Professional Documents
Culture Documents
Discovery of Theme-Topic Labels for Phishing Email Subject Lines via Zero-Shot Learning and Emotional Model
In this experiment, I attempted to infer possible topics and sentiments related to subject lines of phishing emails (Including
ours and common summarized topic sentences [1]). According to [4,5], blacklisted words in email subject lines have been
found the most informative features for phish/benign email classification in terms of information gain. The main target of this
topic modeling has been done with the ZeroShot learning scheme provided by HuggingFace modules. ZeroShot learning NLP
models powered by ROBERTA, BERT models are capable of inferring the relatedness of sentences to given topic classes. These
topic classes are given on the fly so there is no need a customized training. The above-mentioned transformer NLP models
were already trained with a huge number of documents. The relatedness of given classes (i.e. "security", "urgency") to the
given sentences (i.e. the subject line(s)) are computed through the neighborhood of word vectors, long short term relations
and the attention paradigm as well. The challenge of this study is finding out the right discriminative set of classes that best
fit the subjects of emails in which we, as human beings, intuitively could validate. The email subject lines were provided
below. Our campaigns' subject lines were taken from Lucy System.
I first attempted to find a paper in the literature that can shed a light on this problem. Although our need was to find a resource
stating common concepts, themes, or topics which are were used in subject lines of phishing emails. According to my best
knowledge, there exists no satisfactory document which directly concludes this context. The studies [1,4,5,6] have addressed
only various common words or sampled frequent subject lines. Thus, it is arguable to select the most appropriate concepts or
topics in phishing emails. I, therefore, intuitively proposed some set of classes such as
{security,account,meeting,post,work,travel,joy,urgency} or {security, login, meeting, announcement, marketing, work,
vacation, event, health, urgency}. Furthermore, I also employed Plutchik's wheel of emotions [7] as another alternative to
infer the emotion belonging to a subject line. The Plutchik Model of Emotions provides a simple logical way to express various
primary and opposite emotions on a polar coordinate system. Accordingly, it involves 8 basic emotions such as joy, trust, fear,
surprise, sadness, anticipation, anger, and disgust. Besides, it organizes these 8 basic emotions based on the physiological
purpose of each. Moreover, the wheel also includes the combinations of emotions such as love, submission, awe, disapproval,
remorse, contempt, aggressiveness, optimism.
In this mini-study, I attempted to obtain higher cohesion between the suggested set of classes and labeling of zero-shot NLP
topic/theme classification. To be more specific, the predictions are computed via the cross-entropy softmax function and each
prediction comes up with a probability score. In order to provide the abovementioned "cohesion", I relied on the prediction
probability score at the inference stage. As is known, the zero-shot learning scheme learns a classifier on one set of labels and
then evaluates on a different set of labels that the classifier has never seen before. For instance, GPT-2 models were directly
used on different downstream tasks such as machine translation without any fine-tuning pre-processing stage. Similarly, the
learned representations in an unsupervised fashion would be used to classify unseen classes based on latent relations among
the words and sequences.
As the dataset, I have collected several subject lines which are reported as frequently found subject lines in [1,6]. In addition,
I have also added lines of our campaigns. As a result, I collected 138 subject lines which are given below. I translated all these
lines to English in the case when they are in german. Next, I created a different 9 sets of classes (5 our proposal while 4 of
them were gathered from Plutchik's wheels of emotions. Here, our objective is to evaluate how the ZSL performs better in
terms higher prediction probability score. During the experiments, I used 3 different assessment schemes each applying
different probability threshold values (i.e 0.5, 0.4 and 0). The higher the probability threshold we apply, the more reliability
we can achieve. My initial results suggest that the set of "ectasy, admiration ,terror, amazement, grief, loathing, rage, vigilance"
achieves the best cohesion in terms of acquired probability scores in all 3 different settings. Note that, these scores currently
do not provide any evidence for any kind of correlation between labels and the difficulty level of campaigns. However, my
next attempt will be exploring the pure relation between the subject line thema/emotion and click rates.
FROM [6]
"Job Opportunity",
"Strategy Meeting",
"What is Chen Guangcheng fighting for?",
"FW: for the extension of the measures against North Korea",
"2012 U.S.Army orders for weapons",
"FW: results of homemaking 2007 annual business plan (min quarter 1 included)",
"DSO-DARPA-BAA-11-65",
"Wage Data 2012",
"U.S.Air Force Procurement Plan 2012",
"About seconded expatriate management in overseas offices",
"FW:[CLASSIFIED] 2012 USA Government of the the Health Reform",
"T.T COPY",
"USA to Provide Declassified FISA Documents",
"FY2011-12 Annual Merit Compensation Guidelines for Staff",
"Contact List Update",
"DOD Technical Cooperation Program",
"DoD Protection of Whistleblowing Spies",
"FW:UK Non Paper on arrangements for the Arms Trade Treaty (ATT) Secretariat",
"Mail delivery failed: returning message to sender",
"Delivery Status Notification (Failure)",
"Become A Paid Mystery Shopper Today! Join and Shop For Free!",
"Re:",
"failure notice",
"Delivery Status Notification (Delay)",
"Returned mail: see transcript for details",
"Get a job as Paid Mystery Shopper! Shop for free and get Paid!",
"Application number: AA700003125331",
"Your package is available for pickup",
"Your statement is ready for your review",
"Unpaid invoice 2913.",
"Track your parcel",
"You have received A Hallmark E-Card!",
"Your Account Opening is completed.",
"Delivery failure",
"Undelivered Mail Returned to Sender",
"Laura would like to be your friend on hi5!",
"You have got a new message on Facebook!",
RESULTS
[1] https://www.techrepublic.com/article/these-subject-lines-are-the-most-clicked-for-phishing/
[3] @article{bergholz2010new, title={New filtering approaches for phishing email},author={Bergholz, Andr{\'e} and De Beer,
Jan and Glahn, Sebastian and Moens, Marie-Francine and Paa{\ss}, Gerhard and Strobel, Siehyun}, journal={Journal of
computer security}, volume={18}, number={1}, pages={7--35}, year={2010}, publisher={IOS Press}}
[4] @inproceedings{hamid2011hybrid, title={Hybrid feature selection for phishing email detection},author={Hamid, Isredza
Rahmi A and Abawajy, Jemal}, booktitle={International Conference on Algorithms and Architectures for Parallel
Processing}, pages={266--275}, year={2011}, organization={Springer}}
[5] @inproceedings{ma2009detecting, title={Detecting phishing emails using hybrid features}, author={Ma, Liping and
Ofoghi, Bahadorrezda and Watters, Paul and Brown, Simon}, booktitle={2009 Symposia and Workshops on Ubiquitous,
Autonomic and Trusted Computing}, pages={493--497},year={2009},organization={IEEE}}