CaltechAUTHORS
  A Caltech Library Service
Login

Detecting Adversarial Examples via Neural Fingerprinting

Dathathri, Sumanth and Zheng, Stephan and Murray, Richard M. and Yue, Yisong (2018) Detecting Adversarial Examples via Neural Fingerprinting. . (Submitted) https://resolver.caltech.edu/CaltechAUTHORS:20190205-112328842

[img] PDF - Submitted Version
See Usage Policy.
1MB

Use this Persistent URL to link to this item: https://resolver.caltech.edu/CaltechAUTHORS:20190205-112328842

Abstract

Deep neural networks are vulnerable to adversarial examples, which dramatically alter model output using small input changes. We propose Neural Fingerprinting, a simple, yet effective method to detect adversarial examples by verifying whether model behavior is consistent with a set of secret fingerprints, inspired by the use of biometric and cryptographic signatures. The benefits of our method are that 1) it is fast, 2) it is prohibitively expensive for an attacker to reverse-engineer which fingerprints were used, and 3) it does not assume knowledge of the adversary. In this work, we pose a formal framework to analyze fingerprints under various threat models, and characterize Neural Fingerprinting for linear models. For complex neural networks, we empirically demonstrate that Neural Fingerprinting significantly improves on state-of-the-art detection mechanisms by detecting the strongest known adversarial attacks with 98-100% AUC-ROC scores on the MNIST, CIFAR-10 and MiniImagenet (20 classes) datasets. In particular, the detection accuracy of Neural Fingerprinting generalizes well to unseen test-data under various black- and whitebox threat models, and is robust over a wide range of hyperparameters and choices of fingerprints.


Item Type:Report or Paper (Discussion Paper)
Related URLs:
URLURL TypeDescription
http://arxiv.org/abs/1803.03870arXivDiscussion Paper
ORCID:
AuthorORCID
Murray, Richard M.0000-0002-5785-7481
Yue, Yisong0000-0001-9127-1989
Additional Information:This work is supported in part by NSF grants #1564330, #1637598, #1545126; STARnet, a Semiconductor Research Corporation program, sponsored by MARCO and DARPA; and gifts from Bloomberg and Northrop Grumman. The authors would like to thank Xingjun Ma for providing the relevant baseline numbers for comparison.
Funders:
Funding AgencyGrant Number
NSFIIS-1564330
NSFCCF-1637598
NSFCNS-1545126
STARnetUNSPECIFIED
Semiconductor Research CorporationUNSPECIFIED
Microelectronics Advanced Research Corporation (MARCO)UNSPECIFIED
Defense Advanced Research Projects Agency (DARPA)UNSPECIFIED
Bloomberg Data ScienceUNSPECIFIED
Northrop GrummanUNSPECIFIED
Record Number:CaltechAUTHORS:20190205-112328842
Persistent URL:https://resolver.caltech.edu/CaltechAUTHORS:20190205-112328842
Usage Policy:No commercial reproduction, distribution, display or performance rights in this work are provided.
ID Code:92670
Collection:CaltechAUTHORS
Deposited By: Tony Diaz
Deposited On:05 Feb 2019 19:33
Last Modified:09 Mar 2020 13:19

Repository Staff Only: item control page

CaltechAUTHORS is powered by EPrints 3.3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.