AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning (1811.03194v3)

Abstract: Perceptual ad-blocking is a novel approach that detects online advertisements based on their visual content. Compared to traditional filter lists, the use of perceptual signals is believed to be less prone to an arms race with web publishers and ad networks. We demonstrate that this may not be the case. We describe attacks on multiple perceptual ad-blocking techniques, and unveil a new arms race that likely disfavors ad-blockers. Unexpectedly, perceptual ad-blocking can also introduce new vulnerabilities that let an attacker bypass web security boundaries and mount DDoS attacks. We first analyze the design space of perceptual ad-blockers and present a unified architecture that incorporates prior academic and commercial work. We then explore a variety of attacks on the ad-blocker's detection pipeline, that enable publishers or ad networks to evade or detect ad-blocking, and at times even abuse its high privilege level to bypass web security boundaries. On one hand, we show that perceptual ad-blocking must visually classify rendered web content to escape an arms race centered on obfuscation of page markup. On the other, we present a concrete set of attacks on visual ad-blockers by constructing adversarial examples in a real web page context. For seven ad-detectors, we create perturbed ads, ad-disclosure logos, and native web content that misleads perceptual ad-blocking with 100% success rates. In one of our attacks, we demonstrate how a malicious user can upload adversarial content, such as a perturbed image in a Facebook post, that fools the ad-blocker into removing another users' non-ad content. Moving beyond the Web and visual domain, we also build adversarial examples for AdblockRadio, an open source radio client that uses machine learning to detects ads in raw audio streams.

Insights into Perceptual Ad-Blocking and its Vulnerabilities

The paper "AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning" presents a critical analysis of perceptual ad-blocking technologies, which are designed to detect online advertisements based on visual content. This approach is relatively novel in the field of ad-blocking, diverging from traditional methods that rely predominantly on filter lists, which identify ads based on metadata such as URLs and page markup. The paper argues that perceptual signals, while potentially offering a more user-centric modality for ad identification, do not escape the ongoing arms race with ad networks and publishers, and could in fact introduce new vulnerabilities.

Analysis of Perceptual Ad-Blockers

The authors conduct a detailed security analysis of perceptual ad-blockers and demonstrate their vulnerabilities, particularly to adversarial machine learning attacks. They present a unified architecture encompassing prior academic and commercial ad-blocking methodologies and evaluate diverse perceptual ad-blocking techniques against various adversarial attacks with focus on evading or detecting ad-blocking.

Key Findings

1. Segmentation and Classification Vulnerabilities:
   • Perceptual ad-blockers have to visually classify rendered web content to evade obfuscation techniques used by ad networks and publishers. However, this introduces vulnerabilities as the perceptual classifiers, often reliant on traditional computer vision or machine learning techniques, are susceptible to adversarial examples. These adversarial perturbations are computed to deceive the visual classifiers into misclassifying ads or non-ad content, thereby substantially undermining their effectiveness.
2. Adversarial Examples:
   • The authors demonstrate the construction of adversarial examples for various classifiers, including those using perceptual hashing, optical character recognition (OCR), neural networks, and object detection models such as YOLOv3. They exhibit how these imperceptible perturbations can either evade detection or falsely trigger the ad-blocker's actions.
3. Potential for New Arms Race:
   • While perceptual ad-blockers could potentially succeed in ending the markup arms race, their reliance on visual classifiers simply shifts the challenge to adversarial machine learning, thereby igniting a new form of arms race against powerful evasion and detection attacks.
4. Abuse of Ad-Blockers:
   • The paper elucidates how perceptual ad-blocking not only fails to unambiguously 'block' adversarial ads but also introduces risks of misuse to bypass security boundaries. For example, malicious content crafted to hijack the ad-blocker's high privilege could erroneously block legitimate content.
5. Expansive Threat Model:
   • The threat model faced by perceptual ad-blockers is considerably complex, since adversaries can leverage offline digital adversarial attacks to effectuate real-time false-negatives and false-positives during ad-blocking, weakening the temporal and operational robustness of these classifiers.

Implications for Future Research

This work implies that while the conceptual appeal of perceptual ad-blocking remains, there is an inherent disadvantage due to the robustness of adversarial machine learning attacks, which could outweigh the proposed benefits of perceptual ad-blockers. The theoretical and practical predicaments highlighted necessitate advanced investigations into potential defenses against adversarial examples and endorsement of novel perceptual frameworks that enhance ad-blocking resilience within this sophisticated, evolving landscape.

Furthermore, the possible expansion of perceptual ad-blocking to other domains, such as virtual reality and smart devices, emphasizes the need for cross-disciplinary collaborations to bolster the anti-adversarial capacities of visual classifiers. This could entail innovations in the neural architectures used for perceptual analysis and the development of robust real-time detection mechanisms that remain effective under adversarial conditions.

In conclusion, perceptual ad-blocking introduces both promising advances and challenges. It is crucial for the research community to devise strategies that accommodate evolving technological paradigms while ensuring optimal user experiences and maintaining privacy and security assurances.