A significant threat to the recent, wide deployment of machine learning-based systems, including deep neural networks (DNNs), is adversarial learning attacks. The main focus here is on evasion attacks against (DNN-based) classifiers at test time. While much work has focused on devising attacks that make perturbations to a test pattern (e.g., an image) which are humanimperceptible and yet still induce a change in the classifier's decision, until recently there has been relative paucity of work in defending against such attacks. Some works robustify the classifier to make correct decisions on perturbed patterns. This is an important objective for some applications involving evasion attacks and for "natural adversary" scenarios. However, we analyze the possible evasion attack mechanisms and show that, in some important cases, when the image has been attacked, correctly classifying it has no utility: i) when the image to be 1 This work was supported in part by a gift from Cisco and a grant from the DDDAS program at AFOSR. arXiv:1712.06646v2 [cs.LG] 28 Jun 2018 attacked is (even arbitrarily) selected from the attacker's cache; ii) when the sole recipient of the classifier's decision is the attacker. Moreover, in some application domains and scenarios it is highly actionable to detect the attack irrespective of correctly classifying in the face of it (with classification still performed if no attack is detected). We hypothesize that, even if humanimperceptible, adversarial perturbations are machine-detectable. We propose a purely unsupervised anomaly detector (AD) that, unlike previous works: i) models the joint density of a deep layer using highly suitable null hypothesis density models (matched in particular to the nonnegative support for RELU layers); ii) exploits multiple DNN layers; iii) leverages a "source" and "destination" class concept, source class uncertainty, the class confusion matrix, and DNN weight information in constructing a novel decision statistic grounded in the Kullback-Leibler divergence. Tested on MNIST and CIFAR-10 image databases under three prominent attack strategies, our approach outperforms previous detection methods, achieving strong ROC AUC detection accuracy on two attacks and better accuracy than recently reported for a variety of methods on the strongest (CW) attack. We also evaluate a fully white box attack on our system. Finally, we evaluate other important measures such as classification accuracy versus detection rate and multiple performance measures versus attack strength.1. Layer and Null Model Choices: [16] chose l = L − 1, the penultimate layer of the DNN,