Yuzhe Gu,Na Jiang,Yanjiao Chen,Xueluan Gong

DOI: https://doi.org/10.1007/978-3-031-28990-3_16

2023-01-01

Abstract:Recently, the Internet of Things (IoT) technology has made tremendous progress, and it is beginning to enter many areas of social life, such as autonomous driving, medical care, etc. Due to the massive data in IoT, deep neural networks (DNN) are often involved in helping process and analyzing data, but DNNs still face many security threats. Adversarial example attack is a common attack against DNN models, which interferes with model decisions through processed samples. It will undoubtedly threaten DNN-based IoT systems. This paper presents the possible attack scenarios of adversarial example attacks in IoT systems and extensively studies the defense methods of adversarial example attacks in IoT systems.

Zhenqin Yin,Lingjian Ye,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2024.3431587

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:In recent years, more and more open environment have led to confidential links and data exposure, which seriously threatens the security of industrial systems. Adversarial attacks can easily fool machine learning models by adding tiny perturbations to input data. Industrial fault detection and classification (FDC) system is an indispensable part of ensuring production safety, but it is also not immune to the impact of adversarial risks. Once it is under attack, the disastrous consequences that may be caused to the industrial system are unimaginable. Adversarial training is among the most effective defense methods to protect those data-driven intelligent systems. This article studies a novel reweighted adversarial training approach called adversarial weight prediction networks. By assigning more appropriate weights to different data samples, we can make better use of the limited model capacity of the industrial FDC system. Particularly, predicting weights through a synchronized network overcomes the limitations of insufficient information and nontransferability of existing statistical methods. Performance evaluation on three industrial cases containing structured and image data shows the superior generalization and stability of our proposed method.

Guangjing Wang,Ce Zhou,Yuanda Wang,Bocheng Chen,Hanqing Guo,Qiben Yan

2023-11-20

Abstract:Artificial Intelligence (AI) systems such as autonomous vehicles, facial recognition, and speech recognition systems are increasingly integrated into our daily lives. However, despite their utility, these AI systems are vulnerable to a wide range of attacks such as adversarial, backdoor, data poisoning, membership inference, model inversion, and model stealing attacks. In particular, numerous attacks are designed to target a particular model or system, yet their effects can spread to additional targets, referred to as transferable attacks. Although considerable efforts have been directed toward developing transferable attacks, a holistic understanding of the advancements in transferable attacks remains elusive. In this paper, we comprehensively explore learning-based attacks from the perspective of transferability, particularly within the context of cyber-physical security. We delve into different domains -- the image, text, graph, audio, and video domains -- to highlight the ubiquitous and pervasive nature of transferable attacks. This paper categorizes and reviews the architecture of existing attacks from various viewpoints: data, process, model, and system. We further examine the implications of transferable attacks in practical scenarios such as autonomous driving, speech recognition, and large language models (LLMs). Additionally, we outline the potential research directions to encourage efforts in exploring the landscape of transferable attacks. This survey offers a holistic understanding of the prevailing transferable attacks and their impacts across different domains.

Cryptography and Security,Artificial Intelligence,Computation and Language,Computer Vision and Pattern Recognition

Yue Zhuo,Yuri A. W. Shardt,Zhiqiang Ge

DOI: https://doi.org/10.1016/j.eng.2021.07.033

IF: 12.834

2022-01-01

Engineering

Abstract:Recently developed fault classification methods for industrial processes are mainly data-driven. Notably, models based on deep neural networks have significantly improved fault classification accuracy owing to the inclusion of a large number of data patterns. However, these data-driven models are vulnerable to adversarial attacks; thus, small perturbations on the samples can cause the models to provide incorrect fault predictions. Several recent studies have demonstrated the vulnerability of machine learning methods and the existence of adversarial samples. This paper proposes a black-box attack method with an extreme constraint for a safe-critical industrial fault classification system: Only one variable can be perturbed to craft adversarial samples. Moreover, to hide the adversarial samples in the visualization space, a Jacobian matrix is used to guide the perturbed variable selection, making the adversarial samples in the dimensional reduction space invisible to the human eye. Using the one-variable attack (OVA) method, we explore the vulnerability of industrial variables and fault types, which can help understand the geometric characteristics of fault classification systems. Based on the attack method, a corresponding adversarial training defense method is also proposed, which efficiently defends against an OVA and improves the prediction accuracy of the classifiers. In experiments, the proposed method was tested on two datasets from the Tennessee–Eastman process (TEP) and steel plates (SP). We explore the vulnerability and correlation within variables and faults and verify the effectiveness of OVAs and defenses for various classifiers and datasets. For industrial fault classification systems, the attack success rate of our method is close to (on TEP) or even higher than (on SP) the current most effective first-order white-box attack method, which requires perturbation of all variables.

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2022.3197190

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:In modern industries, data-driven fault detection and classification (FDC) systems can efficiently maintain industrial security and stability, while the security of the data-driven FDC system itself is rarely or even never considered. The security problem named adversarial vulnerability is the intrinsic of data-driven machine learning models, which will give incorrect predictions under the maliciously perturbed input data. This paper presents a work on this new security topic of the data-driven FDC systems, by 1) summarizing and comparing various recent and typical adversarial attack and defense methods for fault classifiers; 2) proposing novel attack and defense techniques for unsupervised fault detectors; 3) constructing a novel industrial adversarial security benchmark on FDC systems in the Tennessee-Eastman process (TEP) dataset; 4) exploring and discussing which attack is most potentially threatening for FDC systems and which defense technique is most applicable to mitigate attacks. The results reveal unique security properties of FDC systems, mainly including 1) for fault classifiers, black-box attack is close to the attack strength of white-box FGSM and the universal transferable attack is not significantly stronger than random noise; 2) weak adversarial training is excellent with high adversarial accuracy improvement and negligible clean accuracy decrease; 3) fault detectors are intrinsically more robust, and can be well protected by strong adversarial training. More intriguing properties and profound insights are demonstrated in the paper. This pioneering work could guide researchers and practitioners in discovering and navigating the field of FDC system adversarial robustness, outlining the research directions and open problems.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3104056

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Data-driven artificial intelligence (AI) models have been widely used in industrial systems helping big data analytic due to its convenience and flexibility. However, adversarial attacks have the ability to mislead AI models to make incorrect predictions just by adding specific perturbation to actual samples. With the high integration of industrial systems and information technology, the reliability and safety of AI models in industrial systems have been seriously threatened. In the article, fault diagnosis models and soft sensing models rely on AI technology are verified to be vulnerable facing adversarial attack. To this end, the concept of information fingerprint for industrial data is introduced to distinguish actual samples from adversarial samples with small perturbation. With fault diagnosis models and soft sensing models as the background, information fingerprint exaction networks based on deep learning is developed to extract the information fingerprint for further analysis. It utilizes supervised contrastive pretraining and unsupervised training to realize parameter learning for the structure of siamese neural network and autoencoder. Finally, the effectiveness and feasibility of the proposed information fingerprint for adversarial sample detection are verified in two industrial benchmark cases.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tai.2022.3145335

2022-01-01

IEEE Transactions on Artificial Intelligence

Abstract:With the rapid development of information technology, intelligent upgrading of the manufacturing industry has broken the closed environment of traditional industrial control systems (ICS); thus, the information security of ICS has been seriously threatened. As part of ICS, the process monitoring system (PMS) is heavily subject to external risks. Data-driven PMSs have been widely used as initial lines of defense to ensure ICS safety. Once the PMS is under attack, the consequences on the whole ICS will be unimaginable. Unfortunately, the safety issues of the PMS have received inadequate attention. This article reveals PMS’s vulnerabilities through effective attacks. A novel method called subspace transfer network (STN) is proposed to conduct adversarial and poisoning attacks on the PMS simultaneously. Then the attack task flow is defined and explained to make online adversarial attacks and data poisoning on PMS. Meanwhile, aiming at two poisoning goals, targeted and untargeted attacks of STN are designed, respectively. Finally, the PMS’s fragility is verified in two industrial benchmarks.

Islam Debicha,Thibault Debatty,Jean-Michel Dricot,Wim Mees,Tayeb Kenaza

DOI: https://doi.org/10.1007/978-981-16-8059-5_20

2021-12-23

Abstract:In the last decade, the use of Machine Learning techniques in anomaly-based intrusion detection systems has seen much success. However, recent studies have shown that Machine learning in general and deep learning specifically are vulnerable to adversarial attacks where the attacker attempts to fool models by supplying deceptive input. Research in computer vision, where this vulnerability was first discovered, has shown that adversarial images designed to fool a specific model can deceive other machine learning models. In this paper, we investigate the transferability of adversarial network traffic against multiple machine learning-based intrusion detection systems. Furthermore, we analyze the robustness of the ensemble intrusion detection system, which is notorious for its better accuracy compared to a single model, against the transferability of adversarial attacks. Finally, we examine Detect & Reject as a defensive mechanism to limit the effect of the transferability property of adversarial network traffic against machine learning-based intrusion detection systems.

Cryptography and Security,Machine Learning

Xiangyin Kong,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3093386

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure.

Eirini Anthi,Lowri Williams,Matilda Rhode,Pete Burnap,Adam Wedgbury

DOI: https://doi.org/10.48550/arXiv.2004.05005

2020-04-10

Abstract:The proliferation and application of machine learning based Intrusion Detection Systems (IDS) have allowed for more flexibility and efficiency in the automated detection of cyber attacks in Industrial Control Systems (ICS). However, the introduction of such IDSs has also created an additional attack vector; the learning models may also be subject to cyber attacks, otherwise referred to as Adversarial Machine Learning (AML). Such attacks may have severe consequences in ICS systems, as adversaries could potentially bypass the IDS. This could lead to delayed attack detection which may result in infrastructure damages, financial loss, and even loss of life. This paper explores how adversarial learning can be used to target supervised models by generating adversarial samples using the Jacobian-based Saliency Map attack and exploring classification behaviours. The analysis also includes the exploration of how such samples can support the robustness of supervised models using adversarial training. An authentic power system dataset was used to support the experiments presented herein. Overall, the classification performance of two widely used classifiers, Random Forest and J48, decreased by 16 and 20 percentage points when adversarial samples were present. Their performances improved following adversarial training, demonstrating their robustness towards such attacks.

Machine Learning,Cryptography and Security,Signal Processing

Jiming Chen,Xiangshan Gao,Ruilong Deng,Yang He,Chongrong Fang,Peng Cheng

DOI: https://doi.org/10.1109/tdsc.2020.3037500

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deploying machine learning (ML)-based intrusion detection systems (IDS) is an effective way to improve the security of industrial control systems (ICS). However, ML models themselves are vulnerable to adversarial examples, generated by deliberately adding subtle perturbation to the input sample that some people are not aware of, causing the model to give a false output with high confidence. In this article, our goal is to investigate the possibility of stealthy cyber attacks towards IDS, including injection attack, function code attack and reconnaissance attack, and enhance its robustness to adversarial attack. However, adversarial algorithms are subject to communication protocol and legal range of data in ICS, unlike only limited by the distance between original samples and newly generated samples in image domain. We propose two strategies - optimal solution attack and GAN attack - oriented to flexibility and volume of data, formulating an optimization problem to find stealthy attacks, where the former is appropriate for not too large and more flexible samples while the latter provides a more efficient solution for larger and not too flexible samples. Finally, we conduct experiments on a semi-physical ICS testbed with a high detection performance ensemble ML-based detector to show the effectiveness of our attacks. The results indicate that new samples of reconnaissance and function code attack produced by both optimal solution and GAN algorithm possess 80 percent higher probability to evade the detector, still maintaining the same attack effect. In the meantime, we adopt adversarial training as a method to defend against adversarial attack. After training on the mixture of orginal dataset and newly generated samples, the detector becomes more robust to adversarial examples.

Yajie Wang,Yu-an Tan,Thar Baker,Neeraj Kumar,Quanxin Zhang

DOI: https://doi.org/10.1109/tii.2022.3168874

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industry 5.0 is aimed at merging the cognitive computing capabilities of deep neural networks (DNNs) with human resourcefulness in collaborative operations. DNNs have been widely used in Industrial Artificial Intelligence of Things (Industrial AIoT) systems. However, DNNs are vulnerable to adversarial attacks, which bring a considerable risk to Industrial AIoT systems. The adversary uses adversarial examples crafted on the local ensemble model to attack black-box target of Industrial AIoT systems, resulting in catastrophic consequences. It is essential to study ensemble adversarial attack and defense strategies in black-box scenarios. Nevertheless, current ensemble attacks' performance is limited by the diversity of local models and ensemble strategies, and defensive strategies are inefficient. To solve these problems, we propose two novel deep fusion methods from both an attacker's and a defender's perspective. For initiating attacks, we propose deep fusion attack. The erosion models are applied to compensate for local models' insufficiency in diversity. We fuse erosion models in the output space, and the feature space simultaneously and continuously accumulate historical gradients to retain adversarial information, thereby improving transferability. Extensive experimental results show that our approach achieves superior performance in black-box attacks, and the average success rate of our attack reaches a compelling 87.4%. For constructing defenses, we propose deep fusion defense, using a fusion of multiple predictions with erosion models as a novel approach. We successfully increase the model's robustness by more than 90% on the ImageNet dataset.

Ramesh Kumar Sah,Hassan Ghasemzadeh

DOI: https://doi.org/10.1145/3641861

2024-03-19

ACM Transactions on Embedded Computing Systems

Abstract:Machine learning algorithms are increasingly used for inference and decision-making in embedded systems. Data from sensors are used to train machine learning models for various smart functions of embedded and cyber-physical systems ranging from applications in healthcare, autonomous vehicles, and national security. However, recent studies have shown that machine learning models can be fooled by adding adversarial noise to their inputs. The perturbed inputs are called adversarial examples. Furthermore, adversarial examples designed to fool one machine learning system are also often effective against another system. This property of adversarial examples is called adversarial transferability and has not been explored in wearable systems to date. In this work, we take the first stride in studying adversarial transferability in wearable sensor systems from four viewpoints: (1) transferability between machine learning models; (2) transferability across users/subjects of the embedded system; (3) transferability across sensor body locations; and (4) transferability across datasets used for model training. We present a set of carefully designed experiments to investigate these transferability scenarios. We also propose a threat model describing the interactions of an adversary with the source and target sensor systems in different transferability settings. In most cases, we found high untargeted transferability, whereas targeted transferability success scores varied from to . The transferability of adversarial examples depends on many factors such as the inclusion of data from all subjects, sensor body position, number of samples in the dataset, type of learning algorithm, and the distribution of source and target system dataset. The transferability of adversarial examples decreased sharply when the data distribution of the source and target system became more distinct. We also provide guidelines and suggestions for the community for designing robust sensor systems. Code and dataset used in our analysis is publicly available here.

computer science, software engineering, hardware & architecture

Yuhao Mao,Chong Fu,Saizhuo Wang,Shouling Ji,Xuhong Zhang,Zhenguang Liu,Jun Zhou,Alex X. Liu,Raheem Beyah,Ting Wang

DOI: https://doi.org/10.1109/sp46214.2022.9833783

2022-01-01

Abstract:One intriguing property of adversarial attacks is their “transferability” – an adversarial example crafted with respect to one deep neural network (DNN) model is often found effective against other DNNs as well. Intensive research has been conducted on this phenomenon under simplistic controlled conditions. Yet, thus far there is still a lack of comprehensive understanding about transferability-based attacks (“transfer attacks”) in real-world environments.To bridge this critical gap, we conduct the first large-scale systematic empirical study of transfer attacks against major cloud-based MLaaS platforms, taking the components of a real transfer attack into account. The study leads to a number of interesting findings which are inconsistent to the existing ones, including: (i) Simple surrogates do not necessarily improve real transfer attacks. (ii) No dominant surrogate architecture is found in real transfer attacks. (iii) It is the gap between posterior (output of the softmax layer) rather than the gap between logit (so-called κ value) that increases transferability. Moreover, by comparing with prior works, we demonstrate that transfer attacks possess many previously unknown properties in real-world environments, such as (i) Model similarity is not a well-defined concept. (ii) L 2 norm of perturbation can generate high transferability without usage of gradient and is a more powerful source than L ∞ norm. We believe this work sheds light on the vulnerabilities of popular MLaaS platforms and points to a few promising research directions. 1

Ehsan Nowroozi,Yassine Mekdad,Mohammad Hajian Berenjestanaki,Mauro Conti,Abdeslam EL Fergougui

DOI: https://doi.org/10.48550/arXiv.2110.04488

2022-03-31

Abstract:Convolutional Neural Networks (CNNs) models are one of the most frequently used deep learning networks, and extensively used in both academia and industry. Recent studies demonstrated that adversarial attacks against such models can maintain their effectiveness even when used on models other than the one targeted by the attacker. This major property is known as transferability, and makes CNNs ill-suited for security applications. In this paper, we provide the first comprehensive study which assesses the robustness of CNN-based models for computer networks against adversarial transferability. Furthermore, we investigate whether the transferability property issue holds in computer networks applications. In our experiments, we first consider five different attacks: the Iterative Fast Gradient Method (I-FGSM), the Jacobian-based Saliency Map (JSMA), the Limited-memory Broyden Fletcher Goldfarb Shanno BFGS (L- BFGS), the Projected Gradient Descent (PGD), and the DeepFool attack. Then, we perform these attacks against three well- known datasets: the Network-based Detection of IoT (N-BaIoT) dataset, the Domain Generating Algorithms (DGA) dataset, and the RIPE Atlas dataset. Our experimental results show clearly that the transferability happens in specific use cases for the I- FGSM, the JSMA, and the LBFGS attack. In such scenarios, the attack success rate on the target network range from 63.00% to 100%. Finally, we suggest two shielding strategies to hinder the attack transferability, by considering the Most Powerful Attacks (MPAs), and the mismatch LSTM architecture.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning,Networking and Internet Architecture

Nicolas Papernot,P. Mcdaniel,I. Goodfellow

2016-05-24

Abstract:Many machine learning models are vulnerable to adversarial examples: inputs that are specially crafted to cause a machine learning model to produce an incorrect output. Adversarial examples that affect one model often affect another model, even if the two models have different architectures or were trained on different training sets, so long as both models were trained to perform the same task. An attacker may therefore train their own substitute model, craft adversarial examples against the substitute, and transfer them to a victim model, with very little information about the victim. Recent work has further developed a technique that uses the victim model as an oracle to label a synthetic training set for the substitute, so the attacker need not even collect a training set to mount the attack. We extend these recent techniques using reservoir sampling to greatly enhance the efficiency of the training procedure for the substitute model. We introduce new transferability attacks between previously unexplored (substitute, victim) pairs of machine learning model classes, most notably SVMs and decision trees. We demonstrate our attacks on two commercial machine learning classification systems from Amazon (96.19% misclassification rate) and Google (88.94%) using only 800 queries of the victim model, thereby showing that existing machine learning approaches are in general vulnerable to systematic black-box attacks regardless of their structure.

Computer Science

Jindong Gu,Xiaojun Jia,Pau de Jorge,Wenqain Yu,Xinwei Liu,Avery Ma,Yuan Xun,Anjun Hu,Ashkan Khakzar,Zhijiang Li,Xiaochun Cao,Philip Torr

2024-05-02

Abstract:The emergence of Deep Neural Networks (DNNs) has revolutionized various domains by enabling the resolution of complex tasks spanning image recognition, natural language processing, and scientific problem-solving. However, this progress has also brought to light a concerning vulnerability: adversarial examples. These crafted inputs, imperceptible to humans, can manipulate machine learning models into making erroneous predictions, raising concerns for safety-critical applications. An intriguing property of this phenomenon is the transferability of adversarial examples, where perturbations crafted for one model can deceive another, often with a different architecture. This intriguing property enables black-box attacks which circumvents the need for detailed knowledge of the target model. This survey explores the landscape of the adversarial transferability of adversarial examples. We categorize existing methodologies to enhance adversarial transferability and discuss the fundamental principles guiding each approach. While the predominant body of research primarily concentrates on image classification, we also extend our discussion to encompass other vision tasks and beyond. Challenges and opportunities are discussed, highlighting the importance of fortifying DNNs against adversarial vulnerabilities in an evolving landscape.

Computer Vision and Pattern Recognition

Hangsheng Zhang,Dongqi Han,Yinlong Liu,Zhiliang Wang,Jiyan Sun,Shangyuan Zhuang,Jiqiang Liu,Jinsong Dong

2024-01-19

Abstract:espite being widely used in network intrusion detection systems (NIDSs), machine learning (ML) has proven to be highly vulnerable to adversarial attacks. White-box and black-box adversarial attacks of NIDS have been explored in several studies. However, white-box attacks unrealistically assume that the attackers have full knowledge of the target NIDSs. Meanwhile, existing black-box attacks can not achieve high attack success rate due to the weak adversarial transferability between models (e.g., neural networks and tree models). Additionally, neither of them explains why adversarial examples exist and why they can transfer across models. To address these challenges, this paper introduces ETA, an Explainable Transfer-based Black-Box Adversarial Attack framework. ETA aims to achieve two primary objectives: 1) create transferable adversarial examples applicable to various ML models and 2) provide insights into the existence of adversarial examples and their transferability within NIDSs. Specifically, we first provide a general transfer-based adversarial attack method applicable across the entire ML space. Following that, we exploit a unique insight based on cooperative game theory and perturbation interpretations to explain adversarial examples and adversarial transferability. On this basis, we propose an Important-Sensitive Feature Selection (ISFS) method to guide the search for adversarial examples, achieving stronger transferability and ensuring traffic-space constraints.

Cryptography and Security

Guo-Qiang Zeng,Jun-Min Shao,Kang-Di Lu,Guang-Gang Geng,Jian Weng

DOI: https://doi.org/10.1049/csy2.12117

2024-01-01

IET Cyber-Systems and Robotics

Abstract:With the development of deep learning and federated learning (FL), federated intrusion detection systems (IDSs) based on deep learning have played a significant role in securing industrial control systems (ICSs). However, adversarial attacks on ICSs may compromise the ability of deep learning‐based IDSs to accurately detect cyberattacks, leading to serious consequences. Moreover, in the process of generating adversarial samples, the selection of replacement models lacks an effective method, which may not fully expose the vulnerabilities of the models. The authors first propose an automated FL‐based method to generate adversarial samples in ICSs, called AFL‐GAS, which uses the principle of transfer attack and fully considers the importance of replacement models during the process of adversarial sample generation. In the proposed AFL‐GAS method, a lightweight neural architecture search method is developed to find the optimised replacement model composed of a combination of four lightweight basic blocks. Then, to enhance the adversarial robustness, the authors propose a multi‐objective neural architecture search‐based IDS method against adversarial attacks in ICSs, called MoNAS‐IDSAA, by considering both classification performance on regular samples and adversarial robustness simultaneously. The experimental results on three widely used intrusion detection datasets in ICSs, such as secure water treatment (SWaT), Water Distribution, and Power System Attack, demonstrate that the proposed AFL‐GAS method has obvious advantages in evasion rate and lightweight compared with other four methods. Besides, the proposed MoNAS‐IDSAA method not only has a better classification performance, but also has obvious advantages in model adversarial robustness compared with one manually designed federated adversarial learning‐based IDS method.

Lei Wu,Zhanxing Zhu,Cheng Tai,Weinan E

DOI: https://doi.org/10.48550/arxiv.1802.09707

2018-01-01

Abstract:State-of-the-art deep neural networks are known to be vulnerable to adversarial examples, formed by applying small but malicious perturbations to the original inputs. Moreover, the perturbations can \textit{transfer across models}: adversarial examples generated for a specific model will often mislead other unseen models. Consequently the adversary can leverage it to attack deployed systems without any query, which severely hinder the application of deep learning, especially in the areas where security is crucial. In this work, we systematically study how two classes of factors that might influence the transferability of adversarial examples. One is about model-specific factors, including network architecture, model capacity and test accuracy. The other is the local smoothness of loss function for constructing adversarial examples. Based on these understanding, a simple but effective strategy is proposed to enhance transferability. We call it variance-reduced attack, since it utilizes the variance-reduced gradient to generate adversarial example. The effectiveness is confirmed by a variety of experiments on both CIFAR-10 and ImageNet datasets.