A White-Box Adversarial Attack Against a Digital Twin
Wilson Patterson
Mississippi State University
Mississippi State, MS, USA
wep104@msstate.edu
Ivan Fernandez
Mississippi State University
Mississippi State, MS, USA
iaf28@msstate.edu
Subash Neupane
Mississippi State University
Mississippi State, MS, USA
sn922@msstate.edu
Milan Parmar
Mississippi State University
Mississippi State, MS, USA
parmar@cse.msstate.edu
Sudip Mittal
Mississippi State University
Mississippi State, MS, USA
mittal@cse.msstate.edu
Shahram Rahimi
Mississippi State University
Mississippi State, MS, USA
rahimi@cse.msstate.edu
ABSTRACT
Recent research has shown that Machine Learning/Deep Learning (ML/DL) models are particularly vulnerable to adversarial perturbations, which are small changes made to the input data in order to fool a machine learning classifier. The Digital Twin, which is typically described as consisting of a physical entity, a virtual counterpart, and the data connections in between, is increasingly being investigated as a means of improving the performance of physical entities by leveraging computational techniques, which are enabled by the virtual counterpart. This paper explores the susceptibility of Digital Twin (DT), a virtual model designed to accurately reflect a physical object using ML/DL classifiers that operate as Cyber Physical Systems (CPS), to adversarial attacks. As a proof of concept, we first formulate a DT of a vehicular system using a deep neural network architecture and then utilize it to launch an adversarial attack. We attack the DT model by perturbing the input to the trained model and show how easily the model can be broken with white-box attacks.
1 INTRODUCTION & BACKGROUND
The evolution of computing, communication, and sensing technologies has resulted in the implementation of internet-controlled Cyber Physical Systems (CPS). Cyber-attacks have evolved in tandem with the development of new technologies to become more effective against this CPS ecosystem. As demonstrated by the Stuxnet attack [1] and the Colonial Pipeline hack [2], attackers can now digitally disrupt physical equipment. These cyber-attacks have the ability to target systems so as to acquire valuable intel, obtain personal information, or steal money. This creates a new area of concern for the safety and security of CPSs, as cyber-threats are now physical and may endanger human lives.
A Digital Twin (DT) is an important part of the CPS ecosystem. It is defined as an ultra-realistic, "multi-physics, multi-scale, probabilistic simulation of a vehicle or system that uses the best available physical models, sensor updates, fleet history, etc., to mirror the life of its twin" [3, 4]. DTs have been implemented in a variety of fields and play a vital role in the function of many CPSs. The reliance on DT devices in the automotive industry, the military, and medicine has increased the potential for adverse effects if these systems become compromised. Medical cyber-physical systems (MCPS) [5] are examples of systems that, if compromised, could allow an attacker not only to access a patient's data but also to attack the physical devices used to diagnose, monitor, or control their health. Finlayson et al. [6] have demonstrated that a calculated Adversarial Machine Learning (AML) attack can apply perturbations to highly accurate medical image classifiers, causing misclassification of medical images with a high degree of certainty. Vehicles are another source of physical safety concern. Many modern vehicles are outfitted with sensors that monitor the vehicle's functions or enable self-driving capabilities. AML attacks can target the ML models that drive the decisions of autonomous systems, causing misclassification of road signs or other inputs describing traffic conditions [7]. Efforts must be undertaken to secure DTs in order to improve the trustworthiness of the entire CPS ecosystem.
Adversarial attacks are classified as either white-box or black-box attacks. In a white-box setting, the attacker has complete knowledge of the ML model's architecture, gradients, and parameters. In a black-box setting, by contrast, the attacker may have some knowledge of the ML model but no access to its architecture, gradients, or parameters. The fast gradient sign method (FGSM) was introduced by Goodfellow et al. [8] as a white-box attack that aims to make the model misclassify adversarial inputs. Using the model's parameters, FGSM computes the perturbation to add to an input that maximizes the loss function, and adding that perturbation produces an incorrect prediction. The Adversarial Robustness Toolbox (ART) [9] is a Python library that implements state-of-the-art attacks and defenses. ART was developed by IBM and is now hosted by the Linux Foundation AI and Data Foundation. ART is framework-independent and can handle all major machine-learning tasks.
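The following is an added worked example, not code from the paper, from its DT model, or from the ART library. It carries the FGSM step described above through on a constructed toy model: a hypothetical logistic-regression "digital twin" classifier with made-up weights (WEIGHTS, BIAS) that labels a four-channel sensor reading as normal or abnormal. The gradient of the binary cross-entropy loss with respect to the input is computed in closed form, the perturbation is epsilon times the sign of that gradient, and minimal_flipping_epsilon reports the smallest budget on a grid at which the decision flips, which is the figure a defender would track when evaluating how robust a deployed DT classifier is.

```python
import math

# Constructed toy "digital twin" classifier: a single logistic unit over a
# four-channel sensor reading. The weights and bias are made-up values for
# illustration only, not parameters from the paper's model.
WEIGHTS = [1.5, -2.0, 0.8, -1.2]
BIAS = 0.1


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(x, w=WEIGHTS, b=BIAS):
    """Probability that reading x is abnormal (class 1)."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def predict(x, w=WEIGHTS, b=BIAS):
    return 1 if predict_proba(x, w, b) >= 0.5 else 0


def bce_loss(x, y, w=WEIGHTS, b=BIAS):
    """Binary cross-entropy of the model on (x, y)."""
    p = predict_proba(x, w, b)
    tiny = 1e-12  # guards log(0)
    return -(y * math.log(p + tiny) + (1 - y) * math.log(1 - p + tiny))


def loss_gradient_wrt_input(x, y, w=WEIGHTS, b=BIAS):
    """dL/dx for a logistic unit: dL/dz = p - y and dz/dx_i = w_i.
    This is the white-box knowledge FGSM relies on."""
    p = predict_proba(x, w, b)
    return [(p - y) * wi for wi in w]


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(x, y, epsilon, w=WEIGHTS, b=BIAS):
    """One FGSM step: move every input coordinate by epsilon in the
    direction that increases the loss."""
    g = loss_gradient_wrt_input(x, y, w, b)
    return [xi + epsilon * sign(gi) for xi, gi in zip(x, g)]


def linf_distance(a, b):
    """Largest per-channel change; FGSM is bounded by epsilon in this norm."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def minimal_flipping_epsilon(x, y, grid=0.01, max_eps=2.0):
    """Robustness check: smallest epsilon on the grid at which the FGSM
    perturbation flips the model's decision on x. None if it never flips."""
    original = predict(x)
    steps = int(round(max_eps / grid))
    for k in range(steps + 1):
        eps = round(k * grid, 10)
        if predict(fgsm(x, y, eps)) != original:
            return eps
    return None


if __name__ == "__main__":
    # Constructed sensor reading, labelled abnormal (1) by assumption.
    reading, label = [0.5, 0.2, 0.3, 0.1], 1
    adv = fgsm(reading, label, 0.2)
    print("clean prediction:", predict(reading), "loss", round(bce_loss(reading, label), 3))
    print("adversarial prediction:", predict(adv), "loss", round(bce_loss(adv, label), 3))
    print("L-inf distance:", round(linf_distance(reading, adv), 3))
    print("smallest flipping epsilon:", minimal_flipping_epsilon(reading, label))
```

For this toy model the decision already flips at an epsilon of 0.11 on a grid of 0.01, while the per-channel change never exceeds the budget; on a real DT the same loop, run over a held-out set of readings, gives the distribution of minimal budgets that a robustness evaluation should report.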
In this paper, we will focus on exploiting the integrity of a DT system. We will demonstrate a white-box adversarial attack against our DT system using a Machine Learning (ML) model as a proof-of-concept. By applying calculated perturbations, we will cause confusion between the physical half of the twin and its digital counterpart, resulting in misclassifications.
2 ARCHITECTURE & RESULTS
In this section, we describe the system's architecture, as shown in Figure 1, as well as the results of our experiments. Vehicles can be viewed as a specialized form of CPS that is outfitted with a variety of sensors generating a massive amount of operational data. This data is typically collected as a time series over a period of time and can be used to build intelligent systems such as DTs using ML. The physical asset, in our case a vehicle, can then be approximated using a DT to study the behavior of various sensor channels. The advantages of this approach are manifold. For example, a DT model that monitors sensor channel behaviors and detects abnormal patterns early on will not only aid in extending
arXiv:2210.14018v1 [cs.CR] 25 Oct 2022