Machine Learning in the Presence of an Adversary: Attacking and Defending the SpamBayes Spam Filter

Udam Saini

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2008-62
May 20, 2008

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-62.pdf

Machine learning techniques are often used for decision making in security critical applications such as intrusion detection and spam filtering. However, much of the security analysis surrounding learning algorithms is theoretical. This thesis provides a practical evaluation of the algorithms used by SpamBayes, a statistical spam filter, to determine its ability to correctly distinguish spam email for normal email when learning in the presence of an adversary.

This thesis presents both attacks against SpamBayes and defenses against these attacks. The attacks are able to subvert the spam filter by both causing a high percentage of false positives and false negatives. With only a 100 attack emails, out of an initial training corpus of 10,000, the spam filter's performance is sufficiently degraded to either cause a denial of service attack or successfully allow spam emails to bypass the filter. The defenses shown in this thesis are able to work against the attacks developed against SpamBayes and are sufficiently generic to be easily extended into other statistical machine learning algorithms.

Advisor: Anthony D. Joseph


BibTeX citation:

@mastersthesis{Saini:EECS-2008-62,
    Author = {Saini, Udam},
    Title = {Machine Learning in the Presence of an Adversary: Attacking and Defending the SpamBayes Spam Filter},
    School = {EECS Department, University of California, Berkeley},
    Year = {2008},
    Month = {May},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-62.html},
    Number = {UCB/EECS-2008-62},
    Abstract = {Machine learning techniques are often used for decision making in security critical applications such as intrusion detection and spam filtering. However, much of the security analysis surrounding learning algorithms is theoretical. This thesis provides a practical evaluation of the algorithms used by SpamBayes, a statistical spam filter, to determine its ability to correctly distinguish spam email for normal email when learning in the presence of an adversary.  

This thesis presents both attacks against SpamBayes and defenses against these attacks. The attacks are able to subvert the spam filter by both causing a high percentage of false positives and false negatives. With only a 100 attack emails, out of an initial training corpus of 10,000, the spam filter's performance is sufficiently degraded to either cause a denial of service attack or successfully allow spam emails to bypass the filter. The defenses shown in this thesis are able to work against the attacks developed against SpamBayes and are sufficiently generic to be easily extended into other statistical machine learning algorithms.}
}

EndNote citation:

%0 Thesis
%A Saini, Udam
%T Machine Learning in the Presence of an Adversary: Attacking and Defending the SpamBayes Spam Filter
%I EECS Department, University of California, Berkeley
%D 2008
%8 May 20
%@ UCB/EECS-2008-62
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-62.html
%F Saini:EECS-2008-62