<?xml version="1.0" standalone="yes"?>
<Paper uid="P06-2058">
  <Title>Obfuscating Document Stylometry to Preserve Author Anonymity</Title>
  <Section position="4" start_page="0" end_page="444" type="metho">
    <SectionTitle>
2 Document Obfuscation
</SectionTitle>
    <Paragraph position="0"> Our approach to document obfuscation is to identify the features that a typical authorship attribution technique will use as markers and then adjust the frequencies of these terms to render them less effective on the target document.</Paragraph>
    <Paragraph position="1">  While it is obvious that one can affect the attribution result by adjusting feature values, we were concerned with:
      * How easy is it to identify and present the required changes to the author?
      * How resilient are the current authorship detection techniques to obfuscation?
      * How much work is involved for the author in the obfuscation process?
    The only related work that we are aware of is Rao and Rohatgi (2000), who identify the problem and suggest (somewhat facetiously, they admit) using a round-trip machine translation (MT) process (e.g., English - French - English) to obscure any traces of the original author's style. They note that the current quality of MT would be problematic, but this approach might serve as a useful starting point for someone who wants to scramble the words a bit before hand-correcting egregious errors (taking care not to re-introduce their style).</Paragraph>
    <Section position="1" start_page="444" end_page="444" type="sub_section">
      <SectionTitle>
2.1 The Federalist Papers
</SectionTitle>
      <Paragraph position="0"> One of the standard document sets used in authorship attribution is the Federalist Papers, a collection of 85 documents initially published anonymously, but now known to have been written by 3 authors: Alexander Hamilton, John Madison and John Jay. Due to illness, Jay only wrote 5 of the papers, and most of the remaining papers are of established authorship (Hamilton = 51; Madison = 14; and 3 of joint authorship between Hamilton and Madison). The 12 remaining papers are disputed between Hamilton and Madison. In this work we limit ourselves to the 65 known single-author papers and the 12 disputed papers.</Paragraph>
      <Paragraph position="1"> While we refer to these 12 test documents as "disputed", it is generally agreed (since the work of Mosteller and Wallace (1964)) that all of the disputed papers were authored by Madison. In our model, we accept that Madison is the author of these papers and adopt the fiction that he is interested in obscuring his role in their creation.</Paragraph>
    </Section>
    <Section position="2" start_page="444" end_page="444" type="sub_section">
      <SectionTitle>
2.2 Problem Statement
</SectionTitle>
      <Paragraph position="0"> A more formal problem statement is as follows: We assume that an author A (in our case, Madison) has created a document D that needs to be anonymized. The author self-selects a set K of N authors (where A ∈ K) that some future agent (the "attacker" following the convention used in cryptography) will attempt to select between.</Paragraph>
      <Paragraph position="1"> The goal is to use authorship attribution techniques to create a new document D' based on D but with features that identify A as the author suppressed.</Paragraph>
    </Section>
  </Section>
  <Section position="5" start_page="444" end_page="445" type="metho">
    <SectionTitle>
3 Document Preparation
</SectionTitle>
    <Paragraph position="0"> Before we can begin with the process of obfuscating the author style in D, we need to gather a training corpus and normalize all of the documents.</Paragraph>
    <Section position="1" start_page="444" end_page="444" type="sub_section">
      <SectionTitle>
3.1 Training Corpus
</SectionTitle>
      <Paragraph position="0"> While the training corpus for our example is trivially obtained, authors wishing to anonymize their documents would need to gather their own corpus specific for their use.</Paragraph>
      <Paragraph position="1"> The first step is to identify the set of authors K (including A) that could have possibly written the document. This can be a set of co-workers or a set of authors who have published on the topic.</Paragraph>
      <Paragraph position="2"> Once the authors have been selected, a suitable corpus for each author needs to be gathered. This can be emails or newsgroup postings or other documents. In our experiments, we did not include D in the corpus for A, although it does not seem unreasonable to do so.</Paragraph>
      <Paragraph position="3"> For our example of the Federalist Papers, K is known to be {Hamilton, Madison} and it is already neatly divided into separate documents of comparable length.</Paragraph>
    </Section>
    <Section position="2" start_page="444" end_page="445" type="sub_section">
      <SectionTitle>
3.2 Document Cleanup
</SectionTitle>
      <Paragraph position="0"> Traditional authorship attribution techniques rely primarily on associating idiosyncratic formatting, language usage and spelling (misspellings, typos, or region-specific spelling) with each author in the study. Rao and Rohatgi (2000) and Koppel and Schler (2003) both report that these words serve as powerful discriminators for author attribution. Thus, an important part of any obfuscation effort is to identify these idiosyncratic usage patterns and normalize them in the text.</Paragraph>
      <Paragraph position="1"> Koppel and Schler (2003) also note that many of these patterns can be identified using the basic spelling and grammar checking tools available in most word processing applications. Correcting the issues identified by these tools is an easy first step in ensuring the document conforms to conventional norms. This is especially important for work that will not be reviewed or edited since these idiosyncrasies are more likely to go unnoticed.
      However, there are distinctive usage patterns that are not simple grammar or spelling errors that also need to be identified. A well-known example of this is the usage of while/whilst by the authors of the Federalist Papers.</Paragraph>
      <Paragraph position="2">
                  Hamilton  Madison  Disputed
        while           36        0         0
        whilst           1       12         9
      Table 1: Occurrence counts of "while" and "whilst" in the Federalist Papers (excluding documents authored by Jay and those which were jointly authored). In the disputed papers, "whilst" occurs in 6 of the documents (9 times total) and "while" occurs in none. To properly anonymize the disputed documents, "whilst" would need to be eliminated or normalized.</Paragraph>
      <Paragraph position="3"> This is similar to the problem with idiosyncratic spelling in that there are two ways to apply this information. The first is to simply correct the term to conform to the norms as defined by the authors in K. The second approach is to incorporate characteristic forms associated with a particular author. While both approaches can serve to reduce the author's stylometric fingerprint, the latter approach carries the risk of attempted style forgery and if applied indiscriminately may also provide clues that the document has been anonymized (if strong characteristics of multiple authors can be detected).</Paragraph>
      <Paragraph position="4"> For our experiments, we opted to leave these markers in place to see how they were handled by the system. We did, however, need to normalize the paragraph formatting, remove all capitalization and convert all footnote references to use square brackets (which are otherwise unused in the corpus).</Paragraph>
    </Section>
    <Section position="3" start_page="445" end_page="445" type="sub_section">
      <SectionTitle>
3.3 Tokenization
</SectionTitle>
      <Paragraph position="0"> To tokenize the documents, we separated sequences of letters using spaces, newlines and the following punctuation marks: .,()-:;`'?![]. No stemming or morphological analysis was performed. This process resulted in 8674 unique tokens for the 65 documents in the training set.</Paragraph>
    </Section>
  </Section>
  <Section position="6" start_page="445" end_page="447" type="metho">
    <SectionTitle>
4 Feature Selection
</SectionTitle>
    <Paragraph position="0"> The process of feature selection is one of the most crucial aspects of authorship attribution. By far the most common approach is to make use of the frequencies of common function words that are content neutral, but practitioners have also made use of other features such as letter metrics (e.g., bi-grams), word and sentence length metrics, word tags and parser rewrite rules. For this work, we opted to limit our study to word frequencies since these features are generally acknowledged to be effective for authorship attribution and are transparent, which allows the author to easily incorporate the information for document modification purposes.</Paragraph>
    <Paragraph position="1"> We wanted to avoid depending on an initial list of candidate features since there is no guarantee that the attackers will limit themselves to any of the commonly used lists. Avoiding these lists makes this work more readily useful for non-English texts (although morphology or stemming may be required).</Paragraph>
    <Paragraph position="2"> We desire two things from our feature selection process beyond the actual features. First, we need a ranking of the features so that the author can focus efforts on the most important features.</Paragraph>
    <Paragraph position="3"> The second requirement is that we need a threshold value so that the author knows how much the feature frequency needs to be adjusted.</Paragraph>
    <Paragraph position="4"> To rank and threshold the features, we used decision trees (DTs) and made use of the readily available WinMine toolkit (Chickering 2002).</Paragraph>
    <Paragraph position="5"> DTs produced by WinMine for continuously valued features such as frequencies are useful since each node in the tree provides the required threshold value. For term-ranking, we created a Decision Tree Root (DTR) ranking metric to order the terms based on how discriminating they are. DTR Rank is computed by creating a series of DTs where we remove the root feature, i.e. the most discriminating feature, before creating the next DT. In this fashion we create a ranking based on the order in which the DT algorithm determined that the term was most discriminatory. The DTR ranking algorithm is as follows:
      1) Start with a set of features
      2) Build DT and record root feature
      3) Remove root feature from list of features
      4) Repeat from step 2
    It is worth noting that the entire DT need not be calculated since only the root is of interest. The off-the-shelf DT toolkit could be replaced with a custom implementation that returned only the root (also known as a decision stump). Since our work is exploratory, we did not pursue optimizations along these lines.</Paragraph>
    <Paragraph position="6"> For our first set of experiments, we applied DTR ranking starting with all of the features (8674 tokens from the training set) and repeated until the DT was unable to create a tree that performed better than the baseline of p(Hamilton) = 78.46%. In this fashion, we obtained an ordered list of 2477 terms, the top 10 of which are shown in Table 2, along with the threshold and bias.</Paragraph>
    <Paragraph position="7"> The threshold value is read directly from the DT root node and the bias (which indicates whether we desire the feature value to be above or below the threshold) is determined by selecting the branch of the DT which has the highest ratio of non-A to A documents.</Paragraph>
    <Paragraph position="8"> Initially, this list looks promising, especially since known discriminating words like "upon" and "whilst" are the top two ranked terms. However, when we applied the changes to our baseline attribution model (described in detail in the Evaluation section), we discovered that while it performed well on some test documents, others were left relatively unscathed. This is shown in Figure 1 which graphs the confidence in assigning the authorship to Madison for each disputed document as each feature is adjusted. We expect the confidence to start high on the left side and move downward as more features are adjusted.</Paragraph>
    <Paragraph position="9"> After adjusting all of the identified features, half of the documents were still assigned to Madison (i.e., confidence &gt; 0.50).</Paragraph>
    <Paragraph position="10"> Choosing just the high-frequency terms was also problematic since most of them were not considered to be discriminating by DTR ranking (see Table 3). The lack of DTR rank not only means that these are poor discriminators, but it also means that we do not have a threshold value to drive the feature adjustment process.</Paragraph>
    <Paragraph position="11">  We next combined the DTR and the term frequency approaches by computing DTR on the set of features whose frequency exceeds a specified threshold for any one of the authors. Selecting a frequency of 0.001 produces a list of 35 terms, the first 14 of which are shown in Table 4.
    column is the number of changes required to achieve the threshold frequency for document #49.</Paragraph>
    <Paragraph position="12"> Results for this list were much more promising and are shown in Figure 2. The confidence of attributing authorship to Madison is reduced by an average of 84.42% (s = 12.51%) and all of the documents are now correctly misclassified as being written by Hamilton.</Paragraph>
    <Paragraph position="13">  Madison graphed as each feature is adjusted. Each line corresponds to one of the 12 disputed documents. Features are ordered by DTR Rank and the attribution model is SVM30. Values above 0.5 are assigned to Madison and those below 0.5 are assigned to Hamilton.</Paragraph>
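    <Paragraph>Added example (not code from the paper or from WinMine): one way to implement the DTR ranking loop, the threshold and bias read from each root, and the DTR(0.001) frequency filter described in this section, using a hand-written decision stump scored by training accuracy in place of the WinMine decision trees. The seven-document corpus, the target document and all function names are constructed for illustration; as in Section 5.1, the edit counts treat the document length as fixed.

```python
from fractions import Fraction
from math import floor

# Constructed toy corpus: (author, total words, counts of candidate terms).
CORPUS = [
    ("H", 2000, {"upon": 6, "whilst": 0, "on": 8, "there": 5}),
    ("H", 2000, {"upon": 7, "whilst": 0, "on": 6, "there": 7}),
    ("H", 2000, {"upon": 5, "whilst": 0, "on": 13, "there": 4}),
    ("H", 2000, {"upon": 8, "whilst": 0, "on": 15, "there": 6}),
    ("M", 2000, {"upon": 0, "whilst": 2, "on": 14, "there": 5}),
    ("M", 2000, {"upon": 1, "whilst": 0, "on": 16, "there": 6}),
    ("M", 2000, {"upon": 0, "whilst": 3, "on": 12, "there": 4}),
]
TERMS = ["upon", "whilst", "on", "there"]
# Constructed document D by the author who wants to stay anonymous ("M").
TARGET_DOC = ("?", 2000, {"upon": 0, "whilst": 2, "on": 13, "there": 5})

def freq(doc, term):
    return Fraction(doc[2].get(term, 0), doc[1])  # exact relative frequency

def non_target_share(side, target):
    return Fraction(len(side) - side.count(target), len(side))

def stump(corpus, term, target):
    """Best one-split tree on `term`: (documents correct, threshold, bias)."""
    values = sorted({freq(d, term) for d in corpus})
    best = (0, None, None)
    for lo, hi in zip(values, values[1:]):
        cut = (lo + hi) / 2
        above = [d[0] for d in corpus if freq(d, term) > cut]
        below = [d[0] for d in corpus if not freq(d, term) > cut]
        # Each branch predicts its majority author.
        correct = sum(max(s.count(a) for a in set(s)) for s in (above, below))
        if correct > best[0]:
            # Bias: the branch with the higher proportion of non-target documents.
            up = non_target_share(above, target) > non_target_share(below, target)
            best = (correct, cut, "above" if up else "below")
    return best

def dtr_rank(corpus, terms, target, min_freq=Fraction(0)):
    """Record the root term, drop it, rebuild; stop at the majority baseline."""
    authors = sorted({d[0] for d in corpus})
    def author_freq(author, term):
        docs = [d for d in corpus if d[0] == author]
        return Fraction(sum(d[2].get(term, 0) for d in docs), sum(d[1] for d in docs))
    # DTR(min_freq): keep terms frequent enough for at least one author.
    pool = [t for t in terms if any(author_freq(a, t) > min_freq for a in authors)]
    baseline = max(sum(d[0] == a for d in corpus) for a in authors)
    ranking = []
    while pool:
        root = max(pool, key=lambda t: stump(corpus, t, target)[0])
        correct, cut, bias = stump(corpus, root, target)
        if not correct > baseline:
            break
        ranking.append((root, cut, bias))
        pool.remove(root)
    return ranking

def edits_needed(doc, ranking):
    """Signed word edits per term: +n insertions, -n deletions (length held fixed)."""
    plan = {}
    for term, cut, bias in ranking:
        have, limit = doc[2].get(term, 0), floor(cut * doc[1])
        if bias == "above":
            plan[term] = max(0, limit + 1 - have)
        else:
            plan[term] = -max(0, have - limit)
    return plan

if __name__ == "__main__":
    for label, floor_freq in (("DTR", Fraction(0)), ("DTR(0.001)", Fraction(1, 1000))):
        ranking = dtr_rank(CORPUS, TERMS, "M", floor_freq)
        print(label, [(t, float(c), b) for t, c, b in ranking], edits_needed(TARGET_DOC, ranking))
```

On this constructed corpus the rare marker "whilst" is ranked second by plain DTR but is dropped by the 0.001 frequency filter, so the two rankings ask for different edits to the same document.</Paragraph>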
  </Section>
  <Section position="7" start_page="447" end_page="447" type="metho">
    <SectionTitle>
5 Evaluation
</SectionTitle>
    <Paragraph position="0"> Evaluating the effectiveness of any authorship obfuscation approach is made difficult by the fact that it is crucially dependent on the authorship detection method that is being utilized. An advantage of using the Federalist Papers as the test data set is that there are numerous papers documenting various methods that researchers have used to identify the authors of the disputed papers.</Paragraph>
    <Paragraph position="1"> However, because of differences in the exact data set and machine learning algorithm used, it is not reasonable to create an exact and complete implementation of each system. For our experiments, we used only the standard Federalist Papers documents and tested each feature set using linear-kernel SVMs, which have been shown to be effective in text categorization (Joachims 1998). To train our SVMs we used a sequential minimal optimization (SMO) implementation described in (Platt 1999).</Paragraph>
    <Paragraph position="2"> The SVM feature sets that we used for the evaluation are summarized in Table 5.</Paragraph>
    <Paragraph position="3"> For the early experiments described in the previous section we used SVM30, which incorporates the final set of 30 terms that Mosteller &amp; Wallace used for their study. As noted earlier, they made use of a different data set than we did, so we did expect to see some differences in the results. The baseline model (plotted as the left-most column of points in Figure 1 and Figure 2) assigned all of the disputed papers to Madison except one.</Paragraph>
    <Paragraph position="4">  on, upon, there, any, an, every, his, from, may, can, do</Paragraph>
    <Section position="1" start_page="447" end_page="447" type="sub_section">
      <SectionTitle>
5.1 Feature Modification
</SectionTitle>
      <Paragraph position="0"> Rather than applying the suggested modifications to the original documents and regenerating the document feature vectors from scratch each time, we simplified the evaluation process by adjusting the feature vector directly and ignoring the impact of the edits on the overall document probabilities. The combination of insertions and deletions results in the total number of words in the document being increased by an average of 19.58 words (s = 7.79), which is less than 0.5% of the document size. We considered this value to be small enough that we could safely ignore its impact.
      Modifying the feature vector directly also allows us to consider each feature in isolation, without concern for how they might interact with each other (e.g. converting whilst-while or re-writing an entire sentence). It also allows us to avoid the problem of introducing rewrites into the document with our distinctive stylometric signature instead of a hypothetical Madison rewrite.</Paragraph>
    </Section>
    <Section position="2" start_page="447" end_page="447" type="sub_section">
      <SectionTitle>
5.2 Experiments
</SectionTitle>
      <Paragraph position="0"> We built SVMs for each feature set listed in Table 5 and applied the obfuscation technique described above by adjusting the values in the feature vector by increments of the single-word probability for each document. The results that we obtained were the same as observed with our test model - all of the models were coerced to prefer Hamilton for each of the disputed documents.
      Federalists [...] with the possible exception of No. 55. For No. 55 our evidence is relatively weak [...]."
      Figure 3: Confidence in assigning disputed papers to Madison graphed as each feature is adjusted. Feature order is DTR(0.001) and the attribution model is SVM70.
      Figure 3 shows the graph for SVM70, the model that was most resilient to our obfuscation techniques. The results for all models are summarized in Table 6. The overall reduction achieved across all models is 86.86%.</Paragraph>
      <Paragraph position="1">  of assigning the disputed papers to Madison for each of the tested feature sets.</Paragraph>
      <Paragraph position="2"> Of particular note in the results are those for SVM03, which proved to be the most fragile model because of its low dimension. If we consider this case an outlier and remove it from study, our overall reduction becomes 83.82%.</Paragraph>
    </Section>
    <Section position="3" start_page="447" end_page="447" type="sub_section">
      <SectionTitle>
5.3 Feature Changes
</SectionTitle>
      <Paragraph position="0"> As stated earlier, an important aspect of any obfuscation approach is the number of changes required to effect the mis-attribution. Table 7 summarizes the absolute number of changes (both insertions and deletions) and also expresses this value relative to the original document size.</Paragraph>
      <Paragraph position="1"> The average number of changes required per 1000 words in the document is 14.2. While it is difficult to evaluate how much effort would be required to make each of these individual changes, this value seems to be within the range that a motivated person could reasonably undertake.
      More detailed summaries of the number of feature changes required for a single document (#49) are given in Table 2 and Table 4.</Paragraph>
      <Paragraph position="2"> By calculating the overall number of changes required, we implicitly consider insertions and deletions to be equally weighted. However, while deletion sites in the document are easy to identify, proposing insertion sites can be more problematic. We do not address this difference in this paper, although it is clear that more investigation is required in this area.</Paragraph>
    </Section>
  </Section>
  <Section position="8" start_page="447" end_page="449" type="metho">
    <SectionTitle>
6 Deep Obfuscation
</SectionTitle>
    <Paragraph position="0"> The techniques described above result in what we term shallow obfuscation since they focus on a small number of features and are only useful as a defense against standard attribution attacks.</Paragraph>
    <Paragraph position="1"> More advanced attribution techniques, such as that described in (Koppel and Schler 2004) look deeper into the author's stylometric profile and can identify documents that have been obfuscated in this manner.</Paragraph>
    <Paragraph position="2"> Koppel and Schler introduce an approach they term "unmasking" which involves training a series of SVM classifiers where the most strongly weighted features are removed after each iteration. Their hypothesis is that two texts from different authors will result in a steady and relatively slow decline of classification accuracy as features are being removed. In contrast, two texts from the same author will produce a relatively fast decline in accuracy. According to the authors, a slow decline indicates deep and fundamental stylistic differences - beyond the "obvious" differences in the usage of a few frequent words. A fast decline indicates that there is an underlying similarity once the impact of a few superficial distinguishing markers has been removed.
    We repeated their experiments using 3-fold cross-validation to compare Hamilton and Madison with each other and the original (D) and obfuscated (D') documents. The small number of documents required that we train the SVM using the 50 most frequent words. Using a larger pool of feature words resulted in unstable models, especially when comparing Madison (14 documents) with D and D' (12 documents). The results of this comparison are shown in Figure 4.</Paragraph>
    <Paragraph position="3">  plots the accuracy of a classifier trained to distinguish between two authors; the x-axis plots each iteration of the unmasking process. The top three lines compare Hamilton (H) versus Madison (M), the original document (D) and the obfuscated document (D'). The bottom line is M vs. D and the middle line is M vs. D'.</Paragraph>
    <Paragraph position="4"> In this graph, the comparison of Hamilton and the modified document (MvD') exhibits the characteristic curve described by Koppel and Schler, which indicates that the original author can still be detected. However, the curve has been raised above the curve for the original document which suggests that our approach does help insulate against attacks that identify deep stylometric features.</Paragraph>
    <Paragraph position="5"> Modifying additional features continues this trend and raises the curve further. Figure 5 summarizes this difference by plotting the difference between the accuracy of the HvD' and MvD' curves for documents at different levels of feature modification. An ideal curve in this graph would be one that hugged the x-axis since this would indicate that it was as difficult to train a classifier to distinguish between M and D' as it is to distinguish between H and D'. In this graph, the "0" curve corresponds to the original document, and the "14" curve to the modified document shown in Figure 4. The "35" curve uses all of the DTR(0.001) features.</Paragraph>
    <Paragraph position="6"> This graph demonstrates that using DTR ranking to drive feature adjustment can produce documents that are increasingly harder to detect as being written by the author. While it is unsurprising that a deep level of obfuscation is not achieved when only a minimal number of features are modified, this graph can be used to measure progress so that the author can determine when enough features have been modified to achieve the desired level of anonymization.</Paragraph>
    <Paragraph position="7"> Equally unsurprising is that this increased anonymization comes at an additional cost, summarized in Table 8.</Paragraph>
    <Paragraph position="8">  of features modified and corresponding changes required per 1000 words.</Paragraph>
    <Paragraph position="9"> While in this work we limited ourselves to the 35 DTR(0.001) features, further document modification can be driven by lowering the DTR probability threshold to identify additional terms in an orderly fashion.</Paragraph>
  </Section>
</Paper>