shown to be consistent.

💡 Research Summary

The paper “On the Foundations of Adversarial Single‑Class Classification” reframes single‑class classification (SCC) – a problem that appears in authentication, intrusion detection, and spam filtering – as a two‑player zero‑sum game between a learner and an adversary. The learner possesses only samples from a target distribution (P) and must build a classifier that keeps the false‑positive rate (FPR) below a pre‑specified tolerance (\alpha) while minimizing the false‑negative rate (FNR), i.e., the intruder pass rate. The adversary may choose any other distribution (Q) to generate malicious observations and seeks to maximize the learner’s loss. This game‑theoretic formulation allows the authors to derive optimal strategies for both deterministic and randomized classifiers and to quantify the advantage of randomization.

Deterministic strategies.
When the learner commits to a deterministic rule (\phi(x)\in{0,1}), the optimal decision boundary is shown to be a density‑threshold rule: all points whose estimated density under (P) falls below a threshold (\tau) are labeled as “anomalous”. The threshold is chosen so that the constraint (\int_{\phi(x)=1} p(x)dx\le\alpha) is satisfied with equality. This result gives a clear probabilistic interpretation of the optimal SCC rule and highlights that the learner must protect the low‑density regions of (P). However, a deterministic rule is vulnerable: if the adversary knows the exact boundary, it can concentrate its mass precisely in the protected low‑density region, driving the FNR to its worst possible value.

Randomized (probabilistic) strategies.
To mitigate this vulnerability, the authors introduce a randomized classifier (\psi(x)\in