TY - GEN
T1 - SpacePhish
T2 - 38th Annual Computer Security Applications Conference, ACSAC 2022
AU - Apruzzese, Giovanni
AU - Conti, Mauro
AU - Yuan, Ying
PY - 2022
Y1 - 2022
N2 - Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model, or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual cost of the attack or the defense. Moreover, adversarial samples are often crafted in the "feature-space", making the corresponding evaluations of questionable value. Simply put, the current situation does not allow to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems. We aim to clarify such confusion in this paper. By considering the application of ML for Phishing Website Detection (PWD), we formalize the "evasion-space" in which an adversarial perturbation can be introduced to fool a ML-PWD, demonstrating that even perturbations in the "feature-space" are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. Finally, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces. Our realistic evasion attempts induce a statistically significant degradation (3-10% at p < 0.05), and their cheap cost makes them a subtle threat. Notably, however, some ML-PWD are immune to our most realistic attacks (p=0.22). Our contribution paves the way for a much needed re-assessment of adversarial attacks against ML systems for cybersecurity.
AB - Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model, or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual cost of the attack or the defense. Moreover, adversarial samples are often crafted in the "feature-space", making the corresponding evaluations of questionable value. Simply put, the current situation does not allow to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems. We aim to clarify such confusion in this paper. By considering the application of ML for Phishing Website Detection (PWD), we formalize the "evasion-space" in which an adversarial perturbation can be introduced to fool a ML-PWD, demonstrating that even perturbations in the "feature-space" are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. Finally, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces. Our realistic evasion attempts induce a statistically significant degradation (3-10% at p < 0.05), and their cheap cost makes them a subtle threat. Notably, however, some ML-PWD are immune to our most realistic attacks (p=0.22). Our contribution paves the way for a much needed re-assessment of adversarial attacks against ML systems for cybersecurity.
KW - Adversarial Attacks
KW - Machine Learning
KW - Phishing
KW - Website
UR - http://www.scopus.com/inward/record.url?scp=85144043755&partnerID=8YFLogxK
U2 - 10.1145/3564625.3567980
DO - 10.1145/3564625.3567980
M3 - Conference contribution
AN - SCOPUS:85144043755
T3 - ACM International Conference Proceeding Series
SP - 171
EP - 185
BT - Proceedings - 38th Annual Computer Security Applications Conference, ACSAC 2022
PB - ACM
Y2 - 5 December 2022 through 9 December 2022
ER -