From: Machine learning security and privacy: a review of threats and countermeasures
| Reference | Machine learning model/algorithm | Attack type | Exploited vulnerability | Attacker's knowledge | Attacker's goals | Attack severity and impact | Defined threat model | Targeted feature |
|---|---|---|---|---|---|---|---|---|
| D. Gibert et al. [60], 2023 | Generative adversarial networks | Query-free feature-based attack | Perturbed features in executable | Black box attack | Evade ML detector with malicious executable | ML detectors are vulnerable to evasion by query-free attacks | No | Victim detection decision |
| H. Yan et al. [61], 2023 | Logistic regression, SVM, NB, decision tree, RF, XGBoost, ANN, ensemble model | Label-based evasion attack | Poisoned labeled samples | Black box attack | Transfer adversarially crafted samples to evade detection | Transfer-based evasion attack is a serious threat to ML and DL | No | Test time precision |
| H. Bostani et al. [62], 2022 | ML-based malware detector | n-gram based attack on malware classifier | Transform malware samples into benign-looking ones with an n-gram based incremental strategy | Black box attack with model query access | Misclassification by Android malware detector | DNNs are more affected by evasion via surrogate models than linear SVM-based classifiers | Yes | Test time prediction |
| Md. A. Ayub et al. [28], 2020 | Multi-layer perceptron network | Jacobian-based saliency map attack | Iterative approach that inserts perturbation near sensitive features of benign samples | White box attack | Misclassify malicious sample as benign in IDS | Multi-layer perceptron can be exploited with an evasion attack using minimal knowledge of the model | No | Test time prediction |
| Y. Shi et al. [63], 2017 | Naïve Bayes classifier | Evasion attack with feed-forward neural networks | Feed poisoned samples with DL score within a computed attack region | Exploratory black box attack | Misclassify test data samples | Controlled perturbations to labels and classification boundary may limit adversarial impact on DL | Yes | Model availability |