Adversarial machine learning

In this paper (expanded from an invited talk at AISEC 2010), we discuss an emerging field of study: adversarial machine learning---the study of effective machine learning techniques against an adversarial opponent. In this paper, we: give a taxonomy for classifying attacks against online machine learning algorithms; discuss application-specific factors that limit an adversary's capabilities; introduce two models for modeling an adversary's capabilities; explore the limits of an adversary's knowledge about the algorithm, feature space, training, and input data; explore vulnerabilities in machine learning algorithms; discuss countermeasures against attacks; introduce the evasion challenge; and discuss privacy-preserving learning techniques.

• Publication year

  2019

• Venue

  Security and Artificial Intelligence

• Publication date

  2019-02-01

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/2046684.2046692
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Convex Adversarial Collective Classification

  2013cited by this paper
• Bayesian Games for Adversarial Regression Problems

  2013cited by this paper
• On the hardness of evading combinations of linear classifiers

  2013cited by this paper
• Efficient Algorithm for Privately Releasing Smooth Queries

  2013cited by this paper
• Identifying Personal Genomes by Surname Inference

  2013cited by this paper
• Local Privacy and Statistical Minimax Rates

  2013cited by this paper
• Evasion Attacks against Machine Learning at Test Time

  2013cited by this paper
• Poisoning Attacks against Support Vector Machines

  2012cited by this paper
• Functional Mechanism: Regression Analysis under Differential Privacy

  2012cited by this paper
• De-anonymizing social networks

  2012cited by this paper
• Robust detection of comment spam using entropy rate

  2012cited by this paper
• Differential privacy for functions and functional data

  2012cited by this paper
• Link prediction by de-anonymization: How We Won the Kaggle Social Network Challenge

  2011cited by this paper
• Differentially Private Spatial Decompositions

  2011cited by this paper
• Automatic analysis of malware behavior using machine learning

  2011cited by this paper
• Secure multiple linear regression based on homomorphic encryption

  2011cited by this paper
• Regret Minimizing Audits: A Learning-Theoretic Basis for Privacy Protection

  2011cited by this paper
• Privacy-preserving statistical estimation with optimal convergence rates

  2011cited by this paper
• Detecting adversarial advertisements in the wild

  2011cited by this paper
• Lower Bounds in Differential Privacy

  2011cited by this paper
• A firm foundation for private data analysis

  2011cited by this paper
• Classifier Evasion: Models and Open Problems

  2010cited by this paper
• Multiple Classifier Systems under Attack

  2010cited by this paper
• Classifier evaluation and attribute selection against active adversaries

  2010cited by this paper
• Characterizing, modeling, and generating workload spikes for stateful services

  2010cited by this paper
• Machine learning in adversarial environments

  2010cited by this paper
• P4P: Practical Large-Scale Privacy-Preserving Distributed Computation Robust against Malicious Users

  2010cited by this paper
• Query Strategies for Evading Convex-Inducing Classifiers

  2010cited by this paper
• Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

  2010cited by this paper
• Security analysis of online centroid anomaly detection

  2010cited by this paper
• Bounds on the sample complexity for private learning and private data release

  2010cited by this paper
• Near-Optimal Evasion of Convex-Inducing Classifiers

  2010cited by this paper
• A Simple and Practical Algorithm for Differentially Private Data Release

  2010cited by this paper
• Privacy Violations Using Microtargeted Ads: A Case Study

  2010cited by this paper
• Online Anomaly Detection under Adversarial Impact

  2010cited by this paper
• Secure Learning and Learning for Security: Research in the Intersection

  2010cited by this paper
• VC bounds on the cardinality of nearly orthogonal function classes

  2010cited by this paper
• The security of machine learning

  2010cited by this paper
• A Learning-Based Approach to Reactive Security

  2009cited by this paper
• Applying PCA for Traffic Anomaly Detection: Problems and Solutions

  2009cited by this paper
• A framework for quantitative security analysis of machine learning

  2009cited by this paper
• On the complexity of differentially private data release: efficient algorithms and hardness results

  2009cited by this paper
• Misleading Learners: Co-opting Your Spam Filter

  2009cited by this paper
• ANTIDOTE: understanding and defending against poisoning of anomaly detectors

  2009cited by this paper
• Differentially Private Empirical Risk Minimization

  2009influential reference
• Differential privacy and robust statistics

  2009cited by this paper
• Analysis of Perceptron-Based Active Learning

  2009cited by this paper
• Differentially private recommender systems: building privacy into the net

  2009cited by this paper
• Learning in a Large Function Space: Privacy-Preserving Mechanisms for SVM Learning

  2009cited by this paper
• Learning Convex Bodies is Hard

  2009cited by this paper
• Nash Equilibria of Static Prediction Games

  2009cited by this paper
• On the geometry of differential privacy

  2009cited by this paper
• Stealthy poisoning attacks on PCA-based anomaly detectors

  2009cited by this paper
• Statistical Machine Learning Makes Automatic Control Practical for Internet Datacenters

  2009cited by this paper
• On the Power of Membership Queries in Agnostic Learning

  2009cited by this paper
• Exploiting Machine Learning to Subvert Your Spam Filter

  2008cited by this paper
• A learning theory approach to non-interactive database privacy

  2008cited by this paper
• What's going on?: learning communication rules in edge networks

  2008cited by this paper
• Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

  2008cited by this paper
• Machine Learning in the Presence of an Adversary: Attacking and Defending the SpamBayes Spam Filter

  2008cited by this paper
• Privacy-preserving logistic regression

  2008cited by this paper
• What Can We Learn Privately?

  2008cited by this paper
• Limits of Learning-based Signature Generation with Adversaries

  2008cited by this paper
• New Efficient Attacks on Statistical Disclosure Control Mechanisms

  2008cited by this paper
• Compromising PCA-based Anomaly Detectors for Network-Wide Traffic

  2008cited by this paper
• Robust De-anonymization of Large Sparse Datasets

  2008cited by this paper
• Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays

  2008cited by this paper
• Automating cross-layer diagnosis of enterprise wireless networks

  2007cited by this paper
• Learning Fast Classifiers for Image Spam

  2007cited by this paper
• Language models for detection of unknown attacks in network traffic

  2007cited by this paper
• Towards highly reliable enterprise network services via inference of multi-level dependencies

  2007cited by this paper
• t-Closeness: Privacy Beyond k-Anonymity and l-Diversity

  2007cited by this paper
• An Evolutionary Algorithm for the Block Stacking Problem

  2007cited by this paper
• Filtering spam with behavioral blacklisting

  2007cited by this paper
• Pseudorandom Bits for Polynomials

  2007cited by this paper
• Spectral Graph Theory and its Applications

  2007cited by this paper
• Sensitivity of PCA for traffic anomaly detection

  2007cited by this paper
• Fighting unicode-obfuscated spam

  2007cited by this paper
• Algorithms for Projection-Pursuit Robust Principal Component Analysis

  2007cited by this paper
• The Netflix Prize

  2007cited by this paper
• The price of privacy and the limits of LP decoding

  2007cited by this paper
• Advanced Allergy Attacks: Does a Corpus Really Help?

  2007cited by this paper
• Random Features for Large-Scale Kernel Machines

  2007cited by this paper
• Privacy, accuracy, and consistency too: a holistic solution to contingency table release

  2007cited by this paper
• Filtering Image Spam with Near-Duplicate Detection

  2007cited by this paper
• Pattern Recognition and Machine Learning (Information Science and Statistics)

  2006cited by this paper
• L-diversity: privacy beyond k-anonymity

  2006cited by this paper
• Nightmare at test time: robust learning by feature deletion

  2006cited by this paper
• Detection and identification of network anomalies using sketch subspaces

  2006cited by this paper
• Calibrating Noise to Sensitivity in Private Data Analysis

  2006cited by this paper
• Differential Privacy

  2006influential reference
• In-Network PCA and Anomaly Detection

  2006cited by this paper
• Paragraph: Thwarting Signature Learning by Training Maliciously

  2006cited by this paper
• Anomalous system call detection

  2006cited by this paper
• Allergy Attack Against Automatic Signature Generation

  2006cited by this paper
• Evading network anomaly detection systems: formal reasoning and practical techniques

  2006cited by this paper
• Spam Filtering Using Inexact String Matching in Explicit Feature Space with On-Line Linear Classifiers

  2006cited by this paper
• Behavior-based modeling and its application to Email analysis

  2006cited by this paper
• Can machine learning be secure?

  2006cited by this paper
• Bounding an Attack ’ s Complexity for a Simple Learning Model

  2006cited by this paper

• Fair and square? Evaluating fairness of LLM-generated synthetic datasets

  2026cites this paper
• Adversarial examples in Arabic language

  2026cites this paper
• Robust wavefront sensing based on graph attention adversarial learning

  2026cites this paper
• On the Adversarial Robustness of Hydrological Models

  2026cites this paper
• Stealthy Poisoning Attacks Bypass Defenses in Regression Settings

  2026cites this paper
• A survey on adversarial machine learning: Attacks, defenses, real-world applications, and future research directions

  2026cites this paper
• Protecting Language Models Against Unauthorized Distillation through Trace Rewriting

  2026cites this paper
• Trustworthy Agentic Supply Chains: A Governance Framework for Digital Twin Orchestrated AI Decisioning Under Compliance, Auditability, and Data Sovereignty Constraints

  2026cites this paper
• Comparative Insights on Adversarial Machine Learning from Industry and Academia: A User-Study Approach

  2026cites this paper
• Secure Semantic Communications via AI Defenses: Fundamentals, Solutions, and Future Directions

  2026cites this paper
• FRAME: Comprehensive risk assessment framework for adversarial machine learning threats

  2026cites this paper
• Adversarial Vulnerability Analysis of Deep Neural Network-Based Intrusion Detection Systems Using FGSM and PGD Attacks

  2026cites this paper
• Navigating Embodied Intelligence: Enabling Technologies, Security and Privacy, and Emerging Trends

  2026cites this paper
• Vulnerabilities in Machine Learning for cybersecurity: Current trends and future research directions

  2026cites this paper
• Identity-Spoofing Prompt Injection: Empirical Analysis of Instruction Leakage in Custom GPTs

  2026cites this paper
• Machine Learning and Game Theory Applications in Cybersecurity: Predicting Mitigation Strategies from Attack Techniques

  2025cites this paper
• Cybersecurity Architecture: The Case for Teaching Computer Hardware and Computer Security Together

  2025cites this paper
• Sistem Keamanan Siber Adaptif Berbasis AI: Analisis Kinerja, Arsitektur, dan Penerapannya pada Organisasi Modern

  2025cites this paper
• Towards Building Robust, Reliable and Private AI/ML Security Solutions in Open Radio Access Networks

  2025cites this paper
• Adversarial training with restricted data manipulation

  2025cites this paper
• Data Poisoning and Artificial Intelligence Modeling: Theoretical Foundations and Defensive Strategies

  2025cites this paper
• Integrated Technology and System for Risk and Safety Management in Smart Construction

  2025cites this paper
• Towards Adapting Federated & Quantum Machine Learning for Network Intrusion Detection: A Survey

  2025cites this paper
• 5/6G enhanced adversarial attack defense algorithm using the NS3 simulator

  2025cites this paper
• Adversarial Machine Learning: Analyzing Carlini & Wagner Attacks

  2025cites this paper
• Cloud-Native AI: Challenges and Opportunities in Infrastructure Security

  2025cites this paper
• Investigating AI-Enabled Threat Intelligence for Preventative Cybersecurity: Real-Time Threat Detection and Response

  2025cites this paper
• OMAD5G: Online Malware Detection in 5G Networks using Compound Paths

  2025cites this paper
• Adversarial Machine Learning in IoT Security: A Comprehensive Survey

  2025cites this paper
• Recurrent Biases and Fallacies in Dataset-Driven Intrusion Detection Research

  2025cites this paper
• VERITAS: Verification and Explanation of Realness in Images for Transparency in AI Systems

  2025cites this paper
• AI-Driven Cyber Threat Intelligence Systems: A National Framework for Proactive Defense Against Evolving Digital Warfare

  2025cites this paper
• Advancing Intelligent Threat Detection Systems Powered by AI: A Comprehensive Review and Conceptual Framework

  2025cites this paper
• Imitation Game for Adversarial Disillusion With Chain-of-Thought Reasoning in Generative AI

  2025cites this paper
• Evasion Attacks Against Bayesian Predictive Models

  2025cites this paper
• Transforming European Cybersecurity: AI-Powered Threat Analysis, Quantum Age, Blockchain/Crypto Risks, and Regulatory Strategies

  2025cites this paper
• A trust-driven optimization model for reliable authorization in Hadoop Environment

  2025cites this paper
• A Systematic Approach to AI Security Governance: Leveraging ISO 42001

  2025cites this paper
• Evaluating Robustness of Learning-Enabled Medical Cyber-Physical Systems with Naturally Adversarial Datasets

  2025cites this paper
• DOGe: Defensive Output Generation for LLM Protection Against Knowledge Distillation

  2025cites this paper
• MultiPhishGuard: An LLM-based Multi-Agent System for Phishing Email Detection

  2025cites this paper
• HP_FLAP: homomorphic and polymorphic federated learning aggregation of parameters framework

  2025cites this paper
• Cutting-edge advances in AI and ML for cybersecurity: a comprehensive review of emerging trends and future directions

  2025cites this paper
• VAP3: Variation-Aware Prompt Performance Prediction

  2025cites this paper
• Superior resilience to poisoning and amenability to unlearning in quantum machine learning

  2025cites this paper
• Optimizing Federated Learning With Aggregation Strategies: A Comprehensive Survey

  2025cites this paper
• Moving Target Offense: RL-based Adaptive Evasion Strategies for C2 Frameworks

  2025cites this paper
• The perils of stealthy data poisoning attacks in misogynistic content moderation

  2025cites this paper
• Enhancing IDS performance through a comparative analysis of Random Forest, XGBoost, and Deep Neural Networks

  2025cites this paper
• Enhancing Federated Learning With Differentially Private Continuous Data Release via k-Ary Trees

  2025cites this paper
• A unified Bayesian framework for adversarial robustness

  2025cites this paper
• Adversarially Robust Quantum Transfer Learning

  2025cites this paper
• Semantic Analysis and Query Suggestions for Distributed Redshift Systems

  2025cites this paper
• Cloud-Native AI: Challenges and Opportunities in Infrastructure Security

  2025cites this paper
• Erased but Not Forgotten: How Backdoors Compromise Concept Erasure

  2025cites this paper
• GIIDS-AR: End-to-end generalized intelligent intrusion detection system with adversarial robustness for heterogeneous UAVs in UAM

  2025cites this paper
• Evasion Attacks on Tree-Based Machine Learning Models

  2025cites this paper
• Certified unlearning for a trustworthy machine learning-based access control administration

  2025cites this paper
• An Analytical Framework for Evaluating Successful Poisoning Attacks on Machine Learning Algorithms

  2025cites this paper
• Agentic AI for Cyber Resilience: A New Security Paradigm and Its System-Theoretic Foundations

  2025cites this paper
• Black-box Adversarial Attack Defense Approach: An Empirical Analysis from Cybersecurity Perceptive

  2025cites this paper
• Adversarial AI for Cybersecurity to Mitigate AI-Induced Attacks

  2025cites this paper
• Evaluating Pretrained Deep Learning Models for Image Classification Against Individual and Ensemble Adversarial Attacks

  2025cites this paper
• Decoding FL Defenses: Systemization, Pitfalls, and Remedies

  2025cites this paper
• When Anti-Fraud Laws Become a Barrier to Computer Science Research

  2025cites this paper
• PEAR: privacy-preserving and effective aggregation for byzantine-robust federated learning in real-world scenarios

  2025cites this paper
• Approaching the Harm of Gradient Attacks While Only Flipping Labels

  2025cites this paper
• Empowering Cloud-Native Security: The Transformative Role Of Artificial Intelligence

  2025cites this paper
• Securing the Generative Frontier: A Systematic Analysis of Training Data Poisoning and Prompt Engineering Vulnerabilities in Large Language Models

  2025cites this paper
• Classification and challenges of non-functional requirements in ML-enabled systems: A systematic literature review

  2025cites this paper
• Poisoning Bayesian Inference via Data Deletion and Replication

  2025cites this paper
• A scoping study: crime and connected and autonomous vehicles

  2025cites this paper
• Cancermorphic Computing Toward Multilevel Machine Intelligence

  2025cites this paper
• Assessing Evasion Attacks on Tree-Based Machine Learning Models: Supervised vs. Unsupervised Approaches

  2025cites this paper
• AI-Enabled Multi-Factor Authentication (MFA) Systems for Private and Public Cloud Security

  2025cites this paper
• Classical Autoencoder Distillation of Quantum Adversarial Manipulations

  2025cites this paper
• Adversarial Attacks on Agentic AI Systems: Mechanisms, Impacts, and Defense Strategies

  2025cites this paper
• Proposing a Novel Approach Based on GAN Neural Networks to Address Data Poisoning Attacks in Federated Learning

  2025cites this paper
• Model-Targeted Data Poisoning Attacks against ITS Applications with Provable Convergence

  2025cites this paper
• TextBugger: an extended adversarial text attack on NLP-based text classification model

  2025cites this paper
• ATR-Bench: A Federated Learning Benchmark for Adaptation, Trust, and Reasoning

  2025cites this paper
• Robust Defense Mechanisms for Agentic News Recommenders: Mitigating Data Poisoning Attacks

  2025cites this paper
• Quantifying adversarial risk of multimodal foundation models for military applications

  2025cites this paper
• Text Emotion Recognition Based on Deep Learning and Attention with Whale Optimization Algorithm

  2025cites this paper
• Security Threats and Defence Mechanisms in Federated Learning: A Comprehensive Review

  2025cites this paper
• SHIELD: Secure Hypernetworks for Incremental Expansion Learning Defense

  2025cites this paper
• Adversarial Machine Learning Assisted Hybrid Chaotic Covert Communication in OFDM With Subcarrier Index Modulation

  2025cites this paper
• Position: Certified Robustness Does Not (Yet) Imply Model Security

  2025cites this paper
• THEORETICAL AND TECHNICAL ASPECTS OF MACHINE LEARNING USAGE IN CYBERSECURITY

  2025cites this paper
• Comparative Study of Adversarial Image Attacks

  2025cites this paper
• Towards Adversarial-Prevention-Capable Deep Learning Models: Divergent Approach

  2025cites this paper
• Enhancing software-defined perimeters with integrated identity solutions and threat detection for robust zero trust security

  2025cites this paper
• Minimal adversarial attack on the \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$L_0$$\end{document} norm

  2025cites this paper
• AEJaya+DE: a hybrid feature selection method for machine learning-based network intrusion detection on cybersecurity datasets

  2025cites this paper
• A comprehensive literature review of cyber threats and vulnerabilities in IoT-driven satellite networks: Research challenges and future directions

  2025cites this paper
• Particle Swarm Optimization-Tuned Deep Neural Network for Cloud Intrusion Detection

  2025cites this paper
• AI-Enabled Terrorism: A Strategic Analysis of Emerging Threats and Countermeasures in Global Security

  2025cites this paper
• Enhancing Remaining Useful Life Prediction Against Adversarial Attacks: An Active Learning Approach

  2025cites this paper
• Countering adversarial evasion in regression analysis

  2025cites this paper
• Model Inversion Attacks and Prevention Tactics Using the HPCC Systems Platform

  2025cites this paper