{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T04:35:37Z","timestamp":1775882137453,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":64,"publisher":"ACM","license":[{"start":{"date-parts":[[2011,10,21]],"date-time":"2011-10-21T00:00:00Z","timestamp":1319155200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2011,10,21]]},"DOI":"10.1145\/2046684.2046692","type":"proceedings-article","created":{"date-parts":[[2011,10,25]],"date-time":"2011-10-25T12:23:06Z","timestamp":1319545386000},"page":"43-58","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":755,"title":["Adversarial machine learning"],"prefix":"10.1145","author":[{"given":"Ling","family":"Huang","sequence":"first","affiliation":[{"name":"Intel Labs Berkeley, Berkeley, CA, USA"}]},{"given":"Anthony D.","family":"Joseph","sequence":"additional","affiliation":[{"name":"UC Berkeley, Berkeley, CA, USA"}]},{"given":"Blaine","family":"Nelson","sequence":"additional","affiliation":[{"name":"University of Tubingen, Tubingen, Germany"}]},{"given":"Benjamin I.P.","family":"Rubinstein","sequence":"additional","affiliation":[{"name":"Microsoft, Mountain View, CA, USA"}]},{"given":"J. D.","family":"Tygar","sequence":"additional","affiliation":[{"name":"UC Berkeley, Berkeley, CA, USA"}]}],"member":"320","published-online":{"date-parts":[[2011,10,21]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1265530.1265569"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11799-2_26"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-12127-2_8"},{"key":"e_1_3_2_1_5_1","volume-title":"Pattern Recognition and Machine Learning","author":"Bishop C. M.","year":"2006","unstructured":"C. M. Bishop . Pattern Recognition and Machine Learning . Springer , 2006 . C. M. Bishop. Pattern Recognition and Machine Learning. Springer, 2006."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065167.1065184"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1374376.1374464"},{"key":"e_1_3_2_1_8_1","first-page":"171","volume-title":"NIPS","author":"Bruckner M.","year":"2009","unstructured":"M. Bruckner and T. Scheffer . Nash equilibria of static prediction games . In NIPS , pages 171 -- 179 . 2009 . M. Bruckner and T. Scheffer. Nash equilibria of static prediction games. In NIPS, pages 171--179. 2009."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.5555\/1137817"},{"key":"e_1_3_2_1_10_1","first-page":"289","volume-title":"NIPS","author":"Chaudhuri K.","year":"2009","unstructured":"K. Chaudhuri and C. Monteleoni . Privacy-preserving logistic regression . In NIPS , pages 289 -- 296 , 2009 . K. Chaudhuri and C. Monteleoni. Privacy-preserving logistic regression. In NIPS, pages 289--296, 2009."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2021036"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_4"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"S. P.\n      Chung\n     and \n      A. K.\n      Mok\n  . \n  Advanced allergy attacks: Does a corpus really help? In RAID'07 volume \n  4637\n   of \n  LNCS pages \n  236\n  --\n  255 2007\n  .   S. P. Chung and A. K. Mok. Advanced allergy attacks: Does a corpus really help? In RAID'07 volume 4637 of LNCS pages 236--255 2007.","DOI":"10.1007\/978-3-540-74320-0_13"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.5555\/345662"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.chemolab.2007.01.004"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/773153.773173"},{"key":"e_1_3_2_1_18_1","first-page":"207","volume-title":"USENIX Security","author":"Duan Y.","year":"2010","unstructured":"Y. Duan , J. Canny , and J. Zhan . P4P: Practical large-scale privacy-preserving distributed computation robust against malicious users . In USENIX Security , pages 207 -- 222 , 2010 . Y. Duan, J. Canny, and J. Zhan. P4P: Practical large-scale privacy-preserving distributed computation robust against malicious users. In USENIX Security, pages 207--222, 2010."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/11787006_1"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866739.1866758"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1536414.1536466"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1250790.1250804"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1536414.1536467"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-85174-5_26"},{"key":"e_1_3_2_1_26_1","volume-title":"Question 14: Combining independent tests of significance. American Statistician, 2(5):30--31","author":"Fisher R. A.","year":"1948","unstructured":"R. A. Fisher . Question 14: Combining independent tests of significance. American Statistician, 2(5):30--31 , 1948 . R. A. Fisher. Question 14: Combining independent tests of significance. American Statistician, 2(5):30--31, 1948."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180414"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143844.1143889"},{"key":"e_1_3_2_1_29_1","volume-title":"Official Statistics","author":"Hall R.","year":"2011","unstructured":"R. Hall , S. Fienberg , and Y. Nardi . Secure multiparty linear regression based on homomorphic encryption. J . Official Statistics , 2011 . To appear. R. Hall, S. Fienberg, and Y. Nardi. Secure multiparty linear regression based on homomorphic encryption. J. Official Statistics, 2011. To appear."},{"key":"e_1_3_2_1_30_1","volume-title":"Robust Statistics: The Approach Based on Influence Functions. Probability and Mathematical Statistics","author":"Hampel F. R.","year":"1986","unstructured":"F. R. Hampel , E. M. Ronchetti , P. J. Rousseeuw , and W. A. Stahel . Robust Statistics: The Approach Based on Influence Functions. Probability and Mathematical Statistics . John Wiley and Sons , 1986 . F. R. Hampel, E. M. Ronchetti, P. J. Rousseeuw, and W. A. Stahel. Robust Statistics: The Approach Based on Influence Functions. Probability and Mathematical Statistics. John Wiley and Sons, 1986."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806689.1806786"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2008.27"},{"key":"e_1_3_2_1_34_1","first-page":"5","article-title":"La cryptographie militaire","volume":"9","author":"Kerckhoffs A.","year":"1883","unstructured":"A. Kerckhoffs . La cryptographie militaire . Journal des Sciences Militaires , 9 : 5 -- 83 , January 1883 . A. Kerckhoffs. La cryptographie militaire. Journal des Sciences Militaires, 9:5--83, January 1883.","journal-title":"Journal des Sciences Militaires"},{"key":"e_1_3_2_1_35_1","volume-title":"AISTATS'10","author":"Kloft M.","year":"2010","unstructured":"M. Kloft and P. Laskov . Online anomaly detection under adversarial impact . In AISTATS'10 , 2010 . M. Kloft and P. Laskov. Online anomaly detection under adversarial impact. In AISTATS'10, 2010."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/1015467.1015492"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1654988.1654990"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1299015.1299020"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081950"},{"key":"e_1_3_2_1_40_1","volume-title":"CEAS'05","author":"Lowd D.","year":"2005","unstructured":"D. Lowd and C. Meek . Good word attacks on statistical spam filters . In CEAS'05 , 2005 . D. Lowd and C. Meek. Good word attacks on statistical spam filters. In CEAS'05, 2005."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1217299.1217302"},{"key":"e_1_3_2_1_42_1","series-title":"LNCS","first-page":"220","volume-title":"RAID'03","author":"Mahoney M. V.","year":"2003","unstructured":"M. V. Mahoney and P. K. Chan . An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection . In RAID'03 , volume 2820 of LNCS , pages 220 -- 237 , 2003 . M. V. Mahoney and P. K. Chan. An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection. In RAID'03, volume 2820 of LNCS, pages 220--237, 2003."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1557019.1557090"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/FOCS.2007.41"},{"key":"e_1_3_2_1_45_1","volume-title":"CEAS'04","author":"Meyer T. A.","year":"2004","unstructured":"T. A. Meyer and B. Whateley . SpamBayes: Effective open-source, Bayesian based, email classification system . In CEAS'04 , 2004 . T. A. Meyer and B. Whateley. SpamBayes: Effective open-source, Bayesian based, email classification system. In CEAS'04, 2004."},{"key":"e_1_3_2_1_46_1","volume-title":"Machine Learning","author":"Mitchell T.","year":"1997","unstructured":"T. Mitchell . Machine Learning . McGraw Hill , 1997 . T. Mitchell. Machine Learning. McGraw Hill, 1997."},{"key":"e_1_3_2_1_47_1","first-page":"1","volume-title":"LEET'08","author":"Nelson B.","year":"2008","unstructured":"B. Nelson , M. Barreno , F. J. Chi , A. D. Joseph , B. I. P. Rubinstein , U. Saini , C. Sutton , J. D. Tygar , and K. Xia . Exploiting machine learning to subvert your spam filter . In LEET'08 , pages 1 -- 9 , 2008 . B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C. Sutton, J. D. Tygar, and K. Xia. Exploiting machine learning to subvert your spam filter. In LEET'08, pages 1--9, 2008."},{"key":"e_1_3_2_1_48_1","first-page":"17","volume-title":"J. J. P. Tsai and P. S. Yu","author":"Nelson B.","year":"2009","unstructured":"B. Nelson , M. Barreno , F. J. Chi , A. D. Joseph , B. I. P. Rubinstein , U. Saini , C. Sutton , J. D. Tygar , and K. Xia . Misleading learners: Co-opting your spam filter . In J. J. P. Tsai and P. S. Yu , editors, Machine Learning in Cyber Trust : Security, Privacy, Reliability, pages 17 -- 51 . Springer , 2009 . B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C. Sutton, J. D. Tygar, and K. Xia. Misleading learners: Co-opting your spam filter. In J. J. P. Tsai and P. S. Yu, editors, Machine Learning in Cyber Trust: Security, Privacy, Reliability, pages 17--51. Springer, 2009."},{"key":"e_1_3_2_1_49_1","volume-title":"Proc. Workshop on Tackling Computer Systems Problems with Machine Learning Techniques","author":"Nelson B.","year":"2006","unstructured":"B. Nelson and A. D. Joseph . Bounding an attack's complexity for a simple learning model . In Proc. Workshop on Tackling Computer Systems Problems with Machine Learning Techniques , 2006 . B. Nelson and A. D. Joseph. Bounding an attack's complexity for a simple learning model. In Proc. Workshop on Tackling Computer Systems Problems with Machine Learning Techniques, 2006."},{"key":"e_1_3_2_1_50_1","volume-title":"AISTATS","author":"Nelson B.","year":"2010","unstructured":"B. Nelson , B. I. P. Rubinstein , L. Huang , A. D. Joseph , S. hon Lau , S. Lee , S. Rao , A. Tran , and J. D. Tygar . Near-optimal evasion of convex-inducing classifiers . In AISTATS , 2010 . B. Nelson, B. I. P. Rubinstein, L. Huang, A. D. Joseph, S. hon Lau, S. Lee, S. Rao, A. Tran, and J. D. Tygar. Near-optimal evasion of convex-inducing classifiers. In AISTATS, 2010."},{"key":"e_1_3_2_1_51_1","volume-title":"Proc. Workshop on Privacy & Security issues in Data Mining and Machine Learning","author":"Nelson B.","year":"2010","unstructured":"B. Nelson , B. I. P. Rubinstein , L. Huang , A. D. Joseph , and J. D. Tygar . Classifier evasion: Models and open problems (position paper) . In Proc. Workshop on Privacy & Security issues in Data Mining and Machine Learning , 2010 . B. Nelson, B. I. P. Rubinstein, L. Huang, A. D. Joseph, and J. D. Tygar. Classifier evasion: Models and open problems (position paper). In Proc. Workshop on Privacy & Security issues in Data Mining and Machine Learning, 2010."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_5"},{"key":"e_1_3_2_1_53_1","first-page":"303","volume-title":"COLT","author":"Rademacher L.","year":"2009","unstructured":"L. Rademacher and N. Goyal . Learning convex bodies is hard . In COLT , pages 303 -- 308 , 2009 . L. Rademacher and N. Goyal. Learning convex bodies is hard. In COLT, pages 303--308, 2009."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/1254882.1254895"},{"key":"e_1_3_2_1_55_1","article-title":"A statistical approach to the spam problem","author":"Robinson G.","year":"2003","unstructured":"G. Robinson . A statistical approach to the spam problem . Linux Journal , Mar. 2003 . G. Robinson. A statistical approach to the spam problem. Linux Journal, Mar. 2003.","journal-title":"Linux Journal"},{"key":"e_1_3_2_1_56_1","volume-title":"Learning in a large function space: Privacy-preserving mechanisms for SVM learning","author":"Rubinstein B. I. P.","year":"2009","unstructured":"B. I. P. Rubinstein , P. L. Bartlett , L. Huang , and N. Taft . Learning in a large function space: Privacy-preserving mechanisms for SVM learning , 2009 . In submission; http:\/\/arxiv.org\/abs\/0911.5708v1. B. I. P. Rubinstein, P. L. Bartlett, L. Huang, and N. Taft. Learning in a large function space: Privacy-preserving mechanisms for SVM learning, 2009. In submission; http:\/\/arxiv.org\/abs\/0911.5708v1."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644895"},{"key":"e_1_3_2_1_58_1","volume-title":"TREC'06","author":"Sculley D.","year":"2006","unstructured":"D. Sculley , G. M. Wachman , and C. E. Brodley . Spam filtering using inexact string matching in explicit feature space with on-line linear classifiers . In TREC'06 , 2006 . D. Sculley, G. M. Wachman, and C. E. Brodley. Spam filtering using inexact string matching in explicit feature space with on-line linear classifiers. In TREC'06, 2006."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/1993636.1993743"},{"key":"e_1_3_2_1_60_1","article-title":"Detecting viral propagations using email behavior profiles","author":"Stolfo S. J.","year":"2004","unstructured":"S. J. Stolfo , W. jen Li , S. Hershkop , K. Wang , C. wei Hu , and O. Nimeskern . Detecting viral propagations using email behavior profiles . In ACM Trans. Internet Technology , May 2004 . S. J. Stolfo, W. jen Li, S. Hershkop, K. Wang, C. wei Hu, and O. Nimeskern. Detecting viral propagations using email behavior profiles. In ACM Trans. Internet Technology, May 2004.","journal-title":"ACM Trans. Internet Technology"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1142\/S0218488502001648"},{"key":"e_1_3_2_1_62_1","series-title":"LNCS","first-page":"54","volume-title":"RAID'02","author":"Tan K. M. C.","year":"2002","unstructured":"K. M. C. Tan , K. S. Killourhy , and R. A. Maxion . Undermining an anomaly-based intrusion detection system using common exploits . In RAID'02 , volume 2516 of LNCS , pages 54 -- 73 , 2002 . K. M. C. Tan, K. S. Killourhy, and R. A. Maxion. Undermining an anomaly-based intrusion detection system using common exploits. In RAID'02, volume 2516 of LNCS, pages 54--73, 2002."},{"key":"e_1_3_2_1_63_1","volume-title":"NDSS'08","author":"Venkataraman S.","year":"2008","unstructured":"S. Venkataraman , A. Blum , and D. Song . Limits of learning-based signature generation with adversaries . In NDSS'08 , 2008 . S. Venkataraman, A. Blum, and D. Song. Limits of learning-based signature generation with adversaries. In NDSS'08, 2008."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"e_1_3_2_1_65_1","volume-title":"CEAS'04","author":"Wittel G. L.","year":"2004","unstructured":"G. L. Wittel and S. F. Wu . On attacking statistical spam filters . In CEAS'04 , 2004 . G. L. Wittel and S. F. Wu. On attacking statistical spam filters. In CEAS'04, 2004."}],"event":{"name":"CCS'11: the ACM Conference on Computer and Communications Security","location":"Chicago Illinois USA","acronym":"CCS'11","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 4th ACM workshop on Security and artificial intelligence"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2046684.2046692","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2046684.2046692","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T09:48:42Z","timestamp":1750240122000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2046684.2046692"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,10,21]]},"references-count":64,"alternative-id":["10.1145\/2046684.2046692","10.1145\/2046684"],"URL":"https:\/\/doi.org\/10.1145\/2046684.2046692","relation":{},"subject":[],"published":{"date-parts":[[2011,10,21]]},"assertion":[{"value":"2011-10-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}