-
Flashy Backdoor: Real-world Environment Backdoor Attack on SNNs with DVS Cameras
Authors:
Roberto Riaño,
Gorka Abad,
Stjepan Picek,
Aitor Urbieta
Abstract:
While security vulnerabilities in traditional Deep Neural Networks (DNNs) have been extensively studied, the susceptibility of Spiking Neural Networks (SNNs) to adversarial attacks remains mostly underexplored. Until now, the mechanisms to inject backdoors into SNN models have been limited to digital scenarios; thus, we present the first evaluation of backdoor attacks in real-world environments.
We begin by assessing the applicability of existing digital backdoor attacks and identifying their limitations for deployment in physical environments. To address each of the found limitations, we present three novel backdoor attack methods on SNNs, i.e., Framed, Strobing, and Flashy Backdoor. We also assess the effectiveness of traditional backdoor procedures and defenses adapted for SNNs, such as pruning, fine-tuning, and fine-pruning. The results show that while these procedures and defenses can mitigate some attacks, they often fail against stronger methods like Flashy Backdoor or sacrifice too much clean accuracy, rendering the models unusable.
Overall, all our methods can achieve up to a 100% Attack Success Rate while maintaining high clean accuracy in every tested dataset. Additionally, we evaluate the stealthiness of the triggers with commonly used metrics, finding them highly stealthy. Thus, we propose new alternatives more suited for identifying poisoned samples in these scenarios. Our results show that further research is needed to ensure the security of SNN-based systems against backdoor attacks and their safe application in real-world scenarios. The code, experiments, and results are available in our repository.
Submitted 5 November, 2024;
originally announced November 2024.
-
Context is the Key: Backdoor Attacks for In-Context Learning with Vision Transformers
Authors:
Gorka Abad,
Stjepan Picek,
Lorenzo Cavallaro,
Aitor Urbieta
Abstract:
Due to the high cost of training, large model (LM) practitioners commonly use pretrained models downloaded from untrusted sources, which could lead to owning compromised models. In-context learning is the ability of LMs to perform multiple tasks depending on the prompt or context. This can enable new attacks, such as backdoor attacks with dynamic behavior depending on how models are prompted.
In this paper, we leverage the ability of vision transformers (ViTs) to perform different tasks depending on the prompts. Then, through data poisoning, we investigate two new threats: i) task-specific backdoors where the attacker chooses a target task to attack, and only the selected task is compromised at test time under the presence of the trigger. At the same time, any other task is not affected, even if prompted with the trigger. We succeeded in attacking every tested model, achieving up to 89.90% degradation on the target task. ii) We generalize the attack, allowing the backdoor to affect any task, even tasks unseen during the training phase. Our attack was successful on every tested model, achieving a maximum of 13× degradation. Finally, we investigate the robustness of prompts and fine-tuning as techniques for removing the backdoors from the model. We found that these methods fall short and, in the best case, reduce the degradation from 89.90% to 73.46%.
Submitted 6 September, 2024;
originally announced September 2024.
-
Penetration Testing of 5G Core Network Web Technologies
Authors:
Filippo Giambartolomei,
Marc Barceló,
Alessandro Brighente,
Aitor Urbieta,
Mauro Conti
Abstract:
Thanks to technologies such as virtual network functions, the Fifth Generation (5G) of mobile networks dynamically allocates resources to different types of users in an on-demand fashion. Virtualization extends up to the 5G core, where software-defined networks and network slicing implement a customizable environment. These technologies can be controlled via application programming interfaces and web technologies, hence inheriting their security risks and settings. An attacker exploiting vulnerable implementations of the 5G core may gain privileged control of the network assets and disrupt its availability. However, there is currently no security assessment of the web security of the 5G core network.
In this paper, we present the first security assessment of the 5G core from a web security perspective. We use the STRIDE threat modeling approach to define a complete list of possible threat vectors and associated attacks. Thanks to a suite of security testing tools, we cover all of these threats and test the security of the 5G core. In particular, we test the three most relevant open-source 5G core implementations, i.e., Open5GS, free5GC, and OpenAirInterface. Our analysis shows that all these cores are vulnerable to at least two of our identified attack vectors, demanding increased security measures in the development of future 5G core networks.
Submitted 4 March, 2024;
originally announced March 2024.
-
Time-Distributed Backdoor Attacks on Federated Spiking Learning
Authors:
Gorka Abad,
Stjepan Picek,
Aitor Urbieta
Abstract:
This paper investigates the vulnerability of spiking neural networks (SNNs) and federated learning (FL) to backdoor attacks using neuromorphic data. Despite the efficiency of SNNs and the privacy advantages of FL, particularly in low-powered devices, we demonstrate that these systems are susceptible to such attacks. We first assess the viability of using FL with SNNs using neuromorphic data, showing its potential usage. Then, we evaluate the transferability of known FL attack methods to SNNs, finding that these lead to suboptimal attack performance. Therefore, we explore backdoor attacks involving single and multiple attackers to improve the attack performance. Our primary contribution is developing a novel attack strategy tailored to SNNs and FL, which distributes the backdoor trigger temporally and across malicious devices, enhancing the attack's effectiveness and stealthiness. In the best case, we achieve a 100% attack success rate, 0.13 MSE, and 98.9 SSIM. Moreover, we adapt and evaluate an existing defense against backdoor attacks, revealing its inadequacy in protecting SNNs. This study underscores the need for robust security measures in deploying SNNs and FL, particularly in the context of backdoor attacks.
Submitted 5 February, 2024;
originally announced February 2024.
-
Clustered Federated Learning Architecture for Network Anomaly Detection in Large Scale Heterogeneous IoT Networks
Authors:
Xabier Sáez-de-Cámara,
Jose Luis Flores,
Cristóbal Arellano,
Aitor Urbieta,
Urko Zurutuza
Abstract:
There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks is increasing. The vast scale of IoT, diverse hardware and software, and being typically placed in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape due to long delays between the analysis and publication of the detection rules. Machine learning methods have shown faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterizes these networks.
This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to collaboratively train between peers and reduce isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.
Submitted 27 July, 2023; v1 submitted 28 March, 2023;
originally announced March 2023.
-
Growth of Zr/ZrO2 core-shell structures by Fast Thermal Oxidation
Authors:
J. F. Ramos-Justicia,
J. L. Ballester-andújar,
A. Urbieta,
P. Fernández
Abstract:
This research has been conducted to characterize and validate resistive heating as a synthesis method for zirconium oxides (ZrO2). A wire of Zr has been oxidized to form a core-shell structure, in which the core is the metal wire and the shell is an oxide layer around 10 μm thick. The characterization of the samples has been performed by means of Scanning Electron Microscopy (SEM). The chemical composition was analysed by X-ray spectroscopy (EDX). X-ray diffraction (XRD) and Raman spectroscopy have been used to assess crystallinity and crystal structure. Photoluminescence (PL) and cathodoluminescence (CL) measurements have allowed us to study the distribution of defects along the shell, and to confirm the degree of uniformity. The oxygen vacancies, either as isolated defects or forming complexes with impurities, play a determinant role in the luminescent processes. Colour centres, mainly electron centres such as F, F_A and F_AA, give rise to several visible emissions extending from blue to green, with main components around 2 eV, 2.4-2.5 eV and 2.7 eV. The differences between PL and CL are also discussed.
Submitted 13 February, 2023;
originally announced February 2023.
-
Sneaky Spikes: Uncovering Stealthy Backdoor Attacks in Spiking Neural Networks with Neuromorphic Data
Authors:
Gorka Abad,
Oguzhan Ersoy,
Stjepan Picek,
Aitor Urbieta
Abstract:
Deep neural networks (DNNs) have demonstrated remarkable performance across various tasks, including image and speech recognition. However, maximizing the effectiveness of DNNs requires meticulous optimization of numerous hyperparameters and network parameters through training. Moreover, high-performance DNNs entail many parameters, which consume significant energy during training. In order to overcome these challenges, researchers have turned to spiking neural networks (SNNs), which offer enhanced energy efficiency and biologically plausible data processing capabilities, rendering them highly suitable for sensory data tasks, particularly in neuromorphic data. Despite their advantages, SNNs, like DNNs, are susceptible to various threats, including adversarial examples and backdoor attacks. Yet, the field of SNNs still needs to be explored in terms of understanding and countering these attacks.
This paper delves into backdoor attacks in SNNs using neuromorphic datasets and diverse triggers. Specifically, we explore backdoor triggers within neuromorphic data that can manipulate their position and color, providing a broader scope of possibilities than conventional triggers in domains like images. We present various attack strategies, achieving an attack success rate of up to 100% while maintaining a negligible impact on clean accuracy. Furthermore, we assess these attacks' stealthiness, revealing that our most potent attacks possess significant stealth capabilities. Lastly, we adapt several state-of-the-art defenses from the image domain, evaluating their efficacy on neuromorphic data and uncovering instances where they fall short, leading to compromised performance.
Submitted 5 February, 2024; v1 submitted 13 February, 2023;
originally announced February 2023.
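The two SNN abstracts above (Time-Distributed Backdoor Attacks on Federated Spiking Learning, and Sneaky Spikes) both describe data-poisoning backdoors planted in neuromorphic event data: the former spreads the trigger over time, the latter varies its position and polarity. The Python below is an illustration added to this listing, not code from either paper. It assumes a DVS-style event format (t, x, y, p), binning of each sample into T frames of shape (2, H, W), a square trigger at a chosen position and polarity, and toy samples constructed for the example; the per-sample MSE it reports is only a generic distortion metric of the kind the federated abstract quotes, not the papers' measurement.

```python
"""Added example: planting a backdoor trigger in event-based (DVS) samples.

An event is (t, x, y, p): timestamp, pixel coordinates, polarity (0 = OFF,
1 = ON). Training pipelines bin the stream into T frames of counts with shape
(2, H, W). The trigger is a square of synthetic events; "static" stamps the
whole square into every frame, "distributed" spreads its pixels over the
frames so that no single frame shows the full pattern. All data constructed.
"""
from dataclasses import dataclass
import copy
import random


@dataclass(frozen=True)
class TriggerSpec:
    x0: int        # top-left corner of the trigger square
    y0: int
    size: int      # side length in pixels
    polarity: int  # channel the trigger events are written to (0 = OFF, 1 = ON)


def bin_of(t, T, t_max):
    """Frame index for an event at time t (clamped into range)."""
    return min(int(t * T / t_max), T - 1)


def events_to_frames(events, T, H, W, t_max):
    """Bin an event stream into T frames of shape (2, H, W) holding event counts."""
    frames = [[[[0] * W for _ in range(H)] for _ in range(2)] for _ in range(T)]
    for t, x, y, p in events:
        frames[bin_of(t, T, t_max)][p][y][x] += 1
    return frames


def trigger_events(spec, T, t_max, mode):
    """Synthetic trigger events placed at the centre of each target frame."""
    pixels = [(x, y) for y in range(spec.y0, spec.y0 + spec.size)
              for x in range(spec.x0, spec.x0 + spec.size)]
    centre = lambda k: (k + 0.5) * t_max / T
    if mode == "static":       # full square in every frame
        return [(centre(k), x, y, spec.polarity) for k in range(T) for x, y in pixels]
    if mode == "distributed":  # pixel i appears only in frame i mod T
        return [(centre(i % T), x, y, spec.polarity) for i, (x, y) in enumerate(pixels)]
    raise ValueError(f"unknown mode {mode!r}")


def poison_dataset(samples, labels, target, rate, spec, T, t_max, mode, seed=0):
    """Return poisoned copies of (samples, labels) plus the indices that were poisoned.

    A fixed fraction `rate` of samples gets the trigger appended and its label
    rewritten to `target`; every other sample is left byte-for-byte unchanged.
    """
    rng = random.Random(seed)
    chosen = sorted(rng.sample(range(len(samples)), round(rate * len(samples))))
    new_samples, new_labels = copy.deepcopy(samples), list(labels)
    trig = trigger_events(spec, T, t_max, mode)
    for i in chosen:
        new_samples[i] = sorted(new_samples[i] + trig)
        new_labels[i] = target
    return new_samples, new_labels, chosen


def trigger_mass_per_frame(frames, spec):
    """Trigger-channel event count inside the trigger square, frame by frame."""
    return [sum(f[spec.polarity][y][x]
                for y in range(spec.y0, spec.y0 + spec.size)
                for x in range(spec.x0, spec.x0 + spec.size)) for f in frames]


def frame_mse(a, b):
    """Mean squared difference between two frame tensors of equal shape."""
    num = sum((u - v) ** 2 for fa, fb in zip(a, b) for ca, cb in zip(fa, fb)
              for ra, rb in zip(ca, cb) for u, v in zip(ra, rb))
    den = len(a) * len(a[0]) * len(a[0][0]) * len(a[0][0][0])
    return num / den


# Constructed toy setting: 8x8 sensor, 4 frames, 1000 time units per sample.
T, H, W, T_MAX = 4, 8, 8, 1000
SPEC = TriggerSpec(x0=5, y0=5, size=2, polarity=1)  # hypothetical trigger, 4 pixels


def clean_sample(seed):
    """Constructed clean sample: a row of OFF events along y=0 with jittered times."""
    rng = random.Random(seed)
    return sorted((rng.uniform(0, T_MAX), x, 0, 0) for x in range(W) for _ in range(3))


CLEAN = [clean_sample(s) for s in range(10)]
LABELS = [s % 3 for s in range(10)]


def demo(mode):
    """Poison 30% of the toy set toward label 2 and inspect one poisoned sample."""
    samples, labels, idx = poison_dataset(CLEAN, LABELS, target=2, rate=0.3,
                                          spec=SPEC, T=T, t_max=T_MAX, mode=mode)
    i = idx[0]
    clean_f = events_to_frames(CLEAN[i], T, H, W, T_MAX)
    pois_f = events_to_frames(samples[i], T, H, W, T_MAX)
    return {"poisoned": idx, "labels": labels,
            "mass": trigger_mass_per_frame(pois_f, SPEC),
            "mse": frame_mse(clean_f, pois_f)}


if __name__ == "__main__":
    for m in ("static", "distributed"):
        print(m, demo(m))
```

With these toy sizes the static trigger puts the full 4-pixel square into each of the 4 frames, while the distributed variant leaves one trigger pixel per frame, so a per-frame inspection never sees the complete pattern and the per-sample MSE against the clean frames drops by a factor of T. Note that a defence working on individual frames, or on a frame-level distortion metric, is exactly what the temporal spreading is designed to slip past.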
-
Too Many Options: A Survey of ABE Libraries for Developers
Authors:
Aintzane Mosteiro-Sanchez,
Marc Barcelo,
Jasone Astorga,
Aitor Urbieta
Abstract:
Attribute-based encryption (ABE) comprises a set of one-to-many encryption schemes that allow the encryption and decryption of data by associating it with access policies and attributes. Therefore, it is an asymmetric encryption scheme, and its computational requirements limit its deployment in IoT devices. There are different types of ABE and many schemes within each type. However, there is no consensus on the default library for ABE, and those that exist implement different schemes. Developers, therefore, face the challenge of balancing efficiency and security by choosing the suitable library for their projects. This paper studies eleven ABE libraries, analyzing their main features, the mathematical libraries used, and the ABE schemes they provide. The paper also presents an experimental analysis of the four libraries which are still maintained and identifies some of the insecure ABE schemes they implement. In this experimental analysis, we implement the schemes offered by these libraries, measuring their execution times on architectures with different capabilities, i.e., ARMv6 and ARMv8. The experiments provide developers with the necessary information to choose the most suitable library for their projects, according to objective and well-defined criteria.
Submitted 26 September, 2022;
originally announced September 2022.
-
Gotham Testbed: a Reproducible IoT Testbed for Security Experiments and Dataset Generation
Authors:
Xabier Sáez-de-Cámara,
Jose Luis Flores,
Cristóbal Arellano,
Aitor Urbieta,
Urko Zurutuza
Abstract:
The growing adoption of the Internet of Things (IoT) has brought a significant increase in attacks targeting those devices. Machine learning (ML) methods have shown promising results for intrusion detection; however, the scarcity of IoT datasets remains a limiting factor in developing ML-based security systems for IoT scenarios. Static datasets get outdated due to evolving IoT architectures and threat landscape; meanwhile, the testbeds used to generate them are rarely published. This paper presents the Gotham testbed, a reproducible and flexible security testbed extendable to accommodate new emulated devices, services or attackers. Gotham is used to build an IoT scenario composed of 100 emulated devices communicating via MQTT, CoAP and RTSP protocols, among others, in a topology composed of 30 switches and 10 routers. The scenario presents three threat actors, including the entire Mirai botnet lifecycle and additional red-teaming tools performing DoS, scanning, and attacks targeting IoT protocols. The testbed has many purposes, including a cyber range, testing security solutions, and capturing network and application data to generate datasets. We hope that researchers can leverage and adapt Gotham to include other devices, state-of-the-art attacks and topologies to share scenarios and datasets that reflect the current IoT settings and threat landscape.
Submitted 27 July, 2023; v1 submitted 28 July, 2022;
originally announced July 2022.
-
Sniper Backdoor: Single Client Targeted Backdoor Attack in Federated Learning
Authors:
Gorka Abad,
Servio Paguada,
Oguzhan Ersoy,
Stjepan Picek,
Víctor Julio Ramírez-Durán,
Aitor Urbieta
Abstract:
Federated Learning (FL) enables collaborative training of Deep Learning (DL) models where the data is retained locally. Like DL, FL has severe security weaknesses that the attackers can exploit, e.g., model inversion and backdoor attacks. Model inversion attacks reconstruct the data from the training datasets, whereas backdoors misclassify only classes containing specific properties, e.g., a pixel pattern. Backdoors are prominent in FL and aim to poison every client model, while model inversion attacks can target even a single client.
This paper introduces a novel technique to allow backdoor attacks to be client-targeted, compromising a single client while the rest remain unchanged. The attack takes advantage of state-of-the-art model inversion and backdoor attacks. Precisely, we leverage a Generative Adversarial Network to perform the model inversion. Afterward, we shadow-train the FL network, in which, using a Siamese Neural Network, we can identify, target, and backdoor the victim's model. Our attack has been validated using the MNIST, F-MNIST, EMNIST, and CIFAR-100 datasets under different settings, achieving up to 99% accuracy on both source (clean) and target (backdoor) classes and against state-of-the-art defenses, e.g., Neural Cleanse, opening a novel threat model to be considered in the future.
Submitted 28 February, 2023; v1 submitted 16 March, 2022;
originally announced March 2022.
-
End to End Secure Data Exchange in Value Chains with Dynamic Policy Updates
Authors:
Aintzane Mosteiro-Sanchez,
Marc Barcelo,
Jasone Astorga,
Aitor Urbieta
Abstract:
Data exchange among value chain partners provides them with a competitive advantage, but the risk of exposing sensitive data is ever-increasing. Information must be protected in storage and transmission to reduce this risk, so only the data producer and the final consumer can access or modify it. End-to-end (E2E) security mechanisms address this challenge, protecting companies from data breaches resulting from value chain attacks. Moreover, value chain particularities must also be considered. Multiple entities are involved in dynamic environments like these, both in data generation and consumption. Hence, a flexible generation of access policies is required to ensure that they can be updated whenever needed. This paper presents a CP-ABE-reliant data exchange system for value chains with E2E security. It considers the most relevant security and industrial requirements for value chains. The proposed solution can protect data according to access policies and update those policies without breaking E2E security or overloading field devices. In most cases, field devices are IIoT devices, limited in terms of processing and memory capabilities. The experimental evaluation has shown the proposed solution's feasibility for IIoT platforms.
Submitted 13 September, 2022; v1 submitted 17 January, 2022;
originally announced January 2022.
-
Securing IIoT using Defence-in-Depth: Towards an End-to-End Secure Industry 4.0
Authors:
Aintzane Mosteiro-Sanchez,
Marc Barcelo,
Jasone Astorga,
Aitor Urbieta
Abstract:
Industry 4.0 uses a subset of the IoT, named Industrial IoT (IIoT), to achieve connectivity, interoperability, and decentralization. The deployment of industrial networks rarely considers security by design, but this becomes imperative in smart manufacturing as connectivity increases. The combination of OT and IT infrastructures in Industry 4.0 adds new security threats beyond those of traditional industrial networks. Defence-in-Depth (DiD) strategies tackle the complexity of this problem by providing multiple defense layers, each of these focusing on a particular set of threats. Additionally, the strict requirements of IIoT networks demand lightweight encryption algorithms. Nevertheless, these ciphers must provide E2E (End-to-End) security, as data passes through intermediate entities or middleboxes before reaching their destination. If compromised, middleboxes could expose vulnerable information to potential attackers if it is not encrypted throughout this path. This paper presents an analysis of the most relevant security strategies in Industry 4.0, focusing primarily on DiD. With these in mind, it proposes a combination of DiD, an encryption algorithm called Attribute-Based-Encryption (ABE), and object security (i.e., OSCORE) to get an E2E security approach. This analysis is a critical first step to developing more complex and lightweight security frameworks suitable for Industry 4.0.
Submitted 14 January, 2022;
originally announced January 2022.
-
On the Security & Privacy in Federated Learning
Authors:
Gorka Abad,
Stjepan Picek,
Víctor Julio Ramírez-Durán,
Aitor Urbieta
Abstract:
Recent privacy awareness initiatives such as the EU General Data Protection Regulation subjected Machine Learning (ML) to privacy and security assessments. Federated Learning (FL) grants a privacy-driven, decentralized training scheme that improves ML models' security. The industry's fast-growing adoption and security evaluations of FL technology exposed various vulnerabilities that threaten FL's confidentiality, integrity, or availability (CIA). This work assesses the CIA of FL by reviewing the state-of-the-art (SoTA) and creating a threat model that embraces the attack surface, adversarial actors, capabilities, and goals. We propose the first unifying taxonomy for attacks and defenses and provide promising future research directions.
Submitted 16 March, 2022; v1 submitted 10 December, 2021;
originally announced December 2021.