Gotta Catch 'Em All: Using Honeypots to Catch Adversarial Attacks on Neural Networks
Ben Y. Zhao
Proceedings of the 27th ACM Conference on Computer and Communications Security
[Full Text in PDF Format, 806KB]
Deep neural networks (DNN) are known to be vulnerable to adversarial attacks. Numerous efforts either try to patch weaknesses in trained models, or try to make it difficult or costly to compute adversarial examples that exploit them. In our work, we explore a new "honeypot" approach to protect DNN models. We intentionally inject trapdoors, honeypot weaknesses in the classification manifold that attract attackers searching for adversarial examples. Attackers' optimization algorithms gravitate towards trapdoors, leading them to produce attacks similar to trapdoors in the feature space. Our defense then identifies attacks by comparing neuron activation signatures of inputs to those of trapdoors.
In this paper, we introduce trapdoors and describe an implementation of a trapdoor-enabled defense. First, we analytically
prove that trapdoors shape the computation of adversarial attacks so that attack inputs will have feature representations
very similar to those of trapdoors. Second, we experimentally show that trapdoor-protected models can detect, with high
accuracy, adversarial examples generated by state-of-the-art attacks (PGD, optimization-based CW, Elastic Net, BPDA),
with negligible impact on normal classification. These results generalize across classification domains, including image,
facial, and traffic-sign recognition. We also present significant results measuring trapdoors'
robustness against customized adaptive attacks (countermeasures).