Reverse engineering adversarial attacks with fingerprints from adversarial examples

TL;DR

This paper demonstrates that adversarial attack algorithms can be reverse engineered and classified using neural network fingerprints, achieving high accuracy even with estimated perturbations, advancing attribution methods in adversarial machine learning.

Contribution

It introduces a novel approach to classify adversarial attack algorithms from examples, including a fingerprinting method using signal processing, with high accuracy demonstrated on multiple attack types.

Findings

ResNet50 classifies attack perturbations with 99.4% accuracy.

JPEG algorithm serves as an effective fingerprint with 85.05% accuracy.

Fingerprinting can be performed without access to actual perturbations.

Abstract

In spite of intense research efforts, deep neural networks remain vulnerable to adversarial examples: an input that forces the network to confidently produce incorrect outputs. Adversarial examples are typically generated by an attack algorithm that optimizes a perturbation added to a benign input. Many such algorithms have been developed. If it were possible to reverse engineer attack algorithms from adversarial examples, this could deter bad actors because of the possibility of attribution. Here we formulate reverse engineering as a supervised learning problem where the goal is to assign an adversarial example to a class that represents the algorithm and parameters used. To our knowledge it has not been previously shown whether this is even possible. We first test whether we can classify the perturbations added to images by attacks on undefended single-label image classification models. Taking a "fight fire with fire" approach, we leverage the sensitivity of deep neural networks to adversarial examples, training them to classify these perturbations. On a 17-class dataset (5 attacks, 4 bounded with 4 epsilon values each), we achieve an accuracy of 99.4% with a ResNet50 model trained on the perturbations. We then ask whether we can perform this task without access to the perturbations, obtaining an estimate of them with signal processing algorithms, an approach we call "fingerprinting". We find the JPEG algorithm serves as a simple yet effective fingerprinter (85.05% accuracy), providing a strong baseline for future work. We discuss how our approach can be extended to attack agnostic, learnable fingerprints, and to open-world scenarios with unknown attacks.