Adversarial Perturbations of Physical Signals

Robert L. Bassett, Austin Van Dellen, Anthony P. Austin
2024-02-27
Abstract: We investigate the vulnerability of computer-vision-based signal classifiers to adversarial perturbations of their inputs, where the signals and perturbations are subject to physical constraints. We consider a scenario in which a source and interferer emit signals that propagate as waves to a detector, which attempts to classify the source by analyzing the spectrogram of the signal it receives using a pre-trained neural network. By solving PDE-constrained optimization problems, we construct interfering signals that cause the detector to misclassify the source even though the perturbations to the spectrogram of the received signal are nearly imperceptible. Though such problems can have millions of decision variables, we introduce methods to solve them efficiently. Our experiments demonstrate that one can compute effective and physically realizable adversarial perturbations for a variety of machine learning models under various physical conditions.
Machine Learning, Cryptography and Security, Signal Processing, Optimization and Control
What problem does this paper attempt to address?
This paper discusses the vulnerability of computer-vision-based signal classifiers to adversarial perturbations under physical constraints. The researchers simulated a scenario in which a submarine and an interference emitter both emit acoustic signals that reach a detector, and the detector uses a pre-trained neural network to classify the received signal from its spectrogram. By solving an optimization problem constrained by partial differential equations (PDEs), they constructed adversarial signals that cause the detector to misclassify, even though the perturbations are almost imperceptible in the spectrogram of the received signal. Although such problems can involve millions of decision variables, the authors proposed efficient methods to solve them. Experimental results demonstrate that effective and physically realizable adversarial perturbations can be computed for various machine learning models and different physical conditions.
This research is particularly important under the assumption of physical access, where the attacker can manipulate the classifier input only indirectly, through sensors, rather than having direct logical access. In the paper, the signals are represented as spectrograms (images of frequency content that varies over time), which are processed by neural networks for classification. The study found that physically feasible adversarial perturbations can be successfully constructed even in the presence of environmental noise. The methodology of the paper includes problem formalization, discretization, computation, and presentation of experimental results, demonstrating how to efficiently solve PDE-constrained optimization problems and proving the effectiveness of the methods with practical application examples.
By restricting the frequency range of the interference signal to ensure its physical feasibility, the researchers were able to mislead the detector without significantly altering the spectrogram of the received signal. The experimental results show that this approach can successfully cause misclassification in various machine learning models.