COMSNETS 2023 Cybersecurity and Privacy Workshop
Detecting Sensitive Information from Unstructured
Text in a Data-Constrained Environment
Saurabh Anand
2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS) | 978-1-6654-7706-2/23/$31.00 ©2023 IEEE | DOI: 10.1109/COMSNETS56262.2023.10041388
TCS Research, India TCS Research, India
[email protected]
[email protected]
[email protected]
Abstract—For an enterprise, it is important to handle sensitive
customer data properly because any data breach or violation
can lead to hefty penalties. Past work has looked at various
techniques for detecting sensitive data in free-flowing text for
a given regulation. However, most of them either produce
many false positives or are very specific to certain types of
data, for example, email, account number, or social security
number. Moreover, machine learning-based methods are difficult
to use as finding large amounts of labeled data for training a
supervised model poses a serious challenge. In this work, we
aim to address the issue of sensitive data discovery in a data-
constrained environment by utilizing pre-trained models. We
compare their effectiveness in the financial and health domains.
Further, we improve the performance of pre-trained models by
employing morphological-level features and propose a hybrid
model architecture. Our experimental results show that pre-
trained models in a data-constrained environment can reduce the
turnaround time for sensitive data discovery, thus saving money
and effort.
Index Terms—Sensitive Data, User Privacy, Named Entity
Recognition, Pre-trained Language Models
I. I NTRODUCTION
A data breach is a cybersecurity incident where confidential
information is intentionally or unintentionally exposed to
unauthorized parties. For an enterprise, a data breach incident
is a serious concern as it can result in monetary losses due to
legal penalties, loss of customers, and a negative effect on their
reputation [1]. It also impacts the end-user, whose data is lost
in the breach, as it can increase their chances of being a victim
of identity theft. For example, in 2017, the credit reporting
company Equifax had sensitive information on approximately
140 million consumers stolen. This was an unprecedented data
breach due to its size and the implications for Equifax and its
customers [2]. With increased digitalization and an exponential
increase in data, such incidents are frequently reported. For
example, in 2020, Capital One reported that the sensitive
information of over 100 million people had been compromised
[3]. Similarly in health domain, another incident occurred with
a health insurer Excellus Health Plan Inc., where personal
health information of 9.3 million customers was breached [4].
Despite extensive research to detect and prevent data breaches,
they remain an active threat to enterprises and individuals
alike.
For an enterprise, it is important to maintain the end user’s
privacy while processing the data to generate valuable insights
about their services. Various data protection regulations, such
Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
978-1-6654-7706-2/23/$31.00 ©2023 IEEE
Manish Shukla Sachin Lodha
TCS Research, India
as the Global Data Protection Regulation (GDPR), Payment
Card Industry-Data Security Standard (PCI-DSS), and the
Health Insurance Portability and Accountability Act (HIPAA),
have mandated enterprises to treat the personal data of their
customers with great caution. Any form of data leakage or
privacy violation can have serious consequences for an enter-
prise. For this, the enterprise needs to know the kind and nature
of data residing on each device, as it will help in installing
appropriate security tools and enabling required access rights
for its employees. However, within an enterprise, the personal
and sensitive information of a customer can be present in
unstructured, structured, and semi-structured forms. Manual
analysis of these documents can be difficult, expensive, time
consuming and often prone to error. Therefore, it becomes
imperative for enterprises to have a balance between security
and operational costs.
In order to keep track of sensitive information, enterprises
need to extract and identify sensitive information present
in unstructured data sources. Past research has looked into
content fingerprinting, locality-sensitive hashes [1], regular
expressions [5], and machine learning-based approaches [6],
[7]. Some of these techniques either generate too many false
positives (content fingerprinting and regular expressions), take
too long to be a practical solution due to pairwise comparison
(locality-sensitive hashes), or require a large amount of labeled
data for training machine learning models. To a certain extent,
Named Entity Recognition (NER) using pre-trained models
has been utilized for identifying named entities in unstructured
text, for example, usernames, locations, quantities, and brands
[7]. However, there is still a significant gap when it comes
to sensitive data identification in unstructured text. The main
reason for this is the lack of labeled datasets for training
machine learning models because of sensitive nature of data.
In this work, we focus on the identification of financial as
well as health related sensitive data in unstructured text for
a given context in a data-constrained environment. Context,
in this regard, means the privacy regulation under which the
text is analyzed. This is a typical setup in an enterprise as
the majority of the data that is dealt with is in unstructured
format [8]. Even though we address the issue of data scarcity
for sensitive information discovery in free-flowing text, our
proposed approach is equally applicable to other text-based
problems in the cybersecurity domain, for example, spear-
phishing, insider threat, email analytics, etc. We investigate the
159

feasibility of pre-trained language models to identify sensitive
data in unstructured text. More specifically, we evaluate the
accuracy of different pre-trained language models without any
domain or language-dependent pre-training for the extraction
of sensitive information from unstructured data for the English
language. Further, we improve over the current pre-trained
models and propose a new model architecture with improved
performance. Our contributions are as follows:
1) The paper analyzes the performance of different pre-
trained models on sensitive data discovery task in finan-
cial as well as health domain.
2) Experimental results show that pre-trained models in a
data-constrained environment can lead to better result.
Also, with better feature engineering in financial and
health domain, the performance of pre-trained models
is improved.
3) We propose a new Char-BERT-CRF model to iden-
tify sensitive information, which captures morphological
features along with word level features. Experimental
results show that our model achieves reasonable perfor-
mance in a data-constrained environment.
The rest of the paper is organized as follows. Section II
describes the Related Work. Section III presents a detailed
description on Approach followed in this work. Section IV
describes different experiments and results. Section V includes
the discussion part. Finally, Section VI concludes the work.
II. R ELATED W ORK
Depending on the difficulty of task and the desired outcome,
multiple techniques have been used to find sensitive data in
free-flowing text.
Pattern Matching. Some of the past work has used pattern
matching for extraction and identification of sensitive data in
unstructured text. Yongyan Guo et al. [5] proposed a system
based on content-based (regular expressions) and context-
based (deep learning; BiLSTM-CRF) detection of sensitive
information. Similarly, Mariana Dias et al. [9] used rule-based
techniques to extract entities, such as email addresses, postal
codes, and some dates in the Portuguese language. Pattern
matching based systems tend to have high precision for certain
kinds of data and need constant maintenance that can be very
time-consuming and expensive.
Machine Learning and Deep Learning. Silva et al. [7]
used publicly available natural language processing (NLP)
tools such as Spacy, NLTK, and Stanford CoreNLP to identify
generic sensitive data such as names, places, organizations, etc.
They experimented with the Groningen Meaning Bank dataset
and manually collected and annotated US voter registration
data. Their combined data consists of 170K lines, which was
sufficient to train and test machine learning models. Hassan
et al. [10] trained a word embedding model and analyzed
the semantic relationships of sensitive entities. Their proposed
method requires a large corpus to train the word embeddings
and it is limited by the choice of the window size. Troung et
al. [6] focused on the extraction of sensitive information from
both structured and unstructured data in financial institutions.
Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
160
COMSNETS 2023 Cybersecurity and Privacy Workshop
They used CNN with CRF for structured and unstructured data
and evaluated their model with synthetic and real-world data.
While most of the aforementioned work provides good accu-
racy in sensitive data discovery, they need a decent amount of
real-world training data to perform well, which is hard to get
because of the sensitive nature of the data. Our work focuses
on the use of pre-trained models and shows the effectiveness of
these models in a scenario where training data is scarce. Zhang
et al. [11] improved the accuracy of clinical named entity
recognition based models by utilizing transfer learning. The
authors of [12] made use of multi-task learning to obtain useful
information from different datasets. By utilizing a global
attention mechanism, Xu et al. [13] improved the performance
of clinical named entity recognition models. All of these deep
learning techniques, however, rely on token representations
that are not contextualized. Moreover, these techniques require
good amount of data for their models to provide good accuracy
in clinical named entity extraction tasks. In this work, we
mainly focus on contextualized representations and pre-trained
models in a data-constrained environment. Similar to our work,
Zhou et al. [14] pre-trained two deep contextualized models
C-ELMO and C-Flair using corpus from PubMed Central
and utilized pre-trained contextualized embedding along with
static word embedding on MACCROBAT2018 dataset and fed
them into a BiLSTM-CRF model for clinical named entity
extraction task. However, their model fails to capture long-
range dependencies within a document and as opposed to
theirs, our work captures long-range dependencies better.
Few Shot and Zero Shot Learning. Few-shot and zero-
shot learning NER techniques are useful in a scenario where
training data is scarce. Researchers have used few-shot NER
[15] and zero-shot NER techniques [15] in an environment
where no or little training data is available. However, experi-
mental results in these studies show that the accuracy of such a
system can be very low and could lead to the loss of sensitive
information. Therefore, we focus on pre-trained models and
propose a hybrid deep learning-based system for sensitive data
discovery.
III. A PPROACH
Our objective is to extract sensitive information that is
present in unstructured data. To achieve this goal, we used
generic and vanilla version of the pre-trained language models,
evaluated the performance of different models on sensitive data
discovery task.
A. Data Preprocessing
1) Tokenization: Sentences were split into discrete tokens
and all the non-ASCII characters, whitespaces at the end and
beginning of all sentences were removed. We used WordPiece
tokenization to further partition the tokens [16].
2) Character Tokenization: We also implemented character
level tokenization to employ character level features into our
model to better understand the structure of each word. Each
token is converted to a sequence of characters with a maximum
sequence length of ‘N’ characters, which is a configurable
 COMSNETS 2023 Cybersecurity and Privacy Workshop

TABLE I: Example for financial data generation

Original Sentence
Bank will notify Borrower
when it debits Borrower account.
Bank will disburse such Equipment
Advance in by the internal transfer to Borrower
deposit account with Bank .
Template Generated
<ORG> will notify <PER>
when it debits <PER> account.
<ORG> will disburse such Equipment
Advance in by the internal transfer to <PER>
deposit account with <ORG> .
Generated Sentence
Wells Fargo will notify Jake Milton
when it debits Jake Milton account.
BARCLAYS will disburse such Equipment
Advance in by the internal transfer to Ray Adam
deposit account with BARCLAYS .

parameter that is equal to the length of largest sequence in the
dataset. For the dataset used in this paper, the value of ’N’ is
35.
B. Model Enhancement
Named Entity Recognition is one of the techniques that
can be used to extract sensitive data from free flowing text.
We evaluated different pre-trained models on sensitive data
discovery task in financial and health domain. However, some
entities in the dataset such as credit card numbers, account
numbers, age, date, etc. are numeric entities. Pre-trained
models trained on general corpora fail to capture the features
of such numeric entities.
To overcome the above mentioned issue, we improved fea-
ture engineering by incorporating the character level features
along with word level features. Character level features are
generated by dealing with text at character level leading to
better representation of text. This is beneficial when dealing
with numeric entities. Hence, we developed a model that
uses embedding layer architecture of CharacterBERT [17]
for character level embeddings and BERT [18] for word
level embeddings. We extract the sensitive entities by using a
Conditional Random Field [19] as decoder and applying it on
the concatenated embeddings. Figure 1 shows the architecture
of our model. We used the sequence labeling strategy, which
is commonly referred to as ‘BIO’ sequence labeling strategy.
The ‘B’ prefix indicate the beginning of a tag. The ‘I’ prefix
indicates that the word is inside a chunk and ‘O’ prefix
indicates that the word does not belong to any category. Table
II shows the different sensitive entities used.
Sensitive Entities
CRF
CONCATENATION
BERT CharacterBERT
654,#21,##23,##76... 6,5,4,2,1,2,3,7,6,5,4,2,4
Fig. 1: Char-BERT-CRF Architecture. In CharacterBERT, the
inputs are sequence of characters in a word and in BERT, the
inputs are sequence of words in a sentence.
CharacterBERT. While CharacterBERT is identical to
vanilla BERT in every manner, it builds initial context-
independent representations differently. At its embeddings
layer, it uses a Character-CNN module to represent each
word with help of characters that constitute it. Each token
is converted to a sequence of characters of length ‘N’ and
then fed to multiple 1-d CNNs with different filters. The
output from each CNN is max-pooled and concatenated to
produce the final representation. As followed by [17], each
representation is then sent to Highway layers that control the
flow of information with help of gating units. We followed the
same architecture for generating character level features.
BERT. For obtaining word level contextual representation,
we adopt the BERT model architecture, more specifically
BERT-base architecture (L = 12, H = 768, A = 12). The
character and word level representation are then concatenated
to obtain final representations.
Conditional Random Fields (CRF). The final output rep-
resentations are then fed to CRFs, which acts as decoder and
classifies each token to different categories. The CRFs are
excellent in capturing adjacent labels dependency which is a
crucial part in sequence labelling task.
C. Training and Evaluation
For character level embeddings, we employed only the
embedding layer architecture of CharacterBERT [17]. Each
token is divided into a sequence of characters with a maximum
length of ‘N’ and fed into multiple 1-d CNNs. We used ReLU
as activation function and different filter sizes given as (1, 32),
(2, 32), (3, 64), (4, 128), (5, 256), (6, 512) and (7, 1024).
We initialize our BERT model using pre-trained weights
through Hugging Face [20]. We feed the final concatenated
representation to CRF decoder model, which outputs each
entity type, including ‘O’ for other entities. We used a dropout
probability of 0.5 and an Adam Optimizer with a learning rate
of 5e-5. We use linear learning rate warm up for first 10% of
iterations with maximum sequence length of 258 and a batch
size of 16. We aim to evaluate different pre-trained models and
deep learning models with respect to accuracy on financial and
health datasets.
IV. E XPERIMENTS
A. Baseline Models
Considering sensitive data discovery as a sequence labeling
problem, we compare and evaluate different pre-trained and
deep learning models in terms of Precision, Recall and F1-
score. We implemented: (1) BiLSTM-CRF [21], (2) Char-
BiLSTM-CRF [22] and different hybrid combination of pre-

Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
161

TABLE II: Types of sensitive entities in financial dataset
Sensitive Information Type Sensitive Entity
Personal Sensitive Entities Location
Person Name
Social Security Number
Email ID
Financial Sensitive Entities Bank Name
Credit Card Number
CVV Number
Expiry Date
Permanent Identification Number
Bank Account Number
International Bank Account Number
trained models such as (3) RoBERTa-CRF [21], (4) ALBERT-
CRF [21], (5) DistilBERT-CRF [21], (6) BERT-CRF [21]. The
pre-trained models are trained on general corpora extracted
from English Wikipedia and BookCorpus [23]. These models
are included because they are most widely used in any
sequence labeling task. We also compared our model with
different baseline models [12], [14], [22]. Our model in a data-
constrained environment gives better results as compared to
different baseline models.
B. Datasets
1) Synthetic Dataset: For any supervised learning, espe-
cially deep learning based solution, data is of utmost impor-
tance as it determines the final quality of any model. Especially
in a scenario where contextual information is important, the
quality of the model changes with the quality of the corpus
used. Since there is no publicly available annotated dataset
containing sensitive entities for training models, therefore
we have used synthetic data. Table II contains the list of
financial entities that are considered in this paper. We have
included these entities in dataset because sensitive entities
in financial domain mostly include cardholder’s data such as
name, account numbers, expiry date, etc.
For the generation of some entities such as Name, Organi-
zation and Location, we followed a template-based approach1 .
We collected some sentences containing the above mentioned
entities and converted them to templates based on their labels.
For example, if original sentence contains ORGANIZATION
(ORG) entity, then a template based generic sentence is
produced by replacing that ORGANIZATION entity with tem-
plate ‘<ORG>’. Now in template sentence that is generated,
we replaced a particular placeholder (‘<entity-type>’) with
fake PIIs of similar entity type. Table I shows an example
of a template generated from a public dataset. The sentences
were collected from publicly available annotated datasets [24],
[25].
For the generation of other entities such as Credit Card
Number, Account numbers, etc., we collected some random
samples of sentences that maintain the contextual information.
Here. contextual information helps in differentiating between
similar looking values. For example, a 13-digit number can
be ‘credit card number’ or ‘account number’. To increase
1 https://microsoft.github.io/presidio/
Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
162
COMSNETS 2023 Cybersecurity and Privacy Workshop
the number of sentences while maintaining the contextual
information, we used the Pegasus model [26]. The model
uses an encoder-decoder architecture for sequence to sequence
learning task such as summarization, paraphrase generation,
etc. In our work, it helped to increase the number of sentences
by generating similar sentences, regarding a particular entity
while maintaining the contextual information. The number of
sentences, tokens and entities in training and testing set are
(10349, 4758), (204291, 54213) and (11, 11) respectively.
Figure 2 shows the number of entities in each set as a part of
the dataset used to Train and Test the various models.
Sensitive entites
ACCOUNT NUMBER Train Set
IBAN Test Set
EXPIRY DATE
EMAIL ID
PIN
CVV
SOCIAL SECURITY NUMBER
CREDIT CARD NUMBER
ORGANIZATION
LOCATION
PERSON
500 1000 1500 2000 2500 3000 3500 4000 4500
Number of Entities
Fig. 2: Sensitive entity distribution in financial dataset.
2) Real World Dataset: A Credit card and Bank complaint
dataset 2 is used for evaluating the performance of different
models. The sensitive entities in the dataset are redacted with
‘XXXXX’ to preserve the privacy of different customers.
We manually inserted random sensitive entities in place of
redacted terms and included only those sentences that con-
tained financial entities used in our work and not the entire
dataset. The final dataset contains about 513 sentences, with
8 unique entities overall.
3) MACCROBAT2018: Additionally, we used the publicly
available MACCROBAT2018 dataset [14]. The authors found
content relating to medical concepts within 3100 clinical text
documents, including clinical case reports and free text compo-
nents of electronic health records. In total, they annotated 200
case reports containing 3652 sentences altogether, and these
phrases comprise a total of 36 distinct entities and event types.
We randomly divided 10% of the case reports for development
and 10% for testing.
C. Results
We evaluated the effectiveness of different pre-trained mod-
els and baselines models with respect to accuracy on sensitive
data discovery task. Table III shows the performance of models
trained and tested on financial data.
Figure 3a shows the performance of different models on
health dataset. We can observe that models are showing less
accuracy because of poor representation of entities in the
dataset.
Figure 5 displays the changes in performance of different
metrics with respect to changes in training data. We can
2 https://data.world/dataquest/bank-and-credit-card-complaints
 COMSNETS 2023 Cybersecurity and Privacy Workshop

TABLE III: Precision, Recall and F1-score on financial dataset.

MICRO-Averaged MACRO-Averaged 0.48

BiLSTM 0.88, 0.82, 0.85 0.88, 0.80, 0.84 0.46

BiLSTM-CRF 0.90, 0.84, 0.87 0.90, 0.81, 0.85
0.44
ALBERT-CRF 0.95, 0.88, 0.91 0.94, 0.87, 0.90

F1 Score
DistilBERT-CRF 0.92, 0.84, 0.88 0.92, 0.83, 0.87 0.42

BERT-CRF 0.93, 0.88, 0.90 0.92, 0.85, 0.89 0.40

Char-BiLSTM-CRF 0.92, 0.85, 0.88 0.90, 0.85, 0.87
0.38
Char-BERT-CRF 0.93, 0.91, 0.92 0.91, 0.90, 0.91
0.36
Vanilla Models
0.34
0.7 Hybrid Models
Precision 0.6 Hybrid
Recall Vanilla
0.6 F1-Score 0.5
0 50 100
Train Data
0.5
0.4
0.4

0.3
0.3
Fig. 4: Graph representing change in performance with respect
0.2
0.2
to change in health training data percent.
0.1 0.1

0.0 0.0 V. D ISCUSSION

AlBERT RoBERTA DistilBERT BERT
RF

RF

RF
CR

CR
C

-C

C
T-

A-

T-

T-
RT

In this work, we trained and tested several models for

RT
ER

ER

ER
BE
BE
B

ilB

-B
Al

ar
ist
Ro

Ch
D

extracting sensitive information from free-flowing text in fi-

(a)
Fig. 3: Figure 3a showing accuracy of different pre-trained
models on health dataset. Figure 3b showing performance of
Hybrid model and Vanilla model on health dataset.
observe that the accuracy of models increases with an in-
crease in training data. Comparatively, pre-trained models’
performances are consistently accurate as compared to BiL-
STM models. Figure 4 shows the changes in performance of
different models with respect to training data on health dataset.
Figure 3b displays the F1-score of different hybrid models and
vanilla models. In hybrid models, we have used pre-trained
models with CRF as decoder, whereas in vanilla models, we
follow the initial design of pre-trained models. Hybrid models
show more accuracy with respect to vanilla models on the
MACCROBAT2018 dataset. On the same dataset, the proposed
solution of Ma et al. [22] has an accuracy of 0.61, Wang et
al. [12] achieves an accuracy of 0.64, and the model of Zhou
et al. [14] achieves an accuracy of 0.65. In comparison, our
proposed model performs better with an accuracy of 0.67 on
the MACCROBAT2018 dataset.
TABLE IV: Evaluation results on financial Real-World Data
F1-score
BiLSTM
BiLSTM-CRF
ALBERT-CRF
DistilBERT-CRF
BERT-CRF
Char-BiLSTM-CRF
Char-BERT-CRF
We annotated a small portion of real-world data and eval-
uated the performances of different models on real-world
financial data. From Table IV, we can observe that the per-
formance of different models decreases when tested on real-
world data. This can be attributed to annotation strategy given
for real-world data, wherein only redacted terms are marked
as sensitive entites, ignoring the other entities in the sentence.
(b) nancial and health domain. While comparing common metrics
such as precision, recall and F1-score on financial dataset, the
pre-trained models showed better accuracy as compared to the
BiLSTM-based models. The same can be observed from Table
III. Figure 3a shows the performance of different pre-trained
models on health dataset. The accuracy of pre-trained models
is lower than usual when trained and tested on health datasets.
The reason behind this is that the MACCROBAT2018 dataset
lacks uniformity as some entities are poorly represented in the
dataset. Moreover, the context around some entities is poorly
expressed in the dataset, leading to less accuracy for certain
entities. When looking at the performance metrics of different
models in Table III, employing character level representation
in BERT-CRF and BiLSTM-CRF models improved the ac-
curacies when compared with their counterparts. Also from
Figure 3a the performance of BERT-CRF model increased
when we added the character level representation to the model.
The reason behind this is that pre-trained models are trained
on generic corpora and therefore fail to capture the features
of numerical entities such as credit card number, account
numbers, age, date, etc.
To check the effectiveness of pre-trained models in a data-
constrained environment, we trained them on different subset
of training data and tested them on remaining subset of
0.54 data. Figure 5 compares the performance of pre-trained and
0.55 BiLSTM-based models with respect to change in training
0.60 data percent in the financial domain. It can be observed that
0.62
0.64 performance of models increases with an increase in dataset
0.58 size. Pre-trained models suffer less and are more robust in
0.68 data-constrained environment when compared with BiLSTM-
based models. Figure 4 shows the F1-score of different hybrid
and vanilla models with varying amounts of health data. As
expected, the F1-score of different models increased with an
increase in training data size. All in all, these results indicate
that these pre-trained models reduce the need for manually
labeled data, which is a huge problem in the cybersecurity
domain.
Figure 3b shows the performance of hybrid pre-trained mod-

Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
163

1.0 1.0
0.8 0.8
0.6 0.6
Precision
Recall
Pre-trained Models
Bilstm
0.4 0.4
0.2 0.2
0.0 0.0
0 50 100
Train Data
(a)
Fig. 5: Graph representing change in performance with respect to change in financial training data percent.
els and vanilla pre-trained models on health dataset. Overall,
hybrid models show more accuracy when compared with their
vanilla counterparts in terms of F1-score. This is because
when computing the probability distribution of outputs, vanilla
models only consider the current word in the input sequence,
whereas hybrid models compute outputs by considering not
only the current word but also the rest of the sequence. In
other words, hybrid models improve the models’ ability to
learn and generalize well on downstream tasks.
Future Work. Several avenues exist for future research. In
the domain of sensitive data discovery, no real-world annotated
dataset is available publicly. For any deep learning or machine
learning solution to work, there is a need for a good quality
dataset. Further research may include the use of generative
models such as GANs for generating realistic and good-quality
synthetic datasets. In this study, we focused on general domain
pre-trained models, and domain-specific models were not
explored. Future work could include exploring other models
and their performance on a limited training dataset scenario. A
large proportion of sensitive entities contain numeric data and
pre-trained models trained on general corpora tend to struggle
with numeric data due to poor representation of large numbers.
Further work is required to improve the representation of
numeric data within pre-trained models.
VI. C ONCLUSION
In this paper, we address the issue of extracting sensitive
information from free-flowing text. We experimented with
different pre-trained models in a data-constrained environment,
where these models provided good accuracy. We proposed a
Char-BERT-CRF model, which combines character level and
word level contextual representation and feeds them into a
CRF decoder for better extraction of numeric sensitive entities.
Also, our study shows that it is possible to come up with a
sensitive data discovery solution by employing different pre-
trained models in a data-constrained environment.
R EFERENCES
[1] Cheng et al., “Enterprise data breach: causes, challenges, prevention,
and future directions,” Wiley Interdisciplinary Reviews: Data Mining
and Knowledge Discovery, vol. 7, no. 5, p. e1211, 2017.
[2] Zou et al., “”i’ve got nothing to lose”: Consumers’ risk perceptions and
protective actions after the equifax data breach,” SOUPS, pp. 197–216,
2018.
[3] Neto et al., “A case study of the capital one data breach,” Stuart E. and
Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case
Study of the Capital One Data Breach (January 1, 2020), 2020.
Authorized licensed use limited to: Newcastle University. Downloaded on May 30,2024 at 14:01:22 UTC from IEEE Xplore. Restrictions apply.
COMSNETS 2023 Cybersecurity and Privacy Workshop
1.0
0.8
0.6
F1 Score
Pre-trained Models Pre-trained Models
Bilstm Bilstm
0.4
0.2
0.0
0 50 100 0 50 100
Train Data Train Data
(b) (c)
[4] HIPAA JOURNAL. (January, 2021) Excellus health plan
settles hipaa violation case and pays $5.1 million penalty.
[Online]. Available: https://www.hipaajournal.com/excellus-health-plan-
settles-hipaa-violation-case-and-pays-5-1-million-penalty/
[5] Y. Guo et al., “Exsense: Extract sensitive information from unstructured
data,” Computers & Security, vol. 102, p. 102156, 2021.
[6] A. Truong et al., “Sensitive data detection with high-throughput
neural network models for financial institutions,” arXiv preprint
arXiv:2012.09597, 2020.
[7] P. Silva et al., “Using nlp and machine learning to detect data privacy
violations,” IEEE INFOCOM Workshops, pp. 972–977, 2020.
[8] Allahyari et al., “A brief survey of text mining: Classification, clustering
and extraction techniques,” arXiv preprint arXiv:1707.02919, 2017.
[9] M. Dias et al., “Named entity recognition for sensitive data discovery
in portuguese,” Applied Sciences, vol. 10, no. 7, p. 2303, 2020.
[10] Hassan et al., “Automatic anonymization of textual documents: detecting
sensitive information via word embeddings,” TrustCom, pp. 358–365,
2019.
[11] Zhang et al., “Improving clinical named-entity recognition with transfer
learning,” Stud Health Technol Inform, vol. 252, pp. 182–187, 2018.
[12] X. Wang et al., “Cross-type biomedical named entity recognition with
deep multi-task learning,” Bioinformatics, vol. 35, no. 10, pp. 1745–
1752, 2019.
[13] G. Xu et al., “Improving clinical named entity recognition with global
neural attention,” in Asia-Pacific Web (APWeb) and Web-Age Information
Management (WAIM) Joint International Conference on Web and Big
Data. Springer, 2018, pp. 264–279.
[14] Y. Zhou et al., “Clinical named entity recognition using contextualized
token representations,” arXiv preprint arXiv:2106.12608, 2021.
[15] Y. Wang et al., “Learning from language description: Low-shot
named entity recognition via decomposed framework,” arXiv preprint
arXiv:2109.05357, 2021.
[16] Y. Wu et al., “Google’s neural machine translation system: Bridg-
ing the gap between human and machine translation,” arXiv preprint
arXiv:1609.08144, 2016.
[17] H. E. Boukkouri et al., “Characterbert: Reconciling elmo and bert
for word-level open-vocabulary representations from characters,” arXiv
preprint arXiv:2010.10392, 2020.
[18] J. Devlin et al., “BERT: Pre-training of deep bidirectional transformers
for language understanding.” Association for Computational Linguis-
tics, 2019, pp. 4171–4186.
[19] J. Lafferty et al., “Conditional random fields: Probabilistic models for
segmenting and labeling sequence data,” 2001.
[20] T. Wolf et al., “Huggingface’s transformers: State-of-the-art natural
language processing,” arXiv preprint arXiv:1910.03771, 2019.
[21] J. Li et al., “A survey on deep learning for named entity recognition,”
IEEE Transactions on Knowledge and Data Engineering, vol. 34, no. 1,
pp. 50–70, 2020.
[22] X. Ma and E. Hovy, “End-to-end sequence labeling via bi-directional
lstm-cnns-crf,” pp. 1064–1074, 2016.
[23] Y. Zhu et al., “Aligning books and movies: Towards story-like visual
explanations by watching movies and reading books,” in Proceedings of
the IEEE international conference on computer vision, 2015, pp. 19–27.
[24] Z. Wang et al., “Crossweigh: Training named entity tagger from imper-
fect annotations,” pp. 5154–5163, 2019.
[25] J. Alvarado et al., “Domain adaption of named entity recognition to
support credit risk assessment,” pp. 84–90, 2015.
[26] J. Zhang et al., “Pegasus: Pre-training with extracted gap-sentences for
abstractive summarization,” pp. 11 328–11 339, 2020.
164