Universal Adversarial Perturbations and Image Spam Classifiers

TL;DR

This paper evaluates adversarial attack techniques on deep learning-based image spam classifiers, finding universal perturbations most effective, and introduces a new natural perturbation method that enhances attack success and efficiency.

Contribution

It introduces a novel transformation-based adversarial attack combining natural features with universal perturbations for improved image spam evasion.

Findings

Universal perturbations outperform other methods in attack success.

The proposed method reduces detection accuracy more effectively.

The technique is faster and produces less perceptible perturbations.

Abstract

As the name suggests, image spam is spam email that has been embedded in an image. Image spam was developed in an effort to evade text-based filters. Modern deep learning-based classifiers perform well in detecting typical image spam that is seen in the wild. In this chapter, we evaluate numerous adversarial techniques for the purpose of attacking deep learning-based image spam classifiers. Of the techniques tested, we find that universal perturbation performs best. Using universal adversarial perturbations, we propose and analyze a new transformation-based adversarial attack that enables us to create tailored "natural perturbations" in image spam. The resulting spam images benefit from both the presence of concentrated natural features and a universal adversarial perturbation. We show that the proposed technique outperforms existing adversarial attacks in terms of accuracy reduction, computation time per example, and perturbation distance. We apply our technique to create a dataset of adversarial spam images, which can serve as a challenge dataset for future research in image spam detection.