Learning from the Good Ones: Risk Profiling-Based Defenses Against Evasion Attacks on DNNs

TL;DR

This paper introduces a risk profiling framework that selectively trains static defenses on less vulnerable instances, significantly improving evasion attack detection in safety-critical DNN applications.

Contribution

It proposes a novel risk-aware selective training method that enhances static defenses against evasion attacks by focusing on resilient data instances.

Findings

Recall increased by up to 27.5% with selective training.

Minimal impact on precision during improved detection.

Effective in safety-critical blood glucose management system.

Abstract

Safety-critical applications such as healthcare and autonomous vehicles use deep neural networks (DNN) to make predictions and infer decisions. DNNs are susceptible to evasion attacks, where an adversary crafts a malicious data instance to trick the DNN into making wrong decisions at inference time. Existing defenses that protect DNNs against evasion attacks are either static or dynamic. Static defenses are computationally efficient but do not adapt to the evolving threat landscape, while dynamic defenses are adaptable but suffer from an increased computational overhead. To combine the best of both worlds, in this paper, we propose a novel risk profiling framework that uses a risk-aware strategy to selectively train static defenses using victim instances that exhibit the most resilient features and are hence more resilient against an evasion attack. We hypothesize that training existing defenses on instances that are less vulnerable to the attack enhances the adversarial detection rate by reducing false negatives. We evaluate the efficacy of our risk-aware selective training strategy on a blood glucose management system that demonstrates how training static anomaly detectors indiscriminately may result in an increased false negative rate, which could be life-threatening in safety-critical applications. Our experiments show that selective training on the less vulnerable patients achieves a recall increase of up to 27.5\% with minimal impact on precision compared to indiscriminate training.