Article

A Multiple Instance Learning Strategy for Combating Good Word Attacks on Spam Filters.

Journal of Machine Learning Research (Impact Factor: 2.47). 06/2008; 9:1115-1146. DOI: 10.1145/1390681.1390719
Source: DBLP

ABSTRACT

Statistical spam filters are known to be vulnerable to adversarial attacks. One of the more common adversarial attacks, known as the good word attack, thwarts spam filters by appending to spam messages sets of "good" words, which are words that are common in legitimate email but rare in spam. We present a counterattack strategy that attempts to differentiate spam from legitimate email in the input space by transforming each email into a bag of multiple segments, and subsequently applying multiple instance logistic regression on the bags. We treat each segment in the bag as an instance. An email is classified as spam if at least one instance in the corresponding bag is spam, and as legitimate if all the instances in it are legitimate. We show that a classifier using our multiple instance counterattack strategy is more robust to good word attacks than its single instance counterpart and other single instance learners commonly used in the spam filtering domain.

Full-text preview

Available from: mit.edu
  • Source
    • "According to the aforementioned taxonomy, the evasion attack considered in this paper can be regarded as an exploratory integrity attack, in which malicious test samples are manipulated to evade detection by a classifier trained on untainted data. This is indeed one of the most common attacks in security-related tasks like spam filtering [5], [23], [24], network intrusion detection [25], and biometric recognition [1], [2]. Optimal evasion has been formulated according to slightly different optimization problems [11], [12], [16], [19], [41], [42]. "
    [Show abstract] [Hide abstract]
    ABSTRACT: Pattern recognition and machine learning techniques have been increasingly adopted in adversarial settings such as spam, intrusion, and malware detection, although their security against well-crafted attacks that aim to evade detection by manipulating data at test time has not yet been thoroughly assessed. While previous work has been mainly focused on devising adversary-aware classification algorithms to counter evasion attempts, only few authors have considered the impact of using reduced feature sets on classifier security against the same attacks. An interesting, preliminary result is that classifier security to evasion may be even worsened by the application of feature selection. In this paper, we provide a more detailed investigation of this aspect, shedding some light on the security properties of feature selection against evasion attacks. Inspired by previous work on adversary-aware classifiers, we propose a novel adversary-aware feature selection model that can improve classifier security against evasion attacks, by incorporating specific assumptions on the adversary's data manipulation strategy. We focus on an efficient, wrapper-based implementation of our approach, and experimentally validate its soundness on different application examples, including spam and malware detection.
    Full-text · Article · Apr 2015
  • Source
    • "However, such words have been strategically injected into spam messages to avoid spam filters. To defend against this type of attack, each email is transformed into a bag of multiple segments and multiple instance logistic regression is then applied on the bags [10]. "
    [Show abstract] [Hide abstract]
    ABSTRACT: Machine learning has become a prominent tool in various domains owing to its adaptability. However, this adaptability can be taken advantage of by an adversary to cause dysfunction of machine learning; a process known as Adversarial Learning. This paper investigates Adversarial Learning in the context of artificial neural networks. The aim is to test the hypothesis that an ensemble of neural networks trained on the same data manipulated by an adversary would be more robust than a single network. We investigate two attack types: targeted and random. We use Mahalanobis distance and covariance matrices to selected targeted attacks. The experiments use both artificial and UCI datasets. The results demonstrate that an ensemble of neural networks trained on attacked data are more robust against the attack than a single network. While many papers have demonstrated that an ensemble of neural networks is more robust against noise than a single network, the significance of the current work lies in the fact that targeted attacks are not white noise.
    Full-text · Conference Paper · Aug 2010
  • Source
    • "It was concluded that the proposed approach is very efficient, almost three orders of magnitude faster than SVM, effective and more robust to concept drift and unbalanced data. Jorgensen, Zhou, and Inge (2008) formulated a multiple instance learning approach for dealing with good word attacks, characterized by the inclusion in a Spam message of words that are typical of legitimate messages. An example is represented by a set of instances, and is classified depending on the classification of each instance, with four methods for generating the instances being proposed. "
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper, we present a comprehensive review of recent developments in the application of machine learning algorithms to Spam filtering, focusing on both textual- and image-based approaches. Instead of considering Spam filtering as a standard classification problem, we highlight the importance of considering specific characteristics of the problem, especially concept drift, in designing new filters. Two particularly important aspects not widely recognized in the literature are discussed: the difficulties in updating a classifier based on the bag-of-words representation and a major difference between two early naive Bayes models. Overall, we conclude that while important advancements have been made in the last years, several aspects remain to be explored, especially under more realistic evaluation settings.
    Full-text · Article · Sep 2009 · Expert Systems with Applications
Show more