Adversarial attacks on SMS spam detectors
Note: The methodology behind the approach discussed in this post stems from a collaborative publication between myself and Irene Anthi.
INTRODUCTION
Spam SMS text messages often show up unexpectedly on our phone screens. That’s aggravating enough, but it gets worse. Whoever is sending you a spam text message is usually trying to defraud you. Most spam text messages don’t come from another phone. They often originate from a computer and are delivered to your phone via an email address or an instant messaging account.
There exist several security mechanisms for automatically detecting whether an email or an SMS message is spam. These approaches often rely on machine learning. However, the introduction of such systems may also make them subject to attacks.
The act of deploying attacks against machine learning based systems is known as Adversarial Machine Learning (AML). The aim is to exploit the weaknesses of the pre-trained model, which may have “blind spots” between the data points it has seen during training. More specifically, by automatically introducing slight perturbations to unseen data points, the model may cross a decision boundary and classify the data as a different class. As a result, the model’s effectiveness can be significantly reduced.
In the context of SMS spam detection, AML can be used to manipulate textual data by including perturbations to cause spam data to be classified as being not spam, consequently bypassing the detector.
DATASET AND DATA PRE-PROCESSING
The SMS Spam Collection is a set of tagged SMS messages that have been collected for SMS spam research. It contains a set of 5,574 English SMS text messages which are tagged according to whether they are spam (425 messages) or not-spam (3,375).
Let’s first cover the pre-processing techniques we need to consider before we dive into applying any kind of machine learning techniques. We’ll perform pre-processing techniques that are standard for most Natural Language Processing (NLP) problems. These include:
- Convert the text to lowercase.
- Remove punctuation.
- Remove additional white space.
- Remove numbers.
- Remove stop words such as “the”, “a”, “an”, “in”.
- Lemmatisation.
- Tokenisation.
Python’s Natural Language Tool Kit (NLTK) can handle these pre-processing requirements. The output should now look something like the following:
WORD EMBEDDINGS
Word embedding is one of the most popular representations of text vocabulary. It is capable of capturing the context of a word in a document, its semantic and syntactic similarity to its surrounding words, and its relation with other words.
But how are word embeddings captured in context? Word2Vec is one of the most popular techniques for learning word embeddings using a two-layer Neural Network. The Neural Network takes in the corpus of text, analyses it, and for each word in the vocabulary generates a vector of numbers that encodes important information about the meaning of the word in relation to the context in which it appears.
There are two main models: the Continuous Bag-of-Words model and the Skip-gram model. The Word2Vec Skip-gram model is a shallow Neural Network with a single hidden layer that takes in a word as input and tries to predict the context of the words that surround it as an output.
In this case, we will be using Gensim’s Word2Vec for creating the model. Some of the important parameters are as follows:
- size: The number of dimensions of the embeddings. The default is 100.
- window: The maximum distance between a target word and the words around the target word. The default window is 5.
- min_count: The minimum count of words to consider when training the model. Words with occurrence less than this count will be ignored. The default min_count is 5.
- workers: The number of partitions during training. The default workers is 3.
- sg: The training algorithm, either Continuous Bag-of-Words (0) or Skip-gram (1). The default training algorithm is Continuous Bag-of-Words.
Next, we’ll see how to use the Word2Vec model to generate the vector for the documents in the dataset. Word2Vec vectors are generated for each SMS message in the training data by traversing through the dataset. By simply using the model on each word of the text messages, we retrieve the word embedding vectors for those words. We then represent a message in the dataset by calculating the average over all of the vectors of words in the text.
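As an added example (not the post's notebook code), the pre-processing list above and the per-message averaging of word vectors in one runnable block. NLTK's stop-word list and WordNet lemmatiser are replaced by small constructed stand-ins so it runs offline; the sample message and the three-dimensional embedding table are constructed, and the out-of-vocabulary handling (a message with no known tokens) is the edge case the averaging step has to cover.

```python
import re
import string

# Constructed stand-in for NLTK's English stop-word list used in the post.
STOPWORDS = {"the", "a", "an", "in", "to", "is", "you", "have", "for", "and", "of", "now"}

def lemmatise(word):
    """Constructed stand-in for NLTK's WordNet lemmatiser: a few suffix rules,
    enough to show where the step sits in the pipeline, not for real use."""
    for suffix, replacement in (("ies", "y"), ("ing", ""), ("ed", ""), ("s", "")):
        if word.endswith(suffix) and len(word) - len(suffix) >= 3:
            return word[: -len(suffix)] + replacement
    return word

def preprocess(text):
    """The post's pipeline: lowercase, remove punctuation, numbers and extra
    whitespace, drop stop words, lemmatise, and tokenise."""
    text = text.lower()
    text = text.translate(str.maketrans("", "", string.punctuation))
    text = re.sub(r"\d+", " ", text)
    tokens = text.split()  # split() also collapses runs of whitespace
    return [lemmatise(t) for t in tokens if t not in STOPWORDS]

def message_vector(tokens, wv, dim):
    """Represent a message as the mean of its tokens' embedding vectors.
    `wv` may be gensim's model.wv (supports `in` and indexing) or a plain dict.
    Tokens outside the vocabulary (e.g. rarer than min_count) are skipped, and a
    message with no known token yields the zero vector instead of a ZeroDivisionError."""
    vecs = [wv[t] for t in tokens if t in wv]
    if not vecs:
        return [0.0] * dim
    return [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]

# Constructed 3-dimensional embedding table standing in for a trained model such as
# gensim.models.Word2Vec(sentences, vector_size=100, window=5, min_count=5,
# workers=3, sg=1).wv  (gensim >= 4 renamed the post's `size` to `vector_size`).
EMBED = {"winner": [1.0, 0.0, 0.0], "free": [0.0, 1.0, 0.0], "ticket": [0.0, 0.0, 1.0]}

if __name__ == "__main__":
    sms = "WINNER!! You have won 2 free tickets. Call 09061701461 now"  # constructed sample
    toks = preprocess(sms)
    print(toks)                            # ['winner', 'won', 'free', 'ticket', 'call']
    print(message_vector(toks, EMBED, 3))  # 'won' and 'call' are out of vocabulary
```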
MODEL TRAINING AND CLASSIFICATION
Let’s first encode our target labels spam and not_spam. This involves converting the categorical values to numerical values. We’ll then assign the features to the variable X and the target labels to the variable y. Lastly, we’ll split the pre-processed data into two datasets.
Train dataset: For training the SMS text categorisation model.
Test dataset: For validating the performance of the model.
To split the data into these two datasets, we’ll use Scikit-learn’s train_test_split function from the model_selection module. In this case, we’ll split the data into 70% training and 30% testing.
For the sake of this post, we’ll use a Decision Tree classifier. In reality, you’d want to evaluate a variety of classifiers using cross-validation to determine which is the best performing. The “no free lunch” theorem suggests that there is no universally best learning algorithm. In other words, the choice of an appropriate algorithm should be based on its performance for that particular problem and the properties of data that characterise the problem.
Once the model is trained, we can evaluate its performance when it tries to predict the target labels of the test set. The classification report shows that the model can predict the test samples with a high weighted-average F1-score of 0.94.
訓(xùn)練模型后,我們可以在嘗試預(yù)測(cè)測(cè)試集的目標(biāo)標(biāo)簽時(shí)評(píng)估其性能。 分類報(bào)告顯示,該模型可以預(yù)測(cè)具有0.94的高加權(quán)平均F1分?jǐn)?shù)的測(cè)試樣本。
GENERATING ADVERSARIAL SAMPLES
A well known use case of AML is in image classification. This involves adding noise that is imperceptible to the human eye but still fools the classifier.
Figure: Adversarial machine learning in image classification
There are various methods by which adversarial samples can be generated. Such methods vary in complexity, the speed of their generation, and their performance. An unsophisticated approach towards crafting such samples is to manually perturb the input data points. However, manual perturbations are slow to generate and evaluate by comparison with automatic approaches.
One of the most popular techniques for automatically generating perturbed samples is the Jacobian-based Saliency Map Attack (JSMA). Such methods rely on the principle that adding small perturbations to the original sample can produce a sample with adversarial characteristics, in that the targeted model now classifies it differently.
The JSMA method generates perturbations using saliency maps. A saliency map identifies which features of the input data are the most relevant to the model deciding on one class or another; these features, if altered, are the most likely to affect the classification of the target values. More specifically, an initial percentage of features (gamma) is chosen to be perturbed by an amount of noise (theta). Then, the method establishes whether the added noise has caused the targeted model to misclassify or not. If the noise has not affected the model’s decision, another set of features is selected and a new iteration occurs, until a saliency map appears which can be used to generate an adversarial sample.
A pre-trained MLP is used as the underlying model for the generation of adversarial samples. Here, we explore how different combinations of the JSMA parameters affect the performance of the originally trained Decision Tree.
EVALUATION
To explore how different combinations of the JSMA parameters affect the performance of the trained Decision Tree, adversarial samples were generated from all spam data points present in the testing data by using a range of combinations of gamma and theta. The adversarial samples were then joined with the non-spam testing data points and presented to the trained model. The heat map reports the overall weighted-average F1-scores for all adversarial combinations of JSMA’s gamma and theta parameters.
The classification performance of the Decision Tree model showed a decrease in F1-score across all of the gamma and theta parameters. When gamma = 0.3 and theta = 0.5, the model’s classification performance decreased by 18 percentage points (F1-score = 0.759). In this case, based on this dataset, gamma = 0.3 and theta = 0.5 would be the optimal parameters for successfully reducing the accuracy of a machine learning based SMS spam detector.
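An added example, not the post's notebook or its cleverhans-based JSMA, of the gamma/theta robustness sweep described in the two sections above: a constructed linear surrogate (P(spam) = sigmoid(w·x + b)) stands in for the pre-trained MLP so the Jacobian is analytic, a greedy saliency step moves up to a gamma fraction of features by theta each, and the victim classifier is passed in separately to mirror the transfer to the Decision Tree. The perturbation acts on the numeric feature vectors the classifier consumes, as in the post; the weights and the two spam vectors are constructed.

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def p_spam(x, w, b):
    """Constructed linear surrogate, P(spam | x), standing in for the post's MLP."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def saliency_perturb(x, w, b, gamma, theta, lo=0.0, hi=1.0):
    """JSMA-style greedy perturbation of one feature vector toward 'not spam'.
    gamma: largest fraction of features that may be changed (the post's gamma).
    theta: amount each selected feature is moved (the post's theta).
    Each round picks the untouched feature whose gradient of P(not spam) is
    largest in magnitude and moves it by theta in the helpful direction, clipped
    to the feature domain; stops once the surrogate's label flips or the budget is spent."""
    x = list(x)
    budget = max(1, int(gamma * len(x)))
    touched = set()
    while p_spam(x, w, b) >= 0.5 and len(touched) < budget:
        p = p_spam(x, w, b)
        # d P(not spam) / d x_i = -p (1 - p) w_i  (analytic Jacobian of the surrogate)
        grads = {i: -p * (1 - p) * w[i] for i in range(len(x)) if i not in touched}
        i = max(grads, key=lambda k: abs(grads[k]))
        if grads[i] == 0.0:
            break  # no remaining feature influences the decision
        x[i] = min(hi, max(lo, x[i] + math.copysign(theta, grads[i])))
        touched.add(i)
    return x

def evasion_rate(spam_vectors, w, b, gamma, theta, victim=None):
    """Fraction of spam vectors the victim calls 'not spam' after perturbation.
    `victim` is a callable returning True for spam; it mirrors the post's set-up
    (samples crafted on the surrogate, scored by another model) and defaults to
    the surrogate itself."""
    is_spam = victim or (lambda v: p_spam(v, w, b) >= 0.5)
    perturbed = [saliency_perturb(x, w, b, gamma, theta) for x in spam_vectors]
    return sum(not is_spam(v) for v in perturbed) / len(perturbed)

def sweep(spam_vectors, w, b, gammas, thetas, victim=None):
    """Grid of evasion rates: the data behind a heat map like the post's."""
    return {(g, t): evasion_rate(spam_vectors, w, b, g, t, victim)
            for g in gammas for t in thetas}

# Constructed surrogate weights and two spam feature vectors (4 features in [0, 1]).
W, B = [2.0, 1.5, -1.0, 0.5], -1.0
SPAM = [[0.9, 0.8, 0.1, 0.5], [0.6, 0.9, 0.0, 0.2]]

if __name__ == "__main__":
    for (g, t), rate in sorted(sweep(SPAM, W, B, [0.25, 0.5, 1.0], [0.5, 1.0]).items()):
        print(f"gamma={g:<5} theta={t:<4} evasion rate={rate:.2f}")
```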
CONCLUSION
So, what have I learnt from this analysis?
那么,我從這項(xiàng)分析中學(xué)到了什么?
Due to their effectiveness and flexibility, machine learning based detectors are now recognised as fundamental tools for detecting whether SMS text messages are spam or not. Nevertheless, such systems are vulnerable to attacks that may severely undermine or mislead their capabilities. Adversarial attacks may have severe consequences in such infrastructures, as SMS texts may be modified to bypass the detector.
The next steps would be to explore how such samples can support the robustness of supervised models using adversarial training. This entails including adversarial samples into the training dataset, re-training the model, and evaluating its performance on all adversarial combinations of JSMA’s gamma and theta parameters.
For the full notebook, check out my GitHub repo below: https://github.com/LowriWilliams/SMS_Adversarial_Machine_Learning
Translated from: https://towardsdatascience.com/adversarial-attacks-on-sms-spam-detectors-12b16f1e748e