The preprocessing pipeline from the previous entry stripped punctuation, removed stop words, stemmed tokens, and rejoined the result into clean strings. The classifier still cannot read any of it. Machine learning models operate on numbers, not words, which means every message must be converted into a numerical vector before training can begin. This conversion step, feature extraction, defines the exact mathematical surface the classifier will learn from, and the exact mathematical surface an attacker can manipulate.<\/p>\n\n\n\n
A spam message reading “free prize now” and a ham message reading “meeting at noon” will each become a row of integers in a matrix, where each column corresponds to a term from the dataset’s vocabulary. The classifier will learn to separate these rows. But the vocabulary itself, the set of terms the model is even allowed to see, is built from choices made during feature extraction. Those choices determine what signals survive and what blind spots exist. From a red teaming perspective, every blind spot is an evasion path.<\/p>\n\n\n\n
The most straightforward way to represent text numerically is the bag-of-words model. It works by constructing a vocabulary of every unique term in the dataset, then representing each message as a vector of term counts. Each position in the vector corresponds to one term, and the value at that position records how many times the term appears in the message.<\/p>\n\n\n\n
The name is literal. The model treats each document as a bag of words, discarding all information about word order. “Claim your free prize” and “prize your free claim” produce identical vectors. For general text understanding, this is a significant loss. For spam classification, it is often acceptable because the presence of certain terms matters more than their arrangement. The word “free” appearing in a message is a stronger spam signal than the specific sentence structure surrounding it.<\/p>\n\n\n\n
To recover some ordering information, the model can include bigrams, which are pairs of consecutive words. A unigram vocabulary might contain “free” and “prize” as separate features. A bigram vocabulary adds “free prize” as a distinct feature, capturing the fact that these two words appeared next to each other. The bigram “free prize” is a stronger spam indicator than either word alone, because it reflects a phrase pattern characteristic of promotional spam rather than a coincidental co-occurrence.<\/p>\n\n\n\n
However, bigrams only capture local adjacency. The global structure of the sentence, its syntax, its rhetorical flow, its intent, is still lost. The bag-of-words model, even with bigrams, is a lossy compression of language into frequency counts.<\/p>\n\n\n\n
Scikit-learn’s The filtering thresholds are where the security-relevant decisions happen.<\/p>\n\n\n\n Three parameters control what enters the vocabulary:<\/p>\n\n\n\n After this step, Consider five short documents to see how the vocabulary is built and how term filtering works:<\/p>\n\n\n\n With The resulting unigram matrix records simple presence and frequency:<\/p>\n\n\n\n With The full bigram matrix is considerably wider than the unigram-only version. Every pair of consecutive words that survives the frequency filters becomes a new column. In a real dataset with thousands of messages, this expansion can produce vocabularies of tens or hundreds of thousands of features, most of which are zero for any given message. The resulting matrix is extremely sparse.<\/p>\n\n\n\n Everything described so far is standard machine learning practice. From a red teaming perspective, the interesting question is what this feature space looks like to an attacker.<\/p>\n\n\n\nCountVectorizer<\/code> implements the bag-of-words approach in three stages. First, it tokenises each message into individual terms and bigrams based on the specified n-gram range. Second, it builds a vocabulary by filtering terms according to frequency thresholds. Third, it transforms each message into a vector of term counts using that vocabulary.<\/p>\n\n\n\nfrom sklearn.feature_extraction.text import CountVectorizer\n\n# Initialise CountVectorizer with bigrams and frequency thresholds\nvectorizer = CountVectorizer(min_df=1, max_df=0.9, ngram_range=(1, 2))\n\n# Fit and transform the message column\nX = vectorizer.fit_transform(df[\"message\"])\n\n# Convert labels to binary\ny = df[\"label\"].apply(lambda x: 1 if x == \"spam\" else 0)\n<\/code><\/pre>\n\n\n\n\n
min_df=1<\/code>\u00a0means a term must appear in at least one document to be included. Setting this to 1 keeps every term, including rare ones that might appear in only a single message.<\/li>\n\n\n\nmax_df=0.9<\/code>\u00a0removes any term appearing in more than 90% of documents. These are words so common across both spam and ham that they provide no discriminative value.<\/li>\n\n\n\nngram_range=(1, 2)<\/code>\u00a0includes both unigrams (individual words) and bigrams (consecutive word pairs), giving the model access to limited phrase-level patterns.<\/li>\n<\/ul>\n\n\n\nX<\/code> is a sparse matrix where each row is a message and each column is a vocabulary term. The values are raw counts. This matrix is what the classifier trains on.<\/p>\n\n\n\nWalking through the vocabulary construction<\/h2>\n\n\n\n
\n
max_df=0.9<\/code>, any term appearing in more than 90% of documents is removed. With five documents, the threshold is 4.5, so a term must appear in all five to be excluded. “The” appears in all five and gets dropped. Every other unigram survives because none exceeds the threshold.<\/p>\n\n\n\nDocument<\/th> free<\/th> prize<\/th> is<\/th> waiting<\/th> for<\/th> you<\/th> spam<\/th> message<\/th> offers<\/th> a<\/th> now<\/th> filter<\/th> might<\/th> detect<\/th> this<\/th> important<\/th> news<\/th> says<\/th> won<\/th> trip<\/th> truly<\/th><\/tr><\/thead> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td><\/tr> 2<\/td> 1<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td><\/tr> 3<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td><\/tr> 4<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 1<\/td> 0<\/td><\/tr> 5<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n ngram_range=(1, 2)<\/code>, the vocabulary expands to include bigrams. “Free prize” now appears as its own feature in Documents 1 and 2, separate from the individual unigrams “free” and “prize”. The bigram “spam filter” captures a phrase pattern absent from individual word counts, and “is important” links two words that individually carry weak signal but together indicate a specific type of ham message.<\/p>\n\n\n\nDocument<\/th> free<\/th> prize<\/th> …<\/th> free prize<\/th> prize is<\/th> is waiting<\/th> spam message<\/th> spam filter<\/th> is important<\/th> …<\/th><\/tr><\/thead> 1<\/td> 1<\/td> 1<\/td> …<\/td> 1<\/td> 1<\/td> 1<\/td> 0<\/td> 0<\/td> 0<\/td> …<\/td><\/tr> 2<\/td> 1<\/td> 1<\/td> …<\/td> 1<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> 0<\/td> …<\/td><\/tr> 3<\/td> 0<\/td> 0<\/td> …<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> 0<\/td> …<\/td><\/tr> 4<\/td> 1<\/td> 0<\/td> …<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> …<\/td><\/tr> 5<\/td> 0<\/td> 0<\/td> …<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 0<\/td> 1<\/td> …<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n The feature space as an attack surface<\/h2>\n\n\n\n