{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,26]],"date-time":"2025-07-26T09:00:04Z","timestamp":1753520404234,"version":"3.40.3"},"publisher-location":"Cham","reference-count":135,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030987947"},{"type":"electronic","value":"9783030987954"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-030-98795-4_12","type":"book-chapter","created":{"date-parts":[[2022,4,7]],"date-time":"2022-04-07T18:03:58Z","timestamp":1649354638000},"page":"287-312","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Adversarial Machine Learning"],"prefix":"10.1007","author":[{"given":"Carlos Javier","family":"Hern\u00e1ndez-Castro","sequence":"first","affiliation":[]},{"given":"Zhuoran","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Alex","family":"Serban","sequence":"additional","affiliation":[]},{"given":"Ilias","family":"Tsingenopoulos","sequence":"additional","affiliation":[]},{"given":"Wouter","family":"Joosen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,4,8]]},"reference":[{"key":"12_CR1","unstructured":"Automatic speaker verification spoofing and countermeasures challenge. http:\/\/www.asvspoof.org\/"},{"key":"12_CR2","doi-asserted-by":"publisher","first-page":"14410","DOI":"10.1109\/ACCESS.2018.2807385","volume":"6","author":"N Akhtar","year":"2018","unstructured":"Akhtar, N., Mian, A.: Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access 6, 14410\u201314430 (2018)","journal-title":"IEEE Access"},{"key":"12_CR3","doi-asserted-by":"crossref","unstructured":"Al-Dujaili, A., Huang, A., Hemberg, E., O\u2019Reilly, U.M.: Adversarial deep learning for robust detection of binary encoded malware. In: S&P Workshops, pp. 76\u201382. IEEE (2018)","DOI":"10.1109\/SPW.2018.00020"},{"key":"12_CR4","unstructured":"Alzantot, M., Balaji, B., Srivastava, M.: Did you hear that? adversarial examples against automatic speech recognition. In: NIPS Workshop on Machine Deception (2018)"},{"key":"12_CR5","doi-asserted-by":"crossref","unstructured":"Alzantot, M., Sharma, Y., Chakraborty, S., Zhang, H., Hsieh, C.J., Srivastava, M.B.: Genattack: practical black-box attacks with gradient-free optimization. In: Proceedings of the Genetic and Evolutionary Computation Conference, pp. 1111\u20131119. ACM (2019)","DOI":"10.1145\/3321707.3321749"},{"key":"12_CR6","unstructured":"Anderson, H.S., Kharkar, A., Filar, B., Evans, D., Roth, P.: Learning to evade static PE machine learning malware models via reinforcement learning. arXiv:1801.08917 (2018)"},{"key":"12_CR7","unstructured":"Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: circumventing defenses to adversarial examples. In: ICLR (2018)"},{"issue":"2","key":"12_CR8","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1007\/s10994-010-5188-5","volume":"81","author":"M Barreno","year":"2010","unstructured":"Barreno, M., Nelson, B., Joseph, A.D., Tygar, J.D.: The security of machine learning. Mach. Learn. 81(2), 121\u2013148 (2010). https:\/\/doi.org\/10.1007\/s10994-010-5188-5","journal-title":"Mach. Learn."},{"key":"12_CR9","doi-asserted-by":"crossref","unstructured":"Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar, J.D.: Can machine learning be secure? In: CCS, pp. 16\u201325. ACM (2006)","DOI":"10.1145\/1128817.1128824"},{"key":"12_CR10","unstructured":"Bhattad, A., Chong, M.J., Liang, K., Li, B., Forsyth, D.A.: Unrestricted adversarial examples via semantic manipulation. In: ICLR (2020)"},{"issue":"5","key":"12_CR11","doi-asserted-by":"publisher","first-page":"31","DOI":"10.1109\/MSP.2015.2426728","volume":"32","author":"B Biggio","year":"2015","unstructured":"Biggio, B., Russu, P., Didaci, L., Roli, F.: Adversarial biometric recognition\u202f: a review on biometric system security from the adversarial machine-learning perspective. IEEE Sig. Process. Mag. 32(5), 31\u201341 (2015)","journal-title":"IEEE Sig. Process. Mag."},{"key":"12_CR12","series-title":"Lecture Notes in Computer Science (Lecture Notes in Artificial Intelligence)","doi-asserted-by":"publisher","first-page":"387","DOI":"10.1007\/978-3-642-40994-3_25","volume-title":"Machine Learning and Knowledge Discovery in Databases","author":"B Biggio","year":"2013","unstructured":"Biggio, B., et al.: Evasion attacks against machine learning at test time. In: Blockeel, H., Kersting, K., Nijssen, S., \u017delezn\u00fd, F. (eds.) ECML PKDD 2013. LNCS (LNAI), vol. 8190, pp. 387\u2013402. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-40994-3_25"},{"issue":"4","key":"12_CR13","doi-asserted-by":"publisher","first-page":"984","DOI":"10.1109\/TKDE.2013.57","volume":"26","author":"B Biggio","year":"2013","unstructured":"Biggio, B., Fumera, G., Roli, F.: Security evaluation of pattern classifiers under attack. IEEE Trans. Knowl. Data Eng. 26(4), 984\u2013996 (2013)","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"12_CR14","unstructured":"Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. In: ICML, pp. 1467\u20131474 (2012)"},{"key":"12_CR15","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1016\/j.patcog.2018.07.023","volume":"84","author":"B Biggio","year":"2018","unstructured":"Biggio, B., Roli, F.: Wild patterns: ten years after the rise of adversarial machine learning. Pattern Recogn. 84, 317\u2013331 (2018)","journal-title":"Pattern Recogn."},{"key":"12_CR16","doi-asserted-by":"crossref","unstructured":"Bigham, J.P., Cavender, A.C.: Evaluating existing audio CAPTCHAs and an interface optimized for non-visual users. In: CHI, pp. 1829\u20131838. ACM (2009)","DOI":"10.1145\/1518701.1518983"},{"key":"12_CR17","unstructured":"Brendel, W., Rauber, J., Bethge, M.: Decision-based adversarial attacks: reliable attacks against black-box machine learning models. In: ICLR (2018)"},{"issue":"10","key":"12_CR18","first-page":"2617","volume":"13","author":"M Br\u00fcckner","year":"2012","unstructured":"Br\u00fcckner, M., Kanzow, C., Scheffer, T.: Static prediction games for adversarial learning problems. J. Mach. Learn. Res. 13(10), 2617\u20132654 (2012)","journal-title":"J. Mach. Learn. Res."},{"key":"12_CR19","unstructured":"Brundage, M., et al.: Toward trustworthy AI development: mechanisms for supporting verifiable claims. arXiv:2004.07213 (2020)"},{"key":"12_CR20","doi-asserted-by":"crossref","unstructured":"Brunner, T., Diehl, F., Le, M.T., Knoll, A.: Guessing smart: biased sampling for efficient black-box adversarial attacks. In: ICCV, pp. 4958\u20134966 (2019)","DOI":"10.1109\/ICCV.2019.00506"},{"key":"12_CR21","unstructured":"Carlini, N., et al.: On evaluating adversarial robustness. arXiv:1902.06705 (2019)"},{"key":"12_CR22","unstructured":"Carlini, N., et al.: Hidden voice commands. In: USENIX Security, pp. 513\u2013530 (2016)"},{"key":"12_CR23","unstructured":"Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial attacks and defences: a survey. arXiv:1810.00069 (2018)"},{"key":"12_CR24","doi-asserted-by":"crossref","unstructured":"Chen, J., Jordan, M.I., Wainwright, M.J.: Hopskipjumpattack: a query-efficient decision-based attack. In: S&P, pp. 668\u2013685 (2020). IEEE","DOI":"10.1109\/SP40000.2020.00045"},{"key":"12_CR25","doi-asserted-by":"crossref","unstructured":"Chen, P.Y., Zhang, H., Sharma, Y., Yi, J., Hsieh, C.J.: Zoo: zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 15\u201326. AISec 2017. ACM (2017)","DOI":"10.1145\/3128572.3140448"},{"key":"12_CR26","doi-asserted-by":"crossref","unstructured":"Chen, S., Carlini, N., Wagner, D.: Stateful detection of black-box adversarial attacks. arXiv:1907.05587 (2019)","DOI":"10.1145\/3385003.3410925"},{"key":"12_CR27","doi-asserted-by":"crossref","unstructured":"Croce, F., Hein, M.: Sparse and imperceivable adversarial attacks. In: ICCV, pp. 4724\u20134732 (2019)","DOI":"10.1109\/ICCV.2019.00482"},{"key":"12_CR28","doi-asserted-by":"crossref","unstructured":"Dalvi, N., Domingos, P., Sanghai, S., Verma, D., et al.: Adversarial classification. In: KDD, pp. 99\u2013108. ACM (2004)","DOI":"10.1145\/1014052.1014066"},{"issue":"9","key":"12_CR29","doi-asserted-by":"publisher","first-page":"1734","DOI":"10.1109\/TPAMI.2015.2496141","volume":"38","author":"A Dosovitskiy","year":"2015","unstructured":"Dosovitskiy, A., Fischer, P., Springenberg, J.T., Riedmiller, M., Brox, T.: Discriminative unsupervised feature learning with exemplar convolutional neural networks. IEEE Trans. Pattern Anal. Mach. Intell. 38(9), 1734\u20131747 (2015)","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"12_CR30","unstructured":"Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: CCS, pp. 366\u2013374. ACM (2007)"},{"key":"12_CR31","unstructured":"Engstrom, L., Tran, B., Tsipras, D., Schmidt, L., Madry, A.: A rotation and a translation suffice: fooling CNNs with simple transformations. In: NIPS 2017 Workshop on Machine Learning and Computer Security (2017)"},{"key":"12_CR32","unstructured":"Eykholt, K., et al.: Physical adversarial examples for object detectors. arXiv:1807.07769 (2018)"},{"key":"12_CR33","doi-asserted-by":"crossref","unstructured":"Eykholt, K., et al.: Robust physical-world attacks on deep learning visual classification. In: CVPR, pp. 1625\u20131634 (2018)","DOI":"10.1109\/CVPR.2018.00175"},{"key":"12_CR34","doi-asserted-by":"crossref","unstructured":"Ferdowsi, A., Challita, U., Saad, W., Mandayam, N.B.: robust deep reinforcement learning for security and safety in autonomous vehicle systems. In: IEEE Conference on Intelligent Transportation Systems, Proceedings, ITSC, pp. 307\u2013312 (2018)","DOI":"10.1109\/ITSC.2018.8569635"},{"key":"12_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/978-3-642-15152-1_2","volume-title":"Trust, Privacy and Security in Digital Business","author":"C Fritsch","year":"2010","unstructured":"Fritsch, C., Netter, M., Reisser, A., Pernul, G.: Attacking image recognition Captchas. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 13\u201325. Springer, Heidelberg (2010). https:\/\/doi.org\/10.1007\/978-3-642-15152-1_2"},{"key":"12_CR36","doi-asserted-by":"crossref","unstructured":"Gao, H., Lei, L., Zhou, X., Li, J., Liu, X.: The robustness of face-based CAPTCHAs. In: 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing, pp. 2248\u20132255 (2015)","DOI":"10.1109\/CIT\/IUCC\/DASC\/PICOM.2015.332"},{"key":"12_CR37","doi-asserted-by":"crossref","unstructured":"Gao, H., Wang, W., Fan, Y.: Divide and conquer: an efficient attack on Yahoo! CAPTCHA. In: IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 9\u201316 (2012)","DOI":"10.1109\/TrustCom.2012.131"},{"key":"12_CR38","doi-asserted-by":"crossref","unstructured":"Gao, H., Wang, W., Qi, J., Wang, X., Liu, X., Yan, J.: The robustness of hollow CAPTCHAs. In: CCS, pp. 1075\u20131086. ACM (2013)","DOI":"10.1145\/2508859.2516732"},{"key":"12_CR39","doi-asserted-by":"crossref","unstructured":"Gao, H., et al.: A simple generic attack on text captchas. NDSS, pp. 21\u201324 (2016)","DOI":"10.14722\/ndss.2016.23154"},{"issue":"11","key":"12_CR40","doi-asserted-by":"publisher","first-page":"665","DOI":"10.1038\/s42256-020-00257-z","volume":"2","author":"R Geirhos","year":"2020","unstructured":"Geirhos, R., et al.: Shortcut learning in deep neural networks. Nature Mach. Intell. 2(11), 665\u2013673 (2020)","journal-title":"Nature Mach. Intell."},{"key":"12_CR41","unstructured":"Gilmer, J., Adams, R.P., Goodfellow, I., Andersen, D., Dahl, G.E.: Motivating the rules of the game for adversarial example research. arXiv:1807.06732 (2018)"},{"key":"12_CR42","unstructured":"Gleave, A., Dennis, M., Wild, C., Kant, N., Levine, S., Russell, S.: Adversarial policies: attacking deep reinforcement learning. In: ICLR (2019)"},{"key":"12_CR43","doi-asserted-by":"crossref","unstructured":"Globerson, A., Roweis, S.: Nightmare at test time: robust learning by feature deletion. In: ICML (2006)","DOI":"10.1145\/1143844.1143889"},{"key":"12_CR44","doi-asserted-by":"crossref","unstructured":"Golle, P.: Machine learning attacks against the Asirra captcha. In: SOUPS. ACM (2009)","DOI":"10.1145\/1572532.1572585"},{"key":"12_CR45","unstructured":"Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.D.: Multi-digit number recognition from street view imagery using deep convolutional neural networks. In: ICLR (2014)"},{"key":"12_CR46","unstructured":"Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015)"},{"key":"12_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1007\/978-3-319-66399-9_4","volume-title":"Computer Security \u2013 ESORICS 2017","author":"K Grosse","year":"2017","unstructured":"Grosse, K., Papernot, N., Manoharan, P., Backes, M., McDaniel, P.: Adversarial examples for malware detection. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 62\u201379. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-66399-9_4"},{"key":"12_CR48","doi-asserted-by":"crossref","unstructured":"Hern\u00e1ndez-Castro, C.J., R-Moreno, M.D., Barrero, D.F.: Using JPEG to measure image continuity and break capy and other puzzle CAPTCHAs. IEEE Internet Comput. 19(6), 46\u201353 (2015)","DOI":"10.1109\/MIC.2015.127"},{"key":"12_CR49","doi-asserted-by":"crossref","unstructured":"Hernandez-Castro, C.J., Ribagorda, A., Hernandez-Castro, J.C.: On the strength of EGglue and other logic CAPTCHAs. In: SECRYPT, pp. 157\u2013167 (2011)","DOI":"10.5220\/0003517001570167"},{"issue":"1","key":"12_CR50","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1016\/j.cose.2009.06.006","volume":"29","author":"CJ Hernandez-Castro","year":"2010","unstructured":"Hernandez-Castro, C.J., Ribagorda, A.: Pitfalls in captcha design and implementation: the math captcha, a case study. Comput. Secur. 29(1), 141\u2013157 (2010)","journal-title":"Comput. Secur."},{"key":"12_CR51","doi-asserted-by":"crossref","unstructured":"Hernandez-Castro, C.J., Barrero, D.F., R-Moreno, M.D.: A machine learning attack against the civil rights captcha. In: International Symposium on Intelligent Distributed Computing (IDC) (2014)","DOI":"10.1007\/978-3-319-10422-5_26"},{"key":"12_CR52","doi-asserted-by":"crossref","unstructured":"Hernandez-Castro, C.J., Hernandez-Castro, J.C., Stainton-Ellis, J.D., Ribagorda, A.: Shortcomings in CAPTCHA design and implementation: Captcha2, a commercial proposal. In: International Network Conference (INC) (2010)","DOI":"10.1016\/j.cose.2009.06.006"},{"key":"12_CR53","doi-asserted-by":"crossref","unstructured":"Hern\u00e1ndez-Castro, C.J., R-moreno, M.D., Barrero, D.F.: Side-channel attack against the Capy HIP. In: International Conference on Emerging Security Technologies (EST), pp. 99\u2013104. IEEE (2014)","DOI":"10.1109\/EST.2014.30"},{"key":"12_CR54","unstructured":"Hernandez-Castro, C.J., Ribagorda, A., Saez, Y.: Side-channel attack on labeling captchas. In: SECRYPT (2010)"},{"key":"12_CR55","doi-asserted-by":"crossref","unstructured":"Hern\u00e1ndez-Castro, C., Li, S., R-Moreno, M.: All about uncertainties and traps: statistical oracle-based attacks on a new captcha protection against oracle attacks. Comput. Secur. 92, 101758 (2020)","DOI":"10.1016\/j.cose.2020.101758"},{"key":"12_CR56","unstructured":"Hong, S., Chandrasekaran, V., Kaya, Y., Dumitra\u015f, T., Papernot, N.: On the effectiveness of mitigating data poisoning attacks with gradient shaping. arXiv:2002.11497 (2020)"},{"key":"12_CR57","doi-asserted-by":"crossref","unstructured":"Hosseini, H., Poovendran, R.: Semantic adversarial examples. In: CVPR Workshops, pp. 1614\u20131619 (2018)","DOI":"10.1109\/CVPRW.2018.00212"},{"key":"12_CR58","unstructured":"Hu, W., Tan, Y.: Black-box attacks against RNN based malware detection algorithms. In: AAAI Workshops (2017)"},{"key":"12_CR59","unstructured":"Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on GANs. arXiv:1702.05983 (2017)"},{"key":"12_CR60","unstructured":"Huang, S., Papernot, N., Goodfellow, I., Duan, Y., Abbeel, P.: Adversarial attacks on neural network policies. In: ICLR (2017)"},{"key":"12_CR61","unstructured":"Huang, W.R., Geiping, J., Fowl, L., Taylor, G., Goldstein, T.: Metapoison: practical general-purpose clean-label data poisoning. In: NeurIPS (2020)"},{"key":"12_CR62","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"399","DOI":"10.1007\/978-3-319-40667-1_20","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"W Huang","year":"2016","unstructured":"Huang, W., Stokes, J.W.: MtNet: a multi-task neural network for dynamic malware classification. In: Caballero, J., Zurutuza, U., Rodr\u00edguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 399\u2013418. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-40667-1_20"},{"key":"12_CR63","unstructured":"Huang, X., et al.: Safety and trustworthiness of deep neural networks: a survey. arXiv:1812.08342 (2018)"},{"key":"12_CR64","unstructured":"Ilyas, A., Engstrom, L., Athalye, A., Lin, J.: Black-box adversarial attacks with limited queries and information. In: ICML, pp. 2137\u20132146 (2018)"},{"key":"12_CR65","unstructured":"Ilyas, A., Engstrom, L., Madry, A.: Prior convictions: black-box adversarial attacks with bandits and priors. In: ICLR (2019)"},{"key":"12_CR66","unstructured":"Jagielski, M., Carlini, N., Berthelot, D., Kurakin, A., Papernot, N.: High accuracy and high fidelity extraction of neural networks. In: USENIX Security (2019)"},{"key":"12_CR67","doi-asserted-by":"crossref","unstructured":"Jagielski, M., Oprea, A., Biggio, B., Liu, C., Nita-Rotaru, C., Li, B.: Manipulating machine learning: poisoning attacks and countermeasures for regression learning. In: S&P, pp. 19\u201335. IEEE (2018)","DOI":"10.1109\/SP.2018.00057"},{"key":"12_CR68","volume-title":"Adversarial Machine Learning","author":"AD Joseph","year":"2018","unstructured":"Joseph, A.D., Nelson, B., Rubinstein, B.I., Tygar, J.: Adversarial Machine Learning. Cambridge University Press, Cambridge (2018)"},{"key":"12_CR69","unstructured":"Ko\u0142cz, A., Teo, C.H.: Feature weighting for improved classifier robustness. In: CEAS (2009)"},{"key":"12_CR70","doi-asserted-by":"crossref","unstructured":"Kolosnjaji, B., et al.: Adversarial malware binaries: evading deep learning for malware detection in executables. In: EUSIPCO, pp. 533\u2013537. IEEE (2018)","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"12_CR71","series-title":"Lecture Notes in Computer Science (Lecture Notes in Artificial Intelligence)","doi-asserted-by":"publisher","first-page":"137","DOI":"10.1007\/978-3-319-50127-7_11","volume-title":"AI 2016: Advances in Artificial Intelligence","author":"B Kolosnjaji","year":"2016","unstructured":"Kolosnjaji, B., Zarras, A., Webster, G., Eckert, C.: Deep learning for classification of malware system call sequences. In: Kang, B.H., Bai, Q. (eds.) AI 2016. LNCS (LNAI), vol. 9992, pp. 137\u2013149. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-50127-7_11"},{"key":"12_CR72","unstructured":"Labs, K.: Machine learning methods for malware detection (2020). https:\/\/media.kaspersky.com\/en\/enterprise-security\/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf"},{"key":"12_CR73","unstructured":"Laidlaw, C., Feizi, S.: Functional adversarial attacks. NeurIPS (2019)"},{"key":"12_CR74","unstructured":"Larson, M., Liu, Z., Brugman, S., Zhao, Z.: Pixel privacy: increasing image appeal while blocking automatic inference of sensitive scene information. In: Working Notes Proceedings of the MediaEval Workshop (2018)"},{"key":"12_CR75","doi-asserted-by":"crossref","unstructured":"Lin, Y.C., Hong, Z.W., Liao, Y.H., Shih, M.L., Liu, M.Y., Sun, M.: IJCAI, p. 3756\u20133762. AAAI Press (2017)","DOI":"10.24963\/ijcai.2017\/525"},{"key":"12_CR76","doi-asserted-by":"publisher","first-page":"12103","DOI":"10.1109\/ACCESS.2018.2805680","volume":"6","author":"Q Liu","year":"2018","unstructured":"Liu, Q., Li, P., Zhao, W., Cai, W., Yu, S., Leung, V.C.: A survey on security threats and defensive techniques of machine learning: a data driven view. IEEE Access 6, 12103\u201312117 (2018)","journal-title":"IEEE Access"},{"issue":"4","key":"12_CR77","doi-asserted-by":"publisher","first-page":"974","DOI":"10.3390\/s19040974","volume":"19","author":"X Liu","year":"2019","unstructured":"Liu, X., Du, X., Zhang, X., Zhu, Q., Wang, H., Guizani, M.: Adversarial samples on android malware detection systems for IoT systems. Sensors 19(4), 974 (2019)","journal-title":"Sensors"},{"key":"12_CR78","unstructured":"Liu, Y., Chen, X., Liu, C., Song, D.: Delving into transferable adversarial examples and black-box attacks. In: ICLR (2017)"},{"key":"12_CR79","unstructured":"Liu, Z., Zhao, Z., Larson, M.: Pixel privacy 2019: protecting sensitive scene information in images. In: Working Notes Proceedings of the MediaEval Workshop (2019)"},{"key":"12_CR80","doi-asserted-by":"crossref","unstructured":"Liu, Z., Zhao, Z., Larson, M.: Who\u2019s afraid of adversarial queries? the impact of image modifications on content-based image retrieval. In: ICMR (2019)","DOI":"10.1145\/3323873.3325052"},{"key":"12_CR81","doi-asserted-by":"crossref","unstructured":"Lovisotto, G., Eberz, S., Martinovic, I.: Biometric backdoors: a poisoning attack against unsupervised template updating. In: Euro S&P (2019)","DOI":"10.1109\/EuroSP48549.2020.00020"},{"key":"12_CR82","doi-asserted-by":"crossref","unstructured":"Lowd, D., Meek, C.: Adversarial learning. In: KDD, pp. 641\u2013647. ACM (2005)","DOI":"10.1145\/1081870.1081950"},{"key":"12_CR83","doi-asserted-by":"crossref","unstructured":"Luo, B., Liu, Y., Wei, L., Xu, Q.: Towards imperceptible and robust adversarial example attacks against neural networks. In: AAAI, vol. 32 (2018)","DOI":"10.1609\/aaai.v32i1.11499"},{"key":"12_CR84","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018)"},{"key":"12_CR85","doi-asserted-by":"publisher","first-page":"270","DOI":"10.1016\/j.engappai.2015.01.013","volume":"41","author":"K Malialis","year":"2015","unstructured":"Malialis, K., Kudenko, D.: Distributed response to network intrusions using multiagent reinforcement learning. Eng. Appl. Artif. Intell. 41, 270\u2013284 (2015)","journal-title":"Eng. Appl. Artif. Intell."},{"key":"12_CR86","unstructured":"Mitchell, T.M., et al.: Machine learning. McGraw Hill, Burr Ridge, IL, vol. 45, no. 37, pp. 870\u2013877 (1997)"},{"key":"12_CR87","unstructured":"Naor, M.: Verification of a human in the loop or Identification via the Turing Test (1996). http:\/\/www.wisdom.weizmann.ac.il\/~naor\/PAPERS\/human.ps"},{"key":"12_CR88","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"98","DOI":"10.1007\/978-3-642-35404-5_9","volume-title":"Cryptology and Network Security","author":"VD Nguyen","year":"2012","unstructured":"Nguyen, V.D., Chow, Y.-W., Susilo, W.: Attacking animated CAPTCHAs via character extraction. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 98\u2013113. Springer, Heidelberg (2012). https:\/\/doi.org\/10.1007\/978-3-642-35404-5_9"},{"issue":"9","key":"12_CR89","doi-asserted-by":"publisher","first-page":"2684","DOI":"10.1109\/TNNLS.2018.2885530","volume":"30","author":"Z Ni","year":"2019","unstructured":"Ni, Z., Paul, S.: A multistage game in smart grid security: a reinforcement learning solution. IEEE Transactions on neural networks and learning systems 30(9), 2684\u20132695 (2019)","journal-title":"IEEE Transactions on neural networks and learning systems"},{"key":"12_CR90","doi-asserted-by":"crossref","unstructured":"Oh, S.J., Fritz, M., Schiele, B.: Adversarial image perturbation for privacy protection a game theory perspective. In: ICCV, pp. 1491\u20131500 (2017)","DOI":"10.1109\/ICCV.2017.165"},{"issue":"11","key":"12_CR91","doi-asserted-by":"publisher","first-page":"2640","DOI":"10.1109\/TIFS.2017.2718479","volume":"12","author":"M Osadchy","year":"2016","unstructured":"Osadchy, M., Hernandez-Castro, J., Hernandez, J., Gibson, S., Dunkelman, O., P\u00e9rez-Cabo, D.: No bot expects the DeepCAPTCHA! introducing immutable adversarial examples, with applications to CAPTCHA generation. IEEE Trans. Inf. Forensics Secur. 12(11), 2640\u20132653 (2016)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"12_CR92","unstructured":"Papernot, N., McDaniel, P., Sinha, A., Wellman, M.: Towards the science of security and privacy in machine learning. arXiv:1611.03814 (2016)"},{"key":"12_CR93","unstructured":"Qin, Y., Carlini, N., Cottrell, G., Goodfellow, I., Raffel, C.: Imperceptible, robust, and targeted adversarial examples for automatic speech recognition. In: ICML, pp. 5231\u20135240 (2019)"},{"key":"12_CR94","unstructured":"Raff, E., Barker, J., Sylvester, J., Brandon, R., Catanzaro, B., Nicholas, C.K.: Malware detection by eating a whole exe. In: AAAI (2018)"},{"key":"12_CR95","doi-asserted-by":"crossref","unstructured":"Rajabi, A., Bobba, R.B., Rosulek, M., Wright, C.V., Feng, W.c.: On the (im) practicality of adversarial perturbation for image privacy. In: Proceedings on Privacy Enhancing Technologies, pp. 85\u2013106 (2021)","DOI":"10.2478\/popets-2021-0006"},{"key":"12_CR96","doi-asserted-by":"crossref","unstructured":"Rozsa, A., Rudd, E.M., Boult, T.E.: Adversarial diversity and hard positive generation. In: CVPR Workshops, pp. 25\u201332 (2016)","DOI":"10.1109\/CVPRW.2016.58"},{"key":"12_CR97","doi-asserted-by":"crossref","unstructured":"Rubinstein, B.I., et al.: Antidote: understanding and defending against poisoning of anomaly detectors. In: ACM SIGCOMM Conference on Internet Measurement, pp. 1\u201314. ACM (2009)","DOI":"10.1145\/1644893.1644895"},{"key":"12_CR98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/978-3-642-41383-4_3","volume-title":"Advances in Information and Computer Security","author":"S Sano","year":"2013","unstructured":"Sano, S., Otsuka, T., Okuno, H.G.: Solving Google\u2019s continuous audio CAPTCHA with HMM-based automatic speech recognition. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 36\u201352. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-41383-4_3"},{"key":"12_CR99","unstructured":"Santamarta, R.: Breaking gmail\u2019s audio captcha. http:\/\/blog.wintercore.com\/?p=11 (2008). http:\/\/blog.wintercore.com\/?p=11. Accessed 13 Feb 2010"},{"key":"12_CR100","unstructured":"Schmidt, L., Santurkar, S., Tsipras, D., Talwar, K., Madry, A.: Adversarially robust generalization requires more data. In: NeurIPS, pp. 5014\u20135026 (2018)"},{"key":"12_CR101","doi-asserted-by":"crossref","unstructured":"Sch\u00f6nherr, L., Kohls, K., Zeiler, S., Holz, T., Kolossa, D.: Adversarial attacks against automatic speech recognition systems via psychoacoustic hiding. In: NDSS (2019)","DOI":"10.14722\/ndss.2019.23288"},{"key":"12_CR102","unstructured":"Schultz, M.G., Eskin, E., Zadok, F., Stolfo, S.J.: Data mining methods for detection of new malicious executables. In: S&P, pp. 38\u201349. IEEE (2001)"},{"key":"12_CR103","unstructured":"Serban, A., Poll, E., Visser, J.: Adversarial examples on object recognition: a comprehensive survey. ACM Comput. Surv. (CSUR)"},{"key":"12_CR104","unstructured":"Shafahi, A., et al.: Adversarial training for free! In: NeurIPS, pp. 3353\u20133364 (2019)"},{"key":"12_CR105","unstructured":"Shamsabadi, A.S., Sanchez-Matilla, R., Cavallaro, A.: Colorfool: semantic adversarial colorization. In: CVPR, pp. 1151\u20131160 (2020)"},{"key":"12_CR106","unstructured":"Shan, S., Wenger, E., Zhang, J., Li, H., Zheng, H., Zhao, B.Y.: Fawkes: protecting privacy against unauthorized deep learning models. In: USENIX Security, pp. 1589\u20131604 (2020)"},{"key":"12_CR107","doi-asserted-by":"crossref","unstructured":"Sharif, M., Bhagavatula, S., Bauer, L., Reiter, M.K.: Accessorize to a crime: real and stealthy attacks on state-of-the-art face recognition. In: CCS, pp. 1528\u20131540. ACM (2016)","DOI":"10.1145\/2976749.2978392"},{"key":"12_CR108","unstructured":"Shet, V.: Street view and reCAPTCHA technology just got smarter (2014). https:\/\/security.googleblog.com\/2014\/04\/street-view-and-recaptcha-technology.html. Accessed 14 Aug 2017"},{"key":"12_CR109","unstructured":"Sidorov, Z.: Rebreakcaptcha: Breaking google\u2019s recaptcha v2 using google (2017). https:\/\/east-ee.com\/2017\/02\/28\/rebreakcaptcha-breaking-googles-recaptcha-v2-using-google\/"},{"key":"12_CR110","doi-asserted-by":"crossref","unstructured":"Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image captchas. In: Euro S&P, pp. 388\u2013403. IEEE (2016)","DOI":"10.1109\/EuroSP.2016.37"},{"key":"12_CR111","unstructured":"Sivakorn, S., Polakis, J., Keromytis, A.D.: I\u2019m not a human : breaking the google reCAPTCHA (2016)"},{"key":"12_CR112","unstructured":"Smith, L.N.: A useful taxonomy for adversarial robustness of neural networks. arXiv:1910.10679 (2019)"},{"key":"12_CR113","unstructured":"Steinhardt, J., Koh, P.W.W., Liang, P.S.: Certified defenses for data poisoning attacks. In: NeurIPS, pp. 3517\u20133529 (2017)"},{"key":"12_CR114","unstructured":"Szegedy, C., et al.: Intriguing properties of neural networks. In: ICLR (2013)"},{"key":"12_CR115","unstructured":"Tam, J., Simsa, J., Hyde, S., von Ahn, L.: Breaking Audio Captchas, pp. 1625\u20131632. Curran Associates, Inc. (2008)"},{"key":"12_CR116","unstructured":"Tram\u00e8r, F., Carlini, N., Brendel, W., Madry, A.: On adaptive attacks to adversarial example defenses. In: NeurIPS (2020)"},{"key":"12_CR117","unstructured":"Tram\u00e8r, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction APIs. In: USENIX Security, pp. 601\u2013618 (2016)"},{"key":"12_CR118","unstructured":"Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., Madry, A.: Robustness may be at odds with accuracy. In: ICLR (2019)"},{"issue":"3","key":"12_CR119","first-page":"1","volume":"12","author":"Y Vorobeychik","year":"2018","unstructured":"Vorobeychik, Y., Kantarcioglu, M.: Adversarial machine learning. Synth. Lect. Artif. Intell. Mach. Learn. 12(3), 1\u2013169 (2018)","journal-title":"Synth. Lect. Artif. Intell. Mach. Learn."},{"key":"12_CR120","doi-asserted-by":"crossref","unstructured":"Wang, D., Moh, M., Moh, T.S.: Using Deep Learning to Solve Google ReCAPTCHA v2\u2019s Image Challenges, pp. 1\u20135 (2020)","DOI":"10.1109\/IMCOM48794.2020.9001774"},{"key":"12_CR121","unstructured":"Wong, E., Schmidt, F., Kolter, Z.: Wasserstein adversarial examples via projected sinkhorn iterations. In: ICML, pp. 6808\u20136817 (2019)"},{"key":"12_CR122","doi-asserted-by":"crossref","unstructured":"Xiao, C., Li, B., yan Zhu, J., He, W., Liu, M., Song, D.: Generating adversarial examples with adversarial networks. In: IJCAI, pp. 3905\u20133911 (2018)","DOI":"10.24963\/ijcai.2018\/543"},{"key":"12_CR123","unstructured":"Xiao, C., Zhu, J.Y., Li, B., He, W., Liu, M., Song, D.: Spatially transformed adversarial examples. In: ICLR (2018)"},{"issue":"3","key":"12_CR124","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1109\/MWC.2018.1700291","volume":"25","author":"L Xiao","year":"2018","unstructured":"Xiao, L., Wan, X., Dai, C., Du, X., Chen, X., Guizani, M.: Security in mobile edge caching with reinforcement learning. IEEE Wirel. Commun. 25(3), 116\u2013122 (2018)","journal-title":"IEEE Wirel. Commun."},{"key":"12_CR125","doi-asserted-by":"crossref","unstructured":"Xie, C., Wang, J., Zhang, Z., Zhou, Y., Xie, L., Yuille, A.: Adversarial examples for semantic segmentation and object detection. In: ICCV, pp. 1369\u20131378 (2017)","DOI":"10.1109\/ICCV.2017.153"},{"key":"12_CR126","doi-asserted-by":"crossref","unstructured":"Xu, W., Qi, Y., Evans, D.: Automatically evading classifiers: a case study on pdf malware classifiers. In: NDSS (2016)","DOI":"10.14722\/ndss.2016.23115"},{"key":"12_CR127","doi-asserted-by":"crossref","unstructured":"Yan, J., Ahmad, A.S.E.: A low-cost attack on a microsoft captcha. In: CCS, pp. 543\u2013554. ACM (2008)","DOI":"10.1145\/1455770.1455839"},{"key":"12_CR128","doi-asserted-by":"crossref","unstructured":"Yan, Q., Liu, K., Zhou, Q., Guo, H., Zhang, N.: Surfingattack: interactive hidden attack on voice assistants using ultrasonic guided wave. In: NDSS (2020)","DOI":"10.14722\/ndss.2020.24068"},{"key":"12_CR129","series-title":"Signals and Communication Technology","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4471-5779-3","volume-title":"Automatic Speech Recognition","author":"D Yu","year":"2015","unstructured":"Yu, D., Deng, L.: Automatic Speech Recognition. SCT, Springer, London (2015). https:\/\/doi.org\/10.1007\/978-1-4471-5779-3"},{"key":"12_CR130","doi-asserted-by":"crossref","unstructured":"Zhang, G., Yan, C., Ji, X., Zhang, T., Zhang, T., Xu, W.: Dolphinattack: Inaudible voice commands. In: CCS, pp. 103\u2013117. ACM (2017)","DOI":"10.1145\/3133956.3134052"},{"issue":"1","key":"12_CR131","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s13635-020-0101-7","volume":"2020","author":"H Zhang","year":"2020","unstructured":"Zhang, H., Avrithis, Y., Furon, T., Amsaleg, L.: Smooth adversarial examples. EURASIP J. Inf. Secur. 2020(1), 1\u201312 (2020)","journal-title":"EURASIP J. Inf. Secur."},{"key":"12_CR132","unstructured":"Zhao, Z., Liu, Z., Larson, M.: Adversarial color enhancement: generating unrestricted adversarial images by optimizing a color filter. In: BMVC (2020)"},{"key":"12_CR133","doi-asserted-by":"crossref","unstructured":"Zhao, Z., Liu, Z., Larson, M.: Towards large yet imperceptible adversarial image perturbations with perceptual color distance. In: CVPR, pp. 1039\u20131048 (2020)","DOI":"10.1109\/CVPR42600.2020.00112"},{"issue":"1","key":"12_CR134","first-page":"126","volume":"34","author":"Y Zhou","year":"2018","unstructured":"Zhou, Y., Yang, Z., Wang, C., Boutell, M.: Breaking google reCAPTCHA v2. J. Comput. Sci. Coll. 34(1), 126\u2013136 (2018)","journal-title":"J. Comput. Sci. Coll."},{"key":"12_CR135","doi-asserted-by":"crossref","unstructured":"Zhu, B.B., et al.: Attacks and design of image recognition captchas. In: CCS, pp. 187\u2013200. ACM (2010)","DOI":"10.1145\/1866307.1866329"}],"container-title":["Lecture Notes in Computer Science","Security and Artificial Intelligence"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-98795-4_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,21]],"date-time":"2024-09-21T19:52:32Z","timestamp":1726948352000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-98795-4_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783030987947","9783030987954"],"references-count":135,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-98795-4_12","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"8 April 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}