Adversarial Machine Learning

The researchers at sAIfer Lab were the first to formalize gradient-based attacks on machine-learning models, both at training time and at test time, and to measure their impact, pioneering data poisoning and adversarial examples.

sAIfer Lab has pioneered the field of Adversarial Machine Learning since 2007. Starting from our work on image-based spam detection, we were among the first to conceptualize the issues raised by the use of Machine Learning in Computer Security, modeling the presence of attackers who can manipulate data to subvert the predictions of a Machine-Learning model.

To this end, we designed specific threat models for ML-based systems, identifying their main vulnerabilities along with the novel attack surface that attackers can exploit to deceive an ML-based system [TKDE, wild_patterns].
We led the way in formalizing training-time and test-time attacks on ML models as optimization problems that can be solved via gradient descent [ECML, ICML]. In particular, we revealed the impact of poisoning attacks against support vector machines in 2012, in a paper that received the 2022 ICML Test of Time Award for its long-lasting impact.

In 2013, we demonstrated the first gradient-based evasion attack to fool ML-based systems at test time, including linear models, SVMs, and neural networks. One year later, Adversarial Examples were independently discovered, using the same mechanism (i.e., optimizing an input perturbation via gradient descent), in an attempt to explain how deep networks work [intriguing_2014].
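The optimization view of evasion attacks described above, as an added security-evaluation example that is not the lab's own code: a toy linear classifier, the attacker's problem (minimize the decision score within an L2 perturbation budget) solved by projected gradient descent, and the resulting robust accuracy measured across budgets, which is how a defender estimates how much perturbation a detector tolerates. The weights and samples are constructed.

```python
"""Security evaluation of a linear classifier under a gradient-based evasion threat model.
Constructed toy weights and samples; pure Python so it runs without dependencies."""
import math


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def norm(a):
    return math.sqrt(dot(a, a))


class LinearClassifier:
    """score(x) = w.x + b; a positive score means 'malicious'."""
    def __init__(self, w, b):
        self.w, self.b = list(w), b

    def score(self, x):
        return dot(self.w, x) + self.b

    def predict(self, x):
        return 1 if self.score(x) > 0 else 0

    def gradient(self, x):
        return list(self.w)  # d score / d x is constant for a linear model


def project_l2_ball(x, x0, eps):
    """Pull x back onto the L2 ball of radius eps around the original sample x0."""
    delta = [xi - x0i for xi, x0i in zip(x, x0)]
    n = norm(delta)
    if n <= eps:
        return x
    return [x0i + di * eps / n for x0i, di in zip(x0, delta)]


def evasion_attack(clf, x0, eps, step=0.1, iters=50):
    """Projected gradient descent on the score: min_x score(x) s.t. ||x - x0||_2 <= eps."""
    x = list(x0)
    for _ in range(iters):
        g = clf.gradient(x)
        x = [xi - step * gi for xi, gi in zip(x, g)]
        x = project_l2_ball(x, x0, eps)
    return x


def robust_accuracy(clf, malicious_samples, eps):
    """Fraction of malicious samples still detected after a budget-eps evasion attempt."""
    kept = sum(clf.predict(evasion_attack(clf, x0, eps)) == 1 for x0 in malicious_samples)
    return kept / len(malicious_samples)


def security_evaluation_curve(clf, malicious_samples, budgets):
    """Robust accuracy as a function of the attacker's perturbation budget."""
    return {eps: robust_accuracy(clf, malicious_samples, eps) for eps in budgets}
```

For a linear model the curve drops at the distance of each sample to the hyperplane, score(x0)/||w||, so the curve doubles as a check that the gradient-descent solver reaches the optimum.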

Furthermore, we were among the first to study the impact of Adversarial Machine Learning on real-world security applications such as Malware Detection and Web Security. Unlike image data, these domains require ad-hoc input perturbations that must be modeled and carefully designed so that the underlying attack retains its intrusive functionality [EXE, WAF, TDSC].

sAIfer Lab brings together experts in Machine Learning and Cybersecurity and works at the intersection of the two fields to study and implement practical solutions for the design of more secure learning algorithms. Specifically, we study and assess the effect of intentional attacks targeting machine-learning models, and provide suitable countermeasures to mitigate these threats.

2007-2010: Early work on image-based spam detection and threat modeling for Machine Learning

2012: Poisoning SVMs (gradient-based training-time attacks)

2013: Gradient-based evasion attacks on SVMs and neural networks (gradient-based test-time attacks, a.k.a. adversarial examples)

2017-2024: Work on EXE, WAF, and Android

[TKDE] Biggio, Battista, Giorgio Fumera, and Fabio Roli. "Security evaluation of pattern classifiers under attack." IEEE Transactions on Knowledge and Data Engineering 26.4 (2013): 984-996.
[ECML] Biggio, Battista, et al. "Evasion attacks against machine learning at test time." Machine Learning and Knowledge Discovery in Databases: European Conference, ECML PKDD 2013.
[ICML] Biggio, Battista, Blaine Nelson, and Pavel Laskov. "Poisoning attacks against support vector machines." Proceedings of the 29th International Conference on Machine Learning (ICML), 2012.
[wild_patterns] Biggio, Battista, and Fabio Roli. "Wild patterns: Ten years after the rise of adversarial machine learning." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018.
[intriguing_2014] Szegedy, Christian, et al. "Intriguing properties of neural networks." 2nd International Conference on Learning Representations (ICLR), 2014.
[EXE] Demetrio, Luca, Scott Coull, Battista Biggio, Giovanni Lagorio, Alessandro Armando, and Fabio Roli. "Adversarial EXEmples: A survey and experimental evaluation of practical attacks on machine learning for Windows malware detection." ACM Transactions on Privacy and Security (TOPS), 2021.
[WAF] Demetrio, Luca, Andrea Valenza, Gabriele Costa, and Giovanni Lagorio. "WAF-A-MoLE: Evading web application firewalls through adversarial machine learning." SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing, 2020.
[TDSC] Demetrio, Luca, Battista Biggio, Giovanni Lagorio, Fabio Roli, and Alessandro Armando. "Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware." IEEE Transactions on Information Forensics and Security 16 (2021): 3469-3478. doi:10.1109/TIFS.2021.3082330
