Abstract
Perceptual ad-blocking is a novel approach that uses visual cues to detectonline advertisements. Compared to classical filter lists, perceptualad-blocking is believed to be less prone to an arms race with web publishersand ad-networks. In this work we use techniques from adversarial machinelearning to demonstrate that this may not be the case. We show that perceptualad-blocking engenders a new arms race that likely disfavors ad-blockers.Unexpectedly, perceptual ad-blocking can also introduce new vulnerabilitiesthat let an attacker bypass web security boundaries and mount DDoS attacks. Wefirst analyze the design space of perceptual ad-blockers and present a unifiedarchitecture that incorporates prior academic and commercial work. We thenexplore a variety of attacks on the ad-blocker's full visual-detectionpipeline, that enable publishers or ad-networks to evade or detect ad-blocking,and at times even abuse its high privilege level to bypass web securityboundaries. Our attacks exploit the unreasonably strong threat model thatperceptual ad-blockers must survive. Finally, we evaluate a concrete set ofattacks on an ad-blocker's internal ad-classifier by instantiating adversarialexamples for visual systems in a real web-security context. For sixad-detection techniques, we create perturbed ads, ad-disclosures, and nativeweb content that misleads perceptual ad-blocking with 100% success rates. Forexample, we demonstrate how a malicious user can upload adversarial content(e.g., a perturbed image in a Facebook post) that fools the ad-blocker intoremoving other users' non-ad content.