Title Adversarial Machine Learning
Subtitle (Synthesis Lectures on Artificial Intelligence and Machine Learning)
Author Yevgeniy Vorobeychik, Murat Kantarcioglu, Series Editors: Ronald J. Brachman and Peter Stone
ISBN 9781681733951
List price USD 69.95
Price outside India Available on Request
Original price
Binding Paperback
No of pages 170
Book size 191 X 235 mm
Publishing year 2018
Original publisher Morgan & Claypool Publishers (Eurospan Group)
Published in India by .
Exclusive distributors Viva Books Private Limited
Sales territory India, Sri Lanka, Bangladesh, Pakistan, Nepal, .
Status New Arrival
About the book Send Enquiry


The increasing abundance of large high-quality datasets, combined with significant technical advances over the last several decades have made machine learning into a major tool employed across a broad array of tasks including vision, language, finance, and security. However, success has been accompanied with important new challenges: many applications of machine learning are adversarial in nature. Some are adversarial because they are safety critical, such as autonomous driving. An adversary in these applications can be a malicious party aimed at causing congestion or accidents, or may even model unusual situations that expose vulnerabilities in the prediction engine. Other applications are adversarial because their task and/or the data they use are. For example, an important class of problems in security involves detection, such as malware, spam, and intrusion detection. The use of machine learning for detecting malicious entities creates an incentive among adversaries to evade detection by changing their behavior or the content of malicius objects they develop.

The field of adversarial machine learning has emerged to study vulnerabilities of machine learning approaches in adversarial settings and to develop techniques to make learning robust to adversarial manipulation. This book provides a technical overview of this field. After reviewing machine learning concepts and approaches, as well as common use cases of these in adversarial settings, we present a general categorization of attacks on machine learning. We then address two major categories of attacks and associated defenses: decision-time attacks, in which an adversary changes the nature of instances seen by a learned model at the time of prediction in order to cause errors, and poisoning or training time attacks, in which the actual training dataset is maliciously modified. In our final chapter devoted to technical content, we discuss recent techniques for attacks on deep learning, as well as approaches for improving robustness of deep neural networks. We conclude with a discussion of several important issues in the area of adversarial learning that in our view warrant further research.

Given the increasing interest in the area of adversarial machine learning, we hope this book provides readers with the tools necessary to successfully engage in research and practice of machine learning in adversarial settings.


List of Figures



Chapter 1: Introduction

Chapter 2: Machine Learning Preliminaries • Supervised Learning • Regression Learning • Classification Learning • PAC Learnability • Supervised Learning in Adversarial Settings • Unsupervised Learning • Clustering • Principal Component Analysis • Matrix Completion • Unsupervised Learning in Adversarial Settings • Reinforcement Learning • Reinforcement Learning in Adversarial Settings • Bibliographic Notes

Chapter 3: Categories of Attacks on Machine Learning • Attack Timing • Information Available to the Attacker • Attacker Goals • Bibliographic Notes

Chapter 4: Attacks at Decision Time • Examples of Evasion Attacks on Machine Learning Models • Attacks on Anomaly Detection: Polymorphic Blending • Attacks on PDF Malware Classifiers • Modeling Decision-Time Attacks • White-Box Decision-Time Attacks • Attacks on Binary Classifiers: Adversarial Classifier Evasion • Decision-Time Attacks on Multiclass Classifiers • Decision-Time Attacks on Anomaly Detectors • Decision-Time Attacks on Clustering Models • Decision-Time Attacks on Regression Models • Decision-Time Attacks on Reinforcement Learning • Black-Box Decision-Time Attacks • A Taxonomy of Black-Box Attacks • Modeling Attacker Information Acquisition • Attacking Using an Approximate Model • Bibliographical Notes

Chapter 5: Defending Against Decision-Time Attacks • Hardening Supervised Learning against Decision-Time Attacks • Optimal Evasion-Robust Classification • Optimal Evasion-Robust Sparse SVM • Evasion-Robust SVM against Free-Range Attacks • Evasion-Robust SVM against Restrained Attacks • Evasion-Robust Classification on Unrestricted Feature Spaces • Robustness to Adversarially Missing Features • Approximately Hardening Classifiers against Decision-Time Attacks • Relaxation Approaches General-Purpose Defense: Iterative Retraining • Evasion-Robustness through Feature-Level Protection • Decision Randomization • Model • Optimal Randomized Operational Use of Classification • Evasion-Robust Regression • Bibliographic Notes

Chapter 6: Data Poisoning Attacks • Modeling Poisoning Attacks • Poisoning Attacks on Binary Classification • Label-Flipping Attacks • Poison Insertion Attack on Kernel SVM • Poisoning Attacks for Unsupervised Learning • Poisoning Attacks on Clustering • Poisoning Attacks on Anomaly Detection • Poisoning Attack on Matrix Completion • Attack Model • Attacking Alternating Minimization • Attacking Nuclear Norm Minimization • Mimicking Normal User Behaviors • A General Framework for Poisoning Attacks • Black-Box Poisoning Attacks • Bibliographic Notes

Chapter 7: Defending Against Data Poisoning • Robust Learning through Data Sub-Sampling • Robust Learning through Outlier Removal • Robust Learning through Trimmed Optimization • Robust Matrix Factorization • Noise-Free Subspace Recovery • Dealing with Noise • Efficient Robust Subspace Recovery • An Efficient Algorithm for Trimmed Optimization Problems • Bibliographic Notes

Chapter 8: Attacking and Defending Deep Learning • Neural Network Models • Attacks on Deep Neural Networks: Adversarial Examples •
l2 – Norm Attacks • l
8Norm Attacks • l0- Norm Attacks • Attacks in the Physical World • Black-Box Attacks • Making Deep Learning Robust to Adversarial Examples • Robust Optimization • Retraining • Distillation • Bibliographic Notes

Chapter 9: The Road Ahead • Beyond Robust Optimization • Incomplete Information • Confidence in Predictions • Randomization • Multiple Learners • Models and Validation


Authors’ Biographies


About the Authors:

Yevgeniy Vorobeychik, Washington University in Saint Louis

Yevgeniy Vorobeychik is an Associate Professor of Computer Science and Engineering at Washington University in Saint Louis. Previously, he was an Assistant Professor of Computer Science at Vanderbilt University. Between 2008 and 2010, he was a post-doctoral research associate at the University of Pennsylvania Computer and Information Science department. He received Ph.D. (2008) and M.S.E. (2004) degrees in Computer Science and Engineering from the University of Michigan, and a B.S. degree in Computer Engineering from Northwestern University. His work focuses on game theoretic modeling of security and privacy, adversarial machine learning, algorithmic and behavioral game theory and incentive design, optimization, agent-based modeling, complex systems, network science, and epidemic control. Dr. Vorobeychik received an NSF CAREER award in 2017, and was invited to give an IJCAI-16 early career spotlight talk. He was nominated for the 2008 ACM Doctoral Dissertation Award and received honorable mention for the 2008 IFAAMAS Distinguished Dissertation Award.

Murat Kantarcioglu, University of Texas, Dallas

Murat Kantarcioglu is a Professor of Computer Science and Director of the UTD Data Security and Privacy Lab at The University of Texas at Dallas. Currently, he is also a visiting scholar at Harvard’s Data Privacy Lab. He holds a B.S. in Computer Engineering from Middle East Technical University, and M.S. and Ph.D. degrees in Computer Science from Purdue University. Dr. Kantarcioglu’s research focuses on creating technologies that can efficiently extract useful information from any data without sacrificing privacy or security. His research has been supported by awards from NSF, AFOSR, ONR, NSA, and NIH. He has published over 175 peer-reviewed papers. His work has been covered by media outlets such as The Boston Globe and ABC News, among others, and has received three best paper awards. He is also the recipient of various awards including NSF CAREER award, a Purdue CERIAS Diamond Award for academic excellence, the AMIA (American Medical Informatics Association) 2014 Homer R. Warner Award, and the IEEE ISI (Intelligence and Security Informatics) 2017 Technical Achievement Award presented jointly by IEEE SMC and IEEE ITS societies for his research in data security and privacy. He is also a Distinguished Scientist of ACM.

Target Audience:

People interested in research and practice of machine learning in adversarial settings.


Special prices are applicable to the authorised sales territory only.
Prices are subject to change without prior notice.