CR, CV, LG | Mar 7, 2021

Universal Adversarial Perturbations and Image Spam Classifiers

arXiv:2103.05469v1 | 1 citations
Originality: Incremental advance
AI Analysis

This work addresses the security of image spam detection systems, which is crucial for email filtering, but it is incremental as it builds on existing adversarial techniques.

The authors tackled the problem of evading deep learning-based image spam classifiers by developing a new adversarial attack that combines universal perturbations with natural features, achieving superior performance in reducing classifier accuracy, computation time, and perturbation distance compared to existing methods.

As the name suggests, image spam is spam email that has been embedded in an image. Image spam was developed in an effort to evade text-based filters. Modern deep learning-based classifiers perform well in detecting typical image spam that is seen in the wild. In this chapter, we evaluate numerous adversarial techniques for the purpose of attacking deep learning-based image spam classifiers. Of the techniques tested, we find that universal perturbation performs best. Using universal adversarial perturbations, we propose and analyze a new transformation-based adversarial attack that enables us to create tailored "natural perturbations" in image spam. The resulting spam images benefit from both the presence of concentrated natural features and a universal adversarial perturbation. We show that the proposed technique outperforms existing adversarial attacks in terms of accuracy reduction, computation time per example, and perturbation distance. We apply our technique to create a dataset of adversarial spam images, which can serve as a challenge dataset for future research in image spam detection.
