AdvScan: Black-Box Adversarial Example Detection at Runtime through Power Analysis

📅 2026-06-26
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of TinyML models to adversarial examples in black-box deployment scenarios, where existing detection methods either require white-box access or incur prohibitive overhead. The paper proposes the first black-box detection approach based on runtime power consumption analysis, leveraging the distinctive power signatures induced by anomalous neuron activations under adversarial inputs. By applying a one-sample t-test against a benign baseline, the method determines whether an input is adversarial without accessing internal model details. Evaluated on ARM Cortex-M platforms using MLPerf Tiny benchmark models, it achieves a 99.984% detection rate—missing only 40 out of 318,400 adversarial samples from FGSM, PGD, and C&W attacks—with zero false positives, demonstrating both high accuracy and minimal resource overhead suitable for edge devices.
📝 Abstract
TinyML models deployed on edge devices are increasingly adopted in safety/security-critical applications, making them a prime target for adversarial example (AE) attacks where inputs are modified to cause misclassifications. However, existing AE detection methods either require white-box model access, which is often unavailable in licensed black-box deployments, or rely on input pre-processing stages that add non-trivial latency and resource overhead, often exceeding what mission-critical applications can afford on their inference path. To address these challenges, we propose AdvScan, a runtime power analysis-based methodology for AE detection that operates in a black-box scenario while inducing minimal latency. AdvScan is based on the observation that AEs produce anomalous neuron activations, which in turn generate distinctive power-consumption signatures. The algorithm initially constructs a baseline distribution of power signatures from known benign inputs; then, at runtime, it applies a one-sample t-test to determine whether a test input's power signature significantly deviates from this baseline, thereby detecting AEs. We evaluated AdvScan using three adversarial example generation algorithms: Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and Carlini-Wagner (C&W), on three MLPerf Tiny benchmark models implemented on two target devices: the STM32F303RC (ARM Cortex-M4) and STM32L562RE (ARM Cortex-M33) microcontrollers. Across 318,400 total test inputs, AdvScan detects 99.984% of AEs with only 40 false negatives and zero false positives. These results demonstrate the viability of power-based AE detection for secure, accuracy-critical TinyML deployments in black-box environments.
Problem

Research questions and friction points this paper is trying to address.

adversarial example detection
black-box
TinyML
edge devices
runtime security
Innovation

Methods, ideas, or system contributions that make the work stand out.

adversarial example detection
power analysis
black-box security
TinyML
runtime monitoring
🔎 Similar Papers