The anxiety reverberated all the way to the state capital, Lansing, where Governor Rick Snyder was weeks away from winning reelection. His chief legal counsel, Michael Gadola, wrote in an email: “To anyone who grew up in Flint as I did, the notion that I would be getting my drinking water from the Flint River is downright scary. Too bad the [emergency manager] didn’t ask me what I thought, though I’m sure he heard it from plenty of others. My mom is a city resident. Nice to know she’s drinking water with elevated chlorine levels and fecal coliform … They should try to get back on the Detroit system as a stopgap ASAP before this thing gets too far out of control.”

We investigate a family of poisoning attacks against Support Vector Machines (SVM). Such attacks inject specially crafted training data that increases the SVM's test error. Central to the motivation for these attacks is the fact that most learning algorithms assume that their training data comes from a natural or well-behaved distribution. However, this assumption does not generally hold in security-sensitive settings. As we demonstrate, an intelligent adversary can, to some extent, predict the change of the SVM's decision function due to malicious input and use this ability to construct malicious data. The proposed attack uses a gradient ascent strategy in which the gradient is computed based on properties of the SVM's optimal solution. This method can be kernelized and enables the attack to be constructed in the input space even for non-linear kernels. We experimentally demonstrate that our gradient ascent procedure reliably identifies good local maxima of the non-convex validation error surface, which significantly increases the classifier's test error.