Enhancing Stateful Detection of Adversarial Attacks with Soft-labels' Temporality and Robust Similarity Approximations

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the limitations of existing query-similarity-based stateful detection methods, which are vulnerable to weaknesses in approximate similarity functions and fail to account for the temporal characteristics of adversarial attacks, resulting in high false positive rates. To overcome these issues, the authors propose a two-stage detection framework: the first stage introduces randomness to identify highly similar query subsequences, thereby mitigating adversarial attacks targeting approximate similarity functions; the second stage uniquely incorporates the temporal correlations of classification soft labels into the verification mechanism to enhance detection accuracy. By integrating robust approximate similarity computation, randomized matching, and soft-label time-series analysis, the proposed method achieves a true positive rate of 1.00 and a false positive rate of at most 0.06 against Boundary Attack, HSJA, SimBA, and Square Attack, while maintaining robustness against the adaptive OARS attack.
📝 Abstract
Stateful Detection (SD) mitigates adversarial attacks by determining whether a sequence of queries contains queries from a black-box adversary. Recent works, such as Blacklight and PIHA utilize query similarity to detect such queries. In this paper, we observe that temporal information, in particular, the temporal correlation of the classification soft labels, is a prominent characteristic of adversarial attacks and can be leveraged to reduce false positive rates. Moreover, we point out a potential vulnerability in SD implementation. Many SD systems identify similar queries according to some implicit, computationally expensive metric. To improve efficiency, these systems often adopt an approximate similarity function as substitute. This discrepancy could be exploited by crafting queries that appear dissimilar under the approximation but are close in the intended metric, thereby evading detection. We refer to this as an ``adversarial attack'' on the approximation function, and demonstrate it through a lightweight attack on Blacklight's similarity function. Based on the above observations, we propose a two-phase approach. The first phase identifies subsequences of queries with high similarity, incorporating randomness to prevent the aforementioned ``adversarial attacks''. The second phase analyzes temporal correlation of the soft-labels to further validate the presence of the adversary's queries. Experimental results show that the framework detects adversarial queries generated by Boundary Attack, HSJA, SimBA, Square Attack with true positive rate (TPR) reaching 1.00, while maintaining a false positive rate (FPR) of at most 0.06. Additionally, the method is robust against OARS which is an adaptive attack.
Problem

Research questions and friction points this paper is trying to address.

Stateful Detection
Adversarial Attacks
Soft-labels Temporality
Similarity Approximation
False Positive Rate
Innovation

Methods, ideas, or system contributions that make the work stand out.

soft-label temporality
robust similarity approximation
stateful detection
adversarial evasion
randomized query clustering