Feature Importance Guided Attack: A Model Agnostic Adversarial Attack

Gressel, Gilad; Hegde, Niranjan; Sreekumar, Archana; Darling, Michael

doi:10.48550/arxiv.2106.14815

Cited by 2 publications

(4 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The reason is simple: ours is more likely to occur, because 'phishers' with complete knowledge of the entire ML-PWD are extremely unlikely. Furthermore, extensive adversarial ML literature [21] has ably demonstrated that white-box attacks can break most systemsincluding ML-PWD (e.g., [8,36,59,81]).…”

Section: Security Analysismentioning

confidence: 99%

“…Unfortunately, most publicly available datasets do not allow similar procedures. A viable alternative is composing ad-hoc dataset through public feeds as done, e.g., by [36] and [77] (the latter only for URL-based ML-PWD). All these papers, however, do not release the actual dataset, preventing reproducibility and hence introducing experimental bias.…”

Section: Related Workmentioning

confidence: 99%

“…§4). Indeed, past threat models portray black-box attackers who can freely inspect the output-space and query the ML-PWD (e.g., [10,57,77]); or whitebox attackers who perfectly know the target ML model M, such as its configuration, its training data D, or the feature importance (e.g., [8,36,59]). The only papers considering attackers that are closer to our threat model are [55,67] and [8].…”

Section: Related Workmentioning

confidence: 99%

“…Yet, as shown by Liang et al [57], even such ML-PWD can be "cracked" by oblivious attackers-if they invest enough effort to reverse engineer the entire ML-PWD. Indeed, we address ML-PWD because prior work (e.g., [20,36,55,79]) assumed threat models that hardly resemble a real scenario. Phishing, by nature, is meant to be cheap [50] and most attempts end up in failure [66].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Conti

2022

Proceedings of the 38th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model, or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual cost of the attack or the defense. Moreover, adversarial samples are often crafted in the "feature-space", making the corresponding evaluations of questionable value. Simply put, the current situation does not allow to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems.We aim to clarify such confusion in this paper. By considering the application of ML for Phishing Website Detection (PWD), we formalize the "evasion-space" in which an adversarial perturbation can be introduced to fool a ML-PWD-demonstrating that even perturbations in the "feature-space" are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. Finally, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces. Our realistic evasion attempts induce a statistically significant degradation (3-10% at 𝑝 <0.05), and their cheap cost makes them a subtle threat. Notably, however, some ML-PWD are immune to our most realistic attacks (𝑝=0.22). Our contribution paves the way for a much needed re-assessment of adversarial attacks against ML systems for cybersecurity.

show abstract

Section: Security Analysismentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Conti

2022

Proceedings of the 38th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

Biathlon: Harnessing Model Resilience for Accelerating ML Inference Pipelines

Chang,

Lo,

2024

Proc. VLDB Endow.

View full text Add to dashboard Cite

Machine learning inference pipelines commonly encountered in data science and industries often require real-time responsiveness due to their user-facing nature. However, meeting this requirement becomes particularly challenging when certain input features require aggregating a large volume of data online. Recent literature on interpretable machine learning reveals that most machine learning models exhibit a notable degree of resilience to variations in input. This suggests that machine learning models can effectively accommodate approximate input features with minimal discernible impact on accuracy. In this paper, we introduce Biathlon, a novel ML serving system that leverages the inherent resilience of models and determines the optimal degree of approximation for each aggregation feature. This approach enables maximum speedup while ensuring a guaranteed bound on accuracy loss. We evaluate Biathlon on real pipelines from both industry applications and data science competitions, demonstrating its ability to meet real-time latency requirements by achieving 5.3× to 16.6× speedup with almost no accuracy loss.

show abstract

Feature Importance Guided Attack: A Model Agnostic Adversarial Attack

Cited by 2 publications

References 34 publications

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

SpacePhish: The Evasion-space of Adversarial Attacks against Phishing Website Detectors using Machine Learning

Biathlon: Harnessing Model Resilience for Accelerating ML Inference Pipelines

Contact Info

Product

Resources

About