Exploiting Machine Learning to Subvert Your Spam Filter
Blaine Nelson, Marco Barreno, Fuching Jack Chi, Anthony D. Joseph, Benjamin I. P. Rubinstein, Udam Saini, Charles Sutton, J. D. Tygar, Kai Xia
University of California, Berkeley
Slide 1
Exploiting Machine Learning to Subvert Your Spam Filter
Blaine Nelson / Marco Barreno / Fuching Jack Chi / Anthony D. Joseph / Benjamin I. P. Rubinstein / Udam Saini / Charles Sutton / J.D. Tygar / Kai Xia
University of California, Berkeley
April, 2008
Presented by: GyuYoung Lee

Slide 2
Introduction
Do you know?
☞ Spam Filtering System
☞ Machine learning is applied to spam filtering
☞ An adversary can exploit machine learning
    Making the spam filter useless
    The user gives up using the spam filter

Slide 3
Spam Filtering System
Which part is the weakest?
☞ Machine learning
How can we attack?
☞ Poisoning the training set

Slide 4
Poisoning Training Set
False Negative
False Positive

Slide 5
Poisoning Effect
What if the attacker succeeds with a contamination attack?
High false positives ☞ The user loses many legitimate e-mails
High false negatives ☞ The user encounters many spam e-mails
High unsure messages ☞ Many human decisions required; no time saving
▣ Finally, the user gives up using the spam filter

Slide 6
Bayesian Spam Filtering - Concept
Bayesian spam filter
Three classifications
    Spam
    Ham (non-spam)
    Unsure
Score
    The spam filter generates one score for ham and another for spam

Message   Spam score   Ham score
spam      high         low
ham       low          high
unsure    high         high
unsure    low          low

Strength
    ↓ false positives
    ↓ false negatives
Weakness
    ↑ unsures (need human decision)

Slide 7
Bayesian Spam Filtering - Steps
Spamicity of the words included in the e-mail
    Measure each word's spamicity individually
    Combine them
Evaluate the possibility that the e-mail can be spam

Slide 8
Bayesian Spam Filtering - Details
① Measure the spamicity of each word individually

Slide 9
Bayesian Spam Filtering - Steps
② Combine the spamicity of the words

Slide 10
Bayesian Spam Filtering - Steps
③ Evaluate the possibility that the e-mail can be spam
☞ If (Pr > Threshold) then regard the e-mail as spam

Slide 11
Attack Strategies
Traditional attack: modify spam e-mails to evade the spam filter
Attack in this paper: subvert the spam filter so that it drops legitimate e-mails

Slide 12
Attack Styles
Dictionary attack
    Include an entire dictionary ☞ spam score of all tokens
    Legitimate e-mail ☞ marked as spam
Focused attack
    Include only tokens in a particular target e-mail
    Target message ☞ marked as spam

Slide 13
Experiments – dictionary attack
We can find
    1% attack e-mails
    Accuracy falls significantly
    Filter unusable

Slide 14
Experiments – focused attack #1
Probability of guessing
    Guessing p increases
    Attack is more effective
We can find
    Success of the targeted attack depends on prior knowledge

Slide 15
Experiments – focused attack #2
Condition
    Fix guessing p to 0.5
X-axis: number of messages in the attack
Y-axis: % of messages misclassified
We can find
    The target e-mail is quickly blocked by the filter

Slide 16
Defenses – RONI
RONI (Reject on Negative Impact) defense
Idea
    ☞ Measure each e-mail's impact
    ☞ Remove deleterious messages from the training set
Method
    ☞ Measure the effect of each e-mail
    ☞ Test the performance difference with and without that e-mail
Effect
    ☞ Perfectly identifies all dictionary attacks
    ☞ Hard to identify focused attack e-mails

Slide 17
Defenses – dynamic threshold
Dynamic threshold defense
Method
    ☞ Dynamically adjusts the two threshold points
Effect
    ☞ Compared to SpamBayes alone, misclassification is significantly reduced

Slide 18
Conclusion
An adversary can disable the SpamBayes filter
Dictionary attack
    Only 1% control, 36% misclassification
    RONI can defend against it effectively
    Dynamic threshold can mitigate it effectively
Focused attack
    Hard to defend against, depending on the attacker's knowledge
These techniques can be effective
    Similar learning algorithms (e.g., BogoFilter)
    Other learning systems (e.g., worm or intrusion detection)
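
The RONI check from slide 16 (measure performance with and without each e-mail, reject those with a negative impact), as an added example that is not from the slides or the paper. It assumes a toy naive Bayes token classifier in place of SpamBayes, a single training/quiz split, and constructed messages; `train`, `is_spam`, `accuracy` and `roni_filter` are hypothetical names.

```python
import math
from collections import Counter

def train(messages):
    """messages: list of (text, is_spam). Returns per-class token counts and class sizes."""
    counts, totals = {True: Counter(), False: Counter()}, Counter()
    for text, label in messages:
        counts[label].update(set(text.split()))   # count each token once per message
        totals[label] += 1
    return counts, totals

def is_spam(model, text):
    """Toy naive Bayes log-odds with add-one smoothing (an assumption, not SpamBayes' scoring)."""
    counts, totals = model
    score = math.log((totals[True] + 1) / (totals[False] + 1))
    for tok in set(text.split()):
        p_spam = (counts[True][tok] + 1) / (totals[True] + 2)
        p_ham = (counts[False][tok] + 1) / (totals[False] + 2)
        score += math.log(p_spam / p_ham)
    return score > 0

def accuracy(model, quiz):
    """Fraction of quiz messages whose predicted label matches the true label."""
    return sum(is_spam(model, text) == label for text, label in quiz) / len(quiz)

def roni_filter(base, quiz, candidates, tolerance=0.0):
    """Split candidates into (kept, rejected) by their effect on quiz accuracy."""
    baseline = accuracy(train(base), quiz)
    kept, rejected = [], []
    for cand in candidates:
        # Retrain with this one candidate added and compare against the baseline.
        impact = accuracy(train(base + [cand]), quiz) - baseline
        (rejected if impact < -tolerance else kept).append(cand)
    return kept, rejected

# Constructed sample data (not from the paper or the slides).
BASE = [("meeting agenda budget report", False), ("lunch project deadline team", False),
        ("cheap pills offer", True), ("win prize money offer", True)]
QUIZ = [("budget meeting invoice", False), ("project deadline schedule", False),
        ("cheap prize offer", True), ("win money pills", True)]
ORDINARY_SPAM = ("cheap money offer today", True)
# Dictionary-style message: broad legitimate vocabulary, arriving in the spam training set.
DICTIONARY_MSG = ("meeting agenda budget report lunch project deadline team "
                  "invoice schedule cheap offer", True)

if __name__ == "__main__":
    kept, rejected = roni_filter(BASE, QUIZ, [ORDINARY_SPAM, DICTIONARY_MSG])
    print("kept:", kept)
    print("rejected:", rejected)
```

The ordinary spam leaves quiz accuracy unchanged and is kept, while the dictionary-style message pushes both quiz ham messages over to spam and is rejected. As slide 16 notes, focused attack e-mails are hard to identify with this kind of check.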