25 Mar 2013 | Battista Biggio, Blaine Nelson, Pavel Laskov
The paper investigates a family of poisoning attacks against Support Vector Machines (SVMs). These attacks involve injecting specially crafted training data to increase the SVM's test error. The authors motivate these attacks by noting that most learning algorithms assume their training data comes from a natural or well-behaved distribution, which is often not the case in security-sensitive settings. They propose a gradient ascent strategy to construct malicious data, which can be kernelized and applied in the input space even for non-linear kernels. The method reliably identifies good local maxima of the non-convex validation error surface, significantly increasing the classifier's test error.
The paper includes experimental results demonstrating the effectiveness of the proposed attack on both artificial and real-world datasets, such as the MNIST handwritten digit recognition task. The authors also discuss potential improvements and future work, including addressing the optimization method's restriction to small changes, optimizing multi-point attacks, and incorporating real-world inverse feature-mapping problems.