- Zimmermann2001
-
{Fuzzy Set Theory—and Its Applications}
H.-J. Zimmermann
1--525
(2001)
http://dx.doi.org/10.1007/978-94-010-0646-0
Since its inception, the theory of fuzzy sets has advanced in a variety of ways and in many disciplines. Applications of fuzzy technology can be found in artificial intelligence, computer science, control engineering, decision theory, expert systems, logic, management science, operations research, robotics, and others. Theoretical advances have been made in many directions. The primary goal of Fuzzy Set Theory - and its Applications, Fourth Edition is to provide a textbook for courses in fuzzy set theory, and a book that can be used as an introduction. To balance the character of a textbook with the dynamic nature of this research, many useful references have been added to develop a deeper understanding for the interested reader. Fuzzy Set Theory - and its Applications, Fourth Edition updates the research agenda with chapters on possibility theory, fuzzy logic and approximate reasoning, expert systems, fuzzy control, fuzzy data analysis, decision making and fuzzy set models in operations research. Chapters have been updated and extended exercises are included.
- Singh2014
-
{Artificial Neural Network Approach for More Accurate Solar Cell Electrical Circuit Model}
K. J. Singh and K. L. R. Kho and S. J. Singh and Y. C. Devi and N. B. Singh and S. K. Sarkar
Int. J. Comput. Appl.
4
101--116
(2014)
http://dx.doi.org/10.5121/ijcsa.2014.4310
Recent work has shown deep neural networks (DNNs) to be highly susceptible to well-designed, small perturbations at the input layer, or so-called adversarial examples. Taking images as an example, such distortions are often imperceptible, but can result in 100% mis-classification for a state of the art DNN. We study the structure of adversarial examples and explore network topology, pre-processing and training strategies to improve the robustness of DNNs. We perform various experiments to assess the removability of adversarial examples by corrupting with additional noise and pre-processing with denoising autoencoders (DAEs). We find that DAEs can remove substantial amounts of the adversarial noise. However, when stacking the DAE with the original DNN, the resulting network can again be attacked by new adversarial examples with even smaller distortion. As a solution, we propose Deep Contractive Network, a model with a new end-to-end training procedure that includes a smoothness penalty inspired by the contractive autoencoder (CAE). This increases the network robustness to adversarial examples, without a significant performance penalty.
- AlhusseinFawzi2015
-
{Analysis of classifiers' robustness to adversarial perturbations}
Alhussein Fawzi and Omar Fawzi and Pascal Frossard
1--14
(2015)
http://arxiv.org/abs/1502.02590v1
The robustness of a classifier to arbitrary small perturbations of the datapoints is a highly desirable property when the classifier is deployed in real and possibly hostile environments. In this paper, we propose a theoretical framework for analyzing the robustness of classifiers to adversarial perturbations, and study two common families of classifiers. In both cases, we show the existence of a fundamental limit on the robustness to adversarial perturbations, which is expressed in terms of a distinguishability measure between the classes. Our result implies that in tasks involving small distinguishability, no classifier will be robust to adversarial perturbations, even if a good accuracy is achieved. Furthermore, we show that robustness to random noise does not imply, in general, robustness to adversarial perturbations. In fact, in high dimensional problems, linear classifiers are shown to be much more robust to random noise than to adversarial perturbations. Our analysis is complemented by experimental results on controlled and real-world data. Up to our knowledge, this is the first theoretical work that addresses the surprising phenomenon of adversarial instability recently observed for deep networks (Szegedy et al., 2014). Our work shows that this phenomenon is not limited to deep networks, and gives a theoretical explanation of the causes underlying the adversarial instability of classifiers.
- Warde-Farley
-
{Adversarial Perturbations of Deep Neural Networks}
D. Warde-Farley and I. Goodfellow
()
This chapter provides a review of a body of recent work on the topic of adversarial examples and generative adversarial networks.
- DiazdeLeon2005
-
{Progress in Pattern Recognition, Image Analysis and Applications}
R. Díaz de Leon and L. E. Sucar
Lect. Notes Comput. Sci. Prog. Pattern Recognition, Image Anal. Comput. Vision, Appl.
3287
350--357
(2005)
http://link.springer.com/chapter/10.1007/978-3-642-33275-3_2
http://dx.doi.org/10.1007/b101756
Restricted Boltzmann machines (RBMs) are probabilistic graphical models that can be interpreted as stochastic neural networks. The increase in computational power and the development of faster learning algorithms have made them applicable to relevant machine learning problems. They attracted much attention recently after being proposed as building blocks of multi-layer learning systems called deep belief networks. This tutorial introduces RBMs as undirected graphical models. The basic concepts of graphical models are introduced first, however, basic knowledge in statistics is presumed. Different learning algorithms for RBMs are discussed. As most of them are based on Markov chain Monte Carlo (MCMC) methods, an introduction to Markov chains and the required MCMC techniques is provided.
- Tygar2011
-
{Adversarial machine learning}
J. D. Tygar
15
4--6
(2011)
http://dl.acm.org/citation.cfm?doid=2046684.2046692
http://dx.doi.org/10.1109/MIC.2011.112
The author briefly introduces the emerging field of adversarial machine learning, in which opponents can cause traditional machine learning algorithms to behave poorly in security applications. He gives a high-level overview and mentions several types of attacks, as well as several types of defenses, and theoretical limits derived from a study of near-optimal evasion.
- Sommer2010
-
{Outside the closed world: On using machine learning for network intrusion detection}
R. Sommer and V. Paxson
IEEE Symp. Secur. Priv.
2
305--316
(2010)
http://dx.doi.org/10.1109/SP.2010.25
In network intrusion detection research, one popular strategy for finding attacks is monitoring a network's activity for anomalies: deviations from profiles of normality previously learned from benign traffic, typically identified using tools borrowed from the machine learning community. However, despite extensive academic research one finds a striking gap in terms of actual deployments of such systems: compared with other intrusion detection approaches, machine learning is rarely employed in operational "real world" settings. We examine the differences between the network intrusion detection problem and other areas where machine learning regularly finds much more success. Our main claim is that the task of finding attacks is fundamentally different from these other applications, making it significantly harder for the intrusion detection community to employ machine learning effectively. We support this claim by identifying challenges particular to network intrusion detection, and provide a set of guidelines meant to strengthen future research on anomaly detection.
- Lowd2005
-
{Adversarial learning}
D. Lowd and C. Meek
Proceeding Elev. ACM SIGKDD Int. Conf. Knowl. Discov. data Min. - KDD '05
641
(2005)
http://portal.acm.org/citation.cfm?doid=1081870.1081950
http://dx.doi.org/10.1145/1081870.1081950
Many classification tasks, such as spam filtering, intrusion detection, and terrorism detection, are complicated by an adversary who wishes to avoid detection. Previous work on adversarial classification has made the unrealistic assumption that the attacker has perfect knowledge of the classifier [2]. In this paper, we introduce the adversarial classifier reverse engineering (ACRE) learning problem, the task of learning sufficient information about a classifier to construct adversarial attacks. We present efficient algorithms for reverse engineering linear classifiers with either continuous or Boolean features and demonstrate their effectiveness using real data from the domain of spam filtering.
- Xiao2015
-
{Support vector machines under adversarial label contamination}
H. Xiao and B. Biggio and B. Nelson and H. Xiao and C. Eckert and F. Roli
Neurocomputing
160
53--62
(2015)
http://dx.doi.org/10.1016/j.neucom.2014.08.081
Machine learning algorithms are increasingly being applied in security-related tasks such as spam and malware detection, although their security properties against deliberate attacks have not yet been widely understood. Intelligent and adaptive attackers may indeed exploit specific vulnerabilities exposed by machine learning techniques to violate system security. Being robust to adversarial data manipulation is thus an important, additional requirement for machine learning algorithms to successfully operate in adversarial settings. In this work, we evaluate the security of Support Vector Machines (SVMs) to well-crafted, adversarial label noise attacks. In particular, we consider an attacker that aims to maximize the SVM's classification error by flipping a number of labels in the training data. We formalize a corresponding optimal attack strategy, and solve it by means of heuristic approaches to keep the computational complexity tractable. We report an extensive experimental analysis on the effectiveness of the considered attacks against linear and non-linear SVMs, both on synthetic and real-world datasets. We finally argue that our approach can also provide useful insights for developing more secure SVM learning algorithms, and also novel techniques in a number of related research areas, such as semi-supervised and active learning.
- Goodfellow2014
-
{Generative Adversarial Networks}
I. Goodfellow and J. Pouget-Abadie and M. Mirza
arXiv Prepr. arXiv …
1--9
(2014)
http://arxiv.org/abs/1406.2661
We propose a new framework for estimating generative models via an adversarial process, in which we simultaneously train two models: a generative model G that captures the data distribution, and a discriminative model D that estimates the probability that a sample came from the training data rather than G. The training procedure for G is to maximize the probability of D making a mistake. This framework corresponds to a minimax two-player game. In the space of arbitrary functions G and D, a unique solution exists, with G recovering the training data distribution and D equal to 1/2 everywhere. In the case where G and D are defined by multilayer perceptrons, the entire system can be trained with backpropagation. There is no need for any Markov chains or unrolled approximate inference networks during either training or generation of samples. Experiments demonstrate the potential of the framework through qualitative and quantitative evaluation of the generated samples.
- Xue2008
-
{Comment on "on discriminative vs. generative classifiers: A comparison of logistic regression and naive bayes"}
J. H. Xue and D. M. Titterington
Neural Process. Lett.
28
169--187
(2008)
http://dx.doi.org/10.1007/s11063-008-9088-7
We compare discriminative and generative learning as typified by logistic regression and naive Bayes. We show, contrary to a widely-held belief that discriminative classifiers are almost always to be preferred, that there can often be two distinct regimes of performance as the training set size is increased, one in which each algorithm does better. This stems from the observation, which is borne out in repeated experiments, that while discriminative learning has lower asymptotic error, a generative classifier may also approach its (higher) asymptotic error much faster.
- Szegedy2013
-
{Intriguing properties of neural networks}
C. Szegedy and W. Zaremba and I. Sutskever
arXiv Prepr. arXiv …
1--10
(2013)
http://arxiv.org/abs/1312.6199
http://dx.doi.org/10.1021/ct2009208
Deep neural networks are highly expressive models that have recently achieved state of the art performance on speech and visual recognition tasks. While their expressiveness is the reason they succeed, it also causes them to learn uninterpretable solutions that could have counter-intuitive properties. In this paper we report two such properties. First, we find that there is no distinction between individual high level units and random linear combinations of high level units, according to various methods of unit analysis. It suggests that it is the space, rather than the individual units, that contains the semantic information in the high layers of neural networks. Second, we find that deep neural networks learn input-output mappings that are fairly discontinuous to a significant extent. We can cause the network to misclassify an image by applying a certain hardly perceptible perturbation, which is found by maximizing the network's prediction error. In addition, the specific nature of these perturbations is not a random artifact of learning: the same perturbation can cause a different network, that was trained on a different subset of the dataset, to misclassify the same input.
- Kearns1993
-
{Learning in the Presence of Malicious Errors}
M. Kearns and M. Li
SIAM J. Comput.
22
807--837
(1993)
http://epubs.siam.org/doi/abs/10.1137/0222052
http://dx.doi.org/10.1137/0222052
In this paper we study an extension of the distribution-free model of learning introduced by Valiant […] (also known as the probably approximately correct or PAC model) that allows the presence of malicious errors in the examples given to a learning algorithm. Such errors are generated by an adversary with unbounded computational power and access to the entire history of the learning algorithm's computation. Thus, we study a worst-case model of errors. Our results include general methods for bounding the rate of error tolerable by any learning algorithm, efficient algorithms tolerating nontrivial rates of malicious errors, and equivalences between problems of learning with errors and standard combinatorial optimization problems.
- Scholz2011
-
{Machine Learning and Knowledge Discovery in Databases}
C. Scholz and S. Doerfel and M. Atzmueller and A. Hotho and G. Stumme and D. Gunopulos and T. Hofmann and D. Malerba and M. Vazirgiannis
6913
129--144
(2011)
http://www.springerlink.com/content/a270055474n727j2/
http://dx.doi.org/10.1007/978-3-642-23808-6
This paper focuses on resource-aware and cost-effective indoor-localization at room-level using RFID technology. In addition to the tracking information of people wearing active RFID tags, we also include information about their proximity contacts. We present an evaluation using real-world data collected during a conference: We complement state-of-the-art machine learning approaches with strategies utilizing the proximity data in order to improve a core localization technique further.
- Kantchelian2015
-
{Evasion and Hardening of Tree Ensemble Classifiers}
A. Kantchelian and J. D. Tygar and A. D. Joseph
48
1--9
(2015)
http://arxiv.org/abs/1509.07892
Recent work has successfully constructed adversarial "evading" instances for differentiable prediction models. However generating adversarial instances for tree ensembles, a piecewise constant class of models, has remained an open problem. In this paper, we construct both exact and approximate evasion algorithms for tree ensembles: for a given instance x we find the "nearest" instance x' such that the classifier predictions of x and x' are different. First, we show that finding such instances is practically possible despite tree ensemble models being non-differentiable and the optimal evasion problem being NP-hard. In addition, we quantify the susceptibility of such models applied to the task of recognizing handwritten digits by measuring the distance between the original instance and the modified instance under the L0, L1, L2 and L-infinity norms. We also analyze a wide variety of classifiers including linear and RBF-kernel models, max-ensemble of linear models, and neural networks for comparison purposes. Our analysis shows that tree ensembles produced by a state-of-the-art gradient boosting method are consistently the least robust models notwithstanding their competitive accuracy. Finally, we show that a sufficient number of retraining rounds with L0-adversarial instances makes the hardened model three times harder to evade. This retraining set also marginally improves classification accuracy, but simultaneously makes the model more susceptible to L1, L2 and L-infinity evasions.
- Corona2013
-
{Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues}
I. Corona and G. Giacinto and F. Roli
Inf. Sci. (Ny).
239
201--225
(2013)
http://dx.doi.org/10.1016/j.ins.2013.03.022
Intrusion Detection Systems (IDSs) are one of the key components for securing computing infrastructures. Their objective is to protect against attempts to violate defense mechanisms. Indeed, IDSs themselves are part of the computing infrastructure, and thus they may be attacked by the same adversaries they are designed to detect. This is a relevant aspect, especially in safety-critical environments, such as hospitals, aircraft, nuclear power plants, etc. To the best of our knowledge, this survey is the first work to present an overview on adversarial attacks against IDSs. In particular, this paper will provide the following original contributions: (a) a general taxonomy of attack tactics against IDSs; (b) an extensive description of how such attacks can be implemented by exploiting IDS weaknesses at different abstraction levels; (c) for each attack implementation, a critical investigation of proposed solutions and open points. Finally, this paper will highlight the most promising research directions for the design of adversary-aware, harder-to-defeat IDS solutions. To this end, we leverage on our research experience in the field of intrusion detection, as well as on a thorough investigation of the relevant related works published so far.
- Papernot2016
-
{Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks}
N. Papernot and P. McDaniel and X. Wu and S. Jha and A. Swami
582--597
(2016)
http://arxiv.org/abs/1511.04508
http://dx.doi.org/10.1109/SP.2016.41
Deep learning algorithms have been shown to perform extremely well on many classical machine learning problems. However, recent studies have shown that deep learning is vulnerable to adversarial samples: inputs crafted to force a deep neural network (DNN) to provide adversary-selected outputs. Such attacks can seriously undermine the security of the system supported by the DNN, sometimes with devastating consequences. For example, autonomous vehicles can be crashed, illicit or illegal content can bypass content filters, or biometric authentication systems can be manipulated to allow improper access. In this work, we introduce a defensive mechanism called defensive distillation to reduce the effectiveness of adversarial samples on DNNs. We analytically investigate the generalizability and robustness properties granted by the use of defensive distillation when training DNNs. We also empirically study the effectiveness of our defense mechanisms on two DNNs placed in adversarial settings. The study shows that defensive distillation can reduce effectiveness of sample creation from 95% to less than 0.5% on a studied DNN. Such dramatic gains can be explained by the fact that distillation leads gradients used in adversarial sample creation to be reduced by a factor of 10^30. We also find that distillation increases the average minimum number of features that need to be modified to create adversarial samples by about 800% on one of the DNNs we tested.
- Milenkoski2015
-
{Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices}
A. Milenkoski and M. Vieira and S. Kounev and A. Avritzer and B. D. Payne
ACM Comput. Surv.
48
1--41
(2015)
http://dl.acm.org/citation.cfm?doid=2808687.2808691
http://dx.doi.org/10.1145/2808691
The evaluation of computer intrusion detection systems (which we refer to as intrusion detection systems) is an active research area. In this article, we survey and systematize common practices in the area of evaluation of such systems. For this purpose, we define a design space structured into three parts: workload, metrics, and measurement methodology. We then provide an overview of the common practices in evaluation of intrusion detection systems by surveying evaluation approaches and methods related to each part of the design space. Finally, we discuss open issues and challenges focusing on evaluation methodologies for novel intrusion detection systems.
- Gornitz2009
-
{Active Learning for Network Intrusion Detection}
N. Gornitz and M. Kloft and K. Rieck and U. Brefeld
Proc. 2nd ACM Work. Secur. Artif. Intell. AISec 09
47
(2009)
http://eprints.pascal-network.org/archive/00005488/
http://dx.doi.org/10.1145/1654988.1655002
Anomaly detection for network intrusion detection is usually considered an unsupervised task. Prominent techniques, such as one-class support vector machines, learn a hyper-sphere enclosing network data, mapped to a vector space, such that points outside of the ball are considered anomalous. However, this setup ignores relevant information such as expert and background knowledge. In this paper, we rephrase anomaly detection as an active learning task. We propose an effective active learning strategy to query low-confidence observations and to expand the data basis with minimal labeling effort. Our empirical evaluation on network intrusion detection shows that our approach consistently outperforms existing methods in relevant scenarios.
- Yang2011
-
{Active Learning with a Drifting Distribution}
L. Yang
1
1--14
(2011)
http://papers.nips.cc/paper/4190-active-learning-with-a-drifting-distribution
We study the problem of active learning in a stream-based setting, allowing the distribution of the examples to change over time. We prove upper bounds on the number of prediction mistakes and number of label requests for established disagreement-based active learning algorithms, both in the realizable case and under Tsybakov noise. We further prove minimax lower bounds for this problem.
- Barreno2006
-
{Can machine learning be secure?}
M. Barreno and B. Nelson and R. Sears and A. D. Joseph and J. D. Tygar
Proc. 2006 Symp. Information, Comput. Commun. Secur.
16--25
(2006)
http://dl.acm.org/citation.cfm?id=1128824
http://dx.doi.org/10.1145/1128817.1128824
Machine learning systems offer unparalleled flexibility in dealing with evolving input in a variety of applications, such as intrusion detection systems and spam e-mail filtering. However, machine learning algorithms themselves can be a target of attack by a malicious adversary. This paper provides a framework for answering the question, “Can machine learning be secure?” Novel contributions of this paper include a taxonomy of different types of attacks on machine learning techniques and systems, a variety of defenses against those attacks, a discussion of ideas that are important to security for machine learning, an analytical model giving a lower bound on attacker's work function, and a list of open problems.
- Zhao2012
-
{Sampling attack against active learning in adversarial environment}
W. Zhao and J. Long and J. Yin and Z. Cai and G. Xia
7647 LNAI
222--223
(2012)
http://link.springer.com/10.1007/978-3-642-34620-0_21
http://dx.doi.org/10.1007/978-3-642-34620-0_21
Active learning has played an important role in many areas because it can reduce human efforts by just selecting most informative instances for training. Nevertheless, active learning is vulnerable in adversarial environments, including intrusion detection or spam filtering. The purpose of this paper was to reveal how active learning can be attacked in such environments. In this paper, three contributions were made: first, we analyzed the sampling vulnerability of active learning; second, we presented a game framework of attack against active learning; third, two sampling attack methods were proposed, including the adding attack and the deleting attack. Experimental results showed that the two proposed sampling attacks degraded sampling efficiency of naive-bayes active learner.
- Šrndić2014
-
{Practical evasion of a learning-based classifier: A case study}
N. Šrndić and P. Laskov
197--211
(2014)
http://ieeexplore.ieee.org/document/6956565/
http://dx.doi.org/10.1109/SP.2014.20
Learning-based classifiers are increasingly used for detection of various forms of malicious data. However, if they are deployed online, an attacker may attempt to evade them by manipulating the data. Examples of such attacks have been previously studied under the assumption that an attacker has full knowledge about the deployed classifier. In practice, such assumptions rarely hold, especially for systems deployed online. A significant amount of information about a deployed classifier system can be obtained from various sources. In this paper, we experimentally investigate the effectiveness of classifier evasion using a real, deployed system, PDFrate, as a test case. We develop a taxonomy for practical evasion strategies and adapt known evasion algorithms to implement specific scenarios in our taxonomy. Our experimental results reveal a substantial drop of PDFrate's classification scores and detection accuracy after it is exposed even to simple attacks. We further study potential defense mechanisms against classifier evasion. Our experiments reveal that the original technique proposed for PDFrate is only effective if the executed attack exactly matches the anticipated one. In the discussion of the findings of our study, we analyze some potential techniques for increasing robustness of learning-based systems against adversarial manipulation of data.
- Cheng2012
-
{Evasion techniques: Sneaking through your intrusion detection/prevention systems}
T. H. Cheng and Y. D. Lin and Y. C. Lai and P. C. Lin
IEEE Commun. Surv. Tutorials
14
1011--1020
(2012)
http://dx.doi.org/10.1109/SURV.2011.092311.00082
Detecting attacks disguised by evasion techniques is a challenge for signature-based Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs). This study examines five common evasion techniques to determine their ability to evade recent systems. The denial-of-service (DoS) attack attempts to disable a system by exhausting its resources. Packet splitting tries to chop data into small packets, so that a system may not completely reassemble the packets for signature matching. Duplicate insertion can mislead a system if the system and the target host discard different TCP/IP packets with a duplicate offset or sequence. Payload mutation fools a system with a mutative payload. Shellcode mutation transforms an attacker's shellcode to escape signature detection. This study assesses the effectiveness of these techniques on three recent signature-based systems, and among them, explains why Snort can be evaded. The results indicate that duplicate insertion becomes less effective on recent systems, but packet splitting, payload mutation and shellcode mutation can be still effective against them.
- Biggio2013
-
{Evasion Attacks against Machine Learning at Test Time}
B. Biggio and I. Corona and D. Maiorca and B. Nelson and N. Srndic and P. Laskov and G. Giacinto and F. Roli
Mach. Learn. Knowl. Discov. Databases
8190
387--402
(2013)
http://dx.doi.org/10.1007/978-3-642-40994-3_25
In security-sensitive applications, the success of machine learning depends on a thorough vetting of their resistance to adversarial data. In one pertinent, well-motivated attack scenario, an adversary may attempt to evade a deployed system at test time by carefully manipulating attack samples. In this work, we present a simple but effective gradient-based approach that can be exploited to systematically assess the security of several, widely-used classification algorithms against evasion attacks. Following a recently proposed framework for security evaluation, we simulate attack scenarios that exhibit different risk levels for the classifier by increasing the attacker's knowledge of the system and her ability to manipulate attack samples. This gives the classifier designer a better picture of the classifier performance under evasion attacks, and allows him to perform a more informed model selection (or parameter setting). We evaluate our approach on the relevant security task of malware detection in PDF files, and show that such systems can be easily evaded. We also sketch some countermeasures suggested by our analysis.
- Joseph2009
-
{ANTIDOTE : Understanding and Defending against}
A. D. Joseph and N. Taft
Traffic
1--14
(2009)
- Kantarcioglu
-
{Adversarial Data Mining for Cyber Security}
M. Kantarcioglu and B. Xi
()
- Rubinstein2009
-
{Stealthy poisoning attacks on PCA-based anomaly detectors}
B. I. P. Rubinstein and B. Nelson and L. Huang and A. D. Joseph and S.-h. Lau and S. Rao and N. Taft and J. D. Tygar
ACM SIGMETRICS Perform. Eval. Rev.
37
73
(2009)
http://dx.doi.org/10.1145/1639562.1639592
We consider systems that use PCA-based detectors obtained from a comprehensive view of the network's traffic to identify anomalies in backbone networks. To assess these detectors' susceptibility to adversaries wishing to evade detection, we present and evaluate short-term and long-term data poisoning schemes that trade-off between poisoning duration and the volume of traffic injected for poisoning. Stealthy Boiling Frog attacks significantly reduce chaff volume, while only moderately increasing poisoning duration. ROC curves provide a comprehensive analysis of PCA-based detection on contaminated data, and show that even small attacks can undermine this otherwise successful anomaly detector.
- Kantchelian2013
-
{Approaches to Adversarial Drift}
A. Kantchelian and S. Afroz and L. Huang and A. C. Islam and B. Miller and M. C. Tschantz and R. Greenstadt and A. D. Joseph and J. D. Tygar
AISec
99--109
(2013)
http://dx.doi.org/10.1145/2517312.2517320
In this position paper, we argue that to be of practical interest, a machine-learning based security system must engage with the human operators beyond feature engineering and instance labeling to address the challenge of drift in adversarial environments. We propose that designers of such systems broaden the classification goal into an explanatory goal, which would deepen the interaction with the system's operators.
To provide guidance, we advocate for an approach based on maintaining one classifier for each class of unwanted activity to be filtered. We also emphasize the necessity for the system to be responsive to the operators' constant curation of the training set. We show how this paradigm provides a property we call isolation and how it relates to classical causative attacks.
In order to demonstrate the effects of drift on a binary classification task, we also report on two experiments using a previously unpublished malware data set where each instance is timestamped according to when it was seen.