Evasion attacks against machine learning at test time

21 Aug 2017 | Battista Biggio1, Igino Corona1, Davide Maiorca1, Blaine Nelson2, Nedim Šrndić3, Pavel Laskov3, Giorgio Giacinto1, and Fabio Roli1
This paper presents a gradient-based approach for evaluating the security of machine learning classifiers against evasion attacks. The method systematically assesses how different classifiers perform under attack scenarios with varying levels of adversary knowledge and manipulation capability. The approach is evaluated on the task of malware detection in PDF files, demonstrating that such systems can be easily evaded. The paper also suggests countermeasures to improve classifier security.

The evasion attack involves manipulating test samples to mislead the classifier. The adversary aims to find a sample that is misclassified with high confidence, minimizing the discriminant function of the classifier. The attack is constrained by a maximum distance from the original sample. The paper introduces a modified optimization problem that incorporates a density estimator to favor attack points that resemble legitimate samples, improving the chances of successful evasion.

The method is tested on two scenarios: perfect knowledge (PK) and limited knowledge (LK). In the PK scenario, the adversary has full knowledge of the classifier, while in the LK scenario, the adversary only knows the feature representation and classifier type. The paper shows that even with limited knowledge, the adversary can effectively evade the classifier. The approach is applied to linear and non-linear classifiers, including support vector machines (SVMs) and neural networks. The results show that SVMs with linear kernels are easily evaded, while neural networks are more robust. The paper also discusses the limitations of the approach and suggests future improvements, such as incorporating more effective strategies for generating surrogate data and improving classifier estimates.
The study highlights the importance of evaluating classifier security in adversarial settings and suggests ways to enhance the robustness of machine learning systems in security-sensitive applications.
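The gradient-descent evasion with the density (mimicry) term, as an added Python example rather than the paper's own code: the linear classifier with known weights (the PK scenario), the handful of legitimate 2-D samples, the L2 form of the distance budget d_max and the Gaussian kernel density estimator are all constructed assumptions. The last function is the defender's view, reporting the smallest manipulation budget at which a sample slips past the classifier.

```python
import math
# Constructed linear classifier with known weights (PK scenario): g(x) > 0 means "malicious".
W, B = [1.0, 1.0], -2.0
# Constructed legitimate samples (class -1) that feed the kernel density estimator.
LEGIT = [[0.2, 0.3], [0.5, 0.1], [0.1, 0.6], [0.4, 0.4]]

def distance(a, b):  # L2 distance; the L2 ball is this example's assumed form of d(x, x0) <= d_max
    return math.hypot(a[0] - b[0], a[1] - b[1])

def g(x):  # discriminant function of the known linear classifier
    return W[0] * x[0] + W[1] * x[1] + B

def kernel(x, xi, h):
    """Gaussian kernel k((x - x_i)/h) of the density (mimicry) term, bandwidth h."""
    return math.exp(-distance(x, xi) ** 2 / (2 * h * h))

def objective(x, lam, h):
    """F(x) = g(x) - (lam/n) * sum_i k((x - x_i)/h): low when evasive and legitimate-looking."""
    return g(x) - lam / len(LEGIT) * sum(kernel(x, xi, h) for xi in LEGIT)

def gradient(x, lam, h):
    """Analytic gradient of F; the density term pulls the descent toward legitimate samples."""
    grad = list(W)
    for xi in LEGIT:
        pull = lam / len(LEGIT) * kernel(x, xi, h) / (h * h)
        grad[0] += pull * (x[0] - xi[0])
        grad[1] += pull * (x[1] - xi[1])
    return grad

def project(x, x0, d_max):
    """Enforce the manipulation budget by projecting x onto the ball of radius d_max around x0."""
    dist = distance(x, x0)
    if dist <= d_max:
        return x
    return [x0[i] + (x[i] - x0[i]) * d_max / dist for i in range(2)]

def evade(x0, d_max, lam=0.0, h=0.5, step=0.1, iters=200):
    """Projected gradient descent on F starting from x0; returns the manipulated sample."""
    x = list(x0)
    for _ in range(iters):
        grad = gradient(x, lam, h)
        x = project([x[0] - step * grad[0], x[1] - step * grad[1]], x0, d_max)
    return x

def min_evasion_budget(x0, lam=0.0, budgets=(0.25, 0.5, 1.0, 1.5, 2.0, 3.0)):
    """Security evaluation: smallest budget at which x0 ends up classified legitimate (None if none)."""
    for d_max in budgets:
        if g(evade(x0, d_max, lam)) < 0:
            return d_max
    return None
```

Sweeping `min_evasion_budget` over a held-out set of malicious samples gives the curve the paper evaluates classifiers with: the smaller the budget that suffices, the more fragile the classifier, and a nonzero `lam` shows whether the mimicry term buys the attacker anything against a given model.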