Neural network applications have become popular in both enterprise and personal settings. Network solutions are tuned meticulously for each task, and designs that can robustly resolve queries end up in high demand. As the commercial value of accurate and performant machine learning models increases, so too does the demand to protect neural architectures as confidential investments. We explore the vulnerability of neural networks deployed as black boxes across accelerated hardware through electromagnetic side channels.
We examine the magnetic flux emanating from a graphics processing unit’s power cable, as acquired by a cheap $3 induction sensor, and find that this signal betrays the detailed topology and hyperparameters of a black-box neural network model. The attack acquires the magnetic signal for one query with unknown input values, but known input dimensions. The network reconstruction is possible due to the modular layer sequence in which deep neural networks are evaluated. We find that each layer component’s evaluation produces an identifiable magnetic signal signature, from which layer topology, width, function type, and sequence order can be inferred using a suitably trained classifier and a joint consistency optimization based on integer programming.
We study the extent to which network specifications can be recovered, and consider metrics for comparing network similarity. We demonstrate the potential accuracy of this side channel attack in recovering the details for a broad range of network architectures, including random designs. We consider applications that may exploit this novel side channel exposure, such as adversarial transfer attacks. In response, we discuss countermeasures to protect against our method and other similar snooping techniques.
more »
« less
Positioning Helper Nodes to Improve Robustness of Wireless Mesh Networks to Jamming Attacks
Wireless communication systems are susceptible to both unintentional interference and intentional jamming attacks. For mesh and ad-hoc networks, interference affects the network topology and can cause the network to partition, which may completely disrupt the applications or missions that depend on the network. Defensive techniques can be applied to try to prevent such disruptions to the network topology. Most previous research in this area is on improving network resilience by adapting the network topology when a jamming attack occurs. In this paper, we consider making a network more robust to jamming attacks before any such attack has happened. We consider a network in which the positions of most of the radios in the network are not under the control of the network operator, but the network operator can position a few “helper nodes” to add robustness against jamming. For instance, most of the nodes are radios on vehicles participating in a mission, and the helper nodes are mounted on mobile robots or UAVs. We develop techniques to determine where to position the helper nodes to maximize the robustness of the network to certain jamming attacks aimed at disrupting the network topology. Using our recent results for quickly determining how to attack a network, we use the harmony search algorithm to find helper node placements that maximize the number of jammers needed to disrupt the network
more »
« less
- Award ID(s):
- 1642973
- NSF-PAR ID:
- 10046904
- Date Published:
- Journal Name:
- IEEE Global Communications Conference
- ISSN:
- 2334-0983
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
null (Ed.)Considered is a multi-channel wireless network for secret communication that uses the signal-to-interference-plus-noise ratio (SINR) as the performance measure. An eavesdropper can intercept encoded messages through a degraded channel of each legitimate transmitter-receiver communication pair. A friendly interferer, on the other hand, may send cooperative jamming signals to enhance the secrecy performance of the whole network. Besides, the state information of the eavesdropping channel may not be known completely. The transmitters and the friendly interferer have to cooperatively decide on the optimal jamming power allocation strategy that balances the secrecy performance with the cost of employing intentional interference, while the eavesdropper tries to maximize her eavesdropping capacity. To solve this problem, we propose and analyze a non-zero-sum game between the network defender and the eavesdropper who can only attack a limited number of channels. We show that the Nash equilibrium strategies for the players are of threshold type. We present an algorithm to find the equilibrium strategy pair. Numerical examples demonstrate the equilibrium and contrast it to baseline strategies.more » « less
-
We investigate the secure degrees of freedom (s.d.o.f.) of three new channel models: broadcast channel with combating helpers, interference channel with selfish users, and multiple access wiretap channel with deviating users. The goal of introducing these channel models is to investigate various malicious interactions that arise in networks, including active adversaries. That is in contrast with the common assumption in the literature that the users follow a certain protocol altruistically and transmit both message-carrying and cooperative jamming signals in an optimum manner. In the first model, over a classical broadcast channel with confidential messages (BCCM), there are two helpers, each associated with one of the receivers. In the second model, over a classical interference channel with confidential messages (ICCM), there is a helper and users are selfish. By casting each problem as an extensive-form game and applying recursive real interference alignment, we show that, for the first model, the combating intentions of the helpers are neutralized and the full s.d.o.f. is retained; for the second model, selfishness precludes secure communication and no s.d.o.f. is achieved. In the third model, we consider the multiple access wiretap channel (MAC-WTC), where multiple legitimate users wish to have secure communication with a legitimate receiver in the presence of an eavesdropper. We consider the case when a subset of users deviate from the optimum protocol that attains the exact s.d.o.f. of this channel. We consider two kinds of deviation: when some of the users stop transmitting cooperative jamming signals, and when a user starts sending intentional jamming signals. For the first scenario, we investigate possible responses of the remaining users to counteract such deviation. For the second scenario, we use an extensive-form game formulation for the interactions of the deviating and well-behaving users. We prove that a deviating user can drive the s.d.o.f. to zero; however, the remaining users can exploit its intentional jamming signals as cooperative jamming signals against the eavesdropper and achieve an optimum s.d.o.f.more » « less
-
Software-Defined Networking (SDN) is a dynamic, and manageable network architecture which is more cost-effective than existing network architectures. The idea behind this architecture is to centralize intelligence from the network hardware and funnel this intelligence to the management system (controller) [2]-[4]. Since the centralized SDN controller controls the entire network and manages policies and the flow of the traffic throughout the network, it can be considered as the single point of failure [1]. It is important to find some ways to identify different types of attacks on the SDN controller [8]. Distributed Denial of Service (DDoS) attack is one of the most dangerous attacks on SDN controller. In this work, we implement DDoS attack on the Ryu controller in a tree network topology using Mininet emulator. Also, we use a machine learning method, Vector Machines (SVM) to detect DDoS attack. We propose to install flows in switches, and we consider time attack pattern of the DDoS attack for detection. Simulation results show the effects of DDoS attacks on the Ryu controller is reduced by 36% using our detection method.more » « less
-
null (Ed.)Despite achieving remarkable performance, deep graph learning models, such as node classification and network embedding, suffer from harassment caused by small adversarial perturbations. However, the vulnerability analysis of graph matching under adversarial attacks has not been fully investigated yet. This paper proposes an adversarial attack model with two novel attack techniques to perturb the graph structure and degrade the quality of deep graph matching: (1) a kernel density estimation approach is utilized to estimate and maximize node densities to derive imperceptible perturbations, by pushing attacked nodes to dense regions in two graphs, such that they are indistinguishable from many neighbors; and (2) a meta learning-based projected gradient descent method is developed to well choose attack starting points and to improve the search performance for producing effective perturbations. We evaluate the effectiveness of the attack model on real datasets and validate that the attacks can be transferable to other graph learning models.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- The DOI is not currently available.
