
Adversarial Perturbations of Physical Signals

Robert L. Bassett, Austin Van Dellen, Anthony P. Austin

TL;DR

The paper addresses the robustness of spectrogram-based classifiers to physically realizable adversarial perturbations by formulating the attack as a PDE-constrained optimization over a perturbation $f(t)$ that interacts with a source signal through the wave equation $\frac{\partial^{2}u}{\partial t^{2}} = c^{2}\nabla^{2}u + q(x,t)$ and a detector's spectrogram $\hat{s} = 10\log_{10}|\mathcal{F}s|^{2}$. Its main contribution is an efficient computational framework that precomputes an operator $\mathbf{Y} = \mathbf{A}^{-T}\mathbf{D}$ to avoid repeated PDE solves, enabling large-scale perturbation searches under a frequency constraint $\mathcal{P}\mathcal{F}f = 0$ and realistic noise. Experiments across Inception V3, GoogLeNet, and VGG-19 show that small-amplitude perturbations can induce misclassification on validation spectrograms, with substantial speedups over naive adjoint-based methods. The work highlights robustness risks for neural networks in security-sensitive sensing and points to extensions to other physics (e.g., Maxwell equations) and to universal perturbations as promising future directions.

Abstract

We investigate the vulnerability of computer-vision-based signal classifiers to adversarial perturbations of their inputs, where the signals and perturbations are subject to physical constraints. We consider a scenario in which a source and interferer emit signals that propagate as waves to a detector, which attempts to classify the source by analyzing the spectrogram of the signal it receives using a pre-trained neural network. By solving PDE-constrained optimization problems, we construct interfering signals that cause the detector to misclassify the source even though the perturbations to the spectrogram of the received signal are nearly imperceptible. Though such problems can have millions of decision variables, we introduce methods to solve them efficiently. Our experiments demonstrate that one can compute effective and physically realizable adversarial perturbations for a variety of machine learning models under various physical conditions.

Paper Structure

This paper contains 14 sections, 38 equations, 4 figures, 2 tables.

Figures (4)

  • Figure 1: Problem setup. The submarine at $x_s(t)$ emits an acoustic signal $g(t)$. The interferer at $x_i(t)$ emits a perturbing signal $f(t)$. The detector at $x_d$ receives a signal $s(t)$, the result of $f$ and $g$ propagating through $\Omega$ as waves.
  • Figure 2: Sample spectrograms from the data used to train the neural networks $\Phi$ used by the detector. (a) 100 signal. (b) 300 signal. (c) 600 signal. (d) 750 signal. Spectrograms containing signals with frequency less than or equal to 400 are labeled as containing a malicious intruder. Otherwise the spectrograms are labeled benign.
  • Figure 3: The original (a) was correctly classified as malicious by Inception V3 with 99.0% confidence. When the interfering signal is added, the perturbed spectrogram (b) is misclassified by the same network as benign with 99.99% confidence. The waveform of the interfering signal is given in (c).
  • Figure 4: The original (a) was classified as malicious by GoogLeNet with 95.7% confidence. When the interfering signal is added, the perturbed spectrogram (b) is classified by the same network as benign with 99.99% confidence. Though it is difficult to find visible differences between these spectrograms, they do exist. One example can be found by looking closely in the region corresponding to .4 and 1150. The waveform of the interfering signal is given in (c).