Publications

For a more updated list of papers and citations, please check also my Google Scholar profile page at https://scholar.google.it/citations?user=OoUIOYwAAAAJ&hl=en

Pre-prints

  1. B. Montaruli, L. Demetrio, A. Valenza, B. Biggio, L. Compagna, D. Balzarotti, D. Ariu, and L. Piras. Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning. ArXiv e-prints, 2023.
  2. A. Demontis, M. Pintor, L. Demetrio, K. Grosse, H.-Y. Lin, C. Fang, B. Biggio, and F. Roli. A Survey on Reinforcement Learning Security with Application to Autonomous Driving. ArXiv e-prints, 2022.
  3. A. E. Cinà, K. Grosse, A. Demontis, B. Biggio, F. Roli, and M. Pelillo. Machine Learning Security against Data Poisoning: Are We There Yet?. ArXiv e-prints, 2022.
  4. A. E. Cinà, A. Demontis, B. Biggio, F. Roli, and M. Pelillo. Energy-latency attacks via sponge poisoning. arXiv preprint arXiv:2203.08147, 2022.
  5. A. E. Cinà, K. Grosse, S. Vascon, A. Demontis, B. Biggio, F. Roli, and M. Pelillo. Backdoor learning curves: Explaining backdoor poisoning beyond influence functions. arXiv preprint arXiv:2106.07214, 2021.
  6. L. Demetrio and B. Biggio. secml-malware: Pentesting Windows Malware Classifiers with Adversarial EXEmples in Python. arXiv preprint arXiv:2104.12848, 2021.

Journal Papers

  1. A. E. Cinà, K. Grosse, A. Demontis, S. Vascon, W. Zellinger, B. A. Moser, A. Oprea, B. Biggio, M. Pelillo, and F. Roli. Wild Patterns Reloaded: A Survey of Machine Learning Security against Training Data Poisoning. ACM Comput. Surv., 55(13s):294:1–294:39, jul 2023.
  2. Y. Zheng, X. Feng, Z. Xia, X. Jiang, A. Demontis, M. Pintor, B. Biggio, and F. Roli. Why adversarial reprogramming works, when it fails, and how to tell the difference. Information Sciences, 632:130-143, 2023.
  3. Y. Zheng, X. Feng, Z. Xia, X. Jiang, M. Pintor, A. Demontis, B. Biggio, and F. Roli. Stateful detection of adversarial reprogramming. Information Sciences, 642:119093, 2023.
  4. Y. Mirsky, A. Demontis, J. Kotak, R. Shankar, D. Gelei, L. Yang, X. Zhang, M. Pintor, W. Lee, Y. Elovici, and B. Biggio. The Threat of Offensive AI to Organizations. Computers & Security, 124:103006, 2023.
  5. Y. Zheng, L. Demetrio, A. E. Cinà, X. Feng, Z. Xia, X. Jiang, A. Demontis, B. Biggio, and F. Roli. Hardening RGB-D object recognition systems against adversarial patch attacks. Information Sciences, 651:119701, 2023.
  6. K. Grosse, L. Bieringer, T. R. Besold, B. Biggio, and K. Krombholz. Machine Learning Security in Industry: A Quantitative Survey. IEEE Transactions on Information Forensics and Security, 18:1749-1762, 2023.
  7. M. Pintor, D. Angioni, A. Sotgiu, L. Demetrio, A. Demontis, B. Biggio, and F. Roli. ImageNet-Patch: A Dataset for Benchmarking Machine Learning Robustness against Adversarial Patches. Pattern Recognition, 134:109064, 2023.
  8. L. Demetrio, B. Biggio, and F. Roli. Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware. IEEE Security & Privacy, 20(05):77-85, sep 2022.
  9. M. Melis, M. Scalas, A. Demontis, D. Maiorca, B. Biggio, G. Giacinto, and F. Roli. Do Gradient-based Explanations Tell Anything about Adversarial Robustness to Android Malware?. International Journal of Machine Learning and Cybernetics, 13(1):217–232, 2022.
  10. L. Oneto, N. Navarin, B. Biggio, F. Errica, A. Micheli, F. Scarselli, M. Bianchini, L. Demetrio, P. Bongini, A. Tacchella, and A. Sperduti. Towards Learning Trustworthily, Automatically, and with Guarantees on Graphs: An Overview. Neurocomputing, 493:217-243, 2022.
  11. F. Crecchi, M. Melis, A. Sotgiu, D. Bacciu, and B. Biggio. FADER: Fast Adversarial Example Rejection. Neurocomputing, 470:257-268, 2022.
  12. K. Grosse, T. Lee, B. Biggio, Y. Park, M. Backes, and I. Molloy. Backdoor Smoothing: Demystifying Backdoor Attacks on Deep Neural Networks. Computers & Security, 120:102814, 2022.
  13. M. Pintor, L. Demetrio, A. Sotgiu, M. Melis, A. Demontis, and B. Biggio. secml: Secure and explainable machine learning in Python. SoftwareX, 18:101095, 2022.
  14. M. Kravchik, L. Demetrio, B. Biggio, and A. Shabtai. Practical Evaluation of Poisoning Attacks on Online Anomaly Detectors in Industrial Control Systems. Computers & Security, 122:102901, 2022.
  15. S. Melacci, G. Ciravegna, A. Sotgiu, A. Demontis, B. Biggio, M. Gori, and F. Roli. Domain Knowledge Alleviates Adversarial Attacks in Multi-Label Classifiers. IEEE Transactions on Pattern Analysis and Machine Intelligence, 44(12):9944-9959, 2022.
  16. L. Demetrio, S. E. Coull, B. Biggio, G. Lagorio, A. Armando, and F. Roli. Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection. ACM Trans. Priv. Secur., September 2021.
  17. P. Temple, G. Perrouin, M. Acher, B. Biggio, J.-M. Jézéquel, and F. Roli. Empirical Assessment of Generating Adversarial Configurations for Software Product Lines. Empirical Software Engineering, 2021.
  18. H.-Y. Lin and B. Biggio. Adversarial Machine Learning: Attacks From Laboratories to the Real World. Computer, 54(5):56-60, 2021.
  19. L. Demetrio, B. Biggio, G. Lagorio, F. Roli, and A. Armando. Functionality-Preserving Black-Box Optimization of Adversarial Windows Malware. IEEE Transactions on Information Forensics and Security, 16:3469-3478, 2021.
  20. D. Maiorca, A. Demontis, B. Biggio, F. Roli, and G. Giacinto. Adversarial Detection of Flash Malware: Limitations and Open Issues. Computers & Security, 96:101901, 2020.
  21. A. Sotgiu, A. Demontis, M. Melis, B. Biggio, G. Fumera, X. Feng, and F. Roli. Deep Neural Rejection against Adversarial Examples. EURASIP J. Information Security, 2020.
  22. A. Demontis, M. Melis, B. Biggio, D. Maiorca, D. Arp, K. Rieck, I. Corona, G. Giacinto, and F. Roli. Yes, Machine Learning Can Be More Secure! A Case Study on Android Malware Detection. IEEE Transactions on Dependable and Secure Computing, 16(4):711-724, July 2019.
  23. D. Maiorca, B. Biggio, and G. Giacinto. Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks. ACM Comput. Surv., 52(4):78:1–78:36, 2019.
  24. D. Maiorca and B. Biggio. Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware. IEEE Security & Privacy, 17(01):63-71, Jan. 2019.
  25. B. Biggio and F. Roli. Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning. Pattern Recognition, 84:317-331, 2018.
  26. B. Biggio, G. Fumera, G. L. Marcialis, and F. Roli. Statistical Meta-Analysis of Presentation Attacks for Secure Multibiometric Systems. IEEE Transactions on Pattern Analysis and Machine Intelligence, 39(3):561-575, March 2017.
  27. S. Rota Bulò, B. Biggio, I. Pillai, M. Pelillo, and F. Roli. Randomized Prediction Games for Adversarial Machine Learning. IEEE Transactions on Neural Networks and Learning Systems, 28(11):2466-2478, 2017.
  28. A. Demontis, M. Melis, B. Biggio, G. Fumera, and F. Roli. Super-sparse Learning in Similarity Spaces. IEEE Computational Intelligence Magazine, 11(4):36-45, Nov 2016.
  29. F. Zhang, P.P.K. Chan, B. Biggio, D.S. Yeung, and F. Roli. Adversarial Feature Selection Against Evasion Attacks. IEEE Transactions on Cybernetics, 46(3):766-777, 2016.
  30. B. Biggio, G. Fumera, P. Russu, L. Didaci, and F. Roli. Adversarial Biometric Recognition: A review on biometric system security from the adversarial machine-learning perspective. IEEE Signal Processing Magazine, 32(5):31-41, Sept 2015.
  31. H. Xiao, B. Biggio, B. Nelson, H. Xiao, C. Eckert, and F. Roli. Support Vector Machines under Adversarial Label Contamination. Neurocomputing, Special Issue on Advances in Learning with Label Noise, 160(0):53 - 62, 2015.
  32. G. Ennas, B. Biggio, and M. C. Di Guardo. Data-driven Journal Meta-ranking in Business and Management. Scientometrics, 105(3):1911-1929, 2015.
  33. B. Biggio, G. Fumera, and F. Roli. Security Evaluation of Pattern Classifiers Under Attack. IEEE Transactions on Knowledge and Data Engineering, 26(4):984-996, April 2014.
  34. B. Biggio, G. Fumera, and F. Roli. Pattern Recognition Systems under Attack: Design Issues and Research Challenges. Int’l J. Patt. Recogn. Artif. Intell., 28(7):1460002, 2014.
  35. B. Biggio, Z. Akhtar, G. Fumera, G. L. Marcialis, and F. Roli. Security Evaluation of Biometric Authentication Systems under Real Spoofing Attacks. IET Biometrics, 1(1):11-24, March 2012.
  36. B. Biggio, G. Fumera, I. Pillai, and F. Roli. A Survey and Experimental Evaluation of Image Spam Filtering Techniques. Pattern Recognition Letters, 32(10):1436 - 1446, 2011.
  37. B. Biggio, G. Fumera, and F. Roli. Multiple Classifier Systems for Robust Classifier Design in Adversarial Environments. Int’l J. Mach. Learn. and Cybernetics, 1(1):27–41, 2010.

Conference Papers

  1. A. Shapira, A. Zolfi, L. Demetrio, B. Biggio, and A. Shabtai. Phantom Sponges: Exploiting Non-Maximum Suppression to Attack Deep Object Detectors. In IEEE/CVF Winter Conference on Applications of Computer Vision (WACV). 2023.
  2. G. Piras, M. Pintor, A. Demontis, and B. Biggio. Samples on Thin Ice: Re-evaluating Adversarial Pruning of Neural Networks. In International Conference on Machine Learning and Cybernetics, ICMLC. IEEE SMC, 2023.
  3. G. Floris, R. Mura, L. Scionis, G. Piras, M. Pintor, A. Demontis, and B. Biggio. Improving Fast Minimum-Norm Attacks with Hyperparameter Optimization. In ESANN. 2023.
  4. M. Pintor, L. Demetrio, A. Sotgiu, H.-Y. Lin, C. Fang, A. Demontis, and B. Biggio. Detecting Attacks against Deep Reinforcement Learning for Autonomous Driving. In International Conference on Machine Learning and Cybernetics, ICMLC. IEEE SMC, 2023.
  5. B. Montaruli, L. Demetrio, M. Pintor, L. Compagna, D. Balzarotti, and B. Biggio. Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors. In Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec ‘23. ACM, 2023.
  6. D. Lazzaro, A. E. Cinà, M. Pintor, A. Demontis, B. Biggio, F. Roli, and M. Pelillo. Minimizing Energy Consumption of Deep Learning Models by Energy-Aware Training. In G. L. Foresti, A. Fusiello, and E. Hancock, editors, Image Analysis and Processing – ICIAP 2023, 515–526. Cham, 2023. Springer Nature Switzerland.
  7. L. Bieringer, K. Grosse, M. Backes, B. Biggio, and K. Krombholz. Industrial practitioners’ mental models of adversarial machine learning. In Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), 97–116. Boston, MA, August 2022. USENIX Association.
  8. B. A. Moser, M. Lewandowski, S. Kargaran, W. Zellinger, B. Biggio, and C. Koutschan. Tessellation-Filtering ReLU Neural Networks. In L. D. Raedt, editor, Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence, IJCAI-22, 3335–3341. International Joint Conferences on Artificial Intelligence Organization, 7 2022. Main Track.
  9. A. Sotgiu, M. Pintor, and B. Biggio. Explainability-Based Debugging of Machine Learning for Vulnerability Discovery. In Proc. 17th International Conference on Availability, Reliability and Security, ARES ‘22, 1-8. New York, NY, USA, 2022. Association for Computing Machinery.
  10. G. Piras, M. Pintor, L. Demetrio, and B. Biggio. Explaining Machine Learning DGA Detectors from DNS Traffic Data. In ITASEC 2022, volume 3260 of CEUR-WS, 150-168. 2022.
  11. D. Angioni, L. Demetrio, M. Pintor, and B. Biggio. Robust Machine Learning for Malware Detection over Time. In ITASEC 2022, volume 3260 of CEUR-WS, 169-180. 2022.
  12. M. Pintor, L. Demetrio, A. Sotgiu, A. Demontis, N. Carlini, B. Biggio, and F. Roli. Indicators of Attack Failure: Debugging and Improving Optimization of Adversarial Examples. In Neural Information Processing Systems (NeurIPS). 2022.
  13. A. E. Cinà, S. Vascon, A. Demontis, B. Biggio, F. Roli, and M. Pelillo. The Hammer and the Nut: Is Bilevel Optimization Really Needed to Poison Linear Classifiers?. In International Joint Conference on Neural Networks (IJCNN), 1-8. Shenzhen, China, 2021. IEEE.
  14. M. Pintor, F. Roli, W. Brendel, and B. Biggio. Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints. In M. Ranzato, A. Beygelzimer, Y. Dauphin, P.S. Liang, and J. W. Vaughan, editors, Advances in Neural Information Processing Systems (NeurIPS), volume 34, 20052–20062. Curran Associates, Inc., 2021.
  15. L. Oneto, N. Navarin, B. Biggio, F. Errica, A. Micheli, F. Scarselli, M. Bianchini, and A. Sperduti. Complex Data: Learning Trustworthily, Automatically, and with Guarantees. In ESANN. 2021.
  16. M. Pintor, L. Demetrio, G. Manca, B. Biggio, and F. Roli. Slope: A First-order Approach for Measuring Gradient Obfuscation. In ESANN. 2021.
  17. G. Buchgeher, G. Czech, A. S. Ribeiro, W. Kloihofer, P. Meloni, P. Busia, G. Deriu, M. Pintor, B. Biggio, C. Chesta, L. Rinelli, D. Solans, and M. Portela. Task-Specific Automation in Deep Learning Processes. In G. Kotsis, A. M. Tjoa, I. Khalil, B. Moser, A. Mashkoor, J. Sametinger, A. Fensel, J. Martinez-Gil, L. Fischer, G. Czech, F. Sobieczky, and S. Khan, editors, Database and Expert Systems Applications - DEXA 2021 Workshops, 159–169. Cham, 2021. Springer International Publishing.
  18. D. Solans, B. Biggio, and C. Castillo. Poisoning Attacks on Algorithmic Fairness. In F. Hutter, K. Kersting, J. Lijffijt, and I. Valera, editors, Machine Learning and Knowledge Discovery in Databases (ECML PKDD 2020), Lecture Notes in Computer Science, 162–177. Cham, 2021. Springer International Publishing.
  19. M. Kravchik, B. Biggio, and A. Shabtai. Poisoning Attacks on Cyber Attack Detectors for Industrial Control Systems. In Proceedings of the 36th Annual ACM Symposium on Applied Computing, SAC ‘21, 116–125. New York, NY, USA, 2021. Association for Computing Machinery.
  20. A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli. Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, 2019.
  21. P. Meloni, D. Loi, P. Busia, G. Deriu, A. D. Pimentel, D. Sapra, T. Stefanov, S. Minakova, F. Conti, L. Benini, M. Pintor, B. Biggio, B. Moser, N. Shepelev, N. Fragoulis, I. Theodorakopoulos, M. Masin, and F. Palumbo. Optimization and Deployment of CNNs at the Edge: The ALOHA experience. In ACM International Conference on Computing Frontiers, 326 – 332. 2019.
  22. R. Labaca-Castro, B. Biggio, and G. Dreo Rodosek. Poster: Attacking Malware Classifiers by Crafting Gradient-Attacks That Preserve Functionality. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ‘19, 2565–2567. New York, NY, USA, 2019. ACM.
  23. L. Demetrio, B. Biggio, G. Lagorio, F. Roli, and A. Armando. Explaining Vulnerabilities of Deep Learning to Adversarial Malware Binaries. In 3rd Italian Conference on Cyber Security, ITASEC, volume 2315. CEUR Workshop Proceedings, 2019.
  24. F. Crecchi, D. Bacciu, and B. Biggio. Detecting Adversarial Examples through Nonlinear Dimensionality Reduction. In ESANN. 2019.
  25. P. Temple, M. Acher, G. Perrouin, B. Biggio, J.-M. Jezequel, and F. Roli. Towards Quality Assurance of Software Product Lines with Adversarial Configurations. In Proceedings of the 23rd International Systems and Software Product Line Conference - Volume A, SPLC ‘19, 277–288. New York, NY, USA, 2019. Association for Computing Machinery.
  26. M. Jagielski, A. Oprea, B. Biggio, C. Liu, C. Nita-Rotaru, and B. Li. Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning. In IEEE Symposium on Security and Privacy, SP ‘18, 931-947. IEEE CS, 2018.
  27. M. Melis, D. Maiorca, B. Biggio, G. Giacinto, and F. Roli. Explaining Black-box Android Malware Detection. In 26th European Signal Processing Conf., EUSIPCO, 524-528. Rome, Italy, 2018. IEEE.
  28. P. Meloni, D. Loi, G. Deriu, A. D. Pimentel, D. Saprat, M. Pintor, B. Biggio, O. Ripolles, D. Solans, F. Conti, L. Benini, T. Stefanov, S. Minakova, B. Moser, N. Shepeleva, M. Masin, F. Palumbo, N. Fragoulis, and I. Theodorakopoulos. Architecture-aware design and implementation of CNN algorithms for embedded inference: The ALOHA project. In Proceedings of the International Conference on Microelectronics (ICM), volume 2018-December, 52 – 55. 2018.
  29. P. Meloni, D. Loi, G. Deriu, A. D. Pimentel, D. Sapra, B. Moser, N. Shepeleva, F. Conti, L. Benini, O. Ripolles, D. Solans, M. Pintor, B. Biggio, T. Stefanov, S. Minakova, N. Fragoulis, I. Theodorakopoulos, M. Masin, and F. Palumbo. ALOHA: An Architectural-Aware Framework for Deep Learning at the Edge. In Proceedings of the Workshop on INTelligent Embedded Systems Architectures and Applications, INTESA ‘18, 19–26. New York, NY, USA, 2018. Association for Computing Machinery.
  30. B. Kolosnjaji, A. Demontis, B. Biggio, D. Maiorca, G. Giacinto, C. Eckert, and F. Roli. Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables. In 26th European Signal Processing Conf., EUSIPCO, 533-537. Rome, 2018. IEEE.
  31. D. Maiorca, P. Russu, I. Corona, B. Biggio, and G. Giacinto. Detection of Malicious Scripting Code through Discriminant and Adversary-Aware API Analysis. In A. Armando, R. Baldoni, and R. Focardi, editors, First Italian Conference on Cybersecurity (ITASEC17), number 1816 in CEUR Workshop Proceedings, 96-105. Aachen, 2017.
  32. M. Melis, A. Demontis, B. Biggio, G. Brown, G. Fumera, and F. Roli. Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub Humanoid. In ICCVW Vision in Practice on Autonomous Robots (ViPAR), 751-759. IEEE, 2017.
  33. L. Muñoz-González, B. Biggio, A. Demontis, A. Paudice, V. Wongrassamee, E. C. Lupu, and F. Roli. Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization. In B. M. Thuraisingham, B. Biggio, D. M. Freeman, B. Miller, and A. Sinha, editors, 10th ACM Workshop on Artificial Intelligence and Security, AISec ‘17, 27–38. New York, NY, USA, 2017. ACM.
  34. A. Demontis, B. Biggio, G. Fumera, G. Giacinto, and F. Roli. Infinity-norm Support Vector Machines against Adversarial Label Contamination. In A. Armando, R. Baldoni, and R. Focardi, editors, First Italian Conference on Cybersecurity (ITASEC17), number 1816 in CEUR Workshop Proceedings, 106-115. Aachen, 2017.
  35. I. Corona, B. Biggio, M. Contini, L. Piras, R. Corda, M. Mereu, G. Mureddu, D. Ariu, and F. Roli. DeltaPhish: Detecting Phishing Webpages in Compromised Websites. In S. N. Foley, D. Gollmann, and E. Snekkenes, editors, 22nd European Symposium on Research in Computer Security (ESORICS), volume 10492 of LNCS, 370–388. Cham, 2017. Springer International Publishing.
  36. P. Piredda, D. Ariu, B. Biggio, I. Corona, L. Piras, G. Giacinto, and F. Roli. Deepsquatting: Learning-Based Typosquatting Detection at Deeper Domain Levels. In AI*IA, volume 10640 of LNCS, 347–358. Springer, 2017.
  37. B. Biggio. Machine Learning under Attack: Vulnerability Exploitation and Security Measures. In 4th ACM Workshop on Information Hiding & Multimedia Security, IH&MMSec ‘16, 1-2. New York, NY, USA, 2016. ACM.
  38. A. Demontis, P. Russu, B. Biggio, G. Fumera, and F. Roli. On Security and Sparsity of Linear Classifiers for Adversarial Settings. In A. Robles-Kelly, M. Loog, B. Biggio, F. Escolano, and R. Wilson, editors, Joint IAPR Int’l Workshop on Structural, Syntactic, and Statistical Pattern Recognition, volume 10029 of LNCS, 322-332. Cham, 2016. Springer International Publishing.
  39. D. M. Freeman, S. Jain, M. Dürmuth, B. Biggio, and G. Giacinto. Who are you? A statistical approach to measuring user authenticity. In Proc. 23rd Annual Network & Distributed System Security Symposium (NDSS). The Internet Society, 2016.
  40. P. Russu, A. Demontis, B. Biggio, G. Fumera, and F. Roli. Secure Kernel Machines against Evasion Attacks. In 9th ACM Workshop on Artificial Intelligence and Security, AISec ‘16, 59-69. New York, NY, USA, 2016. ACM.
  41. B. Biggio, M. Melis, G. Fumera, and F. Roli. Sparse Support Faces. In Int’l Conf. on Biometrics (ICB), 208-213. May 2015.
  42. M. Melis, L. Piras, B. Biggio, G. Giacinto, G. Fumera, and F. Roli. Fast Image Classification with Reduced Multiclass Support Vector Machines. In V. Murino and E. Puppo, editors, Image Analysis and Processing, volume 9280 of LNCS, 78-88. Springer International Publishing, 2015.
  43. B. Biggio, I. Corona, Z.-M. He, P. P. K. Chan, G. Giacinto, D. S. Yeung, and F. Roli. One-and-a-Half-Class Multiple Classifier Systems for Secure Learning Against Evasion Attacks at Test Time. In F. Schwenker, F. Roli, and J. Kittler, editors, Multiple Classifier Systems, volume 9132 of Lecture Notes in Computer Science, 168-180. Springer International Publishing, 2015.
  44. H. Xiao, B. Biggio, G. Brown, G. Fumera, C. Eckert, and F. Roli. Is Feature Selection Secure against Training Data Poisoning?. In F. Bach and D. Blei, editors, JMLR W&CP - Proc. 32nd Int’l Conf. Mach. Learning (ICML), volume 37, 1689-1698. 2015.
  45. A. Demontis, B. Biggio, G. Fumera, and F. Roli. Super-Sparse Regression for Fast Age Estimation from Faces at Test Time. In V. Murino and E. Puppo, editors, Image Analysis and Processing, volume 9280 of LNCS, 551–562. Springer International Publishing, 2015.
  46. B. Biggio. On Learning and Recognition of Secure Patterns. In ACM Workshop on Artificial Intelligence and Security, AISec ‘14, 1–2. New York, NY, USA, 2014. ACM.
  47. B. Biggio, K. Rieck, D. Ariu, C. Wressnegger, I. Corona, G. Giacinto, and F. Roli. Poisoning Behavioral Malware Clustering. In 2014 Workshop on Artificial Intelligent and Security, AISec ‘14, 27–36. New York, NY, USA, 2014. ACM.
  48. B. Biggio, S. R. Bulò, I. Pillai, M. Mura, E. Z. Mequanint, M. Pelillo, and F. Roli. Poisoning complete-linkage hierarchical clustering. In P. Franti, G. Brown, M. Loog, F. Escolano, and M. Pelillo, editors, Joint IAPR Int’l Workshop on Structural, Syntactic, and Statistical Pattern Recognition, volume 8621 of Lecture Notes in Computer Science, 42-52. Joensuu, Finland, 2014. Springer Berlin Heidelberg.
  49. B. Biggio, I. Pillai, S. R. Bulò, D. Ariu, M. Pelillo, and F. Roli. Is Data Clustering in Adversarial Settings Secure?. In Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, AISec ‘13, 87-98. New York, NY, USA, 2013. ACM.
  50. B. Biggio, L. Didaci, G. Fumera, and F. Roli. Poisoning attacks to compromise face templates. In 6th IAPR Int’l Conf. on Biometrics (ICB 2013), 1–7. Madrid, Spain, 2013.
  51. B. Biggio, I. Corona, D. Maiorca, B. Nelson, N. Šrndić, P. Laskov, G. Giacinto, and F. Roli. Evasion attacks against machine learning at test time. In H. Blockeel, K. Kersting, S. Nijssen, and F. Železný, editors, Machine Learning and Knowledge Discovery in Databases (ECML PKDD), Part III, volume 8190 of LNCS, 387–402. Springer Berlin Heidelberg, 2013.
  52. F. Roli, B. Biggio, and G. Fumera. Pattern Recognition Systems under Attack. In J. Ruiz-Shulcloper and G. S. di Baja, editors, Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications, volume 8258 of Lecture Notes in Computer Science, 1–8. Springer, 2013.
  53. B. Biggio, B. Nelson, and P. Laskov. Poisoning attacks against support vector machines. In J. Langford and J. Pineau, editors, 29th Int’l Conf. on Machine Learning, 1807-1814. Omnipress, 2012.
  54. B. Biggio, G. Fumera, and F. Roli. Learning sparse kernel machines with biometric similarity functions for identity recognition. In IEEE 5th Int’l Conf. on Biometrics: Theory, Applications and Systems (BTAS), 325-330. 2012.
  55. B. Biggio, G. Fumera, F. Roli, and L. Didaci. Poisoning Adaptive Biometric Systems. In G. Gimel’farb, E. Hancock, A. Imiya, A. Kuijper, M. Kudo, S. Omachi, T. Windeatt, and K. Yamada, editors, Structural, Syntactic, and Statistical Pattern Recognition, volume 7626 of Lecture Notes in Computer Science, 417-425. Springer Berlin Heidelberg, 2012.
  56. B. Biggio, B. Nelson, and P. Laskov. Support Vector Machines Under Adversarial Label Noise. In Journal of Machine Learning Research - Proc. 3rd Asian Conf. Machine Learning, volume 20, 97-112. November 2011.
  57. B. Nelson, B. Biggio, and P. Laskov. Microbagging Estimators: An Ensemble Approach to Distance-weighted Classifiers. In Journal of Machine Learning Research - Proc. 3rd Asian Conf. Machine Learning, volume 20, 63-79. Taoyuan, Taiwan, November 2011.
  58. B. Biggio, G. Fumera, and F. Roli. Design of robust classifiers for adversarial environments. In IEEE Int’l Conf. on Systems, Man, and Cybernetics (SMC), 977-982. oct. 2011.
  59. Z. Akhtar, B. Biggio, G. Fumera, and G. L. Marcialis. Robustness of Multi-modal Biometric Systems under Realistic Spoof Attacks against All Traits. In 2nd Int’l IEEE Workshop on Biometric Measurements and Systems for Security and Medical Applications (BioMS 2011), 5-10. Milan, Italy, September 2011.
  60. B. Biggio, I. Corona, G. Fumera, G. Giacinto, and F. Roli. Bagging Classifiers for Fighting Poisoning Attacks in Adversarial Classification Tasks. In C. Sansone, J. Kittler, and F. Roli, editors, 10th International Workshop on Multiple Classifier Systems (MCS), volume 6713 of Lecture Notes in Computer Science, 350–359. Springer-Verlag, June 2011.
  61. B. Nelson, B. Biggio, and P. Laskov. Understanding the Risk Factors of Learning in Adversarial Environments. In 4th ACM Workshop on Artificial Intelligence and Security, AISec ‘11, 87–92. Chicago, IL, USA, 2011.
  62. B. Biggio, Z. Akhtar, G. Fumera, G. L. Marcialis, and F. Roli. Robustness of multi-modal biometric verification systems under realistic spoofing attacks. In Int’l Joint Conf. on Biometrics (IJCB), 1-6. 2011.
  63. B. Biggio, G. Fumera, and F. Roli. Multiple Classifier Systems under attack. In N. E. Gayar, J. Kittler, and F. Roli, editors, 9th International Workshop on Multiple Classifier Systems (MCS), volume 5997 of Lecture Notes in Computer Science, 74-83. Springer, 2010.
  64. B. Biggio, G. Fumera, and F. Roli. Multiple Classifier Systems for Adversarial Classification Tasks. In J. A. Benediktsson, J. Kittler, and F. Roli, editors, Proceedings of the 8th International Workshop on Multiple Classifier Systems, volume 5519 of Lecture Notes in Computer Science, 132-141. Springer, 2009.
  65. B. Biggio, G. Fumera, I. Pillai, and F. Roli. Improving Image Spam Filtering Using Image Text Features. In Fifth Conference on Email and Anti-Spam (CEAS). Mountain View, CA, USA, 21 August 2008.
  66. B. Biggio, G. Fumera, and F. Roli. Adversarial Pattern Classification using Multiple Classifiers and Randomisation. In 12th Joint IAPR International Workshop on Structural and Syntactic Pattern Recognition (SSPR 2008), volume 5342 of Lecture Notes in Computer Science, 500-509. Orlando, Florida, USA, 04/12/2008 2008. Springer-Verlag.
  67. B. Biggio, G. Fumera, and F. Roli. Evade Hard Multiple Classifier Systems. In Workshop on Supervised and Unsupervised Ensemble Methods and their Applications (SUEMA). 2008.
  68. B. Biggio, G. Fumera, and F. Roli. Bayesian Analysis of Linear Combiners. In M. Haindl, J. Kittler, and F. Roli, editors, Multiple Classifier Systems, 7th International Workshop, MCS 2007, Prague, Czech Republic, May 23-25, 2007, Proceedings, volume 4472 of Lecture Notes in Computer Science, 292-301. Springer, 23/05/2007 2007.
  69. B. Biggio, G. Fumera, I. Pillai, and F. Roli. Image Spam Filtering Using Visual Information. In 14th International Conference on Image Analysis and Processing, 105–110. Modena, Italy, 10-14 September 2007. IEEE Computer Society.
  70. B. Biggio, G. Fumera, I. Pillai, and F. Roli. Image Spam Filtering by Content Obscuring Detection. In Fourth Conference on Email and Anti-Spam (CEAS). Microsoft Research Silicon Valley, Mountain View, California, 2-3 August 2007.
  71. G. Fumera, I. Pillai, F. Roli, and B. Biggio. Image spam filtering using textual and visual information. In MIT Spam Conference. Cambridge, MA, USA, 30 March 2007.
  72. F. Roli, B. Biggio, G. Fumera, I. Pillai, and R. Satta. Image Spam Filtering by Detection of Adversarial Obfuscated Text. In NIPS Workshop on Machine Learning in Adversarial Environments for Computer Security. Whistler, British Columbia, Canada, 2007.

Book Chapters

  1. G. L. Marcialis, B. Biggio, and G. Fumera. Anti-spoofing: Multimodal. In S. Z. Li and A. K. Jain, editors, Encyclopedia of Biometrics, pages 103-105. Springer US, 2015.
  2. G. Fumera, G. L. Marcialis, B. Biggio, F. Roli, and S. C. Schuckers. Multimodal Anti-Spoofing in Biometric Recognition Systems. In S. Marcel, M. Nixon, and S. Z. Li, editors, Handbook of Biometric Anti-Spoofing, Advances in Computer Vision and Pattern Recognition, pages 165-184. Springer London, 2014.
  3. B. Biggio, I. Corona, B. Nelson, BenjaminI.P. Rubinstein, D. Maiorca, G. Fumera, G. Giacinto, and F. Roli. Security Evaluation of Support Vector Machines in Adversarial Environments. In Y. Ma and G. Guo, editors, Support Vector Machines Applications, pages 105-153. Springer International Publishing, Cham, 2014.
  4. B. Biggio, G. Fumera, and F. Roli. Bayesian Linear Combination of Neural Networks. In M. Bianchini, M. Maggini, F. Scarselli, and L. C. Jain, editors, Innovations in Neural Information Paradigms and Applications, volume 247 of Studies in Computational Intelligence, pages 201-230. Springer Berlin Heidelberg, 2009.
  5. B. Biggio, G. Fumera, and F. Roli. Evade Hard Multiple Classifier Systems. In O. Okun and G. Valentini, editors, Supervised and Unsupervised Ensemble Methods and Their Applications, volume 245 of Studies in Computational Intelligence, pages 15-38. Springer Berlin / Heidelberg, 2008.

Proceedings / Edited Books

  1. A. Torsello, L. Rossi, M. Pelillo, B. Biggio, and A. Robles-Kelly, editors. Structural, Syntactic, and Statistical Pattern Recognition - Joint IAPR International Workshops, S+SSPR 2020, Padua, Italy, January 21-22, 2021, Proceedings, volume 12644 of Lecture Notes in Computer Science, Springer, 2021.
  2. N. Vasiloglou, B. Biggio, and N. Carlini, editors. Deep Learning and Security Workshop (DLS 2020), 2020 IEEE Security and Privacy Workshops (SPW), 2020.
  3. L. Cavallaro, J. Kinder, S. Afroz, B. Biggio, N. Carlini, Y. Elovici, and A. Shabtai, editors. AISec ‘19: Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, New York, NY, USA, 2019. Association for Computing Machinery.
  4. K. Rieck, B. Biggio, and N. Vasiloglou, editors. Deep Learning and Security Workshop (DLS 2019), 2019 IEEE Security and Privacy Workshops (SPW), 2019.
  5. S. Afroz, B. Biggio, Y. Elovici, D. Freeman, and A. Shabtai, editors. AISec ‘18: Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security, New York, NY, USA, 2018. Association for Computing Machinery.
  6. X. Bai, E. R. Hancock, T. K. Ho, R. C. Wilson, B. Biggio, and A. Robles-Kelly, editors. Structural, Syntactic, and Statistical Pattern Recognition - Joint IAPR International Workshop, S+SSPR 2018, Beijing, China, August 17-19, 2018, Proceedings, volume 11004 of Lecture Notes in Computer Science, Springer, 2018.
  7. B. M. Thuraisingham, B. Biggio, D. M. Freeman, B. Miller, and A. Sinha, editors. AISec ‘17: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, New York, NY, USA, 2017. ACM.
  8. A. Robles-Kelly, M. Loog, B. Biggio, F. Escolano, and R. C. Wilson, editors. Structural, Syntactic, and Statistical Pattern Recognition - Joint IAPR International Workshop, S+SSPR 2016, Mérida, Mexico, November 29 - December 2, 2016, Proceedings, volume 10029 of Lecture Notes in Computer Science, 2016.

Miscellaneous

  1. B. Biggio, G. Fumera, G. L. Marcialis, and F. Roli. Security of pattern recognition systems in adversarial environments. Convegno Gruppo Italiano Ricercatori Pattern Recognition, 2012.
  2. B. Biggio, G. Fumera, I. Pillai, F. Roli, and R. Satta. Evading SpamAssassin with Obfuscated Text Images. Virus Bulletin, November 2007.

PhD Thesis

  1. B. Biggio. Adversarial Pattern Classification. PhD Thesis, University of Cagliari, Cagliari (Italy), 2010.