{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,5]],"date-time":"2025-11-05T14:33:27Z","timestamp":1762353207544,"version":"3.38.0"},"reference-count":40,"publisher":"SAGE Publications","issue":"1","license":[{"start":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T00:00:00Z","timestamp":1654041600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2023,1,26]]},"abstract":"<jats:p> Machine learning has proved invaluable for a range of different tasks, yet it also proved vulnerable to evasion attacks, i.e., maliciously crafted perturbations of inputs designed to force mispredictions. In this article we propose a novel technique to certify the security of machine learning models against evasion attacks with respect to an expressive threat model, where the attacker can be represented by an arbitrary imperative program. Our approach is based on a transformation of the model under attack into an equivalent imperative program, which is then analyzed using the traditional abstract interpretation framework. This solution is sound, efficient and general enough to be applied to a range of different models, including decision trees, logistic regression and neural networks. Our experiments on publicly available datasets show that our technique yields only a minimal number of false positives and scales up to cases which are intractable for a competitor approach. <\/jats:p>","DOI":"10.3233\/jcs-210133","type":"journal-article","created":{"date-parts":[[2022,6,3]],"date-time":"2022-06-03T15:38:47Z","timestamp":1654270727000},"page":"57-84","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":3,"title":["Certifying machine learning models against evasion attacks by program analysis"],"prefix":"10.1177","volume":"31","author":[{"given":"Stefano","family":"Calzavara","sequence":"first","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Italy"}]},{"given":"Pietro","family":"Ferrara","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Italy"}]},{"given":"Claudio","family":"Lucchese","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca\u2019 Foscari Venezia, Italy"}]}],"member":"179","published-online":{"date-parts":[[2022,6,1]]},"reference":[{"doi-asserted-by":"publisher","key":"ref001","DOI":"10.1007\/978-3-642-40994-3_25"},{"doi-asserted-by":"publisher","key":"ref002","DOI":"10.1016\/j.patcog.2018.07.023"},{"unstructured":"C.M.\u00a0Bishop, Pattern Recognition and Machine Learning, 5th edn, Information Science and Statistics, Springer, 2007, https:\/\/www.worldcat.org\/oclc\/71008143. ISBN 9780387310732.","key":"ref003"},{"doi-asserted-by":"publisher","key":"ref004","DOI":"10.1023\/A:1010933404324"},{"unstructured":"L.\u00a0Breiman, J.H.\u00a0Friedman, R.A.\u00a0Olshen and C.J.\u00a0Stone, Classification and Regression Trees, Wadsworth, 1984. ISBN 0-534-98053-8.","key":"ref005"},{"doi-asserted-by":"publisher","key":"ref006","DOI":"10.1007\/978-3-030-59013-0_21"},{"doi-asserted-by":"publisher","key":"ref007","DOI":"10.1145\/3357384.3358149"},{"doi-asserted-by":"publisher","key":"ref008","DOI":"10.1007\/s10618-020-00694-9"},{"unstructured":"H.\u00a0Chen, H.\u00a0Zhang, D.S.\u00a0Boning and C.\u00a0Hsieh, Robust decision trees against adversarial examples, in: Proceedings of the 36th International Conference on Machine Learning, ICML 2019, 9\u201315 June 2019, Long Beach, California, USA, K.\u00a0Chaudhuri and R.\u00a0Salakhutdinov, eds, Proceedings of Machine Learning Research, Vol.\u00a097, PMLR, 2019, pp.\u00a01122\u20131131, http:\/\/proceedings.mlr.press\/v97\/chen19m.html.","key":"ref009"},{"unstructured":"H.\u00a0Chen, H.\u00a0Zhang, S.\u00a0Si, Y.\u00a0Li, D.S.\u00a0Boning and C.\u00a0Hsieh, Robustness verification of tree-based models, in: Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, December 8\u201314, 2019, Vancouver, BC, Canada, H.M.\u00a0Wallach, H.\u00a0Larochelle, A.\u00a0Beygelzimer, F.\u00a0d\u2019Alch\u00e9-Buc, E.B.\u00a0Fox and R.\u00a0Garnett, eds, 2019, pp.\u00a012317\u201312328, https:\/\/proceedings.neurips.cc\/paper\/2019\/hash\/cd9508fdaa5c1390e9cc329001cf1459-Abstract.html.","key":"ref010"},{"doi-asserted-by":"publisher","key":"ref011","DOI":"10.1145\/512950.512973"},{"doi-asserted-by":"publisher","key":"ref012","DOI":"10.1145\/567752.567778"},{"doi-asserted-by":"publisher","key":"ref013","DOI":"10.1145\/512760.512770"},{"doi-asserted-by":"publisher","key":"ref014","DOI":"10.1145\/3473039"},{"doi-asserted-by":"publisher","key":"ref015","DOI":"10.1007\/978-3-319-49055-7_29"},{"doi-asserted-by":"publisher","key":"ref016","DOI":"10.1007\/978-3-319-96145-3_1"},{"doi-asserted-by":"publisher","key":"ref017","DOI":"10.1609\/aaai.v33i01.33012446"},{"doi-asserted-by":"publisher","key":"ref018","DOI":"10.1007\/s10994-017-5663-3"},{"doi-asserted-by":"publisher","key":"ref019","DOI":"10.1214\/aos\/1013203451"},{"doi-asserted-by":"publisher","key":"ref020","DOI":"10.1109\/SP.2018.00058"},{"doi-asserted-by":"publisher","key":"ref021","DOI":"10.1145\/3134599"},{"doi-asserted-by":"publisher","key":"ref022","DOI":"10.1007\/978-3-319-63387-9_1"},{"doi-asserted-by":"publisher","key":"ref023","DOI":"10.1007\/978-3-642-02658-4_52"},{"unstructured":"D.\u00a0Jurafsky and J.H.\u00a0Martin, Speech and Language Processing: An Introduction to Natural Language Processing, Computational Linguistics, and Speech Recognition, 2nd edn, Prentice Hall Series in Artificial Intelligence, Prentice Hall, Pearson Education International, 2009, https:\/\/www.worldcat.org\/oclc\/315913020. ISBN 9780135041963.","key":"ref024"},{"unstructured":"A.\u00a0Kantchelian, J.D.\u00a0Tygar and A.D.\u00a0Joseph, Evasion and hardening of tree ensemble classifiers, in: Proceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, June 19\u201324, 2016, M.\u00a0Balcan and K.Q.\u00a0Weinberger, eds, JMLR Workshop and Conference Proceedings, Vol.\u00a048, JMLR.org, 2016, pp.\u00a02387\u20132396, http:\/\/proceedings.mlr.press\/v48\/kantchelian16.html.","key":"ref025"},{"doi-asserted-by":"crossref","unstructured":"G.\u00a0Katz, C.W.\u00a0Barrett, D.L.\u00a0Dill, K.\u00a0Julian and M.J.\u00a0Kochenderfer, Reluplex: An efficient SMT solver for verifying deep neural networks, CoRR abs\/1702.01135 (2017), http:\/\/arxiv.org\/abs\/1702.01135.","key":"ref026","DOI":"10.1007\/978-3-319-63387-9_5"},{"doi-asserted-by":"publisher","key":"ref027","DOI":"10.1145\/1081870.1081950"},{"unstructured":"A.\u00a0Madry, A.\u00a0Makelov, L.\u00a0Schmidt, D.\u00a0Tsipras and A.\u00a0Vladu, Towards deep learning models resistant to adversarial attacks, in: 6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, April 30\u2013May 3, 2018, Conference Track Proceedings, OpenReview.net, 2018, https:\/\/openreview.net\/forum?id=rJzIBfZAb.","key":"ref028"},{"doi-asserted-by":"publisher","key":"ref029","DOI":"10.1007\/978-3-540-31987-0_2"},{"doi-asserted-by":"publisher","key":"ref030","DOI":"10.1007\/s10990-006-8609-1"},{"doi-asserted-by":"publisher","key":"ref031","DOI":"10.1609\/aaai.v34i04.5998"},{"doi-asserted-by":"publisher","key":"ref032","DOI":"10.1145\/1275497.1275501"},{"doi-asserted-by":"publisher","key":"ref033","DOI":"10.1145\/3188720"},{"doi-asserted-by":"publisher","key":"ref034","DOI":"10.1145\/2976749.2978392"},{"doi-asserted-by":"publisher","key":"ref035","DOI":"10.1109\/TEVC.2019.2890858"},{"unstructured":"C.\u00a0Szegedy, W.\u00a0Zaremba, I.\u00a0Sutskever, J.\u00a0Bruna, D.\u00a0Erhan, I.J.\u00a0Goodfellow and R.\u00a0Fergus, Intriguing properties of neural networks, in: 2nd International Conference on Learning Representations, ICLR 2014, Banff, AB, Canada, April 14\u201316, 2014, Conference Track Proceedings, Y.\u00a0Bengio and Y.\u00a0LeCun, eds, 2014, http:\/\/arxiv.org\/abs\/1312.6199.","key":"ref036"},{"unstructured":"P.\u00a0Tan, M.S.\u00a0Steinbach and V.\u00a0Kumar, Introduction to Data Mining, Addison-Wesley, 2005, http:\/\/www-users.cs.umn.edu\/%7Ekumar\/dmbook\/. ISBN 0-321-32136-7.","key":"ref037"},{"doi-asserted-by":"publisher","key":"ref038","DOI":"10.1007\/978-3-030-26250-1_24"},{"unstructured":"S.\u00a0Wang, K.\u00a0Pei, J.\u00a0Whitehouse, J.\u00a0Yang and S.\u00a0Jana, Formal security analysis of neural networks using symbolic intervals, in: 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15\u201317, 2018, W.\u00a0Enck and A.P.\u00a0Felt, eds, USENIX Association, 2018, pp.\u00a01599\u20131614, https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/wang-shiqi.","key":"ref039"},{"unstructured":"S.\u00a0Wang, K.\u00a0Pei, J.\u00a0Whitehouse, J.\u00a0Yang and S.\u00a0Jana, Efficient formal safety analysis of neural networks, in: Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018, December 3\u20138, 2018, Montr\u00e9al, Canada, S.\u00a0Bengio, H.M.\u00a0Wallach, H.\u00a0Larochelle, K.\u00a0Grauman, N.\u00a0Cesa-Bianchi and R.\u00a0Garnett, eds, 2018, pp.\u00a06369\u20136379, https:\/\/proceedings.neurips.cc\/paper\/2018\/hash\/2ecd2bd94734e5dd392d8678bc64cdab-Abstract.html.","key":"ref040"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210133","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-210133","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210133","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,11]],"date-time":"2025-03-11T06:59:36Z","timestamp":1741676376000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-210133"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,6,1]]},"references-count":40,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,26]]}},"alternative-id":["10.3233\/JCS-210133"],"URL":"https:\/\/doi.org\/10.3233\/jcs-210133","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"type":"print","value":"0926-227X"},{"type":"electronic","value":"1875-8924"}],"subject":[],"published":{"date-parts":[[2022,6,1]]}}}