Presentation is loading. Please wait.

Presentation is loading. Please wait.

Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security.

Published byGeorgina Fitzgerald Modified over 8 years ago

Similar presentations

Presentation on theme: "Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security."— Presentation transcript:

1 Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security 2014 Fall 2014 Presenter: Kun Sun, Ph.D. Most slides are borrowed from http://www.cs.ucsb.edu/~gangw/usenix_2014.pptx

2 Outline  Motivation  Detection of Crowdturfing  Adversarial Machine Learning Attacks  Conclusion 2

3 Machine Learning for Security  Machine learning (ML) to solve security problems  Email spam detection  Intrusion/malware detection  Authentication  Identifying fraudulent accounts (Sybils) and content  Example: ML for Sybil detection in social networks 3 Training Classifier Known samples Unknown Accounts

4 Adversarial Machine Learning  Key vulnerabilities of machine learning systems  ML models derived from fixed datasets  Assuming similar distribution of training and real-world data  Strong adversaries in ML systems  Aware of usage, reverse engineering ML systems  Adaptive evasion, temper with the trained model  Practical adversarial attacks  What are the practical constrains for adversaries?  With constrains, how effective are adversarial attacks? 4

5 Context: Malicious Crowdsourcing  Astroturfing: using fake names to post positive/negative reviews of your own products online. (unlawful in US, any circumvention?)  New threat: malicious crowdsourcing = crowdturfing  Hiring a large army of real users for malicious attacks  Fake customer reviews, rumors, targeted spam  Most existing defenses fail against real users (CAPTCHA) 5

6 Online Crowdturfing Systems  Online crowdturfing systems (services)  Connect customers with online users willing to spam for money  Sites located across the globe, e.g. China, US, India  Crowdturfing in China  Largest crowdturfing sites: ZhuBaJie (ZBJ) and SanDaHa (SDH)  Million-dollar industry, tens of millions of tasks finished 6 Customer Crowd workers … Crowdturfing site Target Network

7 Machine Learning vs. Crowdturfing Machine learning to detect crowdturfing workers  Simple methods usually fail (e.g. CAPTCHA, rate limit)  Machine learning: more sophisticated modeling on user behaviors  “You are how you click” [USENIX’13] Perfect context to study adversarial machine learning 1. Highly adaptive workers seeking evasion 2. Crowdturfing site admins tamper with training data by changing all worker behaviors 7

8 Goals and Questions  Our goals  Develop defense against crowdturfing on Weibo (Chinese Twitter)  Understand the impact of adversarial countermeasures and the robustness of machine learning classifiers  Key questions  What ML algorithms can accurately detect crowdturfing workers?  What are possible ways for adversaries to evade classifiers?  Can adversaries attack ML models by tampering with training data? 8

9 Outline  Motivation  Detection of Crowdturfing  Adversarial Machine Learning Attacks  Conclusion 9

10 Methodology  Detect crowdturf workers on Weibo  Adversarial machine learning attacks  Evasion Attack: workers evade classifiers  Poisoning Attack: crowdturfing admins tamper with training data 10 Classifier Training Data Training (e.g. SVM) Poison Attack Evasion Attack

11 Ground-truth Dataset  Crowdturfing campaigns targeting Weibo  Two largest crowdturfing sites ZBJ and SDH  Complete historical transaction records for 3 years (2009-2013)  20,416 Weibo campaigns: > 1M tasks, 28,947 Weibo accounts  Collect Weibo profiles and their latest tweets  Workers: 28K Weibo accounts used by ZBJ and SDH workers  Baseline users: snowball sampled 371K baseline users 11

12 Features to Detect Crowd-workers  Search for behavioral features to detect workers  Observations  Aged, well established accounts  Balanced follower-followee ratio  Using cover traffic  Final set of useful features: 35  Baseline profile fields (9)  User interaction (comment, retweet) (8)  Tweeting device and client (5)  Burstiness of tweeting (12)  Periodical patterns (1) 12 Task-driven nature Active at posting but have less bidirectional interactions

13 Performance of Classifiers  Building classifiers on ground-truth data  Random Forests (RF)  Decision Tree (J48)  SVM radius kernel (SVMr)  SVM polynomial (SVMp)  Naïve Bayes (NB)  Bayes Network (BN)  Classifiers dedicated to detect “professional” workers  Workers who performed > 100 tasks  Responsible for 90% of total spam  More accurate to detect the professionals  99% accuracy 13 Random Forests: 95% accuracy

14 Outline  Motivation  Detection of Crowdturfing  Adversarial Machine Learning Attacks  Evasion attack  Poisoning attack  Conclusion 14

15 15 Classifier Training Data Training (e.g. SVM) Evasion Attack Detection Model Training Evasion Attack

16 Attack #1: Adversarial Evasion  Individual workers as adversaries  Workers seek to evade a classifier by mimicking normal users  Identify the key set of features to modify for evasion  Attack strategy depends on worker’s knowledge on classifier  Learning algorithm, feature space, training data  What knowledge is practically available? How does different knowledge level impact workers’ evasion? 16

17 A Set of Evasion Models  Optimal evasion scenarios  Per-worker optimal: Each worker has perfect knowledge about the classifier  Global optimal: knows the direction of the boundary  Feature-aware evasion: knows feature ranking  Practical evasion scenario  Only knows normal users statistics  Estimate which of their features are most “abnormal” 17 ? ? ? ? Practical Optimal Classification boundary

18 Evasion Attack Results  Evasion is highly effective with perfect knowledge, but less effective in practice  Most classifiers are vulnerable to evasion  Random Forests are slightly more robust (J48 Tree the worst) 18 99% workers succeed with 5 feature changes Optimal Attack Practical Attack No single classifier is robust against evasion. The key is to limit adversaries’ knowledge Need to alter 20 features

19 19 Classifier Training Data Training (e.g. SVM) Poison Attack Detection Model Training Poison Attack

20 Attack #2: Poisoning Attack  Crowdturfing site admins as adversaries  Highly motivated to protect their workers, centrally control workers  Tamper with the training data to manipulate model training  Two practical poisoning methods  Inject mislabeled samples to training data  wrong classifier  Alter worker behaviors uniformly by enforcing system policies  harder to train accurate classifiers 20 Injection Attack Inject normal accounts, but labeled as worker Wrong model, false positives! Altering Attack Difficult to classify!

21 Injecting Poison Samples  Injecting benign accounts as “workers” into training data  Aim to trigger false positives during detection 21 J48-Tree is more vulnerable than others Poisoning attack is highly effective More accurate classifier can be more vulnerable 10% of poison samples  boost false positives by 5%

22 Discussion  Key observations  Accurate machine learning classifiers can be highly vulnerable  No single classifier excels in all attack scenarios, Random Forests and SVM are more robust than Decision Tree.  Adversarial attack impact highly depends on adversaries’ knowledge  Moving forward: improve robustness of ML classifiers  Multiple classifiers in one detector (ensemble learning)  Adversarial analysis in unsupervised learning 22

23 Questions? 23

Download ppt "Man vs. Machine: Adversarial Detection of Malicious Crowdsourcing Workers Gang Wang, Tianyi Wang, Haitao Zheng, Ben Y. Zhao, UC Santa Barbara, Usenix Security."

Similar presentations

Foundations of Adversarial Learning Daniel Lowd, University of Washington Christopher Meek, Microsoft Research Pedro Domingos, University of Washington.

Foundations of Adversarial Learning Daniel Lowd, University of Washington Christopher Meek, Microsoft Research Pedro Domingos, University of Washington.
Fighting Fire With Fire: Crowdsourcing Security Solutions on the Social Web Christo Wilson Northeastern University

Fighting Fire With Fire: Crowdsourcing Security Solutions on the Social Web Christo Wilson Northeastern University
On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.

On the Hardness of Evading Combinations of Linear Classifiers Daniel Lowd University of Oregon Joint work with David Stevens.
SDP-MARCH-Talk 恶意任务检测 姚大海 2013/11/24. papers Characterizing and Detecting Malicious Crowdsourcing Detecting Deceptive Opinion Spam Using Human Computation.

SDP-MARCH-Talk 恶意任务检测 姚大海 2013/11/24. papers Characterizing and Detecting Malicious Crowdsourcing Detecting Deceptive Opinion Spam Using Human Computation.
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Asking Questions on the Internet

Asking Questions on the Internet
You Are How You Click Clickstream Analysis for Sybil Detection Gang Wang, Tristan Konolige, Christo Wilson †, Xiao Wang ‡ Haitao Zheng and Ben Y. Zhao.

You Are How You Click Clickstream Analysis for Sybil Detection Gang Wang, Tristan Konolige, Christo Wilson †, Xiao Wang ‡ Haitao Zheng and Ben Y. Zhao.
Lesson learnt from the UCSD datamining contest Richard Sia 2008/10/10.

Lesson learnt from the UCSD datamining contest Richard Sia 2008/10/10.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Fighting Fire With Fire: Crowdsourcing Security Threats and Solutions on the Social Web Gang Wang, Christo Wilson, Manish Mohanlal, Ben Y. Zhao Computer.

Fighting Fire With Fire: Crowdsourcing Security Threats and Solutions on the Social Web Gang Wang, Christo Wilson, Manish Mohanlal, Ben Y. Zhao Computer.
Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber

Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber
Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.

Combining Supervised and Unsupervised Learning for Zero-Day Malware Detection © 2013 Narus, Inc. Prakash Comar 1 Lei Liu 1 Sabyasachi (Saby) Saha 2 Pang-Ning.
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
Intrusion Detection Jie Lin. Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion.

Intrusion Detection Jie Lin. Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion.
Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.

Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.
Gang Wang, Christo Wilson, Xiaohan Zhao, Yibo Zhu, Manish Mohanlal, Haitao Zheng and Ben Y. Zhao Computer Science Department, UC Santa Barbara Serf and.

Gang Wang, Christo Wilson, Xiaohan Zhao, Yibo Zhu, Manish Mohanlal, Haitao Zheng and Ben Y. Zhao Computer Science Department, UC Santa Barbara Serf and.
Cost-Sensitive Bayesian Network algorithm Introduction: Machine learning algorithms are becoming an increasingly important area for research and application.

Cost-Sensitive Bayesian Network algorithm Introduction: Machine learning algorithms are becoming an increasingly important area for research and application.
1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.

1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.
Machine Learning1 Machine Learning: Summary Greg Grudic CSCI-4830.

Machine Learning1 Machine Learning: Summary Greg Grudic CSCI-4830.
Security Evaluation of Pattern Classifiers under Attack.

Security Evaluation of Pattern Classifiers under Attack.

Similar presentations

Ads by Google