Let the Noise Speak: Harnessing Noise for a Unified Defense Against Adversarial and Backdoor Attacks

Md Hasan Shahriar, Ning Wang, Naren Ramakrishnan, Y. Thomas Hou, Wenjing Lou

TL;DR

This paper addresses the vulnerability of ML models to adversarial and backdoor attacks by proposing NoiSec, a unified defense that detects malicious inputs through reconstruction noise rather than input content. NoiSec uses a denoising autoencoder to separate noise, a feature extractor to obtain noise representations from the penultimate layer, and a Gaussian Mixture Model-based anomaly detector to distinguish benign from malicious noise, enabling attack-agnostic detection in both white-box and black-box settings. The approach is validated on diverse datasets (including F-MNIST, CIFAR-10, GTSRB, Med-MNIST, Speech Command, and Activity) and against five adversarial and three backdoor attacks, achieving high AUROC scores (e.g., ~0.93 in white-box adversarial settings, ~0.88–0.93 in black-box, and ~0.937 on CIFAR-10 backdoor tasks) and demonstrating robustness to adaptive attackers with low false positives. NoiSec’s noise-centric paradigm and strong empirical performance offer a practical, scalable defense for safety-critical ML deployments, with code and artifacts publicly available.
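To make the noise-centric pipeline concrete, here is an added toy implementation that is not code from the paper or its repository. It keeps the structure the TL;DR describes (denoise, take the reconstruction noise x - D(x), extract features from the noise, fit a Gaussian mixture on benign noise features only, score test inputs by negative log-likelihood) but swaps in stand-ins: an edge-padded moving average replaces the denoising autoencoder, per-band log energies of the noise spectrum replace the penultimate-layer features, and the "malicious" inputs are constructed 1-D signals carrying a fixed high-frequency pattern rather than real adversarial or backdoored images. Everything here (signal shapes, the trigger, the band count, the 1% false-positive budget) is a constructed assumption for illustration.

```python
"""Toy, end-to-end version of the noise-centric detection idea on constructed
1-D signals (added example; stand-ins replace the paper's denoising autoencoder
and penultimate-layer feature extractor)."""
import numpy as np

L = 64          # samples per signal (constructed)
WINDOW = 5      # moving-average width of the stand-in denoiser
# Constructed perturbation: a fixed +/- pattern of period 4, so all of its
# energy sits in frequency bin L/4 = 16. Purely illustrative.
TRIGGER = 0.15 * np.tile(np.array([1.0, 1.0, -1.0, -1.0]), L // 4)


def make_benign(n, rng):
    """Smooth sinusoids (1-3 cycles) plus small white 'natural' noise."""
    t = np.arange(L) / L
    freq = rng.uniform(1.0, 3.0, size=(n, 1))
    phase = rng.uniform(0.0, 2 * np.pi, size=(n, 1))
    return np.sin(2 * np.pi * freq * t + phase) + rng.normal(0.0, 0.05, size=(n, L))


def make_malicious(n, rng):
    """Benign signals with the constructed trigger added (stand-in for a manipulated input)."""
    return make_benign(n, rng) + TRIGGER


def denoise(X):
    """Stand-in for the denoising autoencoder: edge-padded moving average per signal."""
    kern = np.ones(WINDOW) / WINDOW
    pad = WINDOW // 2
    return np.array([np.convolve(np.pad(x, pad, mode="edge"), kern, mode="valid") for x in X])


def noise_features(X, bands=8):
    """The key move: work on the reconstruction noise x - D(x), not on x itself.
    Stand-in feature extractor: log energy of the noise in `bands` frequency bands
    (the paper instead uses the penultimate layer of a trained feature extractor)."""
    noise = X - denoise(X)
    spec = np.abs(np.fft.rfft(noise, axis=1))[:, 1:L // 2 + 1] ** 2   # drop DC -> L/2 bins
    energy = spec.reshape(len(X), bands, -1).sum(axis=2)
    return np.log(energy + 1e-8)


def _log_gauss(X, mu, var):
    """(n, k) log-density of each row under each diagonal Gaussian component."""
    diff = X[:, None, :] - mu[None, :, :]
    return -0.5 * ((diff ** 2 / var[None]).sum(axis=2) + np.log(2 * np.pi * var).sum(axis=1)[None, :])


def fit_gmm(X, k=2, iters=100, var_floor=1e-3, rng=None):
    """Diagonal-covariance Gaussian mixture fitted by EM on benign noise features only."""
    if rng is None:
        rng = np.random.default_rng(0)
    n, d = X.shape
    mu = X[rng.choice(n, k, replace=False)]
    var = np.tile(X.var(axis=0) + var_floor, (k, 1))
    pi = np.full(k, 1.0 / k)
    for _ in range(iters):
        logp = _log_gauss(X, mu, var) + np.log(pi)
        resp = np.exp(logp - np.logaddexp.reduce(logp, axis=1, keepdims=True))  # E-step
        nk = resp.sum(axis=0) + 1e-12
        pi = nk / n                                                            # M-step
        mu = (resp.T @ X) / nk[:, None]
        diff2 = (X[:, None, :] - mu[None, :, :]) ** 2
        var = np.maximum(np.einsum("nk,nkd->kd", resp, diff2) / nk[:, None], var_floor)
    return pi, mu, var


def anomaly_score(X, model):
    """Negative log-likelihood under the benign mixture; higher = more anomalous."""
    pi, mu, var = model
    return -np.logaddexp.reduce(_log_gauss(X, mu, var) + np.log(pi), axis=1)


def auroc(benign_scores, malicious_scores):
    """Rank-based AUROC: P(score_mal > score_ben), ties counted half."""
    gt = (malicious_scores[:, None] > benign_scores[None, :]).mean()
    eq = (malicious_scores[:, None] == benign_scores[None, :]).mean()
    return float(gt + 0.5 * eq)


def run_demo(seed=0, fpr_budget=0.01):
    """Train on benign noise only, pick a threshold from benign scores, then score held-out inputs."""
    rng = np.random.default_rng(seed)
    train = noise_features(make_benign(300, rng))
    model = fit_gmm(train, k=2, rng=rng)
    thr = np.quantile(anomaly_score(train, model), 1.0 - fpr_budget)
    ben = anomaly_score(noise_features(make_benign(100, rng)), model)
    mal = anomaly_score(noise_features(make_malicious(100, rng)), model)
    return {
        "auroc": auroc(ben, mal),
        "tpr": float((mal > thr).mean()),
        "fpr": float((ben > thr).mean()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over from the paper's setting even in this toy: the detector never sees a malicious sample during training (the mixture models benign noise only, which is what makes the scheme attack-agnostic), and the operating threshold is set from benign scores at a chosen false-positive budget, so the reported FPR on held-out benign data is the number to watch when tuning for a real deployment.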

Abstract

The exponential adoption of machine learning (ML) is propelling the world into a future of distributed and intelligent automation and data-driven solutions. However, the proliferation of malicious data manipulation attacks against ML, namely adversarial and backdoor attacks, jeopardizes its reliability in safety-critical applications. The existing detection methods are attack-specific and built upon some strong assumptions, limiting them in diverse practical scenarios. Thus, motivated by the need for a more robust, unified, and attack-agnostic defense mechanism, we first investigate the shared traits of adversarial and backdoor attacks. Based on our observation, we propose NoiSec, a reconstruction-based intrusion detection system that brings a novel perspective by shifting focus from the reconstructed input to the reconstruction noise itself, which is the foundational root cause of such malicious data alterations. NoiSec disentangles the noise from the test input, extracts the underlying features from the noise, and leverages them to recognize systematic malicious manipulation. Our comprehensive evaluation of NoiSec demonstrates its high effectiveness across various datasets, including basic objects, natural scenes, traffic signs, medical images, spectrogram-based audio data, and wireless sensing against five state-of-the-art adversarial attacks and three backdoor attacks under challenging evaluation conditions. NoiSec demonstrates strong detection performance in both white-box and black-box adversarial attack scenarios, significantly outperforming the closest baseline models, particularly in an adaptive attack setting. We will provide the code for future baseline comparison. Our code and artifacts are publicly available at https://github.com/shahriar0651/NoiSec.

Paper Structure (37 sections, 9 figures, 5 tables)

Figures (9)

  • Figure 1: Effectiveness of using noise to discriminate between malicious (adversarial/backdoor) and benign inputs. The unique feature representations (bar plots at the bottom) of different types of noise (natural, malicious, and benign) indicate the effectiveness of the proposed defense.
  • Figure 2: An overview of the two implementation phases of NoiSec.
  • Figure 3: Adversarial examples across attacks.
  • Figure 4: Performance evaluation of NoiSec's FE and AD against different adversarial attacks on CIFAR-10 dataset. (a) KS test results comparing the feature distribution between ($\tau_{ben}$ vs $\tau_{nat}$), and ($\tau_{mal}$ vs $\tau_{nat}$) for effective feature extraction. (b) ROC curves and AUROC scores showing effective anomaly detection.
  • Figure 5: Performance evaluation of NoiSec under adaptive attacks where the attacker can adjust the attack strength to avoid detection.
  • ...and 4 more figures