AdvHunter: Detecting Adversarial Perturbations in Black-Box Neural Networks through Hardware Performance Counters

Published: 07 November 2024 Publication History

Abstract

The paper introduces AdvHunter, a strategy for detecting adversarial examples (AEs) in Deep Neural Networks (DNNs). AdvHunter operates in practical black-box scenarios in which only hard-label query access to the model is available, a situation commonly encountered with proprietary DNNs. This distinguishes it from existing defenses, which usually require white-box access to the model or must be integrated during training, requirements that are often infeasible for proprietary DNNs. Rather than inspecting the model, AdvHunter monitors the data-flow dynamics of the computational environment while the DNN performs inference: it uses Hardware Performance Counters to observe microarchitectural activity and applies Gaussian Mixture Models to that activity to detect AEs. Extensive evaluation across several datasets, DNN architectures, and adversarial perturbations demonstrates the effectiveness of AdvHunter.
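The abstract gives only the outline of the detection pipeline. The Python sketch below is added here as an illustration and is not code from the AdvHunter paper or its authors. It shows the shape such a detector takes: per-inference hardware-counter vectors are z-scored, a diagonal-covariance Gaussian mixture is fitted to benign traces with EM, and a trace whose log-likelihood falls below a threshold calibrated to a chosen false-positive rate is flagged. The event names, the two-component mixture, the threshold rule and every counter value are assumptions; the traces are constructed rather than measured, and whether adversarial inputs actually separate in counter space on a given model and CPU is the paper's empirical claim, not something this code establishes. On a real host the vectors would be read from perf_event_open or `perf stat` wrapped around each query.

```python
import math
import random

# Hypothetical HPC event set; the paper's exact event list is not given on this page.
EVENTS = ("instructions", "cache-misses", "branch-misses")


def _log_gauss_diag(x, mean, var):
    """log N(x | mean, diag(var)) for one sample vector."""
    return sum(-0.5 * (math.log(2.0 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mean, var))


def _logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


class DiagGMM:
    """Diagonal-covariance Gaussian mixture fitted with plain EM (no numpy/sklearn needed)."""

    def __init__(self, k=2, iters=60, seed=0, min_var=1e-6):
        self.k, self.iters, self.seed, self.min_var = k, iters, seed, min_var

    def fit(self, X):
        rng = random.Random(self.seed)
        n, d = len(X), len(X[0])
        self.means = [list(x) for x in rng.sample(X, self.k)]
        self.vars = [[1.0] * d for _ in range(self.k)]  # inputs are z-scored, so unit variance is a sane start
        self.weights = [1.0 / self.k] * self.k
        for _ in range(self.iters):
            # E-step: responsibility of each component for each sample
            resp = []
            for x in X:
                lp = [math.log(w) + _log_gauss_diag(x, m, v)
                      for w, m, v in zip(self.weights, self.means, self.vars)]
                lse = _logsumexp(lp)
                resp.append([math.exp(l - lse) for l in lp])
            # M-step: re-estimate weights, means and per-dimension variances
            for j in range(self.k):
                nj = max(sum(r[j] for r in resp), 1e-9)  # floor keeps empty components finite
                self.weights[j] = nj / n
                self.means[j] = [sum(r[j] * x[i] for r, x in zip(resp, X)) / nj for i in range(d)]
                self.vars[j] = [max(sum(r[j] * (x[i] - self.means[j][i]) ** 2
                                        for r, x in zip(resp, X)) / nj, self.min_var)
                                for i in range(d)]
        return self

    def log_likelihood(self, x):
        return _logsumexp([math.log(w) + _log_gauss_diag(x, m, v)
                           for w, m, v in zip(self.weights, self.means, self.vars)])


class HpcAdversarialDetector:
    """Learns what benign inference looks like in counter space; flags low-likelihood traces."""

    def __init__(self, components=2, target_fpr=0.01):
        self.components, self.target_fpr = components, target_fpr

    def _zscore(self, x):
        return [(xi - m) / s for xi, m, s in zip(x, self.mu, self.sd)]

    def fit(self, benign_traces):
        n, d = len(benign_traces), len(benign_traces[0])
        self.mu = [sum(t[i] for t in benign_traces) / n for i in range(d)]
        self.sd = [max(math.sqrt(sum((t[i] - self.mu[i]) ** 2 for t in benign_traces) / n), 1e-9)
                   for i in range(d)]
        Z = [self._zscore(t) for t in benign_traces]
        self.gmm = DiagGMM(k=self.components).fit(Z)
        scores = sorted(self.gmm.log_likelihood(z) for z in Z)
        # Threshold so that only target_fpr of the benign calibration traces fall below it
        self.threshold = scores[int(self.target_fpr * n)]
        return self

    def is_adversarial(self, trace):
        return self.gmm.log_likelihood(self._zscore(trace)) < self.threshold


def synth_traces(rng, n, params):
    """Constructed HPC vectors: params is one (mean, stddev) pair per event. Not measured data."""
    return [[rng.gauss(m, s) for m, s in params] for _ in range(n)]


# Assumed counter distributions (constructed): two benign modes, e.g. two input classes,
# and an adversarial mode with elevated cache and branch misses.
BENIGN_MODES = [((1.00e6, 2e4), (3000, 200), (800, 50)),
                ((1.05e6, 2e4), (3600, 200), (950, 50))]
ADV_MODE = ((1.02e6, 2e4), (5200, 300), (1400, 80))


def run_demo(seed=1):
    """Calibrate on benign traces, then score held-out benign and adversarial traces."""
    rng = random.Random(seed)
    benign = [t for mode in BENIGN_MODES for t in synth_traces(rng, 200, mode)]
    held_out = [t for mode in BENIGN_MODES for t in synth_traces(rng, 100, mode)]
    adversarial = synth_traces(rng, 200, ADV_MODE)
    det = HpcAdversarialDetector().fit(benign)
    tpr = sum(det.is_adversarial(t) for t in adversarial) / len(adversarial)
    fpr = sum(det.is_adversarial(t) for t in held_out) / len(held_out)
    return tpr, fpr, det


if __name__ == "__main__":
    tpr, fpr, _ = run_demo()
    print(f"detected {tpr:.1%} of adversarial traces, {fpr:.1%} false positives on held-out benign")
```

The calibration step is the part that matters operationally: the threshold is set from benign traces collected on the same hardware and model, so any change to either (a different CPU, a co-located noisy workload, a model update) requires recalibration, and the chosen false-positive rate is what decides how much benign traffic gets flagged.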


Published In

DAC '24: Proceedings of the 61st ACM/IEEE Design Automation Conference
June 2024
2159 pages
ISBN:9798400706011
DOI:10.1145/3649329
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

DAC '24
Sponsor:
DAC '24: 61st ACM/IEEE Design Automation Conference
June 23 - 27, 2024
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%
