
(e.g., [16, 35]). As a result, recent reports [38, 57] focusing on the integration of ML in practice reveal that: “I Never Thought About Securing My Machine Learning Systems” [26]. This is not surprising: if ML can be so easily broken, then why invest resources in increasing its security through –unreliable– defenses?
Sovereign entities (e.g., [3, 4]) are endorsing the development of “trustworthy” ML systems; yet, any enhancement should be economically justified. No system is foolproof (ML-based or not [29]), and guaranteeing protection against omnipotent attackers is an enticing but unattainable objective. In our case, a security system should increase the cost incurred by an attacker to achieve their goal [66]. Real attackers have a cost/benefit mindset [99]: they may try to evade a detector, but only if doing so yields positive returns. In reality, worst-case scenarios are an exception—not the norm.
Our paper is inspired by several recent works that pointed out some ‘inconsistencies’ in the adversarial attacks carried out by prior studies. Pierazzi et al. [78] observe that real attackers operate in the “problem-space”, i.e., the perturbations they can introduce are subject to physical constraints. If such constraints are not met, and hence the perturbation is introduced in the “feature-space” (e.g., [68]), then there is a risk of generating an adversarial example that is not physically realizable [92]. Apruzzese et al. [14], however, highlight that even ‘impossible’ perturbations can be applied, but only if the attacker has internal access to the data-processing pipeline of the target system. Nonetheless, Biggio and Roli suggest that ML security should focus on “anticipating the most likely threats” [24]. Only after proactively assessing the impact of such threats can a suitable countermeasure be developed—if required.
We aim to promote the development of secure ML systems. However, meeting Biggio and Roli’s recommendation presents two tough challenges for research papers. First, it is necessary to devise a realistic threat model which portrays adversarial attacks that are not only physically realizable, but also economically viable. Devising such a threat model, however, requires a detailed security analysis of the specific cyberthreat addressed by the detector—while factoring in the resources that attackers are willing to invest. Second, it is necessary to evaluate the impact of the attack by crafting the corresponding perturbations. Doing so is difficult if the threat model assumes an attacker operating in the problem-space, because such perturbations must be applied on raw data, i.e., before any preprocessing occurs—and such raw data is hard to find.
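To make the distinction concrete, the sketch below contrasts the two settings for a toy ML-PWD. The feature set, the extract_features helper, and the example URLs are hypothetical and serve only as an illustration; they are not the pipeline evaluated in this paper.

```python
from urllib.parse import urlparse

def extract_features(url: str, html: str) -> dict:
    """Toy preprocessing: map raw data (URL + HTML) to a feature vector."""
    hostname = urlparse(url).hostname or ""
    return {
        "url_length": len(url),
        "host_is_ip": hostname.replace(".", "").isdigit(),
        "num_anchors": html.count("<a "),
        "has_form": "<form" in html.lower(),
    }

raw_url = "http://31.3.3.7/login"
raw_html = "<html><form action='harvest.php'>...</form></html>"

# Problem-space perturbation: the attacker changes the raw website itself
# (here, serving it from a registered domain instead of a bare IP); the
# feature values change only as a consequence of the preprocessing pipeline.
evasive_url = "http://secure-login.example.com/login"
problem_space = extract_features(evasive_url, raw_html)

# Feature-space perturbation: the attacker flips a feature value directly,
# which presupposes internal access to the data-processing pipeline and may
# yield a sample that cannot be realized as an actual webpage.
feature_space = extract_features(raw_url, raw_html)
feature_space["host_is_ip"] = False  # direct manipulation of the feature

print(problem_space)
print(feature_space)
```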
In this paper, we tackle both of these challenges. In particular, we focus on ML systems for Phishing Website Detection (PWD). Countering phishing – still a major threat today [8, 53] – is an endless struggle. Blocklists can be easily evaded [91], and to cope with adaptive attackers some detectors are equipped with ML (e.g., [90]). Yet, as shown by Liang et al. [61], even such ML-PWD can be “cracked” by oblivious attackers—if they invest enough effort to reverse engineer the entire ML-PWD. Indeed, we address ML-PWD because prior work (e.g., [23, 40, 59, 85]) assumed threat models that hardly resemble a real scenario. Phishing, by nature, is meant to be cheap [54] and most attempts end up in failure [71]. It is unlikely¹ that a phisher invests many resources just to evade an ML-PWD: even if a website is not detected, the user may be ‘hooked’, but is not ‘phished’ yet. As a result, the state-of-the-art on adversarial ML for PWD is immature—from a pragmatic perspective.
Contribution and Organization. Let us explain how we aim to spearhead the security enhancements to ML-PWD. We begin by introducing the fundamental concepts (PWD, ML, and adversarial ML) at the base of our paper in §2, which also serves as a motivation. Then, we make the following four contributions.
• We formalize the evasion-space of adversarial attacks against ML-PWD (§3), rooted in exhaustive analyses of a generic ML-PWD. Such evasion-space explains ‘where’ a perturbation can be introduced to fool an ML-PWD. Our formalization highlights that even adversarial samples created by direct feature manipulation can be realistic, validating all the attacks performed by past work.
¹It is unlikely, but not impossible. Hence, as recommended by Arp et al. [20], it is positive that such cases have also been studied by prior work.