Protecting deep learning algorithm from adversarial attacks

Abstract

Deep Neural Networks (DNNs) are susceptible to adversarial examples where small imperceptible changes, known as perturbations, are introduced to legitimate inputs, causing erroneous misclassifications. With the existence of side-channel attacks that can sniff out model architecture, stronger targeted adversarial attacks can be employed increasing the success rate of such attacks, leaving DNNs particularly vulnerable. Current detection methods do not generalise well and may be model-agnostic, producing unreliable results in different conditions. In this work, we investigate the use of Hardware Performance Counters (HPC) as a lightweight and hardware-level indicator for distinguishing between adversarial and legitimate, benign inputs. Hardware level metrics such as CPU Cycles, Cach Miss, Cache Accessed, Branch, Branch Miss and Instruction were collected via perf tool during inference of a modified ResNet18 model trained on Imagenette dataset, in hopes of identifying prominent features. Various binary Classifiers such as Random Forest and XGBoost were trained based on the collected features. Although our findings did not provide conclusive evidence of a reliable detection method, insights into the challenges of using HPC for adversarial defence were provided. We discuss potential limitations, including noise in HPC measurement and the proposed approach, and suggest directions for future related works that uses HPC for adversarial robustness.