Presentation: Can an Adversarial Bot Beat the Stock Market?

Presentation: Can an Adversarial Bot Beat the Stock Market?

On October 30th, 2019, Manceps CEO, Al Kari and CTO, Garrett Lander, gave a presentation at Tensorflow World 2019 on adversarial bots being used to manipulate the stock market. Several weeks ago, we wrote up a story about their research and what they discovered but now, we are pleased to bring you the entire presentation.



AL KARI:  Some of you remember this. For many of you, this is all something in the past. This is how the stock market used to operate in the past — and this is how we had the 1987 crash and the 1997 crash.

THose crashes were mainly driven by this number of people who are trading manual trades and a lot of chaos that happens in the stock market after a sell-off.

1997 was the last crash and in 2007 we skipped a crash but we had the recession right after. In 2017, we did not see a crash, and that is because we put a lot of systems and a lot of neural networks were now put in charge of actually making sure a crash does not happen.

Also, because the fact that people stopped getting involved. So just like people shouldn't be on the road driving, people shouldn't be out in the stock market, trading stocks, because people make mistakes and people are emotional.

The current stock market today looks like this. This is how the trading floor is. All that chaos is gone. And what is interesting is that only about 10% of trades are done by humans today. That's also done in an electronic fashion. 60% of all assets on the stock market are traded by and controlled by algorithmic trading. That basically is split between rule-based and machine learning-based trading that is driving most of the decisions of buy and sell stock market. That number has doubled since 2010.

Today's market is largely transactional. It's largely driven by short term transactions that are driving fast turnaround and fast profits for the traders.

Why is all that happening? Why did that happen? Well, it turned out you guys and ladies, you are a lot cheaper than stock traders or maybe some of you are, or maybe the bulk of them are a lot more expensive than one of you guys.

So in 2017, Goldman Sachs actually laid off 600 of their traders and hired 200 data scientists instead. And the reason for that, they thought, was, well, we're going to save a lot of money. That's obvious when you actually build one system and use that system to copy and paste for multiple tradings, multiple transactions, and multiple clients. You don't have to hire so many traders. You could run that with a machine learning bot that actually make predictions and build portfolios for your clients.

It's also a lot more stable. You know, obviously, machine learning and computers are a lot more stable, more predictable and less subjective. They are not influenced by emotions or other elements. Also, it's a lot more scalable, which means it can be offered to different to different customers in different areas. It also afforded them that secrecy or ability to hide data or processes or elements of decision-making from anybody, including their own internal employees.
We're Manceps. And we help our customers build A.I. solutions and provide production-grade ML to enterprise.

The reason why we got here, the way we got into doing this research is by engaging with our customers in a lot of audits and a lot of engagements where we help our customers not only fine tuned for performance and for scalability, we help our customers audit their neural networks. In auditing their neural networks, it was very obvious that adversarial attacks are are the key element that neural networks are susceptible to.

This is where we started researching. So what wan adversary could potentially have, what someone who's got malicious intentions to either wreak havoc in the markets or drive some profit or drive someone bankrupt. So this is how we got started. And Garrett is going to continue describing how this is done and how did we build this lab that you're about to see.
Garrett Lander: Thank you. My volume, OK? Hello, T.F. World. Thank you all very much for coming here. I realize there's a lot of other really good sessions going on right now, so I congratulate you all on having great taste.

As Al was talking about, the market has changed drastically. It is now run mostly by automated trading and we sought to recreate some of that in a closed, controlled experiment. Part of what allows that trading to occur. Is that bots are capable — or neural networks are capable — of picking up on really, really subtle, imperceptible patterns.

The fun, invisible world of conditional probability.

If this stock has moved this amount in this couple of days and this other stock has moved this and this volume has moved this and this is the day of the month, and given those, we are most likely to see this change.

So for our experiment, we took some historical data from a random sample of companies unrelated to the convention: Intel, Amazon, Indeed, and Microsoft.

We took 20 years of data — so sorry, Google, you guys didn't have 20 years. 

So we took their high, their low, their open, their volume, and we took the adjusted close as the target for prediction because we wanted to allow the bots to learn a little bit of seasonality if they could. And that would have a little more explainable variance than the close itself, which would sort of jump around based on how those adjustments came in. We scaled them by 10H estimators, by year, by company, and by company year and fed all of that data into a series of bots.

So we did just a random grid search on hyper-parameters, not really trying to get to an optimal hyper-parameter, but just trying to set an environment of different bots with that would behave differently and make different predictions given different inputs.If any of you went to our lab yesterday, the network for these bots is pretty similar to that one. It’s just a set of 1D convolutional layers across the time series for each feature, with dense layer pooling of the filters leading into a merge layer before the final dense layers and prediction layer. And you’re just trying to minimize the mean squared error loss between those predicted prices and the actual prices.
And of course, that experiment worked fine. It's not too difficult to get something fairly close to that and keep validation loss under control.

But what was much more interesting is the question of if these bots really are better than human traders or if some of their strengths are also some of their weaknesses.

So. Yes, bots are great at pattern recognition, but their type of pattern recognition is also a pattern and that can be recognized by another neural network. So we created an environment where we took those bots, imported them in to the graph of another neural network, frozen, untrainable, no access to any of its layers. 

The idea behind the experiment is that this bot is just someone else buying and selling commodities in this closed market and it's allowed to make slight changes to the amount of volume. It can't control the price. It can't control the day. It can't do anything to any features other than have the volume reflect its own activity.

Unlike those bots that we're trained on trying to minimize their MSE loss, this one is trying to maximize the loss of those other bots, based purely on the way it decides to adjust volumes or how much it decides to buy and sell.

So it's fairly straightforward, I think. Eh, we'll see.

So, going into a demo of how that after we trained that bot, I'm going to show you how in our closed system that bot was able to make small changes to the prices of those companies and how the total holdings of those other bots or those bots are kind of being represented as classes that have holdings. And each one of them is tied to one of the networks that was trained to predict price. And based on the percent price difference expected between the current and the prediction, they decide to buy or sell individual stocks.

The caveats to this are it is a closed system. The bots and the adversary only are subject to one price. There's no gap between the put and the call. So whatever they buy for is also what they sell for. And there are no transaction fees. This allows things to make money in an experiment like this that would not necessarily work in the real stock market.

The data is also limited to just this time series data. So in a sense, these are just very intelligent chartists. They don't have access to an LP of press releases or Twitter or fundamental analysis, any of that would go into a real trading bot that's probably in production right now.
So now I'm going to switch the display, and hopefully this works. I've tested this about 30 times, so I can assure you this is the time it will fail.

It's supposed to wait a few seconds. It's not broken, it's just so I can shift this around a little bit.

Now it's moving. Okay.

So what we're going to see here is the market prices for those eight companies we selected, the bots as you — this happened very quickly within the first couple of iterations. Some of them severely lost their holdings, others are doing fine and continuing to make money.

This is the small micro-adjustments the adversary is making. Because volumes are on huge scales and vary by company, I decided to just display the scaled adjustments because they would be sort of easier to see.

Because they're 10h estimator-scaled, most values are going to be between, like, right around 0.5. So the fact that these are changing by .001, indicates that it's barely doing anything. The adversary is making Holding's over the course of this but the really interesting and exciting part of this is not just that it worked and was able to cause some of these bots to lose money, but that it -- when it decided to traverse the lost space of how it was going to do that, it didn't affect all of the bots. It realized there were some that were easier to fool than others or some that had more predictable pattern recognition in terms of how its volume changes would affect them. And those are the only ones that really learned around while minimizing its loss. And so you can see other bots have gained money and 1, 4 and 6 or 2, 5 and 7 have significantly lost it, which is kind of cool, I think.

The demo probably lasts about a year and a half worth and it's probably almost done, but I think we can switch back 'cause nothing new and exciting is going to happen in there.

Did it work? Yeah, it worked!

All right, so the conclusions we get from this are bots are smarter than human traders and bot traders are dumber than human traders. These minor little changes to the volume of trade activity for these stocks would not affect a human trader knowing that Amazon sold an extra -- someone bought or sold an extra thousand Amazon shares today out of the entire stock market. But when these bots see a thousand Amazon shares go up and five Microsoft shares sold and 30 Intel shares, it decides that some special combination that signals the price is going to change one way or another.
But at the same time, bots are smarter because they're also able -- as you saw with the other ones -- they were able to given our clothed, controlled experiment, continuously accrue money on their predictions.

And I think that's --

AL KARI:  So, like Garrett described with adjusting just a little bit, making -- introducing some well-calculated transactions in the stock market and in very low volumes that would cost an adversary very little money, we are able to make a significant change to our holdings and to other bots that are running the market's holdings.

This concept was demonstrated on computer vision with multiple adverserial attacks where a Stop Sign can be read as a Go Sign, if a few pixels were changed, and that allows the network to see different, then what the human eye would see. By changing just one pixel, in some cases, you are able to completely change that prediction, if you changed the right pixel to the right tone.

,We applied the same logic, the same concept, to the market and guess what? This could be used by a malicious person to introducte some new dynamics in the market. We are doing this to raise awareness. We're hoping that this will allow all of us to work together on improving those neural networks, on building networks that are robust for those kinds of attacks, that we are starting a movement that will allow us to put our hands together and really get the technology to be robust enough to be more sustainable and manage the markets in better ways.

We ask that you join us either by coming out to our booth today and test out the lab if you haven't yet and try to change some parameters to what your human intuition will tell you will be ideal. Run the training and the prediction and the closest prediction is going to win a prize by closing bell today. We are working with real time data so you're going to be training with yesterday's data so you have the same shot like everyone who did the lab yesterday.

Also, please scan that barcode or that QR code and go to our Github Repot. We're open-sourcing the whole project today. So, all the code and all the bots, the lab, and the adversaries are in GitHub.

We ask that you please use it wisely. Don't get us in trouble, please. We don't want to be in trouble with the FCC or anyone else. But we ask that if you find ways to help better the code or optimize it or make suggestions, we welcome the request. And this is a community project.

And if you're out here looking for a job, we're hiring. It's just my plug. Sorry.

So with that, I want to thank the Tensorflow World the entire community and O'Reilly for hosting us. We're happy to answer questions, and if you don't mind rating our session after you leave this.

Any questions for the lab or for the --

AUDIENCE QUESTION: So, is this approach extendable to other products which are not necessarily traded as frequently, or is there an inherent assumption in your model, which assumes that it has to be frequently traded or with this certain frequency?

MR. LANDER: I mean, this approach is extendable to anything else you're training, really. I mean anything where you have a loss that your have mapped and are minimizing and can create a scenario where you're able to block another network that's learning off of pre-trade networks from getting more information than it should have. But any anything where you can combine them in a graph like this, you could apply the same approach to. I don't think there's anything super special about the stock market data. I think it's --I think it's affective for this particular problem just because the the fluctuations are pretty mild and it's easy to create a bad prediction, especially when you're limiting the future space like this just by making small adjustments.
MR. KARI: Let me add one more thing. Any time series data is good for this kind of prediction. In fact, we tried this on predicting the weather. So we trained the network with the 2010 weather information and we attempted to predict tomorrow's weather with it. And it was more accurate than the weather man, without any knowledge of anything weather-related. So it didn't go to college for four years and didn't study weather at all. But if you try an adversarial attack on the weather, it's not going to rain tomorrow, I promise you.

Any other questions?

AUDIENCE QUESTION: Hi, I can envision the case of -- can it discover the case of where, even there's collusion between even traders, for example, say insider trading. They have some specialized inside information and they're conducting suspicious trades, right?

MR. LANDER: You could -- I mean, there are cases like -- that's actually sounds like a cool, interesting use case. I mean, for something like that to work, you would kind of have to have access to the algorithm that different firms are using through some API or -- 

AUDIENCE: Not necessarily, I mean, just from outside information, say, if I were the SEC and I was trying to catch bad actors within the system, say, for example.

MR. LANDER: Sure. Yeah. So I I don't mean full access to the network a trading firm is using. But in this scenario, for instance, if you were giving it -- if you were able to run inference on their network somehow through whatever -- seeing if somehow these minor -- if it's not responding to minor changes the way it normally would, then you might have a signal of insider trade or they might have just trained it more robustly than than our demo bots.

AUDIENCE: Right and another application probably possibly could be if, say, looking at all the financial networks like Swift, say, for example, and looking at financial transactions and looking at transactions that may indicate that some kind of money laundering is going on, say for example.

MR. KARI: I actually would love to have this conversation with you outside. This is amazing. I think that's great brainstorming. And I think those would be great ideas to put together because we have the data, we have networks and just adding those components to it is somewhat trivial. You just add features.
AUDIENCE: The reason why I'm saying this is because I'm not sure the FCC can keep up with the technology and the ability to -- their ability to actually enforce regulations is being stifled by that.
Mr. Kari: Absolutely and I think we in the private sector have the obligation to help out and point these issues out so they don't become problems. We don't we don't want to wait for such things to evolve as viruses or worms have evolved in the past.

Any other questions? I saw someone's hand up somewhere here.

Well, I want to thank you so much for joining us today. And please do visit our booth and try the lab, if you like. It's a ten-minute thing that's going to show you how neural networks work. Even if you're not technical, all you're doing is pressing run on cells.

If you didn't make any modifications, you're just going to get the same guess like everyone else. Maybe changing some hyper-parameters or the structure of the network could help you gain an edge and that will give you exposure as to how these things work.

As I said, please look up the Github Repo and feel free to add or make suggestions. Any pull requests will be absolutely welcome. Thank you all very much for coming out today.

Thanks, guys.
Further Reading: How Adversarial Bots could manipulate the Stock Market


50 AI Secrets: How Every Fortune 50 Company is Using AI Right Now

Get notified when we publish a new story.

Our Most Recent Articles

Tutorial: Building Your First Kubeflow Pipelines Workflow (Part 2)
Data science workflows on Kubernetes with Kubeflow Pipelines (Part 1)
A Tale of Two Companies
The Ideal Phases of Machine Learning Projects