Abstract
Deep learning (DL) models are enabling a significant paradigm shift in a diverse range of fields, including natural language processing and computer vision, as well as the design and automation of complex integrated circuits. While deep models – and optimizations based on them, e.g., Deep Reinforcement Learning (RL) – demonstrate superior performance and a great capability for automated representation learning, earlier works have revealed the vulnerability of DL to various attacks, including adversarial samples, model poisoning, and fault injection. On the one hand, these security threats could divert the behavior of a DL model and lead to incorrect decisions in critical tasks. On the other hand, the susceptibility of DL to such attacks might thwart trustworthy technology transfer as well as reliable DL deployment. In this work, we investigate the existing defense techniques that protect DL against the above-mentioned security threats. In particular, we review end-to-end defense schemes for robust deep learning in both centralized and federated learning settings. Our comprehensive taxonomy and horizontal comparisons reveal that defense strategies developed using DL/software/hardware co-design outperform their DL/software-only counterparts, and show how such co-design can achieve very efficient and latency-optimized defenses for real-world applications. We believe our systemization of knowledge sheds light on the promising performance of hardware-software co-design for DL security and can guide the development of future defenses.
Index Terms
- Systemization of Knowledge: Robust Deep Learning using Hardware-software co-design in Centralized and Federated Settings