Adversarial Attacks on Deep Learning Systems for User Identification based on Motion Sensors

TL;DR

This paper investigates how adversarial attacks can compromise deep learning models used for user identification via motion sensors on mobile devices, highlighting vulnerabilities and the impact of such attacks.

Contribution

It is the first study to quantify the impact of adversarial examples on motion sensor-based user identification models and compares different adversarial generation methods.

Findings

Certain adversarial methods are model-specific.

Other methods are more universal across models.

Deep neural networks for user identification are highly vulnerable.

Abstract

For the time being, mobile devices employ implicit authentication mechanisms, namely, unlock patterns, PINs or biometric-based systems such as fingerprint or face recognition. While these systems are prone to well-known attacks, the introduction of an explicit and unobtrusive authentication layer can greatly enhance security. In this study, we focus on deep learning methods for explicit authentication based on motion sensor signals. In this scenario, attackers could craft adversarial examples with the aim of gaining unauthorized access and even restraining a legitimate user to access his mobile device. To our knowledge, this is the first study that aims at quantifying the impact of adversarial attacks on machine learning models used for user identification based on motion sensors. To accomplish our goal, we study multiple methods for generating adversarial examples. We propose three research questions regarding the impact and the universality of adversarial examples, conducting relevant experiments in order to answer our research questions. Our empirical results demonstrate that certain adversarial example generation methods are specific to the attacked classification model, while others tend to be generic. We thus conclude that deep neural networks trained for user identification tasks based on motion sensors are subject to a high percentage of misclassification when given adversarial input.