SINBAD: Saliency-informed detection of breakage caused by ad blocking

Read original: arXiv:2405.05196 - Published 5/9/2024 by Saiid El Hajj Chehade (EPFL), Sandra Siby (Imperial College London), Carmela Troncoso (EPFL)

🔎

Overview

Researchers introduce SINBAD, an automated tool to detect when privacy-enhancing filter lists break legitimate website functionality.
SINBAD improves on the state-of-the-art by 20% in detecting breakage.
It is the first tool to detect dynamic breakage and breakage caused by style-oriented filter rules.

Plain English Explanation

Privacy-enhancing filter lists are rules that block various online content, like ads or trackers, to protect user privacy. However, these filter lists can sometimes inadvertently break the normal functioning of legitimate websites, causing issues for users.

The researchers created a tool called SINBAD to automatically detect when a filter list is causing this kind of "breakage" on websites. SINBAD is more accurate than previous tools at finding these problems. It can also detect two new types of breakage:

Dynamic Breakage: When a filter list breaks website functionality that changes or updates over time.
Style-oriented Breakage: When a filter list interferes with the visual styling or layout of a website.

The key innovations that make SINBAD successful are:

Using Real User Feedback: The researchers built their training dataset using actual user reports of website breakage, so SINBAD focuses on issues that real people care about.
Prioritizing Important Website Regions: SINBAD uses "web saliency" to automatically identify the most important parts of a website to check for breakage.
Analyzing Website Subtrees: SINBAD examines the underlying structure of webpages in detail to pinpoint which specific filter rules are causing problems.

Technical Explanation

The researchers developed SINBAD, a novel automated tool for detecting when privacy-enhancing filter lists break the functionality of legitimate websites. SINBAD improves the state-of-the-art in breakage detection accuracy by 20%, and is the first system capable of detecting dynamic breakage and breakage caused by style-oriented filter rules.

The key innovations that enable SINBAD's success are:

User-Reported Breakage Dataset: The researchers created a high-quality training dataset by mining user-reported breakage issues from online forums. This ensures SINBAD focuses on breakage that users actually perceive as problematic.
Web Saliency for Prioritization: SINBAD uses "web saliency" techniques to automatically identify the most user-relevant regions of a website. This allows the system to prioritize its automated interactions and testing on the parts of the page that are most important to users.
Subtree Analysis: SINBAD analyzes webpages at the level of the underlying HTML structure, breaking down pages into subtrees. This fine-grained analysis enables precise identification of which specific filter rules are causing breakage.

Critical Analysis

The researchers acknowledge several limitations and areas for future work. First, SINBAD currently focuses on detecting breakage, but does not provide automated solutions for fixing the underlying filter rule issues. Developing automated rule repair capabilities would be a valuable extension.

Additionally, the user-reported dataset used to train SINBAD may not be fully comprehensive, as it relies on users to actively report problems. Exploring ways to more proactively collect breakage reports, perhaps by instrumenting browser extensions, could further improve the system.

Finally, while SINBAD demonstrates strong performance on the evaluated dataset, its generalization to new types of websites and filter lists could be further validated. Expanding the diversity of the test set would help assess SINBAD's robustness.

Overall, SINBAD represents an important step forward in improving the reliability of privacy-enhancing filter lists. By automating the detection of breakage issues, the system can help filter list maintainers proactively address problems before they impact users at scale. Future work to automate the repair process and expand the scope of detection would further strengthen this line of research.

Conclusion

The researchers present SINBAD, a novel automated tool for detecting when privacy-enhancing filter lists break the functionality of legitimate websites. SINBAD significantly outperforms the state-of-the-art, and is the first system capable of detecting dynamic breakage and breakage caused by style-oriented filter rules.

The key innovations behind SINBAD's success are its use of real user-reported breakage data, prioritization of important website regions using web saliency, and fine-grained analysis of webpage structure. These advances allow SINBAD to identify problematic filter rules with high accuracy.

While SINBAD represents an important step forward, the researchers identify several avenues for future work, including automating the repair of broken filter rules and expanding the system's coverage to new types of websites and filter lists. Continued research in this area can help ensure that privacy-enhancing tools do not inadvertently disrupt the user experience on the web.

This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Follow @aimodelsfyi on 𝕏 →

Related Papers

🔎

SINBAD: Saliency-informed detection of breakage caused by ad blocking

Saiid El Hajj Chehade (EPFL), Sandra Siby (Imperial College London), Carmela Troncoso (EPFL)

Privacy-enhancing blocking tools based on filter-list rules tend to break legitimate functionality. Filter-list maintainers could benefit from automated breakage detection tools that allow them to proactively fix problematic rules before deploying them to millions of users. We introduce SINBAD, an automated breakage detector that improves the accuracy over the state of the art by 20%, and is the first to detect dynamic breakage and breakage caused by style-oriented filter rules. The success of SINBAD is rooted in three innovations: (1) the use of user-reported breakage issues in forums that enable the creation of a high-quality dataset for training in which only breakage that users perceive as an issue is included; (2) the use of 'web saliency' to automatically identify user-relevant regions of a website on which to prioritize automated interactions aimed at triggering breakage; and (3) the analysis of webpages via subtrees which enables fine-grained identification of problematic filter rules.

5/9/2024

Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search

Jonathan Oliver, Raghav Batta, Adam Bates, Muhammad Adil Inam, Shelly Mehta, Shugao Xia

Alert fatigue is one of the biggest challenges faced by the Security Operations Center (SOC) today, with analysts spending more than half of their time reviewing false alerts. Endpoint detection products raise alerts by pattern matching on event telemetry against behavioral rules that describe potentially malicious behavior, but can suffer from high false positives that distract from actual attacks. While alert triage techniques based on data provenance may show promise, these techniques can take over a minute to inspect a single alert, while EDR customers may face tens of millions of alerts per day; the current reality is that these approaches aren't nearly scalable enough for production environments. We present Carbon Filter, a statistical learning based system that dramatically reduces the number of alerts analysts need to manually review. Our approach is based on the observation that false alert triggers can be efficiently identified and separated from suspicious behaviors by examining the process initiation context (e.g., the command line) that launched the responsible process. Through the use of fast-search algorithms for training and inference, our approach scales to millions of alerts per day. Through batching queries to the model, we observe a theoretical maximum throughput of 20 million alerts per hour. Based on the analysis of tens of million alerts from customer deployments, our solution resulted in a 6-fold improvement in the Signal-to-Noise ratio without compromising on alert triage performance.

5/9/2024

Dismantling Common Internet Services for Ad-Malware Detection

Florian Nettersheim, Stephan Arlt, Michael Rademacher

Online advertising represents a main instrument for publishers to fund content on the World Wide Web. Unfortunately, a significant number of online advertisements often accommodates potentially malicious content, such as cryptojacking hidden in web banners - even on reputable websites. In order to protect Internet users from such online threats, the thorough detection of ad-malware campaigns plays a crucial role for a safe Web. Today, common Internet services like VirusTotal can label suspicious content based on feedback from contributors and from the entire Web community. However, it is open to which extent ad-malware is actually taken into account and whether the results of these services are consistent. In this pre-study, we evaluate who defines ad-malware on the Internet. In a first step, we crawl a vast set of websites and fetch all HTTP requests (particularly to online advertisements) within these websites. Then we query these requests both against popular filtered DNS providers and VirusTotal. The idea is to validate, how much content is labeled as a potential threat. The results show that up to 0.47% of the domains found during crawling are labeled as suspicious by DNS providers and up to 8.8% by VirusTotal. Moreover, only about 0.7% to 3.2% of these domains are categorized as ad-malware. The overall responses from the used Internet services paint a divergent picture: All considered services have different understandings to the definition of suspicious content. Thus, we outline potential research efforts to the automated detection of ad-malware. We further bring up the open question of a common definition of ad-malware to the Web community.

4/23/2024

FAIR: Filtering of Automatically Induced Rules

Divya Jyoti Bajpai, Ayush Maheshwari, Manjesh Kumar Hanawal, Ganesh Ramakrishnan

The availability of large annotated data can be a critical bottleneck in training machine learning algorithms successfully, especially when applied to diverse domains. Weak supervision offers a promising alternative by accelerating the creation of labeled training data using domain-specific rules. However, it requires users to write a diverse set of high-quality rules to assign labels to the unlabeled data. Automatic Rule Induction (ARI) approaches circumvent this problem by automatically creating rules from features on a small labeled set and filtering a final set of rules from them. In the ARI approach, the crucial step is to filter out a set of a high-quality useful subset of rules from the large set of automatically created rules. In this paper, we propose an algorithm (Filtering of Automatically Induced Rules) to filter rules from a large number of automatically induced rules using submodular objective functions that account for the collective precision, coverage, and conflicts of the rule set. We experiment with three ARI approaches and five text classification datasets to validate the superior performance of our algorithm with respect to several semi-supervised label aggregation approaches. Further, we show that achieves statistically significant results in comparison to existing rule-filtering approaches.

7/8/2024