Yanjiao Chen,Xiaotian Zhu,Xueluan Gong,Xinjing Yi,Shuyang Li

DOI: https://doi.org/10.1109/tii.2022.3198481

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:With the unprecedented development of deep learning, autonomous vehicles (AVs) have achieved tremendous progress nowadays. However, AV supported by DNN models is vulnerable to data poisoning attacks, hindering the large-scale application of autonomous driving. For example, by injecting carefully designed poisons into the training dataset of the DNN model in the traffic sign recognition system, the attacker can mislead the system to make targeted misclassification or cause a reduction in model classification accuracy. In this article, we conduct a thorough investigation of the state-of-the-art data poisoning attacks and defenses against AVs. According to whether the attacker needs to manipulate the data labeling process, we divide the state-of-the-art attack approaches into two categories, i.e., dirty-label attacks and clean-label attacks. We also differentiate the existing defense methods into two categories based on whether to modify the training data or the models, i.e., data-based defenses and model-based defenses. In addition to a detailed review of attacks and defenses in each category, we also give a qualitative comparison of the existing attacks and defenses. Besides, we provide a quantitative comparison of the existing attack and defense methods through experiments. Last but not least, we pinpoint several future directions for data poisoning attacks and defenses in AVs, providing possible ways for further research.

Zifan Zhang,Minghong Fang,Jiayuan Huang,Yuchen Liu

2024-04-23

Abstract:Federated Learning (FL) offers a distributed framework to train a global control model across multiple base stations without compromising the privacy of their local network data. This makes it ideal for applications like wireless traffic prediction (WTP), which plays a crucial role in optimizing network resources, enabling proactive traffic flow management, and enhancing the reliability of downstream communication-aided applications, such as IoT devices, autonomous vehicles, and industrial automation systems. Despite its promise, the security aspects of FL-based distributed wireless systems, particularly in regression-based WTP problems, remain inadequately investigated. In this paper, we introduce a novel fake traffic injection (FTI) attack, designed to undermine the FL-based WTP system by injecting fabricated traffic distributions with minimal knowledge. We further propose a defense mechanism, termed global-local inconsistency detection (GLID), which strategically removes abnormal model parameters that deviate beyond a specific percentile range estimated through statistical methods in each dimension. Extensive experimental evaluations, performed on real-world wireless traffic datasets, demonstrate that both our attack and defense strategies significantly outperform existing baselines.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Shaofeng Li,Wen Wu,Yan Meng,Jiachun Li,Haojin Zhu,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/icc45041.2023.10279765

2023-01-01

Abstract:In this paper, we study the abnormal behaviors detection and the corresponding data poisoning attacks in digital twin (DT)-based networks. We first analyze the abnormal behaviors existing in the DT-based networks, including environment anomalies, hardware and software faults, and network attacks. Specially, we design a machine learning (ML)-based anomaly detector to identify network attacks. Furthermore, due to the strong dependency of ML models on training data, in which the outputs of the trained ML models can be affected by the poisoned samples. We design a data poisoning attack scheme against the proposed ML-based anomaly detector, in which attackers can effectively compromise the output of anomaly detectors. Extensive experimental results adopting three commonly used ML-based models demonstrate that the attack can compromise these detectors with over 80% probability.

Mohamed Amine Ferrag,Burak Kantarci,Lucas C. Cordeiro,Merouane Debbah,Kim-Kwang Raymond Choo

2023-03-21

Abstract:Federated edge learning can be essential in supporting privacy-preserving, artificial intelligence (AI)-enabled activities in digital twin 6G-enabled Internet of Things (IoT) environments. However, we need to also consider the potential of attacks targeting the underlying AI systems (e.g., adversaries seek to corrupt data on the IoT devices during local updates or corrupt the model updates); hence, in this article, we propose an anticipatory study for poisoning attacks in federated edge learning for digital twin 6G-enabled IoT environments. Specifically, we study the influence of adversaries on the training and development of federated learning models in digital twin 6G-enabled IoT environments. We demonstrate that attackers can carry out poisoning attacks in two different learning settings, namely: centralized learning and federated learning, and successful attacks can severely reduce the model's accuracy. We comprehensively evaluate the attacks on a new cyber security dataset designed for IoT applications with three deep neural networks under the non-independent and identically distributed (Non-IID) data and the independent and identically distributed (IID) data. The poisoning attacks, on an attack classification problem, can lead to a decrease in accuracy from 94.93% to 85.98% with IID data and from 94.18% to 30.04% with Non-IID.

Cryptography and Security,Artificial Intelligence

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Yalin E. Sagduyu,Tugba Erpek,Yi Shi

DOI: https://doi.org/10.48550/arXiv.2312.17164

2023-12-28

Networking and Internet Architecture

Abstract:This paper studies the poisoning attack and defense interactions in a federated learning (FL) system, specifically in the context of wireless signal classification using deep learning for next-generation (NextG) communications. FL collectively trains a global model without the need for clients to exchange their data samples. By leveraging geographically dispersed clients, the trained global model can be used for incumbent user identification, facilitating spectrum sharing. However, in this distributed learning system, the presence of malicious clients introduces the risk of poisoning the training data to manipulate the global model through falsified local model exchanges. To address this challenge, a proactive defense mechanism is employed in this paper to make informed decisions regarding the admission or rejection of clients participating in FL systems. Consequently, the attack-defense interactions are modeled as a game, centered around the underlying admission and poisoning decisions. First, performance bounds are established, encompassing the best and worst strategies for attackers and defenders. Subsequently, the attack and defense utilities are characterized within the Nash equilibrium, where no player can unilaterally improve its performance given the fixed strategies of others. The results offer insights into novel operational modes that safeguard FL systems against poisoning attacks by quantifying the performance of both attacks and defenses in the context of NextG communications.

Xiong Xiao,Zhuo Tang,Li Yang,Yingjie Song,Jiawei Tan,Kenli Li

DOI: https://doi.org/10.1109/mnet.004.2200645

IF: 10.294

2023-01-01

IEEE Network

Abstract:As a novel distributed machine learning scheme, federated learning (FL) efficiently realizes the collaborative training of models by global participants while also protecting their data privacy. Due to the independence of participants' local data and the inability of the FL server to access the local data, many IIoT applications with strong data sensitivity are increasingly incorporating FL technology. However, it also exposes a great security vulnerability. Malicious adversaries manipulate local data to perform covert targeted poisoning attacks or other harmful behaviors to affect the global model. In addition, due to the diversity of IIoT data in actual scenarios, different data distribution scenarios can also cause different attack effects In this work, we devise a defense technique called FDSFL against multiple malicious adversaries and various targeted poisoning attacks involving both IID and non-IID data distribution scenarios. It runs on the server-side and mainly includes three execution modules: pairwise cosine similarity, clustering mechanism, and filtering strategy, which can dynamically filter malicious updates during the iterative training process. We demonstrate that our designed FDSFL outperforms the state-of-the-art in maintaining global model accuracy and reducing attack success rates through extensive experiments on three general datasets.

Zhihan Lv,Dongliang Chen,Bin Cao,Houbing Song,Haibin Lv

DOI: https://doi.org/10.1109/tc.2021.3077687

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:While Digital Twins (DTs) bring convenience to city managers, they also generate new challenges to city network security. Currently, cyberspace security becomes increasingly complicated. Intrusion detection and Deep Learning (DL) are combined with shunning security threats in service computing systems and improving network defense capabilities. DTs can be applied to network security. Peoples understanding of cyberspace security can be improved using DTs to digitally define, model, and display the network environment and security status. The intrusion detection data are optimized based on DL technology, and a network intrusion detection algorithm integrated with Deep Neural Network (DNN) model is proposed. In the cloud service system, a trust model based on Keyed-Hashing-based Self-Synchronization (KHSS) is introduced. This model predicts the security state and detects attacks according to existing malicious attacks, ensuring the network security defense systems regular operation. Finally, simulation experiments verify the Deep Belief Networks (DBN) models feasibility and the cloud trust model. The DBN algorithm proposed improves the correct detection rate of unknown samples by 4.05% compared with the Support Vector Machine (SVM) algorithm.

engineering, electrical & electronic,computer science, hardware & architecture

Ying Liu,Weiting Zhang,Letian Li,Juqin Wu,Yu Xia,Shuai Gao,Hongke Zhang

DOI: https://doi.org/10.1109/mnet.2024.3353180

IF: 10.294

2024-01-01

IEEE Network

Abstract:With the rapid growth of online applications and the increasing complexity of network architecture, network security faces significant challenges. As a promising approach, the network digital twin brings fresh opportunities for building more trustworthy networks. In this article, we analyze the challenges faced when designing cybersecurity twins and the methodology to address them. Then, the autonomous trusted network (ATN) framework is proposed, which leverages network digital twins, to enhance network security. The ATN framework incorporates flexible data aggregation, a security twin model, and an intelligent configuration model. It collects critical network data, trains security twin models using graph neural networks (GNNs), and generates intelligent configuration policies for proactive defense. By integrating network digital twins, advanced AI technologies, and programmable data planes, the ATN framework enables proactive threat detection, real-time response, and optimization, thereby enhancing the stability and reliability of networks in the face of evolving security challenges. The effectiveness of the ATN framework is demonstrated through a case study on Link-Flooding Attacks (LFA). The ATN framework effectively predicts and mitigates LFA by limiting attack traffic while ensuring the uninterrupted flow of legitimate traffic. The results show that the ATN framework outperforms traditional mitigation methods, such as traffic filtering and rerouting, in terms of promptness and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Chao Feng,Alberto Huertas Celdrán,Zien Zeng,Zi Ye,Jan von der Assen,Gerome Bovet,Burkhard Stiller

2024-10-02

Abstract:Decentralized Federated Learning (DFL), a paradigm for managing big data in a privacy-preserved manner, is still vulnerable to poisoning attacks where malicious clients tamper with data or models. Current defense methods often assume Independently and Identically Distributed (IID) data, which is unrealistic in real-world applications. In non-IID contexts, existing defensive strategies face challenges in distinguishing between models that have been compromised and those that have been trained on heterogeneous data distributions, leading to diminished efficacy. In response, this paper proposes a framework that employs the Moving Target Defense (MTD) approach to bolster the robustness of DFL models. By continuously modifying the attack surface of the DFL system, this framework aims to mitigate poisoning attacks effectively. The proposed MTD framework includes both proactive and reactive modes, utilizing a reputation system that combines metrics of model similarity and loss, alongside various defensive techniques. Comprehensive experimental evaluations indicate that the MTD-based mechanism significantly mitigates a range of poisoning attack types across multiple datasets with different topologies.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Haitian Zhang,Guang Hua,Xinya Wang,Hao Jiang,Wen Yang

DOI: https://doi.org/10.1109/tifs.2023.3244107

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep Neural Network (DNN) models have offered powerful solutions for a wide range of tasks, but the cost to develop such models is nontrivial, which calls for effective model protection. Although black-box distribution can mitigate some threats, model functionality can still be stolen via black-box surrogate attacks. Recent studies have shown that surrogate attacks can be launched in several ways, while the existing defense methods commonly assume attackers with insufficient in-distribution (ID) data and restricted attacking strategies. In this paper, we relax these constraints and assume a practical threat model in which the adversary not only has sufficient ID data and query times but also can adjust the surrogate training data labeled by the victim model. Then, we propose a two-step categorical inference poisoning (CIP) framework, featuring both poisoning for performance degradation (PPD) and poisoning for backdooring (PBD). In the first poisoning step, incoming queries are classified into ID and (out-of-distribution) OOD ones using an energy score (ES) based OOD detector, and the latter are further classified into high ES and low ES ones, which are subsequently passed to a strong and a weak PPD process, respectively. In the second poisoning step, difficult ID queries are detected by a proposed reliability score (RS) measurement and are passed to PBD. In doing so, the first step OOD poisoning leads to substantial performance degradation in surrogate models, the second step ID poisoning further embeds backdoors in them, while both can preserve model fidelity. Extensive experiments confirm that CIP can not only achieve promising performance against state-of-the-art black-box surrogate attacks like KnockoffNets and data-free model extraction (DFME) but also work well against stronger attacks with sufficient ID and deceptive data, better than the existing dynamic adversarial watermarking (DAWN) and deceptive perturbation defense methods. PyTorch code is available at https://github.com/Hatins/CIP_master.git.

Jiawen Kang,Yibo Lian,Changqiao Xu,Haijiang Tian,Xiaohui Kuang,D. Niyato,Zhang Tao

DOI: https://doi.org/10.1109/JSAC.2023.3310072

IF: 16.4

2023-10-01

IEEE Journal on Selected Areas in Communications

Abstract:With rapid development of emerging technologies for Internet of Things (IoT), digital twins (DT) have been proposed to support a wide variety of applications. A mobile network is expected to be integrated with DT to form a DT mobile network (DTMN). Unfortunately, DTMN still faces security threats, which have attracted great research attention. Current defense mechanisms are mostly static, i.e., responding after attacks happening. To solve the aforementioned problem, moving target defense (MTD) has been proposed as an innovative solution. However, there exist three major challenges when applying MTD into DTMN. Firstly, less emphasis was paid to collaborative scheduling between multiple MTD schemes, which can improve the security of DTMN. Secondly, MTD schemes require lots of network resources, but few works focus on the time allocation of multiple MTD schemes to reduce network resource consumption. Thirdly, existing defense strategies only rely on current information, but do not consider future information. In this paper, we propose a collaborative mutation-based MTD (CM-MTD) in DTMN. We mainly consider two MTD schemes called host address mutation (HAM) and route mutation (RM), respectively, which adjust network properties and invalidate different stages of cyber kill chain. We firstly formulate a semi-Markov decision process (SMDP) to model time-varying security events and dynamic deployment of multiple MTD schemes. Then, security events are predicted by long short-term memory (LSTM), which are regarded as network states in SMDP. Next, infeasible actions that do not satisfy network constraints will be removed from the action space of the SMDP. Lastly, we design a hierarchical deep reinforcement learning algorithm for collaborative scheduling. Simulation results highlight the effectiveness of CM-MTD compared with baseline solutions.

Engineering,Computer Science

Man Li,Huachun Zhou,Yajuan Qin

DOI: https://doi.org/10.3390/s22072532

IF: 3.9

2022-01-01

Sensors

Abstract:5G technologies provide ubiquitous connectivity. However, 5G security is a particularly important issue. Moreover, because public datasets are outdated, we need to create a self-generated dataset on the virtual platform. Therefore, we propose a two-stage intelligent detection model to enable 5G networks to withstand security issues and threats. Finally, we define malicious traffic detection capability metrics. We apply the self-generated dataset and metrics to thoroughly evaluate the proposed mechanism. We compare our proposed method with benchmark statistics and neural network algorithms. The experimental results show that the two-stage intelligent detection model can distinguish between benign and abnormal traffic and classify 21 kinds of DDoS. Our analysis also shows that the proposed approach outperforms all the compared approaches in terms of detection rate, malicious traffic detection capability, and response time.

Hairuo Xu,Tao Shu

DOI: https://doi.org/10.1016/j.jisa.2024.103739

IF: 4.96

2024-03-04

Journal of Information Security and Applications

Abstract:The distributed nature of distributed learning renders the learning process susceptible to model poisoning attacks. Most existing countermeasures are designed based on a presumed attack model, and can only perform under the presumed attack model. However, in reality a distributed learning system typically does not have the luxury of knowing the attack model it is going to be actually facing in its operation when the learning system is deployed, thus constituting a zero-day vulnerability of the system that has been largely overlooked so far. In this paper, we study the attack-model-agnostic defense mechanisms for distributed learning, which are capable of countering a wide-spectrum of model poisoning attacks without relying on assumptions of the specific attack model, and hence alleviating the zero-day vulnerability of the system. Extensive experiments are performed to verify the effectiveness of the proposed defense.

computer science, information systems

Ren Pang,Hua Shen,Xinyang Zhang,Shouling Ji,Yevgeniy Vorobeychik,Xiapu Luo,Alex Liu,Ting Wang

DOI: https://doi.org/10.1145/3372297.3417253

2020-01-01

Abstract:Despite their tremendous success in a range of domains, deep learning systems are inherently susceptible to two types of manipulations: adversarial inputs -- maliciously crafted samples that deceive target deep neural network (DNN) models, and poisoned models -- adversely forged DNNs that misbehave on pre-defined inputs. While prior work has intensively studied the two attack vectors in parallel, there is still a lack of understanding about their fundamental connections: what are the dynamic interactions between the two attack vectors? what are the implications of such interactions for optimizing existing attacks? what are the potential countermeasures against the enhanced attacks? Answering these key questions is crucial for assessing and mitigating the holistic vulnerabilities of DNNs deployed in realistic settings. Here we take a solid step towards this goal by conducting the first systematic study of the two attack vectors within a unified framework. Specifically, (i) we develop a new attack model that jointly optimizes adversarial inputs and poisoned models; (ii) with both analytical and empirical evidence, we reveal that there exist intriguing "mutual reinforcement" effects between the two attack vectors -- leveraging one vector significantly amplifies the effectiveness of the other; (iii) we demonstrate that such effects enable a large design spectrum for the adversary to enhance the existing attacks that exploit both vectors (e.g., backdoor attacks), such as maximizing the attack evasiveness with respect to various detection methods; (iv) finally, we discuss potential countermeasures against such optimized attacks and their technical challenges, pointing to several promising research directions.

Yunmin Wang,Abla Smahi,Huayu Zhang,Hui Li

DOI: https://doi.org/10.3390/s22030747

IF: 3.9

2022-01-19

Sensors

Abstract:Recently, more and more mobile devices have been connected to the Internet. The Internet environment is complicated, and network security incidents emerge endlessly. Traditional blocking and killing passive defense measures cannot fundamentally meet the network security requirements. Inspired by the heuristic establishment of multiple lines of defense in immunology, we designed and prototyped a Double Defense strategy with Endogenous Safety and Security (DDESS) based on multi-identifier network (MIN) architecture. DDESS adopts the idea of a zero-trust network, with identity authentication as the core for access control, which solves security problems of traditional IP networks. In addition, DDESS achieves individual static security defense through encryption and decryption, consortium blockchain, trusted computing whitelist, and remote attestation strategies. At the same time, with the dynamic collection of data traffic and access logs, as well as the understanding and prediction of the situation, DDESS can realize the situation awareness of network security and the cultivation of immune vaccines against unknown network attacks, thus achieving the active herd defense of network security.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yichen Wan,Youyang Qu,Wei Ni,Yong Xiang,Longxiang Gao,Ekram Hossain

DOI: https://doi.org/10.1109/comst.2024.3361451

IF: 35.6

2024-01-01

IEEE Communications Surveys & Tutorials

Abstract:Due to the greatly improved capabilities of devices, massive data, and increasing concern about data privacy, Federated Learning (FL) has been increasingly considered for applications to wireless communication networks (WCNs). Wireless FL (WFL) is a distributed method of training a global deep learning model in which a large number of participants each train a local model on their training datasets and then upload the local model updates to a central server. However, in general, nonindependent and identically distributed (non-IID) data of WCNs raises concerns about robustness, as a malicious participant could potentially inject a “backdoor” into the global model by uploading poisoned data or models over WCN. This could cause the model to misclassify malicious inputs as a specific target class while behaving normally with benign inputs. This survey provides a comprehensive review of the latest backdoor attacks and defense mechanisms. It classifies them according to their targets (data poisoning or model poisoning), the attack phase (local data collection, training, or aggregation), and defense stage (local training, before aggregation, during aggregation, or after aggregation). The strengths and limitations of existing attack strategies and defense mechanisms are analyzed in detail. Comparisons of existing attack methods and defense designs are carried out, pointing to noteworthy findings, open challenges, and potential future research directions related to security and privacy of WFL.

computer science, information systems,telecommunications

Tribhuvanesh Orekondy,Bernt Schiele,Mario Fritz

DOI: https://doi.org/10.48550/arXiv.1906.10908

2020-03-03

Abstract:High-performance Deep Neural Networks (DNNs) are increasingly deployed in many real-world applications e.g., cloud prediction APIs. Recent advances in model functionality stealing attacks via black-box access (i.e., inputs in, predictions out) threaten the business model of such applications, which require a lot of time, money, and effort to develop. Existing defenses take a passive role against stealing attacks, such as by truncating predicted information. We find such passive defenses ineffective against DNN stealing attacks. In this paper, we propose the first defense which actively perturbs predictions targeted at poisoning the training objective of the attacker. We find our defense effective across a wide range of challenging datasets and DNN model stealing attacks, and additionally outperforms existing defenses. Our defense is the first that can withstand highly accurate model stealing attacks for tens of thousands of queries, amplifying the attacker's error rate up to a factor of 85$\times$ with minimal impact on the utility for benign users.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Zhen Yin,Wei Wang,Xiaozhen Lu,Zhisheng Yin

DOI: https://doi.org/10.1109/icccworkshops62562.2024.10693731

2024-01-01

Abstract:Distributed denial-of-service (DDoS) attack is a kind of critical threat for wireless edge network that flood networks with malicious traffic, which is difficult to defense due to the traffic fluctuation. To efficiently detect and countermeasure the DDoS attack, we propose a multi-level collaborative defense strategy that facilitates lightweight and cost-effective malicious traffic detection. The interaction between attacker and defender is modeled as a two-stage Stackelberg game and the optimal defense strategy is obtained with equilibrium analysis. We utilize the gradient descent method to iteratively compute the optimal strategies for both the attacker and the defender. Simulation results show that the proposed strategy can significantly enhance the utility of the defender, while reducing the utility of the attacker. In addition, when the attacker has access to a consider-able number of nodes, our approach demonstrably outperforms existing schemes.

Xuan Liu,Zhen Bao,Dan Lu,Zuyi Li

DOI: https://doi.org/10.1109/tsg.2015.2394358

IF: 10.275

2015-01-01

IEEE Transactions on Smart Grid

Abstract:Modern power grids are becoming more prone to cyberattacks. Even worse, an attacker without the full topology and parameter information of a power grid can still execute a false data injection attack without being detected by the state estimator. This paper proposes an efficient strategy for determining the optimal attacking region that requires reduced network information. The effectiveness of the proposed algorithm is verified through extensive simulations. This paper introduces a new front in the study of smart grid cyber security: determination of a feasible attacking region by obtaining less network information. This paper is also essential and significant for finding effective protection strategies against false data injection attacks based on the deep understanding of the mechanisms and strategies of the attacks.