Security advancements in computer systems have caused adversaries to explore alternative entry points for their attacks. Instead of attacking systems directly, attack vectors initiated through social interaction have increased in popularity [45, 1]. These types of attacks are known to exploit a variety of social influences to deceive victims into performing a harmful action intended by the adversary [22, 12]. Typical defense solutions attempt to detect these attacks using machine learning techniques, and numerous such solutions have reported impressive detection rates. However, the existence of these seemingly effective solutions stands in strong contrast to the high frequency of attacks in real-world settings.
This discrepancy motivated the research of this thesis, which seeks to explore a fundamental property of such defenses, namely their performance against an adaptive adversary. This property is adversarial robustness, and it is fundamentally different from the ability to detect empirical attacks. This stems from the fact that adversarial robustness seeks to reflect the expected performance against attacks that actively attempt to evade detection, which a solution might experience in real-world settings.
In this thesis, I initially set out to explore the adversarial robustness of defenses against a widely established type of deception attack: phishing attacks. In this process, I define a set of axioms for the functional properties of attacks, which serve as a guideline for assessing the detection strategies that influential and recent methods have adopted. Part of this assessment is a demonstration of relatively simple perturbation techniques that emphasize the fragility of the detection solutions. Additionally, it is shown that a detection solution that applies a deep metric model is more vulnerable to known test-time attacks than initially reported. This suggests that deep metric models share a fragility similar to that of traditional classifiers relying on neural network architectures.
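To illustrate what "relatively simple perturbation techniques" can look like in this setting, consider a minimal sketch (not the thesis's actual technique; all names are hypothetical) of a homoglyph substitution: the perturbed URL renders almost identically to a human, while the byte-level features seen by a text-based detector change entirely.

```python
# Illustrative sketch only: a homoglyph perturbation that keeps a URL
# visually similar while altering the characters a feature-based
# phishing detector would observe.
HOMOGLYPHS = {
    "a": "\u0430",  # Cyrillic small a
    "e": "\u0435",  # Cyrillic small ie
    "o": "\u043e",  # Cyrillic small o
    "p": "\u0440",  # Cyrillic small er
    "c": "\u0441",  # Cyrillic small es
}

def perturb_homoglyphs(text: str) -> str:
    """Replace selected Latin characters with visually similar Cyrillic ones."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)

original = "paypal.com"
perturbed = perturb_homoglyphs(original)
print(perturbed)               # renders nearly identically to "paypal.com"
print(original == perturbed)   # False: the underlying bytes differ
```

A detector trained on exact character n-grams of known phishing domains would treat the perturbed string as entirely novel input, which is the kind of failure mode such perturbations expose.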
A prerequisite for the assessment was to establish a dataset for the study of machine learning approaches. This led to the design of a tool for gathering highly detailed information about websites and their interconnected structure of content.
The discovered fragility of deep metric models motivated a formalization of robust optimization for such models. This formalization contributed to the design of a powerful attack algorithm for test-time attacks that accounts for previous uncertainties in sampling method and perturbation target. With the established attack algorithm in place, a proposed robust training objective enhances robustness on datasets commonly used within the field.
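A generic form of such a robust training objective, given here as a sketch rather than the thesis's exact formulation, is the min-max problem familiar from adversarial training, adapted to a metric loss:

```latex
\min_{\theta} \; \mathbb{E}_{(x,y)\sim\mathcal{D}}
  \left[ \max_{\|\delta\|_p \le \epsilon}
  \mathcal{L}_{\mathrm{metric}}\bigl(f_\theta(x+\delta),\, y\bigr) \right]
```

Here \(f_\theta\) is the embedding network, \(\delta\) a norm-bounded test-time perturbation, and \(\mathcal{L}_{\mathrm{metric}}\) a metric-learning loss such as a triplet or contrastive loss; the inner maximization corresponds to the attack algorithm, and the outer minimization to the robust training objective.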
Overall, this research highlights that both influential and recent methods for detecting deception attacks contain relatively simple failure modes when exposed to an adversary that seeks evasion. Improvements to the underlying methods of recent solutions demonstrated that their robustness can be enhanced. However, these results remain empirical; thus, further guarantees and proofs of attainable adversarial robustness are still open problems.