
    Distributionally Adversarial Attack

    Recent work on adversarial attack has shown that Projected Gradient Descent (PGD) Adversary is a universal first-order adversary, and the classifier adversarially trained by PGD is robust against a wide range of first-order attacks. It is worth noting that the original objective of an attack/defense model relies on a data distribution $p(\mathbf{x})$, typically in the form of risk maximization/minimization, e.g., $\max/\min \mathbb{E}_{p(\mathbf{x})}\mathcal{L}(\mathbf{x})$ with $p(\mathbf{x})$ some unknown data distribution and $\mathcal{L}(\cdot)$ a loss function. However, since PGD generates attack samples independently for each data sample based on $\mathcal{L}(\cdot)$, the procedure does not necessarily lead to good generalization in terms of risk optimization. In this paper, we achieve the goal by proposing distributionally adversarial attack (DAA), a framework to solve an optimal {\em adversarial-data distribution}, a perturbed distribution that satisfies the $L_\infty$ constraint but deviates from the original data distribution to increase the generalization risk maximally. Algorithmically, DAA performs optimization on the space of potential data distributions, which introduces direct dependency between all data points when generating adversarial samples. DAA is evaluated by attacking state-of-the-art defense models, including the adversarially-trained models provided by {\em MIT MadryLab}. Notably, DAA ranks {\em the first place} on MadryLab's white-box leaderboards, reducing the accuracy of their secret MNIST model to 88.79% (with $l_\infty$ perturbations of $\epsilon = 0.3$) and the accuracy of their secret CIFAR model to 44.71% (with $l_\infty$ perturbations of $\epsilon = 8.0$). Code for the experiments is released on \url{https://github.com/tianzheng4/Distributionally-Adversarial-Attack}.
    Comment: accepted to AAAI-1

    FID: Function Modeling-based Data-Independent and Channel-Robust Physical-Layer Identification

    Trusted identification is critical to secure IoT devices. However, the limited memory and computation power of low-end IoT devices prevent the direct usage of conventional identification systems. RF fingerprinting is a promising technique to identify low-end IoT devices since it only requires the RF signals that most IoT devices can produce for communication. However, most existing RF fingerprinting systems are data-dependent and/or not robust to impacts from wireless channels. To address the above problems, we propose to exploit the mathematical expression of the physical-layer process, regarded as a function $\mathcal{F}(\cdot)$, for device identification. $\mathcal{F}(\cdot)$ is not directly derivable, so we further propose a model to learn it and employ this function model as the device fingerprint in our system, namely $\mathcal{F}$ID. Our proposed function model characterizes the unique physical-layer process of a device that is independent of the transmitted data, and hence, our system $\mathcal{F}$ID is data-independent and thus resilient against signal replay attacks. Modeling and further separating channel effects from the function model makes $\mathcal{F}$ID channel-robust. We evaluate $\mathcal{F}$ID on thousands of random signal packets from 33 different devices in different environments and scenarios, and the overall identification accuracy is over 99%.
    Comment: Accepted to INFOCOM201

    FDINet: Protecting against DNN Model Extraction via Feature Distortion Index

    Machine Learning as a Service (MLaaS) platforms have gained popularity due to their accessibility, cost-efficiency, scalability, and rapid development capabilities. However, recent research has highlighted the vulnerability of cloud-based models in MLaaS to model extraction attacks. In this paper, we introduce FDINET, a novel defense mechanism that leverages the feature distribution of deep neural network (DNN) models. Concretely, by analyzing the feature distribution from the adversary's queries, we reveal that the feature distribution of these queries deviates from that of the model's training set. Based on this key observation, we propose Feature Distortion Index (FDI), a metric designed to quantitatively measure the feature distribution deviation of received queries. The proposed FDINET utilizes FDI to train a binary detector and exploits FDI similarity to identify colluding adversaries from distributed extraction attacks. We conduct extensive experiments to evaluate FDINET against six state-of-the-art extraction attacks on four benchmark datasets and four popular model architectures. Empirical results demonstrate the following findings: FDINET proves to be highly effective in detecting model extraction, achieving a 100% detection accuracy on DFME and DaST. FDINET is highly efficient, using just 50 queries to raise an extraction alarm with an average confidence of 96.08% for GTSRB. FDINET exhibits the capability to identify colluding adversaries with an accuracy exceeding 91%. Additionally, it demonstrates the ability to detect two types of adaptive attacks.
    Comment: 13 pages, 7 figure