Dynamic Black-box Backdoor Attacks on IoT Sensory Data

Ajesh Koyatan Chathoth, Stephen Lee

TL;DR

This work addresses the security vulnerability of deep learning models used for IoT sensor data by introducing dynamic, per-input backdoor triggers in a black-box setting. It develops an autoencoder-based trigger generator that creates small perturbations $\delta$ so that $x' = x + \delta$ is misclassified to a target label $y_{adv}$, optimizing a total loss $L_{total}=L_{B}+\lambda L_{P}$ with $L_{P}=||\delta||^2$. The attacks achieve high attack success rates across gait authentication and HAR datasets with minimal perturbations, and remain effective under several defenses, including activation clustering, pruning, and adversarial training. The results highlight the limitations of existing defenses for sensor-based backdoors and emphasize the need for developing time-series, IoT-specific protective mechanisms against dynamic black-box backdoors.

Abstract

Sensor data-based recognition systems are widely used in various applications, such as gait-based authentication and human activity recognition (HAR). Modern wearable and smart devices feature various built-in Inertial Measurement Unit (IMU) sensors, and such sensor-based measurements can be fed to a machine learning-based model to train and classify human activities. While deep learning-based models have proven successful in classifying human activity and gestures, they pose various security risks. In our paper, we discuss a novel dynamic trigger-generation technique for performing black-box adversarial attacks on sensor data-based IoT systems. Our empirical analysis shows that the attack is successful on various datasets and classifier models with minimal perturbation on the input data. We also provide a detailed comparative analysis of performance and stealthiness to various other poisoning techniques found in backdoor attacks. We also discuss some adversarial defense mechanisms and their impact on the effectiveness of our trigger-generation technique.

Paper Structure

This paper contains 26 sections, 4 equations, 9 figures, 6 tables, 1 algorithm.

Figures (9)

  • Figure 1: Accelerometer samples of Gait dataset of two participants at two different time periods. Top row: Person A, Bottom row: Person B.
  • Figure 2: Black-box backdoor attack architecture.
  • Figure 3: Perturbation (delta) generated corresponding to accelerometer X-axis using baseline technique with fixed perturbation of 5 and -5 (MAE = 5 and MAPE of 289%), giving ASR of 0.84 on the Gait dataset.
  • Figure 4: All-to-all attack confusion matrix on Gait dataset.
  • Figure 5: All-to-all attack confusion matrix on Motion-sense dataset.
  • ...and 4 more figures