# Gotta Catch 'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks

**Authors:** Shawn Shan, Emily Wenger, Bolun Wang, Bo Li, Haitao Zheng, Ben Y. Zhao

arXiv: 1904.08554 · 2020-12-01

## TL;DR

This paper introduces a novel honeypot-based defense mechanism for neural networks that uses trapdoors to attract and identify adversarial attacks, demonstrating high detection accuracy across multiple domains and attack types.

## Contribution

The work presents the concept of trapdoors in neural networks, analytically proves their effect on attack feature similarity, and experimentally validates their effectiveness against various adversarial attacks.

## Key findings

- Trapdoors cause attack features to resemble trapdoor features.
- High detection accuracy of adversarial examples across multiple attack methods.
- Robustness of trapdoors against adaptive attack strategies.

## Abstract

Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new "honeypot" approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors. In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA), with negligible impact on normal classification. These results generalize across classification domains, including image, facial, and traffic-sign recognition. We also present significant results measuring trapdoors' robustness against customized adaptive attacks (countermeasures).
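The detection step described in the abstract (comparing an input's neuron activation signature to the trapdoor's), as an added illustration that is not the paper's code: the trapdoor signature is assumed to be the mean activation vector of trapdoored inputs, the similarity measure is assumed to be cosine similarity, and the threshold is assumed to be calibrated on benign inputs at a chosen false-positive rate. The activation vectors are constructed toy data for a hypothetical 4-neuron layer.

```python
import math

# Constructed, hypothetical activations (e.g. from the penultimate layer) of a
# 4-neuron toy model. Added illustration, not the paper's code or data.
TRAPDOORED_ACTIVATIONS = [   # inputs carrying the injected trapdoor pattern
    [1.0, 0.1, 0.0, 0.1],
    [0.9, 0.0, 0.1, 0.0],
    [1.1, 0.1, 0.1, 0.1],
]
BENIGN_ACTIVATIONS = [       # clean inputs, used only to calibrate the threshold
    [0.1, 1.0, 0.2, 0.0],
    [0.0, 0.2, 1.0, 0.1],
    [0.1, 0.0, 0.3, 1.0],
    [0.2, 0.9, 0.1, 0.2],
    [0.0, 0.3, 0.8, 0.4],
]

def trapdoor_signature(activations):
    """Signature = mean activation vector over inputs carrying the trapdoor (assumed)."""
    n = len(activations)
    return [sum(v[i] for v in activations) / n for i in range(len(activations[0]))]

def cosine(a, b):
    """Cosine similarity between two activation vectors (assumed similarity measure)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def calibrate_threshold(signature, benign, fpr=0.05):
    """Similarity above which only a fraction `fpr` of benign inputs would be flagged."""
    sims = sorted((cosine(v, signature) for v in benign), reverse=True)
    k = int(fpr * len(sims))
    return sims[min(k, len(sims) - 1)]

def is_adversarial(activation, signature, threshold):
    """Flag an input whose activations align with the trapdoor more than benign ones do."""
    return cosine(activation, signature) > threshold

def run_demo():
    sig = trapdoor_signature(TRAPDOORED_ACTIVATIONS)
    thr = calibrate_threshold(sig, BENIGN_ACTIVATIONS, fpr=0.2)
    # Constructed activation of an attack input whose optimization converged on the trapdoor.
    attack_like = [0.95, 0.1, 0.05, 0.1]
    flagged = is_adversarial(attack_like, sig, thr)
    benign_false_positives = sum(is_adversarial(v, sig, thr) for v in BENIGN_ACTIVATIONS)
    return flagged, benign_false_positives

if __name__ == "__main__":
    print(run_demo())  # → (True, 1)
```

In a real deployment the benign calibration set must be held out from training and the false-positive rate chosen against the cost of rejecting legitimate inputs.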

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1904.08554/full.md

## Figures

23 figures with captions in the complete paper: https://tomesphere.com/paper/1904.08554/full.md

## References

55 references — full list in the complete paper: https://tomesphere.com/paper/1904.08554/full.md

---
Source: https://tomesphere.com/paper/1904.08554