The majority of machine learning methodologies operate with the assumption that their environment is benign. However, this assumption does not always hold, as it is often advantageous to adversaries to maliciously modify the training (poisoning attacks) or test data (evasion attacks). Such attacks can be catastrophic given the growth and the penetration of machine learning applications in society. Therefore, there is a need to secure machine learning enabling the safe adoption of it in adversarial cases, such as spam filtering, malware detection, and biometric recognition. This paper presents a taxonomy and survey of attacks against systems that use machine learning. It organizes the body of knowledge in adversarial machine learning so as to identify the aspects where researchers from different fields can contribute to. The taxonomy identifies attacks which share key characteristics and as such can potentially be addressed by the same defence approaches. Thus, the proposed taxonomy makes it easier to understand the existing attack landscape towards developing defence mechanisms, which are not investigated in this survey. The taxonomy is also leveraged to identify open problems that can lead to new research areas within the field of adversarial machine learning.

大多数机器学习方法都假设其环境是良性的。但是，这种假设并不总是成立，因为恶意地修改训练（中毒攻击）或测试数据（规避攻击）通常有利于对手。考虑到机器学习应用程序在社会中的增长和渗透，此类攻击可能会带来灾难性的后果。因此，需要一种安全的机器学习，以在诸如垃圾邮件过滤，恶意软件检测和生物识别等对抗性情况下安全地采用它。本文介绍了针对使用机器学习的系统的攻击的分类法和调查。它组织对抗性机器学习中的知识体系，从而确定不同领域的研究人员可以做出哪些贡献。分类法确定具有关键特征的攻击，因此可以通过相同的防御方法来解决。因此，拟议的分类法使人们更容易了解现有的针对发展防御机制的攻击态势，本调查未对此进行调查。分类法还可以用来识别开放性问题，这些问题可以导致对抗性机器学习领域中的新研究领域。