{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:09:35Z","timestamp":1779098975521,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":40,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,11,3]],"date-time":"2017-11-03T00:00:00Z","timestamp":1509667200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"UK EPSRC","award":["EP\/L022729\/1"],"award-info":[{"award-number":["EP\/L022729\/1"]}]},{"name":"UK EPSRC","award":["EP\/L016796\/1"],"award-info":[{"award-number":["EP\/L016796\/1"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,11,3]]},"DOI":"10.1145\/3128572.3140451","type":"proceedings-article","created":{"date-parts":[[2017,11,3]],"date-time":"2017-11-03T12:36:10Z","timestamp":1509712570000},"page":"27-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":336,"title":["Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization"],"prefix":"10.1145","author":[{"given":"Luis","family":"Mu\u00f1oz-Gonz\u00e1lez","sequence":"first","affiliation":[{"name":"Imperial College, London, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Battista","family":"Biggio","sequence":"additional","affiliation":[{"name":"University of Cagliari, Cagliari, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ambra","family":"Demontis","sequence":"additional","affiliation":[{"name":"University of Cagliari, Cagliari, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andrea","family":"Paudice","sequence":"additional","affiliation":[{"name":"Imperial College, London, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vasin","family":"Wongrassamee","sequence":"additional","affiliation":[{"name":"Imperial College, London, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Emil C.","family":"Lupu","sequence":"additional","affiliation":[{"name":"Imperial College, London, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fabio","family":"Roli","sequence":"additional","affiliation":[{"name":"University of Cagliari, Cagliari, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2017,11,3]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10994-010-5188-5"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128824"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1162\/089976600300015187"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44415-3_5"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-21557-5_37"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2013.57"},{"key":"e_1_3_2_1_8_1","volume-title":"29th Int'l Conf. on Machine Learning, John Langford and Joelle Pineau (Eds.). Int'l Conf. on Machine Learning (ICML)","author":"Biggio Battista","year":"1807","unstructured":"Battista Biggio , Blaine Nelson , and Pavel Laskov . 2012. Poisoning attacks against support vector machines , In 29th Int'l Conf. on Machine Learning, John Langford and Joelle Pineau (Eds.). Int'l Conf. on Machine Learning (ICML) , 1807 --1814. Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012. Poisoning attacks against support vector machines, In 29th Int'l Conf. on Machine Learning, John Langford and Joelle Pineau (Eds.). Int'l Conf. on Machine Learning (ICML), 1807--1814."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517321"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666652.2666666"},{"key":"e_1_3_2_1_11_1","unstructured":"C. Blake and C. J. Merz. 1998. UCI Repository of machine learning databases. http:\/\/www.ics.uci.edu\/~mlearn\/MLRepository.html (1998).  C. Blake and C. J. Merz. 1998. UCI Repository of machine learning databases. http:\/\/www.ics.uci.edu\/~mlearn\/MLRepository.html (1998)."},{"key":"e_1_3_2_1_12_1","series-title":"Lecture Notes in Computer Science","volume-title":"PAC Learning with Nasty Noise","author":"Bshouty Nader H.","unstructured":"Nader H. Bshouty , Nadav Eiron , and Eyal Kushilevitz . 1999. PAC Learning with Nasty Noise . In Algorithmic Learning Theory, Osamu Watanabe and Takashi Yokomori (Eds.). Lecture Notes in Computer Science , Vol. 1720 . Springer Berlin Heidelberg , 206--218. https:\/\/doi.org\/10.1007\/3-540-46769-6_17 10.1007\/3-540-46769-6_17 Nader H. Bshouty, Nadav Eiron, and Eyal Kushilevitz. 1999. PAC Learning with Nasty Noise. In Algorithmic Learning Theory, Osamu Watanabe and Takashi Yokomori (Eds.). Lecture Notes in Computer Science, Vol. 1720. Springer Berlin Heidelberg, 206--218. https:\/\/doi.org\/10.1007\/3-540-46769-6_17"},{"key":"e_1_3_2_1_13_1","unstructured":"C. Do C. S. Foo and A. Y. Ng. 2008. Efficient multiple hyperparameter learning for log-linear models. In Advances in Neural Information Processing Systems. 377--384.  C. Do C. S. Foo and A. Y. Ng. 2008. Efficient multiple hyperparameter learning for log-linear models. In Advances in Neural Information Processing Systems. 377--384."},{"key":"e_1_3_2_1_14_1","volume-title":"15th Int'l Conf. Artificial Intelligence and Statistics (Proceedings of Machine Learning Research), Neil D","author":"Domke Justin","unstructured":"Justin Domke . 2012. Generic Methods for Optimization-Based Modeling . In 15th Int'l Conf. Artificial Intelligence and Statistics (Proceedings of Machine Learning Research), Neil D . Lawrence and Mark Girolami (Eds.), Vol. 22 . PMLR, La Palma , Canary Islands , 318--326. Justin Domke. 2012. Generic Methods for Optimization-Based Modeling. In 15th Int'l Conf. Artificial Intelligence and Statistics (Proceedings of Machine Learning Research), Neil D. Lawrence and Mark Girolami (Eds.), Vol. 22. PMLR, La Palma, Canary Islands, 318--326."},{"key":"e_1_3_2_1_15_1","volume-title":"Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations.","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow , Jonathon Shlens , and Christian Szegedy . 2015 . Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations. Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and Harnessing Adversarial Examples. In International Conference on Learning Representations."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_3_2_1_17_1","volume-title":"Machine Learning Methods for Computer Security (Dagstuhl Perspectives Workshop 12371)","author":"Joseph Anthony D.","year":"2013","unstructured":"Anthony D. Joseph , Pavel Laskov , Fabio Roli , J. Doug Tygar , and Blaine Nelson . 2013 . Machine Learning Methods for Computer Security (Dagstuhl Perspectives Workshop 12371) . Dagstuhl Manifestos 3, 1 (2013), 1--30. Anthony D. Joseph, Pavel Laskov, Fabio Roli, J. Doug Tygar, and Blaine Nelson. 2013. Machine Learning Methods for Computer Security (Dagstuhl Perspectives Workshop 12371). Dagstuhl Manifestos 3, 1 (2013), 1--30."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1137\/0222052"},{"key":"e_1_3_2_1_19_1","first-page":"3647","article-title":"Security Analysis of Online Centroid Anomaly Detection","volume":"13","author":"Kloft Marius","year":"2012","unstructured":"Marius Kloft and Pavel Laskov . 2012 . Security Analysis of Online Centroid Anomaly Detection . Journal of Machine Learning Research 13 (2012), 3647 -- 3690 . Marius Kloft and Pavel Laskov. 2012. Security Analysis of Online Centroid Anomaly Detection. Journal of Machine Learning Research 13 (2012), 3647--3690.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_1_20_1","volume-title":"International Conference on Machine Learning (ICML).","author":"Koh P. W.","unstructured":"P. W. Koh and P. Liang . 2017. Understanding Black-box Predictions via Influence Functions . In International Conference on Machine Learning (ICML). P. W. Koh and P. Liang. 2017. Understanding Black-box Predictions via Influence Functions. In International Conference on Machine Learning (ICML)."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of the 32Nd International Conference on International Conference on Machine Learning -","volume":"37","author":"Maclaurin Dougal","unstructured":"Dougal Maclaurin , David Duvenaud , and Ryan P. Adams . 2015. Gradient-based Hyperparameter Optimization Through Reversible Learning . In Proceedings of the 32Nd International Conference on International Conference on Machine Learning - Volume 37 (ICML'15). JMLR.org, 2113--2122. Dougal Maclaurin, David Duvenaud, and Ryan P. Adams. 2015. Gradient-based Hyperparameter Optimization Through Reversible Learning. In Proceedings of the 32Nd International Conference on International Conference on Machine Learning - Volume 37 (ICML'15). JMLR.org, 2113--2122."},{"key":"e_1_3_2_1_23_1","volume-title":"29th AAAI Conf. Artificial Intelligence (AAAI '15)","author":"Mei Shike","year":"2015","unstructured":"Shike Mei and Xiaojin Zhu . 2015 . Using Machine Teaching to Identify Optimal Training-Set Attacks on Machine Learners . In 29th AAAI Conf. Artificial Intelligence (AAAI '15) . Shike Mei and Xiaojin Zhu. 2015. Using Machine Teaching to Identify Optimal Training-Set Attacks on Machine Learners. In 29th AAAI Conf. Artificial Intelligence (AAAI '15)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Seyed-Mohsen Moosavi-Dezfooli Alhussein Fawzi Omar Fawzi and Pascal Frossard. 2017. Universal adversarial perturbations. In CVPR.  Seyed-Mohsen Moosavi-Dezfooli Alhussein Fawzi Omar Fawzi and Pascal Frossard. 2017. Universal adversarial perturbations. In CVPR.","DOI":"10.1109\/CVPR.2017.17"},{"key":"e_1_3_2_1_25_1","first-page":"1","article-title":"Exploiting Machine Learning to Subvert your Spam Filter","volume":"8","author":"Nelson B.","year":"2008","unstructured":"B. Nelson , M. Barreno , F. J. Chi , A. D. Joseph , B. I. P. Rubinstein , U. Saini , C.A. Sutton , J. D. Tygar , and K. Xia . 2008 . Exploiting Machine Learning to Subvert your Spam Filter . LEET 8 (2008), 1 -- 9 . B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C.A. Sutton, J. D. Tygar, and K. Xia. 2008. Exploiting Machine Learning to Subvert your Spam Filter. LEET 8 (2008), 1--9.","journal-title":"LEET"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.5555\/1387709.1387716"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_1_29_1","unstructured":"K. R. Patil X. Zhu L. Kope? and B. C. Love. 2014. Optimal teaching for limitedcapacity human learners. In Advances in Neural Information Processing Systems. 2465--2473.  K. R. Patil X. Zhu L. Kope? and B. C. Love. 2014. Optimal teaching for limitedcapacity human learners. In Advances in Neural Information Processing Systems. 2465--2473."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1162\/neco.1994.6.1.147"},{"key":"e_1_3_2_1_31_1","volume-title":"33rd International Conference on Machine Learning (Proceedings of Machine Learning Research), Maria Florina Balcan and Kilian Q. Weinberger (Eds.)","volume":"48","author":"Pedregosa F.","year":"2016","unstructured":"F. Pedregosa . 2016 . Hyperparameter optimization with approximate gradient . In 33rd International Conference on Machine Learning (Proceedings of Machine Learning Research), Maria Florina Balcan and Kilian Q. Weinberger (Eds.) , Vol. 48 . PMLR, New York, New York, USA, 737--746. F. Pedregosa. 2016. Hyperparameter optimization with approximate gradient. In 33rd International Conference on Machine Learning (Proceedings of Machine Learning Research), Maria Florina Balcan and Kilian Q. Weinberger (Eds.), Vol. 48. PMLR, New York, New York, USA, 737--746."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644895"},{"key":"e_1_3_2_1_33_1","unstructured":"D. Sgandurra L. Mu\u00f1oz-Gonz\u00e1lez R. Mohsen and E. C. Lupu. 2016. Automated Dynamic Analysis of Ransomware: Benefits Limitations and use for Detection. arXiv preprint arXiv:1609.03020 (2016).  D. Sgandurra L. Mu\u00f1oz-Gonz\u00e1lez R. Mohsen and E. C. Lupu. 2016. Automated Dynamic Analysis of Ransomware: Benefits Limitations and use for Detection. arXiv preprint arXiv:1609.03020 (2016)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420987"},{"key":"e_1_3_2_1_35_1","unstructured":"J. Steinhardt P. W. Koh and P. Liang. 2017. Certified Defenses for Data Poisoning Attacks. arXiv preprint arXiv:1706.03691 (2017).  J. Steinhardt P. W. Koh and P. Liang. 2017. Certified Defenses for Data Poisoning Attacks. arXiv preprint arXiv:1706.03691 (2017)."},{"key":"e_1_3_2_1_36_1","volume-title":"International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1312","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy , Wojciech Zaremba , Ilya Sutskever , Joan Bruna , Dumitru Erhan , Ian Goodfellow , and Rob Fergus . 2014 . Intriguing properties of neural networks . In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1312 .6199 Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In International Conference on Learning Representations. http:\/\/arxiv.org\/abs\/1312.6199"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.20"},{"key":"e_1_3_2_1_38_1","volume-title":"Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers. In 23rd USENIX Security Symposium (USENIX Security 14)","author":"Wang Gang","unstructured":"Gang Wang , Tianyi Wang , Haitao Zheng , and Ben Y. Zhao . 2014. Man vs . Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers. In 23rd USENIX Security Symposium (USENIX Security 14) . USENIX Association, San Diego, CA. Gang Wang, Tianyi Wang, Haitao Zheng, and Ben Y. Zhao. 2014. Man vs. Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA."},{"key":"e_1_3_2_1_39_1","volume-title":"Francis Bach and David Blei (Eds.)","volume":"37","author":"Xiao Huang","year":"2015","unstructured":"Huang Xiao , Battista Biggio , Gavin Brown , Giorgio Fumera , Claudia Eckert , and Fabio Roli . 2015 . Is Feature Selection Secure against Training Data Poisoning? In JMLR W&CP - Proc. 32nd Int'l Conf. Mach. Learning (ICML) , Francis Bach and David Blei (Eds.) , Vol. 37 . 1689--1698. Huang Xiao, Battista Biggio, Gavin Brown, Giorgio Fumera, Claudia Eckert, and Fabio Roli. 2015. Is Feature Selection Secure against Training Data Poisoning? In JMLR W&CP - Proc. 32nd Int'l Conf. Mach. Learning (ICML), Francis Bach and David Blei (Eds.), Vol. 37. 1689--1698."},{"key":"e_1_3_2_1_40_1","unstructured":"X. Zhu. 2013. Machine Teaching for Bayesian Learners in the Exponential Family. In Advances in Neural Information Processing Systems. 1905--1913.  X. Zhu. 2013. Machine Teaching for Bayesian Learners in the Exponential Family. In Advances in Neural Information Processing Systems. 1905--1913."}],"event":{"name":"CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security","location":"Dallas Texas USA","acronym":"CCS '17","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3128572.3140451","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3128572.3140451","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:01Z","timestamp":1750212661000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3128572.3140451"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,11,3]]},"references-count":40,"alternative-id":["10.1145\/3128572.3140451","10.1145\/3128572"],"URL":"https:\/\/doi.org\/10.1145\/3128572.3140451","relation":{},"subject":[],"published":{"date-parts":[[2017,11,3]]},"assertion":[{"value":"2017-11-03","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}