Man vs. Machine: Practical Adversarial Detection of MaliciousCrowdsourcing Workers

Gang Wang†, Tianyi Wang†‡, Haitao Zheng† and Ben Y. Zhao††Computer Science, UC Santa Barbara ‡Electronic Engineering, Tsinghua University

{gangw, tianyi, htzheng, ravenben}@cs.ucsb.edu

Abstract

Recent work in security and systems has embraced theuse of machine learning (ML) techniques for identify-ing misbehavior,e.g. email spam and fake (Sybil) usersin social networks. However, ML models are typicallyderived fromfixed datasets, and must be periodicallyretrained. In adversarial environments, attackers canadapt by modifying their behavior or even sabotagingML models by polluting training data.

In this paper1, we perform an empirical study of ad-versarial attacks against machine learning models in thecontext of detecting malicious crowdsourcing systems,where sites connect paying users with workers willing tocarry out malicious campaigns. By using human work-ers, these systems can easily circumvent deployed se-curity mechanisms,e.g. CAPTCHAs. We collect adataset of malicious workers actively performing taskson Weibo, China’s Twitter, and use it to develop ML-based detectors. We show that traditional ML techniquesare accurate (95%–99%) in detection but can be highlyvulnerable to adversarial attacks, including simpleeva-sion attacks(workers modify their behavior) and power-ful poisoning attacks(where administrators tamper withthe training set). We quantify the robustness of ML clas-sifiers by evaluating them in a range of practical adver-sarial models using ground truth data. Our analysis pro-vides a detailed look at practical adversarial attacks onML models, and helps defenders make informed deci-sions in the design and configuration of ML detectors.

1 Introduction

Today’s computing networks and services are extremelycomplex systems with unpredictable interactions be-tween numerous moving parts. In the absence of ac-curate deterministic models, applying Machine Learning

1Our work received approval from our local IRB review board.

(ML) techniques such as decision trees and support vec-tor machines (SVMs) produces practical solutions to avariety of problems. In the security context, ML tech-niques can extract statistical models from large noisydatasets, which have proven accurate in detecting mis-behavior and attacks,e.g. email spam [35, 36], networkintrusion attacks [22, 54], and Internet worms [29]. Morerecently, researchers have used them to model and detectmalicious users in online services,e.g. Sybils in socialnetworks [42, 52], scammers in e-commerce sites [53]and fraudulent reviewers on online review sites [31].

Despite a wide range of successful applications, ma-chine learning systems have a weakness: they are vulner-able to adversarial countermeasures by attackers awareof their use. First, through either reading publicationsor self-experimentation, attackers may become aware ofdetails of the ML detector,e.g. choice of classifier andparameters used, and modify their behavior toevadede-tection. Second, more powerful attackers can activelytamper with the ML models by polluting the training set,reducing or eliminating its efficacy. Adversarial machinelearning has been studied by prior work from a theoreti-cal perspective [6, 12, 27], using simplistic all-or-nothingassumptions about adversaries’ knowledge about the MLsystem in use. In reality, however, attackers are likely togain incomplete information or have partial control overthe system. An accurate assessment of the robustness ofML techniques requires evaluation underrealistic threatmodels.

In this work, we study the robustness of machinelearning models against practical adversarial attacks, inthe context of detecting malicious crowdsourcing activ-ity. Malicious crowdsourcing, also called crowdturfing,occurs when an attacker pays a group of Internet usersto carry out malicious campaigns. Recent crowdturf-ing attacks ranged from “artificial grassroots” politicalcampaigns [32, 38], product promotions that spread falserumors [10], to spam dissemination [13, 39]. Today,these campaigns are growing in popularity in dedicated

crowdturfing sites,e.g. ZhuBaJie (ZBJ)2 and SanDaHa(SDH)3, and generic crowdsourcing sites [26, 48].

The detection of crowdturfing activity is an ideal con-text to study the impact of adversarial attacks on ma-chine learning tools. First, crowdturfing is a growingthreat to today’s online services. Because tasks are per-formed by intelligent individuals, these attacks are unde-tectable by normal measures such as CAPTCHAs or ratelimits. The results of these tasks, fake blogs, slander-ous reviews, fake social network accounts, are often in-distinguishable from the real thing. Second, centralizedcrowdturfing sites like ZBJ and SDH profit directly frommalicious crowdsourcing campaigns, and therefore havestrong monetary incentive and the capability to launchadversarial attacks. These sites have the capability tomodify aggregate behavior of their users through inter-face changes or explicit policies, thereby either helpingattackers evade detection or polluting data used as train-ing input to ML models.

Datasets. For our analysis, we focus on Sina Weibo,China’s microblogging network with more than 500 mil-lion users, and a frequent target of crowdturfing cam-paigns. Most campaigns involve paying users to retweetspam messages or to follow a specific Weibo account.We extract records of 20,416 crowdturfing campaigns(1,012,923 tasks) published on confirmed crowdturfingsites over the last 3 years. We then extract a 28,947Weibo accounts belonging to crowdturfing workers. Weanalyze distinguishing features of these accounts, andbuild detectors using multiple ML models, includingSVMs, Bayesian, Decision Trees and Random Forests.

We seek answers to several key questions. First, canmachine learning models detect crowdturfing activity?Second, once detectors are active, what are possiblecountermeasures available to attackers? Third, can ad-versaries successfully manipulate ML models by tamper-ing with training data, and if so, can such efforts succeedin practice, and which models are most vulnerable?

Adversarial Attack Models. We consider two types ofpractical adversarial models against ML systems: thoselaunched by individualcrowd-workers, and those in-volving coordinated behavior driven by administrators ofcentralizedcrowdturfing sites. First, individual workerscan performevasionattacks, by adapting behavior basedon their knowledge of the target classifier (e.g. ML al-gorithms, feature space, trained models). We identify arange of threat models that vary the amount of knowl-edge by the adversary. The results should provide a com-prehensive view of how vulnerable ML systems to eva-sion, ranging from the worst case (total knowledge by at-tacker) to more practically scenarios. Second, more pow-

2http://www.zhubajie.com/c-tuiguang/3http://www.sandaha.com/

erful attacks are possible with the help of crowdturfingsite administrators, who can manipulate ML detectors bypoisoningor polluting training data. We study the im-pact on different ML algorithms from two pollution at-tacks: injecting false data samples, and altering existingdata samples.

Our study makes four key contributions:

• We demonstrate the efficacy of ML models for de-tecting crowdturfing activity. We find that RandomForests perform best out of multiple classifiers, with95% detection accuracy overall and 99% for “pro-fessional” workers.

• We develop adversarial models forevasion at-tacksranging from optimal evasion to more prac-tical/limited strategies. We find while such attackscan be very powerful in the optimal scenario (at-tacker has total knowledge), practical attacks aresignificantly less effective.

• We evaluate a powerful class ofpoisonattacks onML training data and find thatinjecting carefullycrafted data into training data can significantly re-duce detection efficacy.

• We observe a consistent tradeoff between fitting ac-curacy and robustness to adversarial attacks. Moreaccurate fits (especially to smaller, homogeneouspopulations) make models more vulnerable to de-viations introduced by adversaries. The exceptionis Random Forests, which naturally supports fittingto multiple populations, thus allowing it to maintainboth accuracy and robustness in our tests.

To the best of our knowledge, this is the first study toexamine automated detection of large-scale crowdturf-ing activity, and the first to evaluate adversarial attacksagainst machine learning models in this context. Ourresults show that accurate models are often vulnerableto adversarial attacks, and that robustness against attacksshould be a primary concern when selecting ML models.

2 Datasets and Methodology

In this section, we provide background on crowdturfing,and introduce our datasets and methodology.

2.1 Background: Crowdturfing Systems

Malicious crowdsourcing (crowdturfing) sites are webservices where attackers pay groups of human workers toperform questionable (and often malicious) tasks. Whilethese services are growing rapidly world-wide, two of thelargest are Chinese sites ZhuBaJie (ZBJ) and SanDaHa(SDH) [48]. Both sites leave records of campaigns pub-licly visible to recruit new workers, making it possiblefor us to crawl their data for analysis.

......

Crowdtur ng Sites Target Social Networks

Customer Worker Normal UserCrowdturf Account

Figure 1: Crowdturfing process.

Figure 1 illustrates how crowdturfing campaigns work.Initially, a customerposts a campaign onto the crowd-turfing site, and pays the site to carry it out. Each cam-paign is a collection of smalltasks, e.g. tasks to sendor retweet messages advertising a malware site.Workersaccept the task, and use their fake accounts in the targetsocial network(s) (e.g. Twitter) to carry out the tasks.Today, crowdturfing campaigns often spam web servicessuch as social networks, online review sites, and instant-messaging networks [48]. While workers can be any In-ternet user willing to spam for profit, customers often re-quire workers to use “high quality” accounts (i.e. estab-lished accounts with real friends) to perform tasks [48].In the rest of the paper, we refer workers’ social networkaccounts ascrowdturf accounts.

Crowdturfing on Weibo. Sina Weibo is China’s mostpopular microblogging social network with over 500 mil-lion users [30]. Like Twitter, Weibo users post 140-charactertweets, which can beretweetedby other users.Users can alsofollow each other to form asymmetric so-cial relationships. Unlike Twitter, Weibo allows users tohave conversations viacommentson a tweet.

Given its large user population, Weibo is a popular tar-get for crowdturfing systems. There are two major typesof crowdturfing campaigns. One type asks workers tofollow a customer’s Weibo account to boost their per-ceived popularity and visibility in Weibo’s ranked socialsearch. A second type pays crowd-workers to retweetspam messages or URLs to reach a large audience. Bothtypes of campaigns directly violate Weibo’s ToS [2]. Arecent statement (April 2014) from a Weibo administra-tor shows that Weibo has already begun to take actionagainst crowdturfing spam [1].

2.2 Ground Truth and Baseline Datasets

Our study utilizes a largeground-truthdataset of crowd-turfing worker accounts. We extract these accounts byfiltering through records of all campaigns and tasks tar-geting Weibo from ZBJ and SDH, and extracting all

Category # Weibo IDs # (Re) Tweets # CommentsTurfing 28,947 18,473,903 15,970,215Authent. 71,890 7,600,715 13,985,118Active 371,588 34,164,885 75,335,276

Table 1: Dataset summary.

Weibo accounts that accepted these tasks. This is possi-ble because ZBJ and SDH keep complete records of cam-paigns and transaction details (i.e. workers who com-pleted tasks, and their Weibo identities) visible.

As of March 2013, we collected a total of 20,416Weibo campaigns (over 3 years for ZBJ and SDH), with atotal of 1,012,923 individual tasks. We extracted 34,505unique Weibo account IDs from these records. 5,558 ofwhich have already been blocked by Weibo. We col-lected user profiles for the remaining 28,947 active ac-counts, including social relationships and the latest 2000tweets from each account. These accounts have per-formed at least one crowdturfing task. We refer to thisas theTurfingdataset.

Baseline Datasets for Comparison. We need a base-line dataset of “normal” users for comparison. We startby snowball sampling a large collection of Weibo ac-counts4. We ran breadth-first search (BFS) in November2012 using 100 Seeds randomly chosen from Weibo’spublic tweet stream, giving us 723K accounts. Becausethese crawled accounts can include malicious accounts,we need to do further filtering to obtain a real set of “nor-mal” users.

We extract two different baseline datasets. First, weconstruct a conservativeAuthenticateddataset, by in-cluding only Weibo users who have undergone an op-tional identity verification by phone number or Chinesenational ID (equivalent to US drivers license). A userwho has bound her Weibo account to her real-world iden-tity can be held legally liable for her actions, makingthese authenticated accounts highly unlikely to be usedas crowdturfing activity. OurAuthenticateddataset in-cludes 71,890 accounts from our snowball sample. Sec-ond, we construct a larger, more inclusive baseline set ofActiveusers. We define this set as users with at least 50followers and 10 tweets (filtering out dormant accounts5

and Sybil accounts with no followers). We also cross ref-erence these users against all known crowdturfing sitesto remove any worker accounts. The resulting datasetincludes 371,588 accounts. While it is not guaranteed tobe 100% legitimate users, it provides a broader user sam-ple that is more representative of average user behavior.

4Snowball crawls start from an initial set of seed nodes, and runsbreadth-first search to find all reachable nodes in the socialgraph [3].

5Dormant accounts are unlikely to be workers. To qualify for jobs,ZBJ/SDH workers must meet minimum number of followers/tweets.

0

20

40

60

80

100

0.01 0.1 1 10 100

CD

F o

f Use

rs (

%)

Followee to Follower Ratio

TurfingActive

Authenticated

Figure 2: Followee-to-Follower ratio.

0

20

40

60

80

100

0 0.2 0.4 0.6 0.8 1

CD

F o

f Use

rs (

%)

Reciprocity

TurfingActive

Authenticated

Figure 3: Reciprocity.

0

20

40

60

80

100

0 0.2 0.4 0.6 0.8 1

CD

F o

f Use

rs (

%)

Ratio of Tweets with Comments

TurfingActive

Authenticated

Figure 4: Ratio of commented tweets.

This is likely to provide a lower bound for detector accu-racy, since more carefully curated baselines would pro-duce higher detection accuracy. Our datasets are listed inTable 1.

2.3 Our Methodology

We have two goals: evaluating the efficacy of ML clas-sifiers to detect crowdturfing workers, and evaluating thepractical impact of adversarial attacks on ML classifiers.

• We analyze ground-truth data to identify key behav-ioral features that distinguish crowdturfing workeraccounts from normal users (§3).

• We use these features to build a number of pop-ular ML models, including Bayesian probabilisticmodels via Bayes’ theorem (i.e. conditional prob-ability), Support Vector Machines (SVMs), and al-gorithms based on single or multiple decision trees(e.g.Decision Trees, Random Forests) (§4).

• We evaluate ML models against adversarial attacksranging from weak to strong based on level ofknowledge by attackers (typically evasion attacks),and coordinated attacks potentially guided by cen-tralized administrators (possible poison or pollutionof training data).

3 Profiling Crowdturf Workers

We begin our study by searching for behavioral fea-tures that distinguish worker accounts from normal users.These features will be used to build ML detectors in §4.

User Profile Fields. We start with user profile fea-tures commonly used as indicators of abnormal behav-ior. These features include followee-to-follower ratio(FFRatio), reciprocity (i.e. portion of user’s followeeswho follow back), user tweets per day, account age, andratio of tweets with URLs and mentions.

Unfortunately, our data shows that most of these fea-tures alone cannot effectively distinguish worker ac-counts from normal users. First, FFRatio and reci-procity are commonly used to identify malicious spam-

mers [4, 43, 50]. Intuitively, spammers follow a largenumber of random users and hope for them to followback, thus they have high FFRatio and low reciprocity.However, our analysis shows worker accounts have bal-anced FFRatios, the majority of them even have morefollowers than followees (Figure 2), and their reciprocityis very close to those of normal users (Figure 3). Otherprofile features are also ineffective, including accountage, tweets per day, ratio of tweets with URLs and men-tions. For example, existing detectors usually assumeattackers create many “fresh” accounts to spam [4, 43],thus account age has potential. But we find that morethan 75% of worker accounts in our dataset have beenactive for at least one year.

These results show that crowd-worker accounts inmany respects resemble normal users, and are not eas-ily detected by profile features alone [47].

User Interactions. Next, we move on to features re-lated to user interactions. The intuition is that crowdturfworkers are task-driven, and log on to work on tasks, butspend minimal time interacting with others. User interac-tions in Weibo are dominated by comments and retweets.We perform analysis on both of them and find consistentresults which show they are good metrics to distinguishworkers from non-workers. For brevity, we limit our dis-cussion to results on comment interactions.

Figure 4 shows crowdturf accounts are less likely toreceive comments on their tweets. For 80% of crowdturfaccounts, less than 20% of their tweets are commented;while for 70% of normal users, their ratio of commentedtweets exceeds 20%. This makes sense, as the fake con-tent posted by crowdturf workers may not be interestingenough for others to comment on. We also examine thenumber of people that each user has bidirectional com-ments with (bi-commentors). Crowdturf workers rarelyinteract with other users, with 66% of accounts having atmost one bi-commentor.

Tweeting Clients. Next we look at the use of tweetingclients (devices). We can use the “device” field associ-ated with each tweet to infer how tweets are sent. Tweetclients fall into four categories: web-based browsers,apps on mobile devices, third-party account management

0

20

40

60

80

100

Turfing Active Auth.

% o

f Tot

al T

wee

ts

WebMobileAutoShareOthers

Figure 5: Tweet client usage.

0

20

40

60

80

100

1 10 100

CD

F o

f Use

rs (

%)

Max # consecutive tweets with all intervals < d

AuthenticatedActive

Turfing

Figure 6: Max size of tweeting burst(thresholdd = 1 minute).

0

20

40

60

80

100

0 0.1 0.2 0.3 0.4 0.5 0.6

CD

F o

f Use

rs (

%)

Entropy

TurfingActive

Authenticated

Figure 7: Normalized entropy oftweeting inter-arrival time.

Categ. Top Tweet ClientsWeb Weibo Web, Weibo PC, 360Browser, Weibo Pro.Mobile iPhone, Android, iPad, XiaoMiAuto PiPi, Good Nanny, AiTuiBao, Treasure BoxShare Taobao, Youku, Sina Blog, Baidu

Table 2: High-level categories for tweeting clients.

tools, and third-party websites via “share” buttons (Ta-ble 2). Figure 5 shows key differences in how differ-ent users use tweet clients. First, crowdturf workersuse mobile (10%) much less than normal users (36%−46%). One reason is that crowdturf workers rely on webbrowsers to interact with crowdturfing sites to get (sub-mit) tasks and process payment, actions not supported bymost mobile platforms.

We also observe that crowdturf workers are morelikely to use automated tools. A close inspection showsthat workers use these tools to automatically post non-spam tweets retrieved from a central content repository(e.g. a collection of hot topics). Essentially, crowdturfaccounts use these generic tweets as cover traffic for theircrowdturfing content. Third, crowdturf accounts “share”from third-party websites more often, since that is a com-mon request in crowdturfing tasks [48].

Temporal Behavior. Finally, we look at temporal char-acteristics of tweeting behavior: tweet burstiness and pe-riodicity. First, we expect task-driven workers to sendmany tweets in a short time period. We look for poten-tial bursts, where each burst is defined asm consecutivetweets with inter-arrival times< d. We examine eachuser’s maximum burst size (m) with different time thresh-olds d, e.g. Figure 6 depicts the result ford is set to 1minute. We find that crowdturf accounts are more likelyto post consecutive tweets within one-minute, somethingrarely seen from normal users. In addition, crowdturfworkers are more likely to produce big bursts (e.g. 10consecutive tweets with less than one-minute interval).

Second, workers accept tasks periodically, which canleave regular patterns in the timing of their tweets. Weuseentropy to characterize this regularity [16], where

low entropy indicates a regular process while high en-tropy indicates randomness of tweeting. We treat eachuser’s tweeting inter-arrival time as a random variable,and compute the first-order entropy [16]. Figure 7 plotsuser’s entropy, normalized by the largest entropy in ourdataset. Compared to normal users, crowdturf accountsin general have lower entropy, indicating their tweetingbehaviors have stronger periodic patterns.

4 Detecting Crowdturfing Workers

We now use the features we identified to build a numberof crowdturfing detectors using machine learning mod-els. Here, we summarize the set of features we usefor detection, and then build and evaluate a number ofmachine-learning detectors using our ground-truth data.

4.1 Key Features

We chose for our ML detectors a set of 35 features acrossfive categories shown below.

• Profile Fields (9). We use 9 user profile fields6 asfeatures: follower count, followee count, followee-to-follower ratio, reciprocity, total tweet count,tweets per day, mentions per tweet, percent oftweets with mentions, and percent of tweets withembedded URLs.

• User Interactions (8).We use 8 features based onuser interactions,i.e. comments and retweets. 4features are based on user comments: percent oftweets with comments, percent of all comments thatare outgoing, number of bi-commentors, and com-ment h-index (a user with h-index ofh has at leasthtweets each with at leasth comments). We include4 analogous retweet features.

• Tweet Clients (5).We compute and use the % oftweets sent from each tweet client type (web, mo-bile, automated tools, third-party shares and others)as a feature.

6Although profile fieldsalonecannot effectively detect crowdturfaccounts (§3), they are still useful when combined with otherfeatures.

Alg. SettingsNB DefaultBN Default, K2 functionSVMr Kernelγ =1, Cost parameterC=100SVMp Kernel degreed =3, Cost parameterC=50J48 Confidence factorC=0.25, Instance/leafM =2RF 20 trees, 30 features/tree

Table 3: Classifier configurations.

• Tweet Burstiness (12).These 12 features capturethe size and number of tweet bursts. A burst ismconsecutive tweets where gaps between consecutivetweets are at mostd minutes. For each user, we firstcompute the maximum burst size (m) while varyingthresholdd from 0.5 to 1, 30, 60, 120, 1440. Thenwe setd to 1 minute, and compute the number ofbursts while varying sizem over 2, 5, 10, 50, 100,and 500.

• Tweeting Regularity (1).This is the entropy valuecomputed from each user’s tweeting time-intervals.

4.2 Classification Algorithms

With these features, we now build classifiers to detectcrowdturf accounts. We utilize a number of popularalgorithms widely used in security contexts, includingtwo Bayesian methods: Naive Bayesian (NB) [20] andBayesNet (BN) [18]; two Support Vector Machine meth-ods [33]: SVM with radial basis function kernel (SVMr)and SVM with polynomial kernel (SVMp); and twoTree-based methods: C4.5 Decision Tree (J487) [34] andRandom Forests (RF) [7]. We leverage existing imple-mentations of these algorithms in WEKA [17] toolkits.

Classifier and Experimental Setup. We start byconstructing two experimental datasets, each contain-ing all 28K turfing accounts, plus 28K randomly sam-pled baseline users from the “authenticated” and “active”sets. We refer to them asAuthenticated+TurfingandAc-tive+Turfing.

We use a small sample of ground-truth data to tune theparameters of different classifiers. At a high-level, weuse grid search to locate the optimized parameters basedon cross-validation accuracy. For brevity, we omit thedetails of the parameter tuning process and give the finalconfigurations in Table 3. Note that features are normal-ized for SVM algorithms (we tested unnormalized ap-proach which produced higher errors). We use this con-figuration for the rest of our experiments.

Basic Classification Performance. We run each clas-sification algorithm on both experimental datasets with

7J48 is WEKA’s C4.5 implementation.

0

10

20

30

40

50

RF J48SVMr

SVMpBN NB RF J48

SVMrSVMp

BN NB

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Algorithms

(Auth.+Turfing) (Active+Turfing)

False PositiveFalse Negative

Figure 8: Classification error rates. Tree-based algo-rithms and SVMs outperform Bayesian methods.

10-fold cross-validation.8 Figure 8 presents their classi-fication error rates, including false positives (classifyingnormal users as crowdturf workers) and false negatives(classifying crowdturf accounts as normal users).

We make four key observations. First, the two sim-ple Bayesian methods generally perform worse thanother algorithms. Second, Decision Tree (J48) and Ran-dom Forests (RF) are more accurate than SVMs. Thisis consistent with prior results that show SVMs excelin addressing high-dimension problems, while Tree al-gorithms usually perform better when feature dimen-sionality is low (35 in our case) [8]. Third, RandomForests outperform Decision Tree. Intuitively, RandomForests construct multiple decision trees from trainingdata, which can more accurately model the behaviors ofmultiple types of crowdturf workers [7]. In contrast, de-cision tree would have trouble fitting distinct types ofworker behaviors into a single tree. Finally, we observethat the two experiment datasets show consistent resultsin terms of relative accuracy across classifiers.

Comparing the two datasets, it is harder to differen-tiate crowdturf workers fromactiveusers than fromau-thenticatedusers. This is unsurprising, sinceauthenti-catedaccounts often represent accounts of public figures,while active users are more likely to be representativeof the normal user population. In the rest of the experi-ments, wherever the two datasets show consistent results,we only present the results onActive+Turfingfor brevity,which captures the worse case accuracy for detectors.

4.3 Detecting Professional Workers

Our machine learning detectors are generally effective inidentifying worker accounts. However, the contributionof tasks per worker is quite skewed,i.e. 90% of all tasksare completed by the top 10% most active “professional”workers (Figure 9). Intuitively, these “professional work-ers” are easier to detect than one-time workers. By focus-

8Cross-validation is used to compare the performance of differentalgorithms. We will split the data for training and testing the detectorslater.

0

20

40

60

80

100

0 20 40 60 80 100

CD

F o

f Tas

ks (

%)

Fraction of Top Workers (%)

Figure 9: % of Tasks finished by top% of workers. The majority of spamswere produced by top active workers.

0

2

4

6

8

10

12

0 1 10 100

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Workers that Finished > n Tasks

False PositiveFalse Negative

SVMpSVMr

J48RF

Figure 10: Classifying different levelsof workers. Workers are filtered by #of crowdturfing tasks finished.

0.9

0.92

0.94

0.96

0.98

1

0 0.02 0.04 0.06 0.08 0.1

Tru

e P

ositi

ve R

ate

False Positive Rate

RFSVMpSVMr

J48

Figure 11: ROC curves of classi-fying professional workers (workerswho finished more than 100 tasks).

ing on them, we can potentially improve detection accu-racy while still effectively eliminate the largest majorityof crowdturf output.

We evaluate classifier accuracy in detecting profes-sional workers, by setting up a series of datasets eachconsisting of workers who performed more thann tasks(with n set to 1, 10, and 100). Each dataset also containsan equal number of randomly sampled normal users. Wefocus on the most accurate algorithms: Random Forests(RF), Decision Tree (J48) and SVM (SVMr and SVMp),and run 10-fold cross-validation on each of the datasets.

Figure 10 shows the classification results onAc-tive+Turfing. As expected, our classifiers are more ac-curate in identifying “professional” workers. Differentalgorithms converge in accuracy as we raise the mini-mum productivity of professional workers. Accuracy ishigh for crowdturf workers who performed>100 tasks:Random Forests only produce 1.2% false positive rateand 1.1% false negative rate (99% accuracy). Note thatwhile these top workers are only 8.9% of the worker pop-ulation, they are responsible for completing 90% of alltasks. In the rest of the paper, we use “professional work-ers” to refer to workers who have completed>100 tasks.

False Positives vs. False Negatives.In practice, differ-ent application scenarios will seek different tradeoffs be-tween false positives (FP) and false negatives (FN). Forexample, a system used as a pre-filter before more so-phisticated tools (e.g. manual examination) will want tominimize FN, while an independent system without ad-ditional checks will want to minimize false positives toavoid hurting good users.

Figure 11 shows the ROC9 curves of the four algo-rithms on the dataset of professional workers. Again,Random Forests perform best: they achieve extremelylow false positive rate of<0.1% with only 8% false neg-ative rate, or<0.1% false negative rate with only 7%false positive rate. We note that SVMs provide betterfalse positive and false negative tradeoffs than J48, even

9ROC (receiver operating characteristic) is a plot that illustratesclassifier’s false positives and true positives versus detection threshold.

though they have similar accuracy rates.

Imbalanced Data. We check our results on imbalanceddata, since in practice there are more normal users thancrowdturf workers. More specifically, we run our clas-sifier (RF, professional) on imbalancedtestingdata withturfing-to-normal ratio ranging from 0.1 to 1. Note thatwe can still train our classifiers on balancedtraining datasince we use supervised learning (we make sure trainingand testing data have no overlap). We find all the classi-fiers have accuracy above 98% (maximum FP 1.5%, FN1.3%) against imbalanced testing data. We omit the plotfor brevity.

Summary. Our results show that current ML sys-tems can be used to effectively detect crowdturf workers.While this is a positive result, it assumes no adversarialresponse from the crowdturfing system. The followingsections will examine detection efficacy under differentlevels of adversarial attacks.

5 Adversarial Attack: Evasion

We show that ML detectors can effectively identify “pas-sive” crowdturf accounts in Weibo. In practice, however,crowdturfing adversaries can be highly adaptive: theywill change their behaviors over time or can even in-tentionally attack the ML detectors to escape detection.We now re-evaluate the robustness of ML detectors un-der different adversarial environments, focusing on twotypes of adversaries:

1. Evasion Attack: individual crowd-workers adjusttheir behavior patterns to evade detection by trainedML detectors.

2. Poisoning Attack: administrators of crowdturfingsites participate, manipulating the ML detectortraining process by poisoning the training data.

We focus on evasion attacks in this section, and de-lay the study of poisoning attacks to §6. First, we definethe evasion attack model. We then implement evasionattacks of different strengths, and study the performance

of ML detectors accordingly. Specifically, we consider“optimal evasion” attacks, where adversaries have fullknowledge about the ML detectors and the Weibo sys-tem, and more “practical” evasion attacks, where adver-saries have limited knowledge about the detectors andthe Weibo system.

5.1 Basic Evasion Attack Model

Evasion attacks refer to individual crowdturfing workersseeking to escape detection by altering their own behav-ior to mimic normal users. For example, given knowl-edge of a deployed machine learning classifier, a workermay attempt to evade detection by selecting a subset ofuser features, and replacing their values with themedianof the observed normal user values. Since mimickingnormal users reduces crowdturfing efficiency, workersare motivated to minimize the number of features theymodify. This means they need to identify a minimal coreset of features enabling their detection.10

This attack makes two assumptions.First, it assumesthat adversaries,i.e. workers, know the list of featuresused by the classifiers. Technical publications,e.g. onspam detection [4, 43, 50], make it possible for adver-saries to make reasonable guesses on the feature space.Second, it assumes that adversaries understand the char-acteristics of normal users in terms of these features. Inpractice, this knowledge can be obtained by crawling asignificant portion of Weibo accounts.

Depending on their knowledge of the ML features andof normal user behavior, adversaries can launch evasionattacks of different strengths. We implement and evalu-ate ML models on a range of threat models with vary-ing levels of adversary knowledge and computational ca-pabilities. We start from theoptimal evasionscenario,where adversaries havecompleteknowledge of the fea-ture set. The corresponding ML detector results repre-sent worst-case performance (or lower bound) under eva-sion attacks. We also study a set ofpractical evasionmodels where adversaries have limited (and often noisy)knowledge, and constrained resources.

5.2 Optimal Evasion Attack

In this ideal case, adversaries have perfect knowledgeabout the set of features they need to modify. To un-derstand the impact of the feature choices, we look atmultiple variants of the optimal evasion models. Theseinclude theper-worker optimal evasion model, whereeach worker finds her own optimal set of features to alter,theglobal optimal evasionwhere all workers follow thesame optimal set of features to alter, andfeature-awareevasionwhere workers alter the most important features.

10For simplicity, we consider features to be independent.

We implement these evasion models on our ground-truthdataset, and evaluate ML detector accuracy. Note thatthese attacks we identify are not necessarily practical,but are designed to explore worse-case scenarios for MLmodels.

Per-worker Optimal Evasion. Intuitively, eachworker should have her own optimal strategy to alterfeatures,e.g. some workers need to add followers first,while others need to reduce tweeting burstiness. Doingso is hard in practice: each worker has to apply exhaus-tive search to identify its optimal strategy that minimizesthe set of features to modify.

We implement this scenario on ourActive+Turfingdataset. We first split the data into equal-sized trainingand testing datasets, and use the top-4 most accurate al-gorithms to build classifiers with authentic training data.We then run detection on worker accounts in the testingdataset. Here for each worker, we exhaustively test allcombinatorial combinations of possible features to mod-ify until the classifier classifies this worker as normal. Inthis way, we find the minimal set of features each usermust modify to avoid detection.

Figure 12(a) plots the evasion rate for the four MLalgorithms. Clearly, this optimal evasion model ishighly effective. By simply altering one feature, 20-50%of workers can evade detection (different workers canchoose to alter different features). And by altering fivefeatures, 99% of workers can evade all four classifiers.We also observe that the Random Forests (RF) algorithmachieves the best robustness, since it requires the mostnumber of features to be altered.

Global Optimal Evasion. The per-worker modelmakes a strong assumption that each worker can iden-tify her own optimal feature set. Next, we loosen thisassumption and only assume that all workers exercise auniform strategy. This is possible if a third-party (e.g.site admin) guides workers in altering their features.

To identify the global optimal strategy, we search ex-haustively through all possible feature combinations, andlocate the feature set (for a given size) that allows the ma-jority of workers to achieve evasion. The correspondingevasion rate result is in Figure 12(b). 99% of workerscan successfully evade all four detectors by altering 15features, which is much larger than the per-worker case(5 features). This is because any one-size-fits-all strat-egy is unlikely to be ideal for individual workers, thusthe feature set must be large enough to cover all workers.

Feature-aware Evasion. Achieving optimal evasion isdifficult, since it requires adversaries to have knowledgeof the trained classifiers. Instead, this model assumes thatadversaries can accurately identify the relatively “impor-tance” of the features. Thus workers alter the most im-portant features to try to avoid detection.

0

20

40

60

80

100

0 1 2 3 4 5

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

J48SVMrSVMp

RF

(a) Per-worker Optimal Evasion

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

J48RF

SVMrSVMp

(b) Global Optimal Evasion

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

RFJ48

SVMrSVMp

(c) Feature Importance Aware Evasion

Figure 12: Evasion rate of optimal evasion strategies (all workers).

We implement this attack by building the classifiersand then computing the feature importance. For this weuse theχ2 (Chi Squared) statistic [51], a classic metricto measure feature’s discriminative power in separatingdata instances of different classes11. During detection,workers alter features based on their rank.

Figure 12(c) plots evasion results for the four classi-fiers. We make two key observations. First, this feature-aware strategy is still far away from the per-worker op-timal case (Figure 12(a)), mostly because it is tryingto approximate global optimal evasion. Second, perfor-mance depends heavily on the underlying classifier. ForRF and J48, performance is already very close to thatof the global optimal case, while the two SVM algo-rithms are more resilient. A possible explanation is thattheχ2 statistic failed to catch the true feature importancefor SVM, since SVM normalizes feature values beforetraining the classifier. These results suggest that withoutknowing the specific ML algorithm used by the defend-ers, it is hard to avoid detection even knowing the impor-tance of features.

5.3 Evasion under Practical Constraints

Our results show workers can evade detection given com-plete knowledge of the feature set and ML classifiers.However, obtaining complete knowledge is very difficultin practice. Thus we examinepractical evasion threatmodels to understand their efficacy compared to optimalevasion models. We identify practical constraints facingadversaries, present several practical threat models andevaluate their impact on our detectors.

Practical Constraints. In practice, adversaries facetwo key resource constraints. First, they cannot reverse-engineer the trained classifier (i.e. the ML algorithmused or its model parameters) by querying the classifierand analyzing the output – it is too costly to establishmillions of profiles with controlled features and wait forsome of them to get banned. Thus workers cannot per-

11We also tested information gain to rank features, which producedsimilar ranking results (i.e. the same top-10 as usingχ2).

form exhaustive search to launch optimal evasion attacks,but have to reply on their partial knowledge for evasion.Second, it is difficult for adversaries to obtaincompletestatistics of normal users. They can estimate normal userstatistics via a (small) sampling of user profiles, but esti-mation errors are likely to reduce their ability to preciselymimic normal users.

Next, we will examine each constraint separately, andevaluate the likely effectiveness of attacks under themore realistic conditions.

Distance-aware Evasion. We consider the first con-straint which forces workers to rely onpartial knowl-edge to guide their evasion efforts. In this case, individ-ual workers are only aware of their own accounts andnormal user statistics. When choosing features to alter,they can prioritize features with the largest differentialbetween them and normal users. They must quantify the“distance” between each crowdturf account and normalusers on a given feature. Here, we pick two very intu-itive distance metrics and examine the effectiveness ofthe corresponding evasion attacks. For now, we ignorethe second constraint by assuming workers have perfectknowledge of average user behaviors.

• Value Distance (VD):Given a featurek, this cap-tures the distance between a crowd-workeri andnormal user statistics byVD(i,k)= |Fk(i)−Median(Nk)|

Max(Nk)−Min(Nk)

whereFk(i) is the value of featurek in workeri, andNk is normal user statistical distribution on featurek. When altering featurek, worker i replacesFk(i)with Median(Nk).

• Distribution Distance (DD): Here the distancedepends on whereFk(i) is positioned withinNk. For example, if Fk(i) is around 50%-tile of Nk, then worker i is similar to a nor-mal user. Therefore, we define the distance byDD(i,k) = |Percentile(Nk,Fk(i))− 50|/100 wherePercentile(Nk,Fk(i)) is the percentile ofFk(i) in thenormal user CDFNk. Note that whenFk(i) exceedsthe range ofNk, this distance metric becomes in-valid. However, our data suggests that this rarelyhappens (<1%).

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

RFJ48

SVMrSVMp

(a) Random Evasion Strategy (Random)

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

SVMpSVMr

J48RF

(b) Value Distance Aware Strategy (VD)

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

SVMpSVMr

RFJ48

(c) Distribution Distance Aware Strategy (DD)

Figure 13: Evasion rate of practical evasion strategies (all workers).

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

J48SVMp

RFSVMr

Figure 14: Evasion rate using distri-bution distance aware strategy (DD)for professional workers.

0

20

40

60

80

100

0 5 10 15 20 25 30 35Per

cent

ile o

f Est

imat

ed M

ed. V

alue

Feature Index

0.001% sample0.01% sample0.1% sample

Figure 15: The percentile ofesti-matedmedian value in the true nor-mal user CDF.

0

20

40

60

80

100

0 5 10 15 20 25 30 35

Wor

ker

Eva

sion

Rat

io (

%)

# of Features Changed

delta=5%delta=10%delta=15%delta=20%delta=25%

Figure 16: Impact of median value es-timation error on evasion rate, usingDD evasion on SVMp.

To evaluate the impact of practical evasion attacks,we split theActive+Turfingdata into equal-sized train-ing and testing sets. After classifier training, we sim-ulate the distance-aware evasion attacks on the testingdata. Figure 13(b) and 13(c) show evasion rates based onVD and DD respectively. As a baseline, we also showFigure 13(a) where adversariesrandomlyselect featuresto alter. Compared to random evasion, distance-basedapproaches require much less feature altering. For ex-ample, when altering 15 features, random approach onlysaves<40% of workers, while distance strategies pro-vide as high as 91% (VD-SVMp) and 98% (DD-SVMp).

The four classifiers perform very differently. RF andJ48 classifiers are much more vulnerable to DD basedevasion than to VD based evasion. While SVMs performsimilarly in both strategies. In general, Tree-based al-gorithms are more robust than SVM classifiers againstdistance-aware evasions. This is very different to whatwe observed in the optimal evasion cases (Figure 12(a)–12(b)), where SVMs are generally more robust. Thissuggests that theoretical bounds on ML algorithms maynot truly reflect their performance in practice.

Consistently, the impact of practical evasion attacksis much weaker than that of optimal evasion (i.e. per-worker optimal). Adversaries are severely constrained bylack of knowledge of detection boundaries of the classi-fiers, and have to guess based on “distance” information.The implication is that the less adversaries know aboutclassifiers, the harder it is for them to evade detection.

We also evaluate the attack impact on classifiers to de-tect professional workers. We find the general trends aresimilar and only show the results of DD-based attack inFigure 14. We note that it is easier to evade classifiersdedicated to detect professionals (compared with Fig-ure 13(c)). This is because when trained to a smaller,more homogeneous worker population, classifiers expectstrong malicious behaviors from crowd-workers. Thuseven a small deviation away from the model towards nor-mal users will help achieve evasion.

Impact of Normal User Estimation Errors. We ex-tend the above model by accounting for possible errors inestimating normal user behaviors (the second constraint).These errors exist because adversaries can only samplea limited number of users, leading to noisy estimations.Here, we investigate the impact of sampling strategies onthe attack efficacy.

For all 35 features, we vary the sampling rate,i.e. theratio of normal users sampled by adversaries, by takingrandom samples of 0.001%, 0.01% to 0.1% of theActivedataset. We repeat each instance 100 times, and com-pute the mean and standard deviation of the estimatedmedian feature values (Figure 15). We show each fea-ture’spercentilein the true CDF of theActivedataset. Inthis case, the optimal value is 50%. Clearly sampling ratedoes impact feature estimation. With the 0.001% sam-pling rate, the estimated value varies significantly acrossinstances. Raising the sample rate to 0.1% means attack-ers can accurately estimate the median value using only

a few instances. Furthermore, we see that burstiness fea-tures (e.g. features 30-34) are easy to sample, since nor-mal user values are highly skewed to zero.

Finally, we evaluate the impact of estimation errorson practical evasion attacks. This time we run distance-aware evasions based on theestimatedmedian featurevalues. For each worker’s featurek, we estimate the me-dian valueM′(k) with a given bound of error∆. Thatis, M′(k) is randomly picked from the percentiles within[50%−∆,50%+∆] on the true CDF of normal user be-haviors. By iterating through different∆ (from 5% to25%), our results show that∆ only has a minor impact.The most noticeable impact is on SVMp using DD dis-tance (Figure 16). Overall, we conclude that as long asadversaries can get a decent guess on normal user be-haviors, the residual noise in the estimation∆ should notaffect the efficacy of evasion attacks.

Summary. Our work produces two key observations.

• Given complete knowledge, evasion attacks arevery effective. However, adversaries under more re-alistic constraints are significantly less effective.

• While no classifier is robust against all attack sce-narios, there is a consistent inverse relationship be-tween single model fitting accuracy and robustnessto adversarial evasion. Highly accurate fit to asmaller, more homogeneous population (e.g. pro-fessionals) makes models more vulnerable to eva-sion attacks.

6 Adversarial Attack: Poisoning

After examining evasion attacks, we now look at howcentralized crowdturfing sites can launch more powerfulattacks to manipulate machine learning models. Specifi-cally, we consider the poisoning attack where administra-tors of crowdturfing sites intentionally pollute the train-ing dataset used to build ML classifiers, forcing defend-ers to produce inaccurate classifiers. Since the trainingdata (i.e. crowdturfing accounts) actually comes fromthese crowdturfing sites, administrators are indeed capa-ble of launching these attacks.

In the following, we examine the impact of poison-ing attacks on ML detection accuracy. We consider twomechanisms for polluting training data. The first methoddirectly adds misleading/synthetic samples to the train-ing set. Adversaries in the second method simply alterdata records, or modify operational policies to alter thecomposition of the training data used by ML models.

6.1 Injecting Misleading Samples

Perhaps the simplest way to pollute any training data isto add misleading or false samples. In our case, since

the training data has two classes (groups) of accounts,this can be done by mixing normal user samples into the“turfing” class, i.e. poisoning the turfing class, or mix-ing crowdturf samples into the “normal” user class,i.e.poisoning the normal class. Both introduce incorrectlylabeled training data to mislead the classifier.

Poisoning Turfing Class. To poison the turfing class,adversaries (e.g. ZBJ and SDH administrators) add nor-mal Weibo accounts to the public submission records intheir own systems. Since ML classifiers take ground-truth crowdturf accounts from those public records, thesebenign accounts will then be mixed into the training dataand labeled as “turfing.” The result is a model that markssome characteristics of normal users as crowdturfing be-havior, likely increasing false positive rate in detection.

We simulate the attack with our ground-truth dataset.At a high level, we train the classifiers on “polluted”training data, and then examine changes in classifiers’detection accuracy. Here we experiment with two strate-gies to pollute the turfing class. First, as a baseline strat-egy, adversariesrandomlyselect normal users as poisonsamples to inject into the turfing class. Second, adver-saries can injectspecifictypes of normal users, causingthe classifiers to producetargetedmistakes.Random Poisoning: We simulate this poisoning at-tack with Active+Turfingdataset, where adversaries in-ject random normal accounts to the turfing class. Specif-ically, for training, the turfing class (14K accounts) is amixture of crowdturf accounts and poison samples ran-domly selected fromActive, with a mixing ratio of p.The normal class is another 14K normal accounts fromActive. Then we use 28K of the rest accounts (14K turf-ing and 14K normal users) for testing. For any givenp,we repeat the experiment 10 times with different randompoison samples and training-testing partitions to computeaverage detection rates.

Results are shown in Figure 17(b). As a baseline com-parison, we also present the results of the classifiers forprofessional workers in Figure 17(a). We have three ob-servations. First, as poison-to-turfing ratiop increases,false positive rates go up for all four algorithms. Falsenegative rates are not much affected by this attack, thusare omitted from the plot.12 Second, we find that theSVM classifiers are more resilient: SVMp’s false posi-tive rate increases<5% asp approaching 1.0, while theanalogous increases exceed 10% for Random Forests andJ48. Particularly, J48 experiences more drastic fluctua-tions around average, indicating it is very sensitive to thechoice of poison samples. This is consistent with ourprior observation that more accurate single model fitting(i.e. J48 is more accurate than SVM) is more vulnerableto adversarial attacks. Similarly, highly accurate detec-

12False negative rates increase< 2% whenp approaches 1.0.

0

5

10

15

20

25

0.01 0.1 1

Fal

se P

ositi

ve R

ate

(%)

Ratio of Poison-to-Turfing

J48RF

SVMrSVMp

(a) Professional Workers

0

5

10

15

20

25

0.01 0.1 1

Fal

se P

ositi

ve R

ate

(%)

Ratio of Poison-to-Turfing

J48RF

SVMrSVMp

(b) All Workers

Figure 17: Poisoning training dataset by injecting randomnormal user samples to the turfing class.

0 5

10 15 20 25 30 35 40 45

0.01 0.1 1

Fal

se P

ositi

ve R

ate

(%)

Ratio of Poison-to-Turfing

J48RF

SVMrSVMp

(a) Injecting Accounts with> 50%tweets commented

0 5

10 15 20 25 30 35 40 45

0.01 0.1 1

Fal

se P

ositi

ve R

ate

(%)

Ratio of Poison-to-Turfing

J48RF

SVMrSVMp

(b) Injecting Accounts with< 150followers

Figure 18: Targeted poisoning. Adversaries inject specifictype of normal users to the turfing class (all workers).

tion of the more homogeneous population of professionalworkers (§4) means the models experience larger rela-tive impacts from attacks compared to classifiers over allworkers.

Note that we limited the poison-to-turfing ratio<1,since in practice adversaries cannot inject unlimited poi-son samples to defender’s training data. First, injectingnoise causes inconvenience to their own customers in lo-cating qualified workers. Second, defenders may collectground-truth records from multiple crowdturfing sites.Targeted Poisoning: Next, we exploretargetedpoi-soning to the turfing class. Here the adversaries wantto carefully inject selected poison samples so classifiersmake targeted mistakes. For example, our classifier uses“ratio of commented tweets” as a feature with the intu-ition that worker’s tweets rarely receive comments (§3).Once adversaries gain this knowledge, they can inten-tionally select accounts whose tweets often receive com-ments as the poison samples. As a result, the trainedclassifier will mistakenly learn that users with high com-ment ratio can be malicious, thus are likely to misclassifythis kind of normal users as crowd-workers.

To evaluate the impact of targeted poisoning, we per-form similar experiments, except that we select poisonsamples based on specific feature. Figure 18 shows theattacking results on two example features: ratio of tweetswith comments and follower count. Compared with Fig-ure 17, targeted poisoning can trigger higher false posi-

0

5

10

15

20

25

30

0.01 0.1 1

Fal

se N

egat

ive

Rat

e (%

)

Ratio of Poison-to-Normal

SVMrSVMp

J48RF

(a) Professional Workers

0

5

10

15

20

25

30

0.01 0.1 1

Fal

se N

egat

ive

Rat

e (%

)

Ratio of Poison-to-Normal

SVMrSVMp

J48RF

(b) All Workers

Figure 19: Poisoning training dataset by adding turfingsamples to normal class.

tives than randomly selecting poison samples. Also, theprevious observations still hold with SVM being morerobust and J48 experiencing unstable performance (largedeviation from average).

Poisoning Normal User Class. Next, we analyze theother direction where adversaries inject turfing samplesinto the “normal” class to boost thefalse negative rateof classifiers. This may be challenging in practice sincethe normal user pool – Weibo’s whole user population –is extremely large. Hence it requires injecting a signifi-cant amount of misleading samples in order to make animpact. Here from defender’s perspective, we aim to un-derstand how well different classifiers cope with “noisy”normal user data.

We repeat the previous “Random Poisoning” attack onthe normal class. Figure 19(a) and Figure 19(b) showthe attack results on classifiers for professional workersand all workers respectively. As we increase the ratio ofpoison samples, the false negatives of all four classifiersincrease. This is expected as the classifiers will mistak-enly learn crowdturf characteristics when modeling nor-mal users, thus are likely to misclassify turfing accountsas benign later. In addition, we find the robustness of dif-ferent classifiers varies, with Random Forests algorithmproducing the lowest overall false negatives. Finally, weagain observe that the more accurate classifier for profes-sional workers suffers larger relative impacts from adver-saries than classifiers for all-workers.

6.2 Altering Training Data

The above poisoning attacks focus on misleading classi-fiers to catch the wrong target. However, it does not fun-damentally prevent crowd-workers from detection, sinceworkers’ behavior patterns are still very differently fromnormal users. To this end, we explore a second poison-ing attack, where adversaries directlyalter the trainingdata by tuning crowd-workers’ behavior to mimic normalusers. The goal is to make it difficult (or even impossi-ble) to train an accurate classifier that isolates crowdturfaccounts with normal accounts.

0 2 4 6 8

10 12 14 16

NoneProfile

Interact

Client

BurstEntropy

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Features Attacked

False PositiveFalse Negative

(a) Random Forests

0 2 4 6 8

10 12 14 16

NoneProfile

Interact

Client

BurstEntropy

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Features Attacked

False PositiveFalse Negative

(b) J48

0 2 4 6 8

10 12 14 16

NoneProfile

Interact

Client

BurstEntropy

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Features Attacked

False PositiveFalse Negative

(c) SVMr

0 2 4 6 8

10 12 14 16

NoneProfile

Interact

Client

BurstEntropy

Cla

ssifi

catio

n E

rror

Rat

e (%

)

Features Attacked

False PositiveFalse Negative

(d) SVMp

Figure 20: Performance of different classifiers when adversaries alter crowd-workers’ features to mimic normal users.The horizontal lines represent the baseline false positive(false negative) rates when no feature is altered.

To carry out this attack, adversaries (e.g. administra-tors of ZBJ and SDH) need to modify the behaviors ofnumerous crowdturf workers. This can be done by cen-trally enforcing operational policies to their own system.For example, enforcing minimal time interval betweentaking tasks to reduce the tweeting burstiness or enforc-ing screening mechanisms to reject worker accounts with“malicious” profile features. In the following, we evalu-ate the attack impact using simulations, followed by thediscussion of practical costs.

Feature Altering Attack. To simulate this attack, welet adversaries select a set of featuresF of crowdturf ac-counts and alterF to mimic the corresponding featuresof normal users. Unlike evasion attacks that can sim-ply mimic normal users’ median values, here we needto mimic the whole distribution in order to make the twoclasses indistinguishable on these features. Since the fea-ture altering is for all workers in the crowdturfing sys-tem, thus it actually applies to crowdturf accounts in bothtraining and testing datasets. Finally, note that featuresare not completely independent,i.e. changing one fea-ture may cause changes in others. To mitigate this, wetune features under the same category simultaneously.

Figure 20 shows the attack results onTurfing+Activedataset. We attack each feature category and repeat theexperiment for 10 times. Here we simulate attacking onecategory at a time, and will discuss attacking categorycombinations later. In general, the attack makes all clas-sifiers produce higher error rates compared with baselinewhere no feature is altered (the horizontal lines). How-ever the impact is mild compared to injection-based poi-soning attacks. For example, the most effective attack ison J48 when altering interaction features, which causeserror rate increased by 4%, while injection-based attackcan boost error rate by more than 20% (Figure 18). Onepossible reason is that unlike injection-based poisoning,altering-based poisoning does not cause inconsistenciesin training and testing data, but only make the two classesharder to separate.

Costs of Altering. In practice, feature altering comeswith costs, and some features may be impossible to ma-

Features Error Rate (FP %, FN %)Attacked RF J48 SVMr SVMpNone (6.2, 3.4) (6.7, 6.8) (7.7, 10.1) (7.9, 12.1)C+B (5.7, 4.4) (7.9, 8.7) (8.7, 12.2) (8.0, 14.0)B+E (6.5, 3.9) (7.1, 7.8) (8.7, 12.5) (7.3, 13.1)C+E (6.4, 4.5) (7.9, 8.2) (7.5, 11.8) (6.3, 13.8)C+B+E (5.8, 4.2) (8.3, 8.5) (8.6, 13.2) (7.7, 15.2)

Table 4: Error rates when features are altered in combi-nations. We focus on attacking low-cost features: TweetClient (C), Burstiness (B) and Entropy (E).

nipulate even by crowdturfing administrators. For in-stance,Tweeting Regularity(Entropy) andBurstinessfeatures are easier to alter. Recall that crowdturfing sys-tems can enforce minimal (random) time delay betweenworkers taking on new tasks, or use delays to increaseentropy. Changing theTweet Clientfeature is also pos-sible, since crowdturfing systems can develop mobileclient software for their workers, or simply release toolsfor workers to fake their tweeting clients.

ProfileandInteractionfeatures are more difficult to al-ter. Some features are mandatory for common tasks. Forexample, workers need to maintain a certain number offollowers in order to spread spam to reach large enoughaudiences. In addition, some features are rooted in thefact that crowd-workers don’t use their accounts organ-ically, which, making it hard to generate normal userinteractions. Although, crowdturfing systems could po-tentially use screening mechanisms to reject obviously-malicious crowdturf accounts from their system. How-ever, this high bar will greatly shrink the potential workerpopulation, and likely harm the system’s spam capacity.

Considering practical costs, we consider whether it ismore impactful to alter the combinations of features fromdifferent categories. Here we focus on altering the lowcost features inTweet Client(C), Burstiness(B) andEn-tropy (E). As shown in Table 4, attacking feature combi-nations produces slightly higher error rates than attack-ing a single feature category, but the overall effect is stillsmall (less than 4% error rate increase).

Summary and Discussion. Through our analysis, wefind that injecting misleading samples into training datacauses more significant errors than uniformly alteringworker behavior. In addition, we again observe the in-verse relationship between single model fitting accuracyand robustness.

To protect their workers, crowdturfing sites may alsotry to apply stronger access control to their public recordsin order to make training data unavailable for ML detec-tors13. However, this creates obvious inconvenience forcrowdturfing sites, since they rely on these records to at-tract new workers. Moreover, even if records were pri-vate, defenders can still obtain training data by joining as“customers,” offering tasks, and identifying accounts ofparticipating workers.

7 Related Work

Crowdturfing. Prior works used measurements oncrowdturfing sites to understand their operation and eco-nomic structure [23, 24, 26, 48]. Some systems havebeen developed to detect paid human spammers in on-line review sites [31] and Q&A systems [9, 45]. To thebest of our knowledge, our work is the first to explore de-tection of crowdturfing behaviors in adversarial settings.

OSN Spammer Detection. Researchers have de-veloped mechanisms to detect fake accounts (Sybil)and spam campaigns in online social networks, includ-ing Facebook [15, 49], Twitter [43], Renren [52] andLinkedIn [46]. Most prior works develop ML modelsusing features of spammer profiles (e.g. FFRatio, black-listed URLs) or bot-like behaviors [4, 11, 42, 47, 50].However, a recent study shows dedicated spam botscan still infiltrate social networks without being de-tected [14]. In our case, crowdturf accounts are care-fully maintained by human users, and their questionableactivities are camouflaged with synthetic cover traffic.This makes their detection challenging, until we add ad-ditional behavioral features (e.g. user-interaction, task-driven behavior).

Adversarial Machine Learning. In an earlystudy [19], researchers classify ML adversarial attacksinto two high-level categories:causativeattacks whereadversaries alter the training process to damage the clas-sifier performance, andexploratory attacks where ad-versaries try to circumvent an already-trained classi-fier. Much of existing work focuses onexploratoryat-tacks [5, 12, 25, 28] with less focusing oncausativeat-tacks [6, 37], since it’s usually more difficult for adver-saries to access training data in practice. In this paper, we

13As of late 2013, some crowdturfing sites (e.g. ZBJ) have alreadystarted to follow this direction, by limiting access to public transactionrecords to verified active participants.

studied both angles as both attacks are practically feasi-ble from crowdturfing adversaries.

Several studies have examined attacks on specific ML-based applications, from email spam detection [12] tonetwork intuition detection [37, 40, 44] to malicious(PDF) file classification [5, 25, 41] and malware detec-tion [21]. Our work focuses on crowdturfing and ex-plores a wider range of adversarial attacks, including ac-tive evasion and more powerful poison attacks against themodel training process.

8 Conclusion and Discussion

We use a large-scale ground truth dataset to develop ma-chine learning models to detect malicious crowdsourcingworkers. We show that while crowdturfing workers re-semble normal users in their profiles, ML models can ef-fectively detect regular workers (95% accuracy) or “pro-fessionals” (99% accuracy) using distinguishing featuressuch as user interactions and tweet dynamics.

More importantly, we use crowdturfing defense ascontext to explore the robustness of ML algorithmsagainst adversarial attacks. We evaluate multiple adver-sarial attack models targeting both training and testingphases of ML detectors. We find that these attacks areeffective against all machine learning algorithms, and co-ordinated attacks (such as those possible in crowdturfingsites) are particularly effective. We also note a consistenttradeoff where more accurate fits (especially to a smaller,more homogeneous population) result in higher vulner-ability to adversarial attacks. The exception appears tobe Random Forests, which often achieves both high ac-curacy and robustness to adversaries, possibly due to itsnatural support for multiple populations.

Limitations and Future Work. We note that ourstudy has several limitations. First, our analysis focuseson Weibo, and our adversary scenarios may not gener-alize fully to other platforms (e.g. review sites, instantmessage networks). However, more work is necessaryto validate our findings on other platforms. Second, ouradversarial models use simplifying assumptions,i.e. fea-tures are independent and costs for feature modificationare uniform. In addition, attackers may behave differ-ently to disrupt the operation of ML detectors.

Moving forward, one goal is to validate our adversar-ial models in practice, perhaps by carrying out a user-study on crowdturfing sites where we ask workers to ac-tively evade and disrupt ML detectors. In addition, ourresults show we must explore approaches to improve therobustness of ML-based systems. Our analysis showedthat ML algorithms react differently to different adver-sarial attacks. Thus one possible direction is to develophybrid systems that integrate input from multiple classi-

fiers, ideally without affecting overall accuracy. We alsoobserve that limiting adversaries’ knowledge of the tar-get system can greatly reduce their attack abilities. Howto effectively prevent adversaries from gaining knowl-edge or reverse-engineering models is also a topic forfuture work.

9 Acknowledgments

We would like to thank the anonymous reviewers fortheir helpful feedback, and Xifeng Yan for insightfuldiscussions. This work is supported in part by NSFgrants IIS-1321083, CNS-1224100, IIS-0916307, by theDARPA GRAPHS program (BAA-12-01), and by theDepartment of State. Any opinions, findings, and con-clusions or recommendations expressed in this materialare those of the authors and do not necessarily reflect theviews of the funding agencies.

References

[1] Sina Weibo Admin Statement on Spam.http://www.weibo.com/p/1001603697836242954625,April 2014.

[2] Sina Weibo Terms of Service.http://service.account.weibo.com/roles/guiding, 2014.(The link is accessible after login).

[3] A HN, Y.-Y., HAN , S., KWAK , H., MOON, S., AND

JEONG, H. Analysis of topological characteristics ofhuge online social networking services. InProc. of WWW(2007).

[4] BENEVENUTO, F., MAGNO, G., RODRIGUES, T., AND

ALMEIDA , V. Detecting spammers on twitter. InProc. ofCEAS(2010).

[5] B IGGIO, B., CORONA, I., MAIORCA, D., NELSON, B.,SRNDIC, N., LASKOV, P., GIACINTO , G., AND ROLI , F.Evasion attacks against machine learning at test time. InProc. of ECML PKDD(2013).

[6] B IGGIO, B., NELSON, B., AND LASKOV, P. Poisoningattacks against support vector machines. InProc. of ICML(2012).

[7] BREIMAN , L. Random forests.Machine Learning 45, 1(2001), 5–32.

[8] CARUANA , R., KARAMPATZIAKIS , N., AND YESSE-NALINA , A. An empirical evaluation of supervised learn-ing in high dimensions. InProc. of ICML(2008).

[9] CHEN, C., WU, K., SRINIVASAN , V., AND R, K. B.The best answers? think twice: Online detection of com-mercial campaigns in the cqa forums.CoRR(2012).

[10] CHEN, X. Dairy giant mengniu in smear scandal. ChinaDaily, October 2010.

[11] CHU, Z., GIANVECCHIO, S., WANG, H., AND JAJO-DIA , S. Who is tweeting on twitter: human, bot, or cy-borg? InProc. of ACSAC(2010).

[12] DALVI , N., DOMINGOS, P., MAUSAM , SANGHAI , S.,AND VERMA, D. Adversarial classification. InProc. ofKDD (2004).

[13] EATON, K. Mechanical turk’s unsavory side effect: Mas-sive spam generation. Fast Company, December 2010.

[14] FREITAS, C. A., BENEVENUTO, F., GHOSH, S., AND

VELOSO, A. Reverse engineering socialbot infiltrationstrategies in twitter.CoRR abs/1405.4927(2014).

[15] GAO, H., HU, J., WILSON, C., LI , Z., CHEN, Y., AND

ZHAO, B. Y. Detecting and characterizing social spamcampaigns. InProc. of IMC(2010).

[16] GIANVECCHIO, S., AND WANG, H. Detecting coverttiming channels: an entropy-based approach. InProc. ofCCS(2007).

[17] HALL , M., FRANK , E., HOLMES, G., PFAHRINGER,B., REUTEMANN, P., AND WITTEN, I. H. The wekadata mining software: an update.SIGKDD Explor. Newsl.11, 1 (2009).

[18] HECKERMAN, D., GEIGER, D., AND CHICKERING,D. M. Learning bayesian networks: The combinationof knowledge and statistical data.Mach. Learn. 20, 3(1995), 197–243.

[19] HUANG, L., JOSEPH, A. D., NELSON, B., RUBIN-STEIN, B. I., AND TYGAR, J. D. Adversarial machinelearning. InProc. of AISec(2011).

[20] JOHN, G. H., AND LANGLEY, P. Estimating continu-ous distributions in bayesian classifiers. InProc. of UAI(1995).

[21] KANTCHELIAN , A., AFROZ, S., HUANG, L., ISLAM ,A. C., MILLER , B., TSCHANTZ, M. C., GREENSTADT,R., JOSEPH, A. D., AND TYGAR, J. D. Approaches toadversarial drift. InProc. of AISec(2013).

[22] LAKHINA , A., CROVELLA , M., AND DIOT, C. Diag-nosing network-wide traffic anomalies. InProc. of SIG-COMM (2004).

[23] LEE, K., TAMILARASAN , P., AND CAVERLEE, J.Crowdturfers, campaigns, and social media: Tracking andrevealing crowdsourced manipulation of social media. InProc. of ICWSM(2013).

[24] LEE, K., WEBB, S., AND GE, H. The dark side ofmicro-task marketplaces: Characterizing fiverr and au-tomatically detecting crowdturfing. InProc. of ICWSM(2014).

[25] MAIORCA, D., CORONA, I., AND GIACINTO , G. Look-ing at the bag is not enough to find the bomb: an evasionof structural methods for malicious pdf files detection. InProc. of ASIACCS(2013).

[26] MOTOYAMA , M., MCCOY, D., LEVCHENKO, K., SAV-AGE, S., AND VOELKER, G. M. Dirty jobs: The role offreelance labor in web service abuse. InProc. of UsenixSecurity(2011).

[27] NELSON, B., RUBINSTEIN, B. I. P., HUANG, L.,JOSEPH, A. D., HON LAU , S., LEE, S. J., RAO, S.,TRAN, A., AND TYGAR, J. D. Near-optimal evasion ofconvex-inducing classifiers. InProc. of AISTATS(2010).

[28] NELSON, B., RUBINSTEIN, B. I. P., HUANG, L.,JOSEPH, A. D., LEE, S. J., RAO, S.,AND TYGAR, J. D.Query strategies for evading convex-inducing classifiers.J. Mach. Learn. Res. 13, 1 (2012).

[29] NEWSOME, J., KARP, B., AND SONG, D. Poly-graph: Automatically generating signatures for polymor-phic worms. InProc. of IEEE S&P(2005).

[30] ONG, J. China’s sina weibo grew 73% in 2012, pass-ing 500 million registered accounts. The Next Web, Feb.2013.

[31] OTT, M., CHOI, Y., CARDIE, C., AND HANCOCK, J. T.Finding deceptive opinion spam by any stretch of theimagination. InProc. of ACL(2011).

[32] PHAM , N. Vietnam admits deploying bloggers to supportgovernment. BBC News, January 2013.

[33] PLATT, J. C. Fast training of support vector machinesusing sequential minimal optimization. InAdvances inKernel Methods - Support Vector Learning(1998).

[34] QUINLAN , J. R. C4.5: programs for machine learning.Morgan Kaufmann Publishers Inc., 1993.

[35] RAMACHANDRAN , A., FEAMSTER, N., AND VEM-PALA , S. Filtering spam with behavioral blacklisting. InProc. of CCS(2007).

[36] ROBINSON, G. A statistical approach to the spam prob-lem. Linux J. 2003, 107 (2003).

[37] RUBINSTEIN, B. I., NELSON, B., HUANG, L., JOSEPH,A. D., LAU , S.-H., RAO, S., TAFT, N., AND TYGAR,J. D. Antidote: understanding and defending against poi-soning of anomaly detectors. InProc. of IMC(2009).

[38] SHEAR, M. D. Republicans use crowdsourcing to attackobama campaign. The New York Times, May 2012.

[39] SIMONITE , T. Hidden industry dupes social media users.MIT Review, December 2011.

[40] SOMMER, R., AND PAXSON, V. Outside the closedworld: On using machine learning for network intrusiondetection. InProc. of IEEE S&P(2010).

[41] SRNDIC, N., AND LASKOV, P. Practical evasion of alearning-based classifier: A case study. InProc. of IEEES&P (2014).

[42] STRINGHINI , G., KRUEGEL, C., AND V IGNA , G. De-tecting spammers on social networks. InProc. of ACSAC(2010).

[43] THOMASY, K., GRIERY, C., PAXSONY, V., AND

SONGY, D. Suspended accounts in retrospect: An analy-sis of twitter spam. InProc. of IMC(2011).

[44] VENKATARAMAN , S., BLUM , A., AND SONG, D. Lim-its of learning-based signature generation with adver-saries. InProc. of NDSS(2008).

[45] WANG, G., GILL , K., MOHANLAL , M., ZHENG, H.,AND ZHAO, B. Y. Wisdom in the social crowd: an anal-ysis of quora. InProc. of WWW(2012).

[46] WANG, G., KONOLIGE, T., WILSON, C., WANG, X.,ZHENG, H., AND ZHAO, B. Y. You are how you click:Clickstream analysis for sybil detection. InProc. ofUSENIX Security(2013).

[47] WANG, G., MOHANLAL , M., WILSON, C., WANG, X.,METZGER, M., ZHENG, H., AND ZHAO, B. Y. Socialturing tests: Crowdsourcing sybil detection. InProc. ofNDSS(2013).

[48] WANG, G., WILSON, C., ZHAO, X., ZHU, Y., MOHAN-LAL , M., ZHENG, H., AND ZHAO, B. Y. Serf and turf:crowdturfing for fun and profit. InProc. of WWW(2012).

[49] WILSON, C., SALA , A., PUTTASWAMY, K. P. N., AND

ZHAO, B. Y. Beyond social graphs: User interactionsin online social networks and their implications.ACMTransactions on the Web 6, 4 (November 2012).

[50] YANG, C., HARKREADER, R. C., AND GU, G. Diefree or live hard? empirical evaluation and new designfor fighting evolving twitter spammers. InProc. of RAID(2011).

[51] YANG, Y., AND PEDERSEN, J. O. A comparative studyon feature selection in text categorization. InProc. ofICML (1997).

[52] YANG, Z., WILSON, C., WANG, X., GAO, T., ZHAO,B. Y., AND DAI , Y. Uncovering social network sybils inthe wild. In IMC (2011).

[53] ZHANG, L., YANG, J., AND TSENG, B. Online model-ing of proactive moderation system for auction fraud de-tection. InProc. of WWW(2012).

[54] ZHANG, Y., GE, Z., GREENBERG, A., AND ROUGHAN,M. Network anomography. InProc. of IMC(2005).