An efficient framework for generating robust adversarial examples

Machine learning (ML) based classifiers are vulnerable to evasion attacks, as shown by recent attacks. However, there is a lack of systematic study of evasion attacks on ML‐based anti‐phishing detection. In this study, we show that evasion attacks are not only effective on practical ML‐based classifiers, but can also be efficiently launched without destructing the functionalities and appearance. For this purpose, we propose three mutation‐based attacks, differing in the knowledge of the target classifier, addressing a key technical challenge: automatically crafting an adversarial sample from a known phishing website in a way that can mislead classifiers. To launch attacks in the white‐ and gray‐box scenarios, we also propose a sample‐based collision attack to gain the knowledge of the target classifier. We demonstrate the efficacy of our evasion attacks on the state‐of‐the‐art, Google's phishing page filter, achieved 100% attack success rate in less than one second per website. Moreover, the transferability attack on BitDefender's industrial phishing page classifier, TrafficLight, achieved up to 81.25% attack success rate. We further propose a similarity‐based method to mitigate such evasion attacks, Pelican, which compares the similarity of an unknown website with recently detected phishing websites. We demonstrate that Pelican can effectively detect evasion attacks, hence could be integrated into ML‐based classifiers. We also highlight two strategies of classification rule selection to enhance the robustness of classifiers. Our findings contribute to design more robust phishing website classifiers in practice.

Section: Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers

Song

Lei

Chen

et al. 2021

“…Different from traditional media, the supervision of massive digital media contents demands efficient deep neural networks (DNNs). [7][8][9][10][11][12] However, a large number of existing works show that DNNs are surprisingly vulnerable to adversarial examples, [13][14][15] resulting in security risks. For example, as shown in Figure 1, by intentionally adding humanimperceptible perturbations on illegal or sensitive images, they can fool state-of-the-art supervision models with erroneous predictions, which leads to negative impacts on information security in media convergence.…”

Section: Introductionmentioning

confidence: 99%

Attention‐guided transformation‐invariant attack for black‐box adversarial examples

Zhu

Dai

et al. 2022

With the development of media convergence, information acquisition is no longer limited to traditional media, such as newspapers and televisions, but more from digital media on the Internet, where media contents should be under supervision by platforms. At present, the media content analysis technology of Internet platforms relies on deep neural networks (DNNs). However, DNNs show vulnerability to adversarial examples, which results in security risks. Therefore, it is necessary to adequately study the internal mechanism of adversarial examples to build more effective supervision models. When coming to practical applications, supervision models are mostly faced with black‐box attacks, where cross‐model transferability of adversarial examples has attracted increasing attention. In this paper, to improve the transferability of adversarial examples, we propose an attention‐guided transformation‐invariant adversarial attack method, which incorporates an attention mechanism to disrupt the most distinctive features and simultaneously ensures adversarial attack invariance under different transformations. Specifically, we dynamically weight the latent features according to an attention mechanism and disrupt them accordingly. Meanwhile, considering the lack of semantics in low‐level features, high‐level semantics are introduced as spatial guidance to make low‐level feature perturbations concentrate on the most discriminative regions. Moreover, since the attention heatmaps may vary significantly across different models, a transformation‐invariant aggregated attack strategy is proposed to alleviate overfitting to the proxy model attention. Comprehensive experimental results show that the proposed method can significantly improve the transferability of adversarial examples.

“…However, these strategies either reduce the generalizability of the model or are not effective over some adversarial examples. Complete defense methods do not explicitly detect adversarial examples; as a result, they remain vulnerable to stronger attacks 12,13 . For another type of defense algorithm, detection only 14–16 uses the differences between adversarial examples and the original images to detect potential adversarial examples and reject their further processing.…”

Section: Introductionmentioning

confidence: 99%

A data‐driven adversarial examples recognition framework via adversarial feature genomes

Chen

et al. 2022

Adversarial examples pose many security threats to convolutional neural networks (CNNs). Most defense algorithms prevent these threats by finding differences between the original images and adversarial examples. However, the found differences do not contain features about the classes, so these defense algorithms can only detect adversarial examples without recovering the correct labels. In this regard, we propose the Adversarial Feature Genome (AFG), a novel type of data that contain both the differences and features about classes. This method is inspired by an observed phenomenon, namely, the Adversarial Feature Separability, where the difference between the feature maps of the original images and adversarial examples becomes larger with deeper layers. On top of that, we further develop an adversarial example recognition framework that detects adversarial examples and can recover the correct labels. In the experiments, the detection and classification of adversarial examples by AFGs has an accuracy of more than 90.01% in various attack scenarios. To the best of our knowledge, our method is the first method that focuses on both attack detecting and recovering. AFG gives a new data‐driven perspective to improve the robustness of CNNs.