Evade Hard Multiple Classifier Systems Battista Biggio, Giorgio Fumera, and Fabio Roli Abstract E xperimental and theoretical evidences showed that multiple classifier sys- tems (MCSs) can outperform single classifiers in terms of classification accu- racy. MCSs are currently used in several kinds of applications, among which security applications like biometric identity recognition, intrusion detection in computer networks and spam filtering. However security systems operate in adversarial environments against intelligent adversaries who try to evade them, and are therefore characterised by the requirement of a high robustness to evasion besides a high classification accuracy. The effectiveness of MCSs in improving the hardness of evasion has not been investigated yet, and their use in security system is based mainly on intuitive and qualitative motiva- tions, besides some experimental evidence. In this chapter we address the issue of investigating why and how MCSs can improve the hardness of eva- sion of security systems in adversarial environments. To this aim we develop analytical models of adversarial classification problems (also exploiting a the- oretical framework recently proposed by other authors), and apply them to analyse two strategies currently used to implement MCSs in several applica- tions. We then give an experimental investigation of the considered strategies on a case study in spam filtering, using a large corpus of publicly available spam and legitimate e-mails, and the SpamAssassin widely used open source spam filter. Key words: Multiple classifier systems; adversarial classification; hardness of evasion; spam filtering. Department of Electrical and Electronic Engineering, University of Cagliari, Piazza d’Armi, 09123 Cagliari, Italy {battista.biggio, fumera, roli}@diee.unica.it 1