Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks

Shawn Shan; Emily Wenger; Bolun Wang; Bo Li; Haitao Zheng; Ben Y. Zhao

doi:10.1145/3372297.3417231

Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks

Shawn Shan, Emily Wenger, Bolun Wang, Bo Li, Haitao Zheng, Ben Y. Zhao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new "honeypot"approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors. In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA), with negligible impact on normal classification. These results generalize across classification domains, including image, facial, and traffic-sign recognition. We also present significant results measuring trapdoors' robustness against customized adaptive attacks (countermeasures).

Original language	English (US)
Title of host publication	CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	67-83
Number of pages	17
ISBN (Electronic)	9781450370899
DOIs	https://doi.org/10.1145/3372297.3417231
State	Published - Oct 30 2020
Event	27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 - Virtual, Online, United States Duration: Nov 9 2020 → Nov 13 2020

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020
Country/Territory	United States
City	Virtual, Online
Period	11/9/20 → 11/13/20

Keywords

adversarial examples
honeypots
neural networks

ASJC Scopus subject areas

Software
Computer Networks and Communications

Online availability

10.1145/3372297.3417231

Library availability

Discover UIUC Full Text

Cite this

Shan, S., Wenger, E., Wang, B., Li, B., Zheng, H., & Zhao, B. Y. (2020). Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. In CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (pp. 67-83). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3372297.3417231

Gotta Catch'Em All : Using Honeypots to Catch Adversarial Attacks on Neural Networks. / Shan, Shawn; Wenger, Emily; Wang, Bolun et al.

CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2020. p. 67-83 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Shan, S, Wenger, E, Wang, B, Li, B, Zheng, H & Zhao, BY 2020, Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. in CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 67-83, 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020, Virtual, Online, United States, 11/9/20. https://doi.org/10.1145/3372297.3417231

Shan S, Wenger E, Wang B, Li B, Zheng H, Zhao BY. Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks. In CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2020. p. 67-83. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/3372297.3417231

@inproceedings{7a4437cf51874a2682e591184be8371e,

title = "Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks",

abstract = "Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new {"}honeypot{"}approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors. In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA), with negligible impact on normal classification. These results generalize across classification domains, including image, facial, and traffic-sign recognition. We also present significant results measuring trapdoors' robustness against customized adaptive attacks (countermeasures).",

keywords = "adversarial examples, honeypots, neural networks",

author = "Shawn Shan and Emily Wenger and Bolun Wang and Bo Li and Haitao Zheng and Zhao, {Ben Y.}",

note = "Funding Information: We are thankful for significant time and effort contributed by Nicholas Carlini in helping us develop stronger adaptive attacks on trapdoors. We have learned much in the process. We also thank our shepherd Ting Wang and anonymous reviewers for their constructive feedback. This work is supported in part by NSF grants CNS-1949650, CNS-1923778, CNS-1705042, and by the DARPA GARD program. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. Publisher Copyright: {\textcopyright} 2020 ACM.; 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020 ; Conference date: 09-11-2020 Through 13-11-2020",

year = "2020",

month = oct,

day = "30",

doi = "10.1145/3372297.3417231",

language = "English (US)",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "67--83",

booktitle = "CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Gotta Catch'Em All

T2 - 27th ACM SIGSAC Conference on Computer and Communications Security, CCS 2020

AU - Shan, Shawn

AU - Wenger, Emily

AU - Wang, Bolun

AU - Li, Bo

AU - Zheng, Haitao

AU - Zhao, Ben Y.

N1 - Funding Information: We are thankful for significant time and effort contributed by Nicholas Carlini in helping us develop stronger adaptive attacks on trapdoors. We have learned much in the process. We also thank our shepherd Ting Wang and anonymous reviewers for their constructive feedback. This work is supported in part by NSF grants CNS-1949650, CNS-1923778, CNS-1705042, and by the DARPA GARD program. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any funding agencies. Publisher Copyright: © 2020 ACM.

PY - 2020/10/30

Y1 - 2020/10/30

N2 - Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new "honeypot"approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors. In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA), with negligible impact on normal classification. These results generalize across classification domains, including image, facial, and traffic-sign recognition. We also present significant results measuring trapdoors' robustness against customized adaptive attacks (countermeasures).

AB - Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new "honeypot"approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors. In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA), with negligible impact on normal classification. These results generalize across classification domains, including image, facial, and traffic-sign recognition. We also present significant results measuring trapdoors' robustness against customized adaptive attacks (countermeasures).

KW - adversarial examples

KW - honeypots

KW - neural networks

UR - http://www.scopus.com/inward/record.url?scp=85095312253&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85095312253&partnerID=8YFLogxK

U2 - 10.1145/3372297.3417231

DO - 10.1145/3372297.3417231

M3 - Conference contribution

AN - SCOPUS:85095312253

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 67

EP - 83

BT - CCS 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 9 November 2020 through 13 November 2020

ER -

Gotta Catch'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this