What You See is Not What the Network Infers: Detecting Adversarial Examples Based on Semantic Contradiction

Yang, Yijun; Gao, Ruiyuan; Li, Yu; Lai, Qiuxia; Xu, Qiang

doi:10.48550/arxiv.2201.09650

Cited by 1 publication

(1 citation statement)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• EMShepherd protects the DNN model user's data privacy as it is agnostic to the model's inputs, which instead are always required by prior reconstruction-based detection methods [42,62]. The sensitive inputs should not be shared with third-party detectors.…”

Section: Advantagesmentioning

confidence: 99%

EMShepherd: Detecting Adversarial Samples via Side-channel Leakage

Ding¹,

Gongye²,

Wang³

et al. 2023

Preprint

View full text Add to dashboard Cite

Deep Neural Networks (DNN) are vulnerable to adversarial perturbations -small changes crafted deliberately on the input to mislead the model for wrong predictions. Adversarial attacks have disastrous consequences for deep learning empowered critical applications. Existing defense and detection techniques both require extensive knowledge of the model, testing inputs and even execution details. They are not viable for general deep learning implementations where the model internal is unknown, a common 'black-box' scenario for model users. Inspired by the fact that electromagnetic (EM) emanations of a model inference are dependent on both operations and data and may contain footprints of different input classes, we propose a framework, EMShepherd, to capture EM traces of model execution, perform processing on traces and exploit them for adversarial detection. Only benign samples and their EM traces are used to train the adversarial detector: a set of EM classifiers and class-specific unsupervised anomaly detectors. When the victim model system is under attack by an adversarial example, the model execution will be different from executions for the known classes, and the EM trace will be different. We demonstrate that our air-gapped EMShepherd can effectively detect different adversarial attacks on a commonly used FPGA deep learning accelerator for both Fashion MNIST and CIFAR-10 datasets. It achieves a 100% detection rate on most types of adversarial samples, which is comparable to the state-of-the-art 'white-box' software-based detectors. CCS CONCEPTS• Security and privacy → Side-channel analysis and countermeasures; Embedded systems security.

show abstract

Section: Advantagesmentioning

confidence: 99%