SpamDam: Towards Privacy-Preserving and Adversary-Resistant SMS Spam Detection

To assess the real-world effectiveness, the while SpamRadar pipeline was applied to posts collected via the OSN-specific collector from both Weibo and Twitter. Given posts predicted through the pipeline, 200 posts per OSN were randomly sampled for manual validation. As shown in table above , our pipeline exhibits robust performance for both OSN platforms. On Twitter, it achieves an end-to-end precision of 97.8%, i.e., 97.8% images predicted as SMS spam screenshots are true cases. On the other hand, the precision slightly drops to 93.3% on Weibo.

SpamRadar is designed to be OSN-agnostic, i.e., it can be extended to new OSNs with OSN-specific crawling drivers. This has been further demonstrated through our collection and analysis of data from Reddit and Xiaohongshu, thereby affirming the generalization of our pipeline.

Given the constraints presented by the Reddit APIs, we resorted to manually identifying spam-related posts that contain images, using the same meticulously crafted keywords employed in collection of Twitter/Weibo posts. For Xiaohongshu, we developed a specialized crawling driver to gather similar spam-reporting posts, adhering to the same keyword set. Given these posts, the spam radar was applied, which was followed by manual validation for 200 sampled predictions for each OSN. As shown in table above, the SpamRadar pipeline has achieved a decent performance for both OSN platforms. Particularly, a high precision of 97.7% (127 out of 130 predicted SMS spam screenshots) is achieved for Reddit while the recall of 83.0% (127 out of 153 true SMS spam screenshots) is still acceptable. On one hand, these results demonstrate the generalization of the {\radar} to different OSNs. On the other hand, fine tuning with OSN-specific ground truth can still further enhance the pipeline, e.g., improving the precision for Xiaohongshu.

A direct performance comparison among the four models are listed in Table above. As we can see that BERT-based classification models have achieved better performance than the previously SOTA CNN model. Particularly, when evaluating on Test_All, our BERT_All model has increased the recall by 0.7% and the precision by 0.42% while decreasing the false positive rate by 2.56%.

Another key observation is that SMS spams reported on Twitter contribute most to the performance of BERT_All. Particularly, when evaluated on Test_All, the model BERT_All-Twitter trained without Twitter-reported SMS spam messages has the recall (99.29%) lower by 0.24%, the precision lower by 0.60%, and the false positive rate higher by 6.26%, when compared with BERT_All (99.53%). Instead, the model BERT_All-Weibo trained with Twitter-reported spams but not Weibo-reported spams have almost the same performance with BERT_All. A reasonable explanation is that SMS spam samples reported on Weibo are mostly distributed in China and cannot well represent the data distribution of globe-wide SMS spam campaigns. Thus, the model (BERT_All-Twitter) trained mostly on Weibo-reported spam messages cannot well capture Twitter-reported global spam messages.

The comparative performance results are summarized in table above. Among all the three anti-spam candidates except for ones implemented by our study, GPT-4 demonstrates superior accuracy in spam detection, while OOPSpam exhibits a low false positive rate of 6.1%, albeit at the cost of a low recall, suggesting a propensity to classify SMS messages as non-spam. Conversely, Perspective reports the highest false positive rate, indicating a tendency towards generating false alarms, aligning with findings reported in SpamHunter. Compared to public anti-spam options, the models developed in this study exhibit superior performance in both accuracy and precision. This enhancement is likely due to the specialized focus on SMS spam messages, which is not the primary target for many generic anti-spam services, resulting in their less satisfactory results. Specifically, when examining the BERT_All and BERT_balance models, the latter demonstrates the benefits of incorporating a balanced dataset. BERT_balancenot only achieves the highest precision of 96.1% but also maintains a significantly lower false positive rate of 4.0%. These results underscore the importance of including diverse-enough non-spam texts when training anti-spam models.

Similar to the binary SMS spam classifier, we choose the paradigm of pre-training and fine-tuning, especially considering our groundtruth dataset is of a small size. Then, the same BERT multilingual language model is selected as the pre-trained model. During the fine-tuning, the number of epochs was set as 10, with the batch size as 16, the learning rate as 1.207e-5, and the maximum sequence length as 128. The resulting model was trained on 80% of our groundtruth dataset. Evaluation upon the left 20% samples revealed a micro recall of 87.95% and a micro precision of 87.95%. Category-specific performance metrics are listed in table above. As we can see, multi-class SMS spam classification is promising. Particularly, the category-wise precision ranges from 83.33% for F-Finance to 96.00% for F-Acquaintance.

Following the multiclass classifier, the same model architecture as well as training parameters were utilized to train this multi-label classifier. The resulting model has achieved a label ranking average precision (LRAP) score of 0.9281, whereby the LRAP is a well-acknowledged metric for multi-label classification along with the best score being 1. Another metric we consider is the Hamming score. Considering \( N \) samples in the testing dataset, assume \( Y_i \) denotes the set of labels for the \( i^{th} \) sample, and \( \hat{Y}_i \) denotes the predicted labels for the same sample. Then, the Hamming score is calculated as \( \frac{1}{N}\sum_{i = 1}^{N}\frac{|Y_i \cap \hat{Y}_i|}{|Y_i \cup \hat{Y}_i|} \), and a Hamming score of 1 denotes a model has got 100% predictions right. Then, when evaluated on the testing dataset, our multi-label spam classifier has achieved a Hamming score of 0.7940. We also measured the category-wise precision and recall, as shown in table above. Overall, we can conclude that both multi-class and multi-label SMS spam classification tasks are promising and feasible, despite a non-negligible variance across spam categories.

Table showed above presents the performance stats for FL-trained binary SMS spam classifiers under different quantity-based Dirichlet distributions. And we can see that the performance of FL-trained models is comparable to that of the centrally trained counterparts.

We also observed that the attack success rate can vary significantly when encountering spam messages of different languages or different categories. Figure 1(b) presents how the success rate of the imperceptible deletion attacks varies across four languages with most spam messages observed. And we can see that the imperceptible deletion attack is only effective for English/Spanish spam messages, but has zero success rates for both Chinese and Indonesian, which is applicable to all the three effective imperceptible attacks. Then, when it comes to different spam categories, as shown in Figure 1(c), these attacks work best for the spam category of Promotion, which is expected since promotional spam messages tend to reside closest to the decision plane between spam messages and non-spam ones. Particularly, under the attack budget of 5 perturbations, the imperceptible deletion attack has achieved a success rate of 15% for spam messages belonging to Promotion while it is only 3% for F-Account.

We then evaluated the robustness of this adversarially trained spam detection model, using the aforementioned 250 SMS spam messages. As illustrated in Figure 1(d), adversarial training has significantly lowered the attacking success rates for all the three imperceptible attacks. For instance, adversarial training has lowered the success rate of deletion attack from 20.0% to 4.80%.

Table showed above illustrates how the poisoned spam detection model varies in its performance when evaluated under different poisoning rates. As we can see, a practical untargeted poisoning attack can degrade the recall performance to a notable extent but has almost no impact on the precision. Specifically, even the injection of only 1% poisoned samples (p = 1%) can degrade the recall by 1.42%, but the impact on the precision is within the margin of error. Then, as the p is over 50% which is considered impractical, we start to see a notable drop in precision, and more importantly, the significant increase in the false positive rate. Particularly, as the p has increased from 45% to 50%, the false positive rate has jumped from 6.34% to 25.77%. Regarding what p is practical, we consider a practical poisoning attacker that has control of up to hundreds of OSN accounts. We thus consider a practical poisoning rate as p ≤ 5%. Under such a practical range of the poisoning rate, we argue that this untargeted poisoning attack has minor attack impact on our SMS spam detection model, i.e., up to 1.60% drop in recall and almost no impact on the precision and false positive rate.

Figure 2(a) presents the backdoor effect in terms of mis-classifying benign testing messages that are stamped with the respective backdoor word (e.g., google), while Figure 2(b) presents the impact of these backdoor attacks on the overall model performance as gained from evaluation on the held-out testing dataset. And we can conclude that this reverse backdoor attack is very effective in terms of misleading the model to falsely alarm stamped but benign messages as spam, while maintaining a low impact on the overall model performance. Particularly, when the p is just as low as 1%, the attack success rate can be as high as 54% while the impact on the overall accuracy is just 1.58%. Then, when the $p$ is larger than 15%, the poisoned model tends to mis-classify all stamped benign messages as spam.

Similar to poisoning scenario II, backdooring via reporting stamped spam messages can achieve a high success rate when the poisoning rate is practically low (e.g., p ≤ 5%). Along with the high backdoor success rate is the low impact on the overall performance, which is no more than 2% in accuracy decrease when p ≤ 30%. A table also presents a direct comparison between backdooring with benign messages and backdooring with spam messages, with regards to their impact on overall model performance. As we can see, backdooring with spam messages consistently incurs a lower impact on model performance, and is thus more stealthy than backdooring with benign messages. By now, we can conclude that SMS spam detection built upon crowdsourced SMS spam messages is vulnerable to practical reverse backdoor attacks.

Table showed above presents the performance of these four models in terms of recall, when evaluated against spam datasets of different time periods. As you can see, the decay in performance varies significantly across models. Particularly, Model₂₀₁₂ and Model₂₀₁₅ have decayed significantly in the recall performance when predicting spam messages of 2018 or later. For instance, Model₂₀₁₂ has achieved a initial recall of 94.85% when evaluated on the testing part of the UCI dataset. However, its performance degrades to 77.67% , 82.6%, and 70.97% when evaluated respectively on spams observed in 2019Q1, 2021Q1, and 2022 Q1. On the other hand, the two models trained on less outdated datasets are subject to less degradation in performance. Particularly, compared to Model₂₀₁₂, Model₂₀₁₈ has achieved a recall higher by 27.72% when evaluated on 2022Q1 and the increase in recall is 28.88% for Model₂₀₂₁. These results not only qualify the existence of concept drift but also quantify its impact in model aging in the area of SMS spam detection, which strongly highlights the necessity of maintaining an ever-updating SMS spam dataset and keeping retraining the detection models on fresh spam messages.

Table showed above presents the performance of these models when evaluated against three different testing datasets, namely, Test_SMS, Test_Email, and the combination of both. As we can see, the model trained solely on SMS spam data (Model_SMS) achieves a recall of 85.00% and a precision of 55.03% when evaluated on Test_Email, which is likely due to that SMS spam and Email spam still differ in their respective data distribution. However, When evaluated on Test_Email, Model_{SMS & Email} achieves a comparable precision and a higher recall of 99.35% while it is only 94.34% for Model_Email. The same performance improvement is also observed for Model_Email→SMS, which suggests the SMS spam dataset can benefit the detection of Email spam while the reverse effect from Email spam to SMS spam is not obvious.

The toxic content dataset used in our experiments is the IBM toxic text dataset¹ wherein a toxic text will be assigned with one or more toxic labels. In our experiments, a text in this dataset will be considered as toxic (positive) if it has been assigned one or more toxic labels. As a result, we got a binary dataset of 201,081 non-toxic texts and 22,468 toxic texts. Adopting the same model architecture and training process of BERT_All (the binary SMS spam classifier), a model trained on 80% of this toxic text dataset has achieved a precision of 61.09%, a recall of 79.43%, and an f1-score of 69.06%, when evaluated on the left 20% texts (the toxic testing dataset). We then tried to apply the SMS spam detection model BERT_All to predicting the toxic testing dataset. However, it only achieved a precision of 5.55%, a recall of 30.21% and a F1-score of 9.38%, which means the poor portability of the SMS spam classifier on toxic text classification. Reversely and similarly, when evaluated on the SMS spam testing dataset, the toxic binary classifier also achieved a poor performance (a precision of 53.03%, a recall of 0.47% and the F1-score of 0.94%).