Adversarial attacks on text classification models using layer‐wise relevance propagation

Bayesian estimation of parameters in the Dirichlet mixture process of the Beta-Liouville distribution (i.e., the infinite Beta-Liouville mixture model) has recently gained considerable attention due to its modeling capability for proportional data. However, applying the conventional variational inference (VI) framework cannot derive an analytically tractable solution since the variational objective function cannot be explicitly calculated. In this paper, we adopt the recently proposed extended VI framework to derive the closed-form solution by further lower bounding the original variational objective function in the VI framework. This method is capable of simultaneously determining the model's complexity and estimating the model's parameters. Moreover, due to the nature of Bayesian nonparametric

Section: Resultsmentioning

confidence: 99%

Section: Text Categorizationmentioning

confidence: 99%

Extended variational inference for Dirichlet process mixture of Beta‐Liouville distributions for proportional data modeling

Lai

Guan

Luo

et al. 2021

“…Prior research shows that ML-based classifiers are vulnerable to evasion attacks, for example. [12][13][14][15][16][17][18][19] Such attacks have been extensively studied in image recognition and malware detection, but little has done in anti-phishing. This is potentially due to the new challenge in this domain: unlike adversarial images which only need to preserve the appearance and adversarial malware which only need to preserve the functionality, adversarial phishing websites have to preserve appearance and functionalities simultaneously, to be more effective for web phishing.…”

Section: Introductionmentioning

confidence: 99%

“…Prior research shows that ML‐based classifiers are vulnerable to evasion attacks, for example 12–19 . Such attacks have been extensively studied in image recognition and malware detection, but little has done in anti‐phishing.…”

Section: Introductionmentioning

confidence: 99%

Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers

Song

Lei

Chen

et al. 2021

Machine learning (ML) based classifiers are vulnerable to evasion attacks, as shown by recent attacks. However, there is a lack of systematic study of evasion attacks on ML‐based anti‐phishing detection. In this study, we show that evasion attacks are not only effective on practical ML‐based classifiers, but can also be efficiently launched without destructing the functionalities and appearance. For this purpose, we propose three mutation‐based attacks, differing in the knowledge of the target classifier, addressing a key technical challenge: automatically crafting an adversarial sample from a known phishing website in a way that can mislead classifiers. To launch attacks in the white‐ and gray‐box scenarios, we also propose a sample‐based collision attack to gain the knowledge of the target classifier. We demonstrate the efficacy of our evasion attacks on the state‐of‐the‐art, Google's phishing page filter, achieved 100% attack success rate in less than one second per website. Moreover, the transferability attack on BitDefender's industrial phishing page classifier, TrafficLight, achieved up to 81.25% attack success rate. We further propose a similarity‐based method to mitigate such evasion attacks, Pelican, which compares the similarity of an unknown website with recently detected phishing websites. We demonstrate that Pelican can effectively detect evasion attacks, hence could be integrated into ML‐based classifiers. We also highlight two strategies of classification rule selection to enhance the robustness of classifiers. Our findings contribute to design more robust phishing website classifiers in practice.

“…1 It has become a fundamental component of many computer vision tasks. However, most CNNs are suscept to adversarial examples [2][3][4] which leads to high-confidence misclassification, resulting from small crafted perturbation to the original image. The effect of adversarial examples testifies that CNNs have serious security issues despite their excellent performance.…”

mentioning

confidence: 99%

A data‐driven adversarial examples recognition framework via adversarial feature genomes

Chen

et al. 2022

Adversarial examples pose many security threats to convolutional neural networks (CNNs). Most defense algorithms prevent these threats by finding differences between the original images and adversarial examples. However, the found differences do not contain features about the classes, so these defense algorithms can only detect adversarial examples without recovering the correct labels. In this regard, we propose the Adversarial Feature Genome (AFG), a novel type of data that contain both the differences and features about classes. This method is inspired by an observed phenomenon, namely, the Adversarial Feature Separability, where the difference between the feature maps of the original images and adversarial examples becomes larger with deeper layers. On top of that, we further develop an adversarial example recognition framework that detects adversarial examples and can recover the correct labels. In the experiments, the detection and classification of adversarial examples by AFGs has an accuracy of more than 90.01% in various attack scenarios. To the best of our knowledge, our method is the first method that focuses on both attack detecting and recovering. AFG gives a new data‐driven perspective to improve the robustness of CNNs.