Yi Xiang Marcus Tan

Yi Xiang Marcus Tan, Penny Chong, Jiamei Sun et al.

Few-shot classifiers have been shown to exhibit promising results in use cases where user-provided labels are scarce. These models are able to learn to predict novel classes simply by training on a non-overlapping set of classes. This can be largely attributed to the differences in their mechanisms as compared to conventional deep networks. However, this also offers new opportunities for novel attackers to induce integrity attacks against such models, which are not present in other machine learning setups. In this work, we aim to close this gap by studying a conceptually simple approach to defend few-shot classifiers against adversarial attacks. More specifically, we propose a simple attack-agnostic detection method, using the concept of self-similarity and filtering, to flag out adversarial support sets which destroy the understanding of a victim classifier for a certain class. Our extended evaluation on the miniImagenet (MI) and CUB datasets exhibit good attack detection performance, across three different few-shot classifiers and across different attack strengths, beating baselines. Our observed results allow our approach to establishing itself as a strong detection method for support set poisoning attacks. We also show that our approach constitutes a generalizable concept, as it can be paired with other filtering functions. Finally, we provide an analysis of our results when we vary two components found in our detection approach.

Yi Xiang Marcus Tan, Penny Chong, Jiamei Sun et al.

Few-shot classifiers excel under limited training samples, making them useful in applications with sparsely user-provided labels. Their unique relative prediction setup offers opportunities for novel attacks, such as targeting support sets required to categorise unseen test samples, which are not available in other machine learning setups. In this work, we propose a detection strategy to identify adversarial support sets, aimed at destroying the understanding of a few-shot classifier for a certain class. We achieve this by introducing the concept of self-similarity of a support set and by employing filtering of supports. Our method is attack-agnostic, and we are the first to explore adversarial detection for support sets of few-shot classifiers to the best of our knowledge. Our evaluation of the miniImagenet (MI) and CUB datasets exhibits good attack detection performance despite conceptual simplicity, showing high AUROC scores. We show that self-similarity and filtering for adversarial detection can be paired with other filtering functions, constituting a generalisable concept.

Yi Xiang Marcus Tan, Yuval Elovici, Alexander Binder

We investigate to what extent alternative variants of Artificial Neural Networks (ANNs) are susceptible to adversarial attacks. We analyse the adversarial robustness of conventional, stochastic ANNs and Spiking Neural Networks (SNNs) in the raw image space, across three different datasets. Our experiments reveal that stochastic ANN variants are almost equally as susceptible as conventional ANNs when faced with simple iterative gradient-based attacks in the white-box setting. However we observe, that in black-box settings, stochastic ANNs are more robust than conventional ANNs, when faced with boundary attacks, transferability and surrogate attacks. Consequently, we propose improved attacks and defence mechanisms for stochastic ANNs in black-box settings. When performing surrogate-based black-box attacks, one can employ stochastic models as surrogates to observe higher attack success on both stochastic and deterministic targets. This success can be further improved with our proposed Variance Mimicking (VM) surrogate training method, against stochastic targets. Finally, adopting a defender's perspective, we investigate the plausibility of employing stochastic switching of model mixtures as a viable hardening mechanism. We observe that such a scheme does provide a partial hardening.

Yi Xiang Marcus Tan, Alfonso Iacovazzi, Ivan Homoliak et al.

Mouse dynamics is a potential means of authenticating users. Typically, the authentication process is based on classical machine learning techniques, but recently, deep learning techniques have been introduced for this purpose. Although prior research has demonstrated how machine learning and deep learning algorithms can be bypassed by carefully crafted adversarial samples, there has been very little research performed on the topic of behavioural biometrics in the adversarial domain. In an attempt to address this gap, we built a set of attacks, which are applications of several generative approaches, to construct adversarial mouse trajectories that bypass authentication models. These generated mouse sequences will serve as the adversarial samples in the context of our experiments. We also present an analysis of the attack approaches we explored, explaining their limitations. In contrast to previous work, we consider the attacks in a more realistic and challenging setting in which an attacker has access to recorded user data but does not have access to the authentication model or its outputs. We explore three different attack strategies: 1) statistics-based, 2) imitation-based, and 3) surrogate-based; we show that they are able to evade the functionality of the authentication models, thereby impacting their robustness adversely. We show that imitation-based attacks often perform better than surrogate-based attacks, unless, however, the attacker can guess the architecture of the authentication model. In such cases, we propose a potential detection mechanism against surrogate-based attacks.