PRAT: PRofiling Adversarial aTtacks

TL;DR

This paper introduces PRAT, a new problem of profiling adversarial attacks on deep learning models, and presents a large dataset and a Transformer-based framework for attack identification, advancing understanding of attack signatures.

Contribution

The paper formulates the PRAT problem, creates the AID dataset with 180k adversarial samples, and proposes a GLOF-based Transformer framework for attack profiling.

Findings

Effective attack signature extraction using GLOF module

High accuracy in attack family identification

Benchmark results demonstrating framework's effectiveness

Abstract

Intrinsic susceptibility of deep learning to adversarial examples has led to a plethora of attack techniques with a broad common objective of fooling deep models. However, we find slight compositional differences between the algorithms achieving this objective. These differences leave traces that provide important clues for attacker profiling in real-life scenarios. Inspired by this, we introduce a novel problem of PRofiling Adversarial aTtacks (PRAT). Given an adversarial example, the objective of PRAT is to identify the attack used to generate it. Under this perspective, we can systematically group existing attacks into different families, leading to the sub-problem of attack family identification, which we also study. To enable PRAT analysis, we introduce a large Adversarial Identification Dataset (AID), comprising over 180k adversarial samples generated with 13 popular attacks for image specific/agnostic white/black box setups. We use AID to devise a novel framework for the PRAT objective. Our framework utilizes a Transformer based Global-LOcal Feature (GLOF) module to extract an approximate signature of the adversarial attack, which in turn is used for the identification of the attack. Using AID and our framework, we provide multiple interesting benchmark results for the PRAT problem.