ReLUSyn: Synthesizing Stealthy Attacks for Deep Neural Network Based Cyber-Physical Systems
Aarti Kashyap, Syed Mubashir Iqbal, Karthik Pattabiraman, Margo Seltzer

TL;DR
This paper introduces Ripple False Data Injection Attacks (RFDIA), a new stealthy attack method on DNN-based cyber-physical systems, using minimal perturbations modeled as an optimization problem to cause targeted output changes.
Contribution
We propose a novel attack technique, RFDIA, that exploits minimal input perturbations propagated through DNN layers, and develop an automated synthesis method using MILP for DNN-based CPS.
Findings
Successfully demonstrated attacks on medical and aircraft systems.
Automated synthesis of stealthy attacks using MILP.
Identified critical inputs and minimal perturbations for targeted attacks.
Abstract
Cyber Physical Systems (CPS) are deployed in many mission-critical settings, such as medical devices, autonomous vehicular systems and aircraft control management systems. As more and more CPS adopt Deep Neural Networks (DNNs), these systems can be vulnerable to attacks. Prior work has demonstrated the susceptibility of CPS to False Data Injection Attacks (FDIAs), which can cause significant damage. We identify a new category of attacks on these systems. In this paper, we demonstrate that DNN based CPS are also subject to these attacks. These attacks, which we call Ripple False Data Injection Attacks (RFDIA), use minimal input perturbations to stealthily change the DNN output. The input perturbations propagate as ripples through multiple DNN layers to affect the output in a targeted manner. We develop an automated technique to…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Advanced Malware Detection Techniques
