Your search keyword '"Picek, S. (author)"' showing total 92 results

1. Rethinking the Trigger-injecting Position in Graph Backdoor Attack

Author

Xu, J. (author), Abad, Gorka (author), Picek, S. (author), Xu, J. (author), Abad, Gorka (author), and Picek, S. (author)

Abstract

Backdoor attacks have been demonstrated as a security threat for machine learning models. Traditional backdoor attacks intend to inject backdoor functionality into the model such that the backdoored model will perform abnormally on inputs with predefined backdoor triggers and still retain state-of-the-art performance on the clean inputs. While there are already some works on backdoor attacks on Graph Neural Networks (GNNs), the backdoor trigger in the graph domain is mostly injected into random positions of the sample. There is no work analyzing and explaining the backdoor attack performance when injecting triggers into the most important or least important area in the sample, which we refer to as trigger-injecting strategies MIAS and LIAS, respectively. Our results show that, generally, LIAS performs better, and the differences between the LIAS and MIAS performance can be significant. Furthermore, we explain these two strategies’ similar (better) attack performance through explanation techniques, which results in a further understanding of backdoor attacks in GNNs., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

2. Watermarking Graph Neural Networks based on Backdoor Attacks

Author

Xu, J. (author), Koffas, S. (author), Ersoy, Oǧuzhan (author), Picek, S. (author), Xu, J. (author), Koffas, S. (author), Ersoy, Oǧuzhan (author), and Picek, S. (author)

Abstract

Graph Neural Networks (GNNs) have achieved promising performance in various real-world applications. Building a powerful GNN model is not a trivial task, as it requires a large amount of training data, powerful computing resources, and human expertise. Moreover, with the development of adversarial attacks, e.g., model stealing attacks, GNNs raise challenges to model authentication. To avoid copyright infringement on GNNs, verifying the ownership of the GNN models is necessary.This paper presents a watermarking framework for GNNs for both graph and node classification tasks. We 1) design two strategies to generate watermarked data for the graph classification task and one for the node classification task, 2) embed the watermark into the host model through training to obtain the watermarked GNN model, and 3) verify the ownership of the suspicious model in a black-box setting. The experiments show that our framework can verify the ownership of GNN models with a very high probability (up to 99%) for both tasks. We also explore our watermarking mechanism against an adaptive attacker with access to partial knowledge of the watermarked data. Finally, we experimentally show that our watermarking approach is robust against a state-of-the-art model extraction technique and four state-of-the-art defenses against backdoor attacks., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

3. Modeling Strong Physically Unclonable Functions with Metaheuristics

Author

Coello, Carlos Coello (author), Krcek, M. (author), Durasevic, Marko (author), Mariot, L. (author), Jakobovic, Domagoj (author), Picek, S. (author), Coello, Carlos Coello (author), Krcek, M. (author), Durasevic, Marko (author), Mariot, L. (author), Jakobovic, Domagoj (author), and Picek, S. (author)

Abstract

Evolutionary algorithms have been successfully applied to attack Physically Unclonable Functions (PUFs). CMA-ES is recognized as the most powerful option for a type of attack called the reliability attack. In this paper, we take a step back and systematically evaluate several metaheuristics for the challenge-response pair-based attack on strong PUFs. Our results confirm that CMA-ES has the best performance, but we note several other algorithms with similar performance while having smaller computational costs., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

4. Label Correlation in Deep Learning-Based Side-Channel Analysis

Author

Wu, L. (author), Weissbart, L.J.A. (author), Krcek, M. (author), Li, H. (author), Perin, G. (author), Batina, Lejla (author), Picek, S. (author), Wu, L. (author), Weissbart, L.J.A. (author), Krcek, M. (author), Li, H. (author), Perin, G. (author), Batina, Lejla (author), and Picek, S. (author)

Abstract

The efficiency of the profiling side-channel analysis can be significantly improved with machine learning techniques. Although powerful, a fundamental machine learning limitation of being data-hungry received little attention in the side-channel community. In practice, the maximum number of leakage traces that evaluators/attackers can obtain is constrained by the scheme requirements or the limited accessibility of the target. Even worse, various countermeasures in modern devices increase the conditions on the profiling size to break the target. This work demonstrates a practical approach to dealing with the lack of profiling traces. Instead of learning from a one-hot encoded label, transferring the labels to their distribution can significantly speed up the convergence of guessing entropy. By studying the relationship between all possible key candidates, we propose a new metric, denoted Label Correlation (LC), to evaluate the generalization ability of the profiling model. We validate LC with two common use cases: early stopping and network architecture search, and the results indicate its superior performance., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

5. Maximizing the Potential of Custom RISC-V Vector Extensions for Speeding up SHA-3 Hash Functions

Author

Li, H. (author), Mentens, Nele (author), Picek, S. (author), Li, H. (author), Mentens, Nele (author), and Picek, S. (author)

Abstract

SHA-3 is considered to be one of the most secure standardized hash functions. It relies on the Keccak-f[1 600] permutation, which operates on an internal state of 1 600 bits, mostly represented as a 5 x 5 x 64-bit matrix. While existing implementations process the state sequentially in chunks of typically 32 or 64 bits, the Keccak-f[1 600] permutation can benefit a lot from speedup through parallelization. This paper is the first to explore the full potential of parallelization of Keccak-f[1 600] in RISC-V based processors through custom vector extensions on 32-bit and 64-bit architectures. We analyze the Keccak $\mathbf{f}[1 \ 600]$ permutation, composed of five different step mappings, and propose ten custom vector instructions to speed up the computation. We realize these extensions in a SIMD processor described in System Verilog. We compare the performance of our designs to existing architectures based on vectorized application-specific instruction set processors (ASIP). We show that our designs outperform all related work in throughput due to our carefully selected custom vector instructions., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

6. Going in Style: Audio Backdoors Through Stylistic Transformations

Author

Koffas, S. (author), Pajola, Luca (author), Picek, S. (author), Conti, M. (author), Koffas, S. (author), Pajola, Luca (author), Picek, S. (author), and Conti, M. (author)

Abstract

This work explores stylistic triggers for backdoor attacks in the audio domain: dynamic transformations of malicious samples through guitar effects. We first formalize stylistic triggers – currently missing in the literature. Second, we explore how to develop stylistic triggers in the audio domain by proposing JingleBack. Our experiments confirm the effectiveness of the attack, achieving a 96% attack success rate. Our code is available in https://github.com/skoffas/going-in-style., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

7. No (good) loss no gain: Systematic evaluation of loss functions in deep learning-based side-channel analysis

Author

Kerkhof, Maikel (author), Wu, L. (author), Perin, G. (author), Picek, S. (author), Kerkhof, Maikel (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

Deep learning is a powerful direction for profiling side-channel analysis as it can break targets protected with countermeasures even with a relatively small number of attack traces. Still, it is necessary to conduct hyperparameter tuning to reach strong attack performance, which can be far from trivial. Besides many options stemming from the machine learning domain, recent years also brought neural network elements specially designed for side-channel analysis. The loss function, which calculates the error or loss between the actual and desired output, is one of the most important neural network elements. The resulting loss values guide the weights update associated with the connections between the neurons or filters of the deep learning neural network. Unfortunately, despite being a highly relevant hyperparameter, there are no systematic comparisons among different loss functions regarding their effectiveness in side-channel attacks. This work provides a detailed study of the efficiency of different loss functions in the SCA context. We evaluate five loss functions commonly used in machine learning and three loss functions specifically designed for SCA. Our results show that an SCA-specific loss function (called CER) performs very well and outperforms other loss functions in most evaluated settings. Still, categorical cross-entropy represents a good option, especially considering the variety of neural network architectures., Cyber Security

Published

2023

8. On McEliece-Type Cryptosystems Using Self-Dual Codes With Large Minimum Weight

Author

Mariot, L. (author), Picek, S. (author), R Yorgova, R.A. (author), Mariot, L. (author), Picek, S. (author), and R Yorgova, R.A. (author)

Abstract

One of the Round 3 Finalists in the NIST post-quantum cryptography call is the Classic McEliece cryptosystem. Although it is one of the most secure cryptosystems, the large size of its public key remains a practical limitation. In this work, we propose a McEliece-type cryptosystem using large minimum distance error-correcting codes derived from self-dual codes. To the best of our knowledge, such codes have not been implemented in a code-based cryptosystem until now. Moreover, we modify the decryption step of the system by introducing a decryption algorithm based on two private keys. We determine the parameters of binary codes with large minimum distance, which, if implemented into a McEliece-type cryptosystem, would provide a security level respectively of 80, 128, and 256 bits. For the 80-bit security case, we construct a large minimum distance self-dual code of length 1064, and use it to derive a random punctured code to be used in the corresponding McEliece-type cryptosystem. Compared to the original McEliece cryptosystem, the key size is reduced by about 38.5%, although an optimal decoding set is yet to be constructed to make the new system fully defined and usable., Cyber Security

Published

2023

9. SoK: Deep Learning-based Physical Side-channel Analysis

Author

Picek, S. (author), Perin, G. (author), Mariot, L. (author), Wu, L. (author), Batina, Lejla (author), Picek, S. (author), Perin, G. (author), Mariot, L. (author), Wu, L. (author), and Batina, Lejla (author)

Abstract

Side-channel attacks represent a realistic and serious threat to the security of embedded devices for already almost three decades. A variety of attacks and targets they can be applied to have been introduced, and while the area of side-channel attacks and their mitigation is very well-researched, it is yet to be consolidated. Deep learning-based side-channel attacks entered the field in recent years with the promise of more competitive performance and enlarged attackers' capabilities compared to other techniques. At the same time, the new attacks bring new challenges and complexities to the domain, making the systematization of knowledge (SoK) even more critical.We first dissect deep learning-based side-channel attacks according to the different phases they can be used in and map those phases to the efforts conducted so far in the domain. For each phase, we identify the weaknesses and challenges that triggered the known open problems. We also connect the attacks to the threat models and evaluate their advantages and drawbacks. Finally, we provide a number of recommendations to be followed in deep learning-based side-channel attacks., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

10. On the exponents of APN power functions and Sidon sets, SUM-free sets, and Dickson Polynomials

Author

Carlet, Claude (author), Picek, S. (author), Carlet, Claude (author), and Picek, S. (author)

Abstract

We derive necessary conditions related to the notions, in additive combinatorics, of Sidon sets and sum-free sets, on those exponents d ∈ Z/(2n − 1)Z, which are such that F (x) = xd is an APN function over F2n (which is an important cryptographic property). We study to what extent these new conditions may speed up the search for new APN exponents d. We summarize all the necessary conditions that an exponent must satisfy for having a chance of being an APN, including the new conditions presented in this work. Next, we give results up to n = 48, providing the number of exponents satisfying all the conditions for a function to be APN. We also show a new connection between APN exponents and Dickson polynomials: F (x) = xd is APN if and only if the reciprocal polynomial of the Dickson polynomial of index d is an injective function from {y ∈ F∗2n; trn(y) = 0} to F2n \ {1}. This also leads to a new and simple connection between Reversed Dickson polynomials and reciprocals of Dickson polynomials in characteristic 2 (which generalizes to every characteristic thanks to a small modification): the squared Reversed Dickson polynomial of some index and the reciprocal of the Dickson polynomial of the same index are equal., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

11. Backdoor Pony: Evaluating backdoor attacks and defenses in different domains

Author

Mercier, Arthur (author), Smolin, Nikita (author), Sihlovec, Oliver (author), Koffas, S. (author), Picek, S. (author), Mercier, Arthur (author), Smolin, Nikita (author), Sihlovec, Oliver (author), Koffas, S. (author), and Picek, S. (author)

Abstract

Outsourced training and crowdsourced datasets lead to a new threat for deep learning models: the backdoor attack. In this attack, the adversary inserts a secret functionality in a model, activated through malicious inputs. Backdoor attacks represent an active research area due to diverse settings where they represent a real threat. Still, there is no framework to evaluate existing attacks and defenses in different domains. Only a few toolboxes have been implemented, but most of them focus on computer vision and are difficult to use. To bridge this gap, we implement Backdoor Pony, a framework for evaluating attacks and defenses in different domains through a user-friendly GUI., Cyber Security

Published

2023

12. The Need for Speed: A Fast Guessing Entropy Calculation for Deep Learning-Based SCA

Author

Perin, G. (author), Wu, L. (author), Picek, S. (author), Perin, G. (author), Wu, L. (author), and Picek, S. (author)

Abstract

The adoption of deep neural networks for profiling side-channel attacks opened new perspectives for leakage detection. Recent publications showed that cryptographic implementations featuring different countermeasures could be broken without feature selection or trace preprocessing. This success comes with a high price: an extensive hyperparameter search to find optimal deep learning models. As deep learning models usually suffer from overfitting due to their high fitting capacity, it is crucial to avoid over-training regimes, which require a correct number of epochs. For that, early stopping is employed as an efficient regularization method that requires a consistent validation metric. Although guessing entropy is a highly informative metric for profiling side-channel attacks, it is time-consuming, especially if computed for all epochs during training, and the number of validation traces is significantly large. This paper shows that guessing entropy can be efficiently computed during training by reducing the number of validation traces without affecting the efficiency of early stopping decisions. Our solution significantly speeds up the process, impacting the performance of the hyperparameter search and overall profiling attack. Our fast guessing entropy calculation is up to 16× faster, resulting in more hyperparameter tuning experiments and allowing security evaluators to find more efficient deep learning models., Cyber Security

Published

2023

13. FLAIRS: FPGA-Accelerated Inference-Resistant & Secure Federated Learning

Author

Li, H. (author), Rieger, Phillip (author), Zeitouni, Shaza (author), Picek, S. (author), Sadeghi, Ahmad Reza (author), Li, H. (author), Rieger, Phillip (author), Zeitouni, Shaza (author), Picek, S. (author), and Sadeghi, Ahmad Reza (author)

Abstract

Federated Learning (FL) has become very popular since it enables clients to train a joint model collaboratively without sharing their private data. However, FL has been shown to be susceptible to backdoor and inference attacks. While in the former, the adversary injects manipulated updates into the aggregation process; the latter leverages clients' local models to deduce their private data. Contemporary solutions to address the security concerns of FL are either impractical for real-world deployment due to high-performance overheads or are tailored towards addressing specific threats, for instance, privacy-preserving aggregation or backdoor defenses. Given these limitations, our research delves into the advantages of harnessing the FPGA-based computing paradigm to overcome performance bottlenecks of software-only solutions while mitigating backdoor and inference attacks. We utilize FPGA-based enclaves to address inference attacks during the aggregation process of FL. We adopt an advanced backdoor-aware aggregation algorithm on the FPGA to counter backdoor attacks. We implemented and evaluated our method on Xilinx VMK-180, yielding a significant speed-up of around 300 times on the IoT-Traffic dataset and more than 506 times on the CIFAR-10 dataset., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2023

14. Can You Hear It? Backdoor Attacks via Ultrasonic Triggers

Author

Koffas, S. (author), Xu, J. (author), Conti, M. (author), Picek, S. (author), Koffas, S. (author), Xu, J. (author), Conti, M. (author), and Picek, S. (author)

Abstract

This work explores backdoor attacks for automatic speech recognition systems where we inject inaudible triggers. By doing so, we make the backdoor attack challenging to detect for legitimate users and, consequently, potentially more dangerous. We conduct experiments on two versions of a speech dataset and three neural networks and explore the performance of our attack concerning the duration, position, and type of the trigger. Our results indicate that less than 1% of poisoned data is sufficient to deploy a backdoor attack and reach a 100% attack success rate. We observed that short, non-continuous triggers result in highly successful attacks. Still, since our trigger is inaudible, it can be as long as possible without raising any suspicions making the attack more effective. Finally, we conduct our attack on actual hardware and saw that an adversary could manipulate inference in an Android application by playing the inaudible trigger over the air., Cyber Security

Published

2022

15. The Best of Two Worlds: Deep Learning-assisted Template Attack

Author

Wu, L. (author), Perin, G. (author), Picek, S. (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

In the last decade, machine learning-based side-channel attacks have become a standard option when investigating profiling side-channel attacks. At the same time, the previous state-of-the-art technique, template attack, started losing its importance and was more considered a baseline to compare against. As such, most of the results reported that machine learning (and especially deep learning) could significantly outperform the template attack. Nevertheless, the template attack still has certain advantages even compared to deep learning. The most significant one is that it has only a few hyperparameters to tune, making it easier to use. We take another look at the template attack, and we devise a feature engineering phase allowing the template attack to compete or even outperform state-of-the-art deep learning-based side-channel attacks. More precisely, with a novel distance metric customized for side-channel analysis, we show how a deep learning technique called similarity learning can be used to find highly efficient embeddings of input data with one-epoch training, which can then be fed into the template attack resulting in powerful attacks., Cyber Security

Published

2022

16. The More You Know: Improving Laser Fault Injection with Prior Knowledge

Author

Krcek, M. (author), Ordas, Thomas (author), Fronte, Daniele (author), Picek, S. (author), Krcek, M. (author), Ordas, Thomas (author), Fronte, Daniele (author), and Picek, S. (author)

Abstract

We consider finding as many faults as possible on the target device in the laser fault injection security evaluation. Since the search space is large, we require efficient search methods. Recently, an evolutionary approach using a memetic algorithm was proposed and shown to find more interesting parameter combinations than random search, which is commonly used. Unfortunately, once a variation on the bench or target is introduced, the process must be repeated to find suitable parameter combinations anew.To negate the effect of variation, we propose a novel method combining a memetic algorithm with a machine learning approach called a decision tree. Our approach improves the memetic algorithm by using prior knowledge of the target introduced in the initial phase of the memetic algorithm. In our experiments, the decision tree rules enhance the performance of the memetic algorithm by finding more interesting faults in different samples of the same target. Our approach shows more than two orders of magnitude better performance than random search and up to 60% better performance than previous state-of-the-art results with a memetic algorithm. Another advantage of our approach is human-readable rules, allowing the first insights into the explainability of target characterization for laser fault injection., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

17. To Overfit, or Not to Overfit: Improving the Performance of Deep Learning-Based SCA

Author

Rezaeezade, A. (author), Perin, G. (author), Picek, S. (author), Rezaeezade, A. (author), Perin, G. (author), and Picek, S. (author)

Abstract

Profiling side-channel analysis allows evaluators to estimate the worst-case security of a target. When security evaluations relax the assumptions about the adversary’s knowledge, profiling models may easily be sub-optimal due to the inability to extract the most informative points of interest from the side-channel measurements. When used for profiling attacks, deep neural networks can learn strong models without feature selection with the drawback of expensive hyperparameter tuning. Unfortunately, due to very large search spaces, one usually finds very different model behaviors, and a widespread situation is to face overfitting with typically poor generalization capacity. Usually, overfitting or poor generalization would be mitigated by adding more measurements to the profiling phase to reduce estimation errors. This paper provides a detailed analysis of different deep learning model behaviors and shows that adding more profiling traces as a single solution does not necessarily help improve generalization. We recognize the main problem to be the sub-optimal selection of hyperparameters, which is then difficult to resolve by simply adding more measurements. Instead, we propose to use small hyperparameter tweaks or regularization as techniques to resolve the problem., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

18. On the feasibility of crawling-based attacks against recommender systems

Author

Aiolli, Fabio (author), Conti, M. (author), Picek, S. (author), Polato, M. (author), Aiolli, Fabio (author), Conti, M. (author), Picek, S. (author), and Polato, M. (author)

Abstract

Nowadays, online services, like e-commerce or streaming services, provide a personalized user experience through recommender systems. Recommender systems are built upon a vast amount of data about users/items acquired by the services. Such knowledge represents an invaluable resource. However, commonly, part of this knowledge is public and can be easily accessed via the Internet. Unfortunately, that same knowledge can be leveraged by competitors or malicious users. The literature offers a large number of works concerning attacks on recommender systems, but most of them assume that the attacker can easily access the full rating matrix. In practice, this is never the case. The only way to access the rating matrix is by gathering the ratings (e.g., reviews) by crawling the service's website. Crawling a website has a cost in terms of time and resources. What is more, the targeted website can employ defensive measures to detect automatic scraping. In this paper, we assess the impact of a series of attacks on recommender systems. Our analysis aims to set up the most realistic scenarios considering both the possibilities and the potential attacker's limitations. In particular, we assess the impact of different crawling approaches when attacking a recommendation service. From the collected information, we mount various profile injection attacks. We measure the value of the collected knowledge through the identification of the most similar user/item. Our empirical results show that while crawling can indeed bring knowledge to the attacker (up to 65% of neighborhood reconstruction on a mid-size dataset and up to 90% on a small-size dataset), this will not be enough to mount a successful shilling attack in practice., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

19. Deep Learning-Based Side-Channel Analysis Against AES Inner Rounds

Author

Swaminathan, Sudharshan (author), Chmielewski, Łukasz (author), Perin, G. (author), Picek, S. (author), Swaminathan, Sudharshan (author), Chmielewski, Łukasz (author), Perin, G. (author), and Picek, S. (author)

Abstract

Side-channel attacks (SCA) focus on vulnerabilities caused by insecure implementations and exploit them to deduce useful information about the data being processed or the data itself through leakages obtained from the device. There have been many studies exploiting these leakages, and most of the state-of-the-art attacks have been shown to work on AES implementations. The methodology is usually based on exploiting leakages for the outer rounds, i.e., the first and the last round. In some cases, due to partial countermeasures or the nature of the device itself, it might not be possible to attack the outer rounds. In this case, the attacker needs to resort to attacking the inner rounds. This work provides a generalization for inner round side-channel attacks on AES and experimentally validates it with non-profiled and profiled attacks. We formulate the computation of the hypothesis values of any byte in the intermediate rounds. The more inner the AES round is, the higher is the attack complexity in terms of the number of bits to be guessed for the hypothesis. We discuss the main limitations for obtaining predictions in inner rounds and, in particular, we compare the performance of Correlation Power Analysis (CPA) against deep learning-based profiled side-channel attacks (DL-SCA). We show that because trained deep learning models require fewer traces in the attack phase, they also have fewer complexity limitations to attack inner AES rounds than non-profiled attacks such as CPA. This paper is the first to propose deep learning-based profiled attacks on inner rounds of AES to the best of our knowledge., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

20. Profiled Side-Channel Analysis in the Efficient Attacker Framework

Author

Picek, S. (author), Heuser, Annelie (author), Perin, G. (author), Guilley, Sylvain (author), Picek, S. (author), Heuser, Annelie (author), Perin, G. (author), and Guilley, Sylvain (author)

Abstract

Profiled side-channel attacks represent the most powerful category of side-channel attacks. There, the attacker has access to a clone device to profile its leaking behavior. Additionally, it is common to consider the attacker unbounded in power to allow the worst-case security analysis. This paper starts with a different premise where we are interested in the minimum power that the attacker requires to conduct a successful attack. We propose a new framework for profiled side-channel analysis that we call the Efficient Attacker Framework. With it, we require attacks to be as powerful as possible, but we also provide a setting that inherently allows a more objective analysis among attacks. To confirm our theoretical results, we provide an experimental evaluation of our framework in the context of deep learning-based side-channel analysis., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

21. A Tale of Two Boards: On the Influence of Microarchitecture on Side-Channel Leakage

Author

Arora, Vipul (author), Buhan, Ileana (author), Perin, G. (author), Picek, S. (author), Arora, Vipul (author), Buhan, Ileana (author), Perin, G. (author), and Picek, S. (author)

Abstract

Advances in cryptography have enabled the features of confidentiality, security, and integrity on small embedded devices such as IoT devices. While mathematically strong, the platform on which an algorithm is implemented plays a significant role in the security of the final product. Side-channel attacks exploit the variations in the system’s physical characteristics to obtain information about the sensitive data. In our scenario, a software implementation of a cryptographic algorithm is flashed on devices from different manufactures with the same instruction set configured for identical execution. To analyze the influence of the microarchitecture on side-channel leakage, we acquire thirty-two sets of power traces from four physical devices. While we notice minor differences in the leakage behavior for different physical boards from the same manufacturer, our results confirm that the difference in microarchitecture implementations of the same core will leak different side-channel information. We also show that TVLA leakage prediction should be treated with caution as it is sensitive to both false positives and negatives., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

22. Deep Neural Networks Aiding Cryptanalysis: A Case Study of the Speck Distinguisher

Author

Băcuieți, Norica (author), Batina, Lejla (author), Picek, S. (author), Băcuieți, Norica (author), Batina, Lejla (author), and Picek, S. (author)

Abstract

At CRYPTO’19, A. Gohr proposed neural distinguishers for the lightweight block cipher Speck32/64, achieving better results than the state-of-the-art at that point. However, the motivation for using that particular architecture was not very clear; therefore, in this paper, we study the depth-10 and depth-1 neural distinguishers proposed by Gohr [7] with the aim of finding out whether smaller or better-performing distinguishers for Speck32/64 exist. We first evaluate whether we can find smaller neural networks that match the accuracy of the proposed distinguishers. We answer this question in the affirmative with the depth-1 distinguisher successfully pruned, resulting in a network that remained within one percentage point of the unpruned network’s performance. Having found a smaller network that achieves the same performance, we examine whether its performance can be improved as well. We also study whether processing the input before giving it to the pruned depth-1 network would improve its performance. To this end, convolutional autoencoders were found that managed to reconstruct the ciphertext pairs successfully, and their trained encoders were used as a preprocessor before training the pruned depth-1 network. We found that, even though the autoencoders achieved a nearly perfect reconstruction, the pruned network did not have the necessary complexity anymore to extract useful information from the preprocessed input, motivating us to look at the feature importance to get more insights. To achieve this, we used LIME, with results showing that a stronger explainer is needed to assess it correctly., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

23. Dynamic Backdoors with Global Average Pooling

Author

Koffas, S. (author), Picek, S. (author), Conti, M. (author), Koffas, S. (author), Picek, S. (author), and Conti, M. (author)

Abstract

Outsourced training and machine learning as a service have resulted in novel attack vectors like backdoor attacks. Such attacks embed a secret functionality in a neural network activated when the trigger is added to its input. In most works in the literature, the trigger is static, both in terms of location and pattern. The effectiveness of various detection mechanisms depends on this property. It was recently shown that countermeasures in image classification, like Neural Cleanse and ABS, could be bypassed with dynamic triggers that are effective regardless of their pattern and location. Still, such backdoors are demanding as they require a large percentage of poisoned training data. In this work, we are the first to show that dynamic backdoor attacks could happen due to a global average pooling layer without increasing the percentage of the poisoned training data. Nevertheless, our experiments in sound classification, text sentiment analysis, and image classification show this to be very difficult in practice., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

24. NeuroSCA: Evolving Activation Functions for Side-Channel Analysis

Author

Knezevic, Karlo (author), Jakobović, Domagoj (author), Picek, S. (author), Ðurasević, Marko (author), Knezevic, Karlo (author), Jakobović, Domagoj (author), Picek, S. (author), and Ðurasević, Marko (author)

Abstract

The choice of activation functions can significantly impact the performance of neural networks. Due to an ever-increasing number of new activation functions being proposed in the literature, selecting the appropriate activation function becomes even more difficult. Consequently, many researchers approach this problem from a different angle, in which instead of selecting an existing activation function, an appropriate activation function is evolved for the problem at hand. In this paper, we demonstrate that evolutionary algorithms can evolve new activation functions for side-channel analysis (SCA), outperforming ReLU and other activation functions commonly applied to that problem. More specifically, we use Genetic Programming to define and explore candidate activation functions (neuroevolution) in the form of mathematical expressions that are gradually improved. Experiments with the ASCAD database show that this approach is highly effective compared to results obtained with standard activation functions and that it can match the state-of-the-art results from the literature. More precisely, the obtained results for the ASCAD fixed key dataset demonstrate that the evolved activation functions can improve the current state-of-the-art by achieving a guessing entropy of 287 for the Hamming weight model and 115 for the Identity leakage model, compared to 447 and 120 obtained in the literature., Cyber Security

Published

2022

25. Gambling for Success: The Lottery Ticket Hypothesis in Deep Learning-Based Side-Channel Analysis

Author

Perin, G. (author), Wu, L. (author), Picek, S. (author), Perin, G. (author), Wu, L. (author), and Picek, S. (author)

Abstract

Deep learning-based side-channel analysis (SCA) represents a strong approach for profiling attacks. Still, this does not mean it is trivial to find neural networks that perform well for any setting. Based on the developed neural network architectures, we can distinguish between small neural networks that are easier to tune and less prone to overfitting but could have insufficient capacity to model the data. On the other hand, large neural networks have sufficient capacity but can overfit and are more difficult to tune. This brings an interesting trade-off between simplicity and performance. This work proposes to use a pruning strategy and recently proposed Lottery Ticket Hypothesis (LTH) as an efficient method to tune deep neural networks for profiling SCA. Pruning provides a regularization effect on deep neural networks and reduces the overfitting posed by overparameterized models. We demonstrate that we can find pruned neural networks that perform on the level of larger networks, where we manage to reduce the number of weights by more than 90% on average. This way, pruning and LTH approaches become alternatives to costly and difficult hyperparameter tuning in profiling SCA. Our analysis is conducted over different masked AES datasets and for different neural network topologies. Our results indicate that pruning, and more specifically LTH, can result in competitive deep learning models., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

26. Poster: Clean-label Backdoor Attack on Graph Neural Networks

Author

Xu, J. (author), Picek, S. (author), Xu, J. (author), and Picek, S. (author)

Abstract

Graph Neural Networks (GNNs) have achieved impressive results in various graph learning tasks. They have found their way into many applications, such as fraud detection, molecular property prediction, or knowledge graph reasoning. However, GNNs have been recently demonstrated to be vulnerable to backdoor attacks. In this work, we explore a new kind of backdoor attack, i.e., a clean-label backdoor attack, on GNNs. Unlike prior backdoor attacks on GNNs in which the adversary can introduce arbitrary, often clearly mislabeled, inputs to the training set, in a clean-label backdoor attack, the resulting poisoned inputs appear to be consistent with their label and thus are less likely to be filtered as outliers. The initial experimental results illustrate that the adversary can achieve a high attack success rate (up to 98.47%) with a clean-label backdoor attack on GNNs for the graph classification task. We hope our work will raise awareness of this attack and inspire novel defenses against it., Cyber Security

Published

2022

27. Fake It Till You Make It: Data Augmentation Using Generative Adversarial Networks for All the Crypto You Need on Small Devices

Author

Mukhtar, Naila (author), Batina, Lejla (author), Picek, S. (author), Kong, Yinan (author), Mukhtar, Naila (author), Batina, Lejla (author), Picek, S. (author), and Kong, Yinan (author)

Abstract

Deep learning-based side-channel analysis performance heavily depends on the dataset size and the number of instances in each target class. Both small and imbalanced datasets might lead to unsuccessful side-channel attacks. The attack performance can be improved by generating traces synthetically from the obtained data instances instead of collecting them from the target device, but this is a cumbersome and challenging task. We propose a novel data augmentation approach based on conditional Generative Adversarial Networks (cGAN) and Siamese networks, enhancing the attack capability. We also present a quantitative comparative deep learning-based side-channel analysis between a real raw signal leakage dataset and an artificially augmented leakage dataset. The analysis is performed on the leakage datasets for both symmetric and public-key cryptographic implementations. We investigate non-convergent networks’ effect on the generation of fake leakage signals using two cGAN based deep learning models. The analysis shows that the proposed data augmentation model results in a well-converged network that generates realistic leakage traces, which can be used to mount deep learning-based side-channel analysis successfully even when the dataset available from the device is not optimal. Our results show that the datasets enhanced with “faked” leakage traces are breakable (while not without augmentation), which might change how we perform deep learning-based side-channel analysis., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

28. More is Better (Mostly): On the Backdoor Attacks in Federated Graph Neural Networks

Author

Xu, J. (author), Wang, R. (author), Koffas, S. (author), Liang, K. (author), Picek, S. (author), Xu, J. (author), Wang, R. (author), Koffas, S. (author), Liang, K. (author), and Picek, S. (author)

Abstract

Graph Neural Networks (GNNs) are a class of deep learning-based methods for processing graph domain information. GNNs have recently become a widely used graph analysis method due to their superior ability to learn representations for complex graph data. Due to privacy concerns and regulation restrictions, centralized GNNs can be difficult to apply to data-sensitive scenarios. Federated learning (FL) is an emerging technology developed for privacy-preserving settings when several parties need to train a shared global model collaboratively. Although several research works have applied FL to train GNNs (Federated GNNs), there is no research on their robustness to backdoor attacks. This paper bridges this gap by conducting two types of backdoor attacks in Federated GNNs: centralized backdoor attacks (CBA) and distributed backdoor attacks (DBA). Our experiments show that the DBA attack success rate is higher than CBA in almost all cases. For CBA, the attack success rate of all local triggers is similar to the global trigger, even if the training set of the adversarial party is embedded with the global trigger. To explore the properties of two backdoor attacks in Federated GNNs, we evaluate the attack performance for a different number of clients, trigger sizes, poisoning intensities, and trigger densities. Finally, we explore the robustness of DBA and CBA against two state-of-the-art defenses. We find that both attacks are robust against the investigated defenses, necessitating the need to consider backdoor attacks in Federated GNNs as a novel threat that requires custom defenses., Cyber Security

Published

2022

29. On the Evaluation of Deep Learning-Based Side-Channel Analysis

Author

Wu, L. (author), Perin, G. (author), Picek, S. (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

Deep learning-based side-channel analysis is rapidly positioning itself as a de-facto standard for the most powerful profiling side-channel analysis.The results from the last few years show that deep learning techniques can efficiently break targets that are even protected with countermeasures. While there are constant improvements in making the deep learning-based attacks more powerful, little is done on evaluating the attacks’ performance. Indeed, how the evaluation process is done today is not different from what was done more than a decade ago from the perspective of evaluation metrics. This paper considers how to evaluate deep learning-based side-channel analysis and whether the commonly used approaches give the best results. To that end, we consider different summary statistics and the influence of algorithmic randomness on the stability of profiling models. Our results show that besides commonly used metrics like guessing entropy, one should also show the standard deviation results to assess the attack performance properly. Even more importantly, using the arithmetic mean for guessing entropy does not yield the best results, and instead, a median value should be used., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

30. Label-Only Membership Inference Attack against \\Node-Level Graph Neural Networks

Author

Conti, M. (author), Li, Jiaxin (author), Picek, S. (author), Xu, J. (author), Conti, M. (author), Li, Jiaxin (author), Picek, S. (author), and Xu, J. (author)

Abstract

Graph Neural Networks (GNNs), inspired by Convolutional Neural Networks (CNNs), aggregate the message of nodes' neighbors and structure information to acquire expressive representations of nodes for node classification, graph classification, and link prediction. Previous studies have indicated that node-level GNNs are vulnerable to Membership Inference Attacks (MIAs), which infer whether a node is in the training data of GNNs and leak the node's private information, like the patient's disease history. The implementation of previous MIAs takes advantage of the models' probability output, which is infeasible if GNNs only provide the prediction label (label-only) for the input. In this paper, we propose a label-only MIA against GNNs for node classification with the help of GNNs' flexible prediction mechanism, e.g., obtaining the prediction label of one node even when neighbors' information is unavailable. Our attacking method achieves around 60\% accuracy, precision, and Area Under the Curve (AUC) for most datasets and GNN models, some of which are competitive or even better than state-of-the-art probability-based MIAs implemented under our environment and settings. Additionally, we analyze the influence of the sampling method, model selection approach, and overfitting level on the attack performance of our label-only MIA. All of those three factors have an impact on the attack performance. Then, we consider scenarios where assumptions about the adversary's additional dataset (shadow dataset) and extra information about the target model are relaxed. Even in those scenarios, our label-only MIA achieves a better attack performance in most cases. Finally, we explore the effectiveness of possible defenses, including Dropout, Regularization, Normalization, and Jumping knowledge. None of those four defenses prevent our attack completely., Cyber Security

Published

2022

31. Hand Me Your PIN! Inferring ATM PINs of Users Typing with a Covered Hand

Author

Cardaioli, Matteo (author), Cecconello, S. (author), Conti, M. (author), Milani, Simone (author), Picek, S. (author), Saraci, Eugen (author), Cardaioli, Matteo (author), Cecconello, S. (author), Conti, M. (author), Milani, Simone (author), Picek, S. (author), and Saraci, Eugen (author)

Abstract

Automated Teller Machines (ATMs) represent the most used system for withdrawing cash. The European Central Bank reported more than 11 billion cash withdrawals and loading/unloading transactions on the European ATMs in 2019. Although ATMs have undergone various technological evolutions, Personal Identification Numbers (PINs) are still the most common authentication method for these devices. Unfortunately, the PIN mechanism is vulnerable to shoulder-surfing attacks performed via hidden cameras installed near the ATM to catch the PIN pad. To overcome this problem, people get used to covering the typing hand with the other hand. While such users probably believe this behavior is safe enough to protect against mentioned attacks, there is no clear assessment of this countermeasure in the scientific literature. This paper proposes a novel attack to reconstruct PINs entered by victims covering the typing hand with the other hand. We consider the setting where the attacker can access an ATM PIN pad of the same brand/model as the target one. Afterward, the attacker uses that model to infer the digits pressed by the victim while entering the PIN. Our attack owes its success to a carefully selected deep learning architecture that can infer the PIN from the typing hand position and movements. We run a detailed experimental analysis including 58 users. With our approach, we can guess 30% of the 5-digit PINs within three attempts - the ones usually allowed by ATM before blocking the card. We also conducted a survey with 78 users that managed to reach an accuracy of only 7.92% on average for the same setting. Finally, we evaluate a shielding countermeasure that proved to be rather inefficient unless the whole keypad is shielded., Cyber Security

Published

2022

32. A scalable SIMD RISC-V based processor with customized vector extensions for CRYSTALS-kyber

Author

Li, H. (author), Mentens, Nele (author), Picek, S. (author), Li, H. (author), Mentens, Nele (author), and Picek, S. (author)

Abstract

This paper uses RISC-V vector extensions to speed up lattice-based operations in architectures based on HW/SW co-design. We analyze the structure of the number-theoretic transform (NTT), inverse NTT (INTT), and coefficient-wise multiplication (CWM) in CRYSTALS-Kyber, a lattice-based key encapsulation mechanism. We propose 12 vector extensions for CRYSTALS-Kyber multiplication and four for finite field operations in combination with two optimizations of the HW/SW interface. This results in a speed-up of 141.7, 168.7, and 245.5 times for NTT, INTT, and CWM, respectively, compared with the baseline implementation, and a speed-up of over four times compared with the state-of-the-art HW/SW co-design using RV32IMC., Cyber Security

Published

2022

33. Focus is Key to Success: A Focal Loss Function for Deep Learning-Based Side-Channel Analysis

Author

Kerkhof, Maikel (author), Wu, L. (author), Perin, G. (author), Picek, S. (author), Kerkhof, Maikel (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

The deep learning-based side-channel analysis represents one of the most powerful side-channel attack approaches. Thanks to its capability in dealing with raw features and countermeasures, it becomes the de facto standard approach for the SCA community. The recent works significantly improved the deep learning-based attacks from various perspectives, like hyperparameter tuning, design guidelines, or custom neural network architecture elements. Still, insufficient attention has been given to the core of the learning process - the loss function. This paper analyzes the limitations of the existing loss functions and then proposes a novel side-channel analysis-optimized loss function: Focal Loss Ratio (FLR), to cope with the identified drawbacks observed in other loss functions. To validate our design, we 1) conduct a thorough experimental study considering various scenarios (datasets, leakage models, neural network architectures) and 2) compare with other loss functions used in the deep learning-based side-channel analysis (both “traditional” ones and those designed for side-channel analysis). Our results show that FLR loss outperforms other loss functions in various conditions while not having computational overhead like some recent loss function proposals., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

34. Guest Editorial: Trustworthy AI

Author

Jin, Yier (author), Ho, Tsung Yi (author), Picek, S. (author), Garg, Siddharth (author), Jin, Yier (author), Ho, Tsung Yi (author), Picek, S. (author), and Garg, Siddharth (author)

Abstract

Cyber Security

Published

2022

35. SCA Strikes Back: Reverse Engineering Neural Network Architectures using Side Channels

Author

Batina, Lejla (author), Bhasin, Shivam (author), Jap, Dirmanto (author), Picek, S. (author), Batina, Lejla (author), Bhasin, Shivam (author), Jap, Dirmanto (author), and Picek, S. (author)

Abstract

This paper was selected for Top Picks in Hardware and Embedded Security 2020 and it presents a physical side-channel attack aiming at reverse engineering neural networks implemented on an edge device. The attack does not need access to training data and allows for neural network recovery by feeding known random inputs. We successfully reverse engineer information about layers, neurons, activation functions, and weights associated with neurons. This attack opens a new door in the domain of security of neural networks. Follow-up works by other researchers have shown this attack to be applicable for various settings and difficult to protect against., Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Cyber Security

Published

2022

36. Can You Hear It? Backdoor Attacks via Ultrasonic Triggers

Author

Koffas, S. (author), Xu, J. (author), Conti, M. (author), Picek, S. (author), Koffas, S. (author), Xu, J. (author), Conti, M. (author), and Picek, S. (author)

Abstract

This work explores backdoor attacks for automatic speech recognition systems where we inject inaudible triggers. By doing so, we make the backdoor attack challenging to detect for legitimate users and, consequently, potentially more dangerous. We conduct experiments on two versions of a speech dataset and three neural networks and explore the performance of our attack concerning the duration, position, and type of the trigger. Our results indicate that less than 1% of poisoned data is sufficient to deploy a backdoor attack and reach a 100% attack success rate. We observed that short, non-continuous triggers result in highly successful attacks. Still, since our trigger is inaudible, it can be as long as possible without raising any suspicions making the attack more effective. Finally, we conduct our attack on actual hardware and saw that an adversary could manipulate inference in an Android application by playing the inaudible trigger over the air., Cyber Security

Published

2022

37. Exploring Feature Selection Scenarios for Deep Learning-based Side-channel Analysis

Author

Perin, G. (author), Wu, L. (author), Picek, S. (author), Perin, G. (author), Wu, L. (author), and Picek, S. (author)

Abstract

One of the main promoted advantages of deep learning in profiling side-channel analysis is the possibility of skipping the feature engineering process. Despite that, most recent publications consider feature selection as the attacked interval from the side-channel measurements is pre-selected. This is similar to the worst-case security assumptions in security evaluations when the random secret shares (e.g., mask shares) are known during the profiling phase: an evaluator can identify points of interest locations and efficiently trim the trace interval. To broadly understand how feature selection impacts the performance of deep learning-based profiling attacks, this paper investigates three different feature selection scenarios that could be realistically used in practical security evaluations. The scenarios range from the minimum possible number of features (worst-case security assumptions) to the whole available traces. Our results emphasize that deep neural networks as profiling models show successful key recovery independently of explored feature selection scenarios against first-order masked software implementations of AES-128. First, we show that feature selection with the worst-case security assumptions results in optimal profiling models that are highly dependent on the number of features and signal-to-noise ratio levels. Second, we demonstrate that attacking raw side-channel measurements with small deep neural networks also provides optimal models, that shortens the gap between worst-case security evaluations and online (realistic) profiling attacks. In all explored feature selection scenarios, the hyperparameter search always indicates a successful model with up to eight hidden layers for MLPs and CNNs, suggesting that complex models are not required for the considered datasets. Our results demonstrate the key recovery with less than ten attack traces for all datasets for at least one of the feature selection scenarios. Additionally, in several cases, we, Cyber Security

Published

2022

38. The Best of Two Worlds: Deep Learning-assisted Template Attack

Author

Wu, L. (author), Perin, G. (author), Picek, S. (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

In the last decade, machine learning-based side-channel attacks have become a standard option when investigating profiling side-channel attacks. At the same time, the previous state-of-the-art technique, template attack, started losing its importance and was more considered a baseline to compare against. As such, most of the results reported that machine learning (and especially deep learning) could significantly outperform the template attack. Nevertheless, the template attack still has certain advantages even compared to deep learning. The most significant one is that it has only a few hyperparameters to tune, making it easier to use. We take another look at the template attack, and we devise a feature engineering phase allowing the template attack to compete or even outperform state-of-the-art deep learning-based side-channel attacks. More precisely, with a novel distance metric customized for side-channel analysis, we show how a deep learning technique called similarity learning can be used to find highly efficient embeddings of input data with one-epoch training, which can then be fed into the template attack resulting in powerful attacks., Cyber Security

Published

2022

39. Explainability-based Backdoor Attacks against Graph Neural Networks

Author

Xu, J. (author), Xue, Minhui (author), Picek, S. (author), Xu, J. (author), Xue, Minhui (author), and Picek, S. (author)

Abstract

Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop., Cyber Security

Published

2021

40. ReproducedPapers.org: Openly Teaching and Structuring Machine Learning Reproducibility

Author

Yildiz, B. (author), Hung, H.S. (author), Krijthe, J.H. (author), Liem, C.C.S. (author), Loog, M. (author), Migut, M.A. (author), Oliehoek, F.A. (author), Panichella, A. (author), Pawełczak, Przemysław (author), Picek, S. (author), de Weerdt, M.M. (author), van Gemert, J.C. (author), Yildiz, B. (author), Hung, H.S. (author), Krijthe, J.H. (author), Liem, C.C.S. (author), Loog, M. (author), Migut, M.A. (author), Oliehoek, F.A. (author), Panichella, A. (author), Pawełczak, Przemysław (author), Picek, S. (author), de Weerdt, M.M. (author), and van Gemert, J.C. (author)

Abstract

We present ReproducedPapers.org : an open online repository for teaching and structuring machine learning reproducibility. We evaluate doing a reproduction project among students and the added value of an online reproduction repository among AI researchers. We use anonymous self-assessment surveys and obtained 144 responses. Results suggest that students who do a reproduction project place more value on scientific reproductions and become more critical thinkers. Students and AI researchers agree that our online reproduction repository is valuable., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Pattern Recognition and Bioinformatics, Multimedia Computing, Computer Science & Engineering-Teaching Team, Interactive Intelligence, Software Engineering, Embedded and Networked Systems, Cyber Security, Algorithmics

Published

2021

41. Reinforcement learning for hyperparameter tuning in deep learning-based side-channel analysis

Author

Rijsdijk, J. (author), Wu, L. (author), Perin, G. (author), Picek, S. (author), Rijsdijk, J. (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

Deep learning represents a powerful set of techniques for profiling side-channel analysis. The results in the last few years show that neural network architectures like multilayer perceptron and convolutional neural networks give strong attack performance where it is possible to break targets protected with various coun-termeasures. Considering that deep learning techniques commonly have a plethora of hyperparameters to tune, it is clear that such top attack results can come with a high price in preparing the attack. This is especially problematic as the side-channel community commonly uses random search or grid search techniques to look for the best hyperparameters. In this paper, we propose to use reinforcement learning to tune the convolutional neural network hyperparameters. In our framework, we investigate the Q-Learning paradigm and develop two reward functions that use side-channel metrics. We mount an investigation on three commonly used datasets and two leakage models where the results show that reinforcement learning can find convolutional neural networks exhibiting top performance while having small numbers of trainable parameters. We note that our approach is automated and can be easily adapted to different datasets. Several of our newly developed architectures outperform the current state-of-the-art results. Finally, we make our source code publicly available.1., Education and Research Support, Cyber Security

Published

2021

42. On the Importance of Initial Solutions Selection in Fault Injection

Author

Krcek, M. (author), Fronte, Daniele (author), Picek, S. (author), Krcek, M. (author), Fronte, Daniele (author), and Picek, S. (author)

Abstract

Fault injection attacks require the adversary to select suitable parameters for the attack. In this work, we consider laser fault injection and parameters like the location of the laser shot $(x,\ y)$, delay, pulse width, and intensity of the laser. The parameter selection process can be translated into an optimization problem. A very popular and successful method for various optimization problems is the genetic algorithm. To further improve the performance of a genetic algorithm, it is possible to combine it with local search to obtain a memetic algorithm. We conduct several experiments comparing the performance of the memetic algorithm and the random search algorithm for finding faults. We investigate the influence of different initialization techniques on the performance of the memetic algorithm. In our experiments, the memetic algorithm is significantly better at finding faults than the random search. While evaluating different initialization techniques, we did not observe significant differences when averaging results. However, when considering the stability of the results with a memetic algorithm based on different initialization techniques, we can distinguish preferable techniques, such as LHSMDU and the Taguchi method., Accepted author manuscript, Cyber Security

Published

2021

43. Evolutionary algorithms-assisted construction of cryptographic boolean functions

Author

Carlet, Claude (author), Jakobovic, Domagoj (author), Picek, S. (author), Carlet, Claude (author), Jakobovic, Domagoj (author), and Picek, S. (author)

Abstract

In the last few decades, evolutionary algorithms were successfully applied numerous times for creating Boolean functions with good cryptographic properties. Still, the applicability of such approaches was always limited as the cryptographic community knows how to construct suitable Boolean functions with deterministic algebraic constructions. Thus, evolutionary results so far helped to increase the confidence that evolutionary techniques have a role in cryptography, but at the same time, the results themselves were seldom used. This paper considers a novel problem using evolutionary algorithms to improve Boolean functions obtained through algebraic constructions. To this end, we consider a recent generalization of Hidden Weight Boolean Function construction, and we show that evolutionary algorithms can significantly improve the cryptographic properties of the functions. Our results show that the genetic algorithm performs by far the best of all the considered algorithms and improves the nonlinearity property in all Boolean function sizes. As there are no known algebraic techniques to reach the same goal, we consider this application a step forward in accepting evolutionary algorithms as a powerful tool in the cryptography domain., Cyber Security

Published

2021

44. Evolutionary algorithms for designing reversible cellular automata

Author

Mariot, L. (author), Picek, S. (author), Jakobovic, Domagoj (author), Leporati, Alberto (author), Mariot, L. (author), Picek, S. (author), Jakobovic, Domagoj (author), and Leporati, Alberto (author)

Abstract

Reversible Cellular Automata (RCA) are a particular kind of shift-invariant transformations characterized by dynamics composed only of disjoint cycles. They have many applications in the simulation of physical systems, cryptography, and reversible computing. In this work, we formulate the search of a specific class of RCA – namely, those whose local update rules are defined by conserved landscapes – as an optimization problem to be tackled with Genetic Algorithms (GA) and Genetic Programming (GP). In particular, our experimental investigation revolves around three different research questions, which we address through a single-objective, a multi-objective, and a lexicographic approach. In the single-objective approach, we observe that GP can already find an optimal solution in the initial population. This indicates that evolutionary algorithms are not needed when evolving only the reversibility of such CA, and a more efficient method is to generate at random syntactic trees that define the local update rule. On the other hand, GA and GP proved to be quite effective in the multi-objective and lexicographic approach to (1) discover a trade-off between the reversibility and the Hamming weight of conserved landscape rules, and (2) observe that conserved landscape CA cannot be used in symmetric cryptography because their Hamming weight (and thus their nonlinearity) is too low., Cyber Security

Published

2021

45. A Multi-Sensor Information Fusion Method Based on Factor Graph for Integrated Navigation System

Author

Xu, J. (author), Yang, Gongliu (author), Sun, Yiding (author), Picek, S. (author), Xu, J. (author), Yang, Gongliu (author), Sun, Yiding (author), and Picek, S. (author)

Abstract

The current navigation systems used in many autonomous mobile robotic applications, like unmanned vehicles, are always equipped with various sensors to get accurate navigation results. The key point is to fuse the information from different sensors efficiently. However, different sensors provide asynchronous measurements, some of which even appear to be nonlinear. Moreover, some sensors are vulnerable in specific environments, e.g., GPS signal is likely to work poorly in interior space, underground, and tall buildings. We propose a multi-sensor information fusion method based on a factor graph to fuse all available asynchronous sensor information and efficiently and accurately calculate a navigation solution. Assuming the sensor measurements and navigation states in a navigation system as factor nodes and variable nodes in a factor graph, respectively, the update of the states can be implemented in the framework of the factor graph. The proposed method is experimentally validated using two different datasets. A comparison with Federated Filter, which has been widely used in integrated navigation systems, demonstrates the proposed method’s effectiveness. Additionally, analyzing the navigation results with data loss verifies that the proposed method could achieve sensor plug and play in software., Interactive Intelligence, Cyber Security

Published

2021

46. Toward more efficient heuristic construction of Boolean functions

Author

Jakobovic, Domagoj (author), Picek, S. (author), Martins, Marcella S.R. (author), Wagner, Markus (author), Jakobovic, Domagoj (author), Picek, S. (author), Martins, Marcella S.R. (author), and Wagner, Markus (author)

Abstract

Boolean functions have numerous applications in domains as diverse as coding theory, cryptography, and telecommunications. Heuristics play an important role in the construction of Boolean functions with the desired properties for a specific purpose. However, there are only sparse results trying to understand the problem's difficulty. With this work, we aim to address this issue. We conduct a fitness landscape analysis based on Local Optima Networks (LONs) and investigate the influence of different optimization criteria and variation operators. We observe that the naive fitness formulation results in the largest networks of local optima with disconnected components. Also, the combination of variation operators can both increase or decrease the network size. Most importantly, we observe correlations of local optima's fitness, their degrees of interconnection, and the sizes of the respective basins of attraction. This can be exploited to restart algorithms dynamically and influence the degree of perturbation of the current best solution when restarting., Cyber Security

Published

2021

47. Explainability-based Backdoor Attacks against Graph Neural Networks

Author

Xu, J. (author), Xue, Minhui (author), Picek, S. (author), Xu, J. (author), Xue, Minhui (author), and Picek, S. (author)

Abstract

Backdoor attacks represent a serious threat to neural network models. A backdoored model will misclassify the trigger-embedded inputs into an attacker-chosen target label while performing normally on other benign inputs. There are already numerous works on backdoor attacks on neural networks, but only a few works consider graph neural networks (GNNs). As such, there is no intensive research on explaining the impact of trigger injecting position on the performance of backdoor attacks on GNNs. To bridge this gap, we conduct an experimental investigation on the performance of backdoor attacks on GNNs. We apply two powerful GNN explainability approaches to select the optimal trigger injecting position to achieve two attacker objectives - high attack success rate and low clean accuracy drop. Our empirical results on benchmark datasets and state-of-the-art neural network models demonstrate the proposed method's effectiveness in selecting trigger injecting position for backdoor attacks on GNNs. For instance, on the node classification task, the backdoor attack with trigger injecting position selected by GraphLIME reaches over 84% attack success rate with less than 2.5% accuracy drop., Cyber Security

Published

2021

48. ReproducedPapers.org: Openly Teaching and Structuring Machine Learning Reproducibility

Author

Yildiz, B. (author), Hung, H.S. (author), Krijthe, J.H. (author), Liem, C.C.S. (author), Loog, M. (author), Migut, M.A. (author), Oliehoek, F.A. (author), Panichella, A. (author), Pawełczak, Przemysław (author), Picek, S. (author), de Weerdt, M.M. (author), van Gemert, J.C. (author), Yildiz, B. (author), Hung, H.S. (author), Krijthe, J.H. (author), Liem, C.C.S. (author), Loog, M. (author), Migut, M.A. (author), Oliehoek, F.A. (author), Panichella, A. (author), Pawełczak, Przemysław (author), Picek, S. (author), de Weerdt, M.M. (author), and van Gemert, J.C. (author)

Abstract

We present ReproducedPapers.org : an open online repository for teaching and structuring machine learning reproducibility. We evaluate doing a reproduction project among students and the added value of an online reproduction repository among AI researchers. We use anonymous self-assessment surveys and obtained 144 responses. Results suggest that students who do a reproduction project place more value on scientific reproductions and become more critical thinkers. Students and AI researchers agree that our online reproduction repository is valuable., Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public., Pattern Recognition and Bioinformatics, Multimedia Computing, Computer Science & Engineering-Teaching Team, Interactive Intelligence, Software Engineering, Embedded Systems, Cyber Security, Algorithmics

Published

2021

49. Reinforcement learning for hyperparameter tuning in deep learning-based side-channel analysis

Author

Rijsdijk, J. (author), Wu, L. (author), Perin, G. (author), Picek, S. (author), Rijsdijk, J. (author), Wu, L. (author), Perin, G. (author), and Picek, S. (author)

Abstract

Deep learning represents a powerful set of techniques for profiling side-channel analysis. The results in the last few years show that neural network architectures like multilayer perceptron and convolutional neural networks give strong attack performance where it is possible to break targets protected with various coun-termeasures. Considering that deep learning techniques commonly have a plethora of hyperparameters to tune, it is clear that such top attack results can come with a high price in preparing the attack. This is especially problematic as the side-channel community commonly uses random search or grid search techniques to look for the best hyperparameters. In this paper, we propose to use reinforcement learning to tune the convolutional neural network hyperparameters. In our framework, we investigate the Q-Learning paradigm and develop two reward functions that use side-channel metrics. We mount an investigation on three commonly used datasets and two leakage models where the results show that reinforcement learning can find convolutional neural networks exhibiting top performance while having small numbers of trainable parameters. We note that our approach is automated and can be easily adapted to different datasets. Several of our newly developed architectures outperform the current state-of-the-art results. Finally, we make our source code publicly available.1., Education and Research Support, Cyber Security

Published

2021

50. Evolutionary algorithms for designing reversible cellular automata

Author

Mariot, L. (author), Picek, S. (author), Jakobovic, Domagoj (author), Leporati, Alberto (author), Mariot, L. (author), Picek, S. (author), Jakobovic, Domagoj (author), and Leporati, Alberto (author)

Abstract

Reversible Cellular Automata (RCA) are a particular kind of shift-invariant transformations characterized by dynamics composed only of disjoint cycles. They have many applications in the simulation of physical systems, cryptography, and reversible computing. In this work, we formulate the search of a specific class of RCA – namely, those whose local update rules are defined by conserved landscapes – as an optimization problem to be tackled with Genetic Algorithms (GA) and Genetic Programming (GP). In particular, our experimental investigation revolves around three different research questions, which we address through a single-objective, a multi-objective, and a lexicographic approach. In the single-objective approach, we observe that GP can already find an optimal solution in the initial population. This indicates that evolutionary algorithms are not needed when evolving only the reversibility of such CA, and a more efficient method is to generate at random syntactic trees that define the local update rule. On the other hand, GA and GP proved to be quite effective in the multi-objective and lexicographic approach to (1) discover a trade-off between the reversibility and the Hamming weight of conserved landscape rules, and (2) observe that conserved landscape CA cannot be used in symmetric cryptography because their Hamming weight (and thus their nonlinearity) is too low., Cyber Security

Published

2021