Superman Powered by Kryptonite: Turn the Adversarial Attack into Your Defense Weapon Kailiang Ying, Tongbo Luo, Zhigang Su, Xinyu Xing #BHUSA @BLACKHATEVENTS AI Weaponized Hackers Hacker Artificial intelligence Thanos with Infinity Gauntlet #BHUSA @BLACKHATEVENTS AI Weaponized Hackers (con’t) CAPTCHA Computer bot #BHUSA @BLACKHATEVENTS Weakness of AI Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake (Goodfellow et al 2017) image: OpenAI #BHUSA @BLACKHATEVENTS Leverage the Weakness of AI Adversarial Example Defender Avenger with Infinity Gauntlet #BHUSA @BLACKHATEVENTS CAPTCHA + Adversarial Example CAPTCHA AI Bot Resistant CAPTCHA Adversarial perturbation #BHUSA @BLACKHATEVENTS Challenges ● Persistent adversarial perturbation ● Zero knowledge about the attacker’s tool ● Efficiency to generate adversarial perturbation #BHUSA @BLACKHATEVENTS Overview of Defense Mechanism Level 1: Passive Defense Resistant Adversarial Perturbation (RAP) ● Resistant to image filters ● Effective to unknown AI-based CAPTCHA solvers Level 2: Active Defense CAPTCHA Adversarial Patch (CAP) and Trojaned CAPTCHA Solver ● Detect computer bots ● Efficiently generate CAPTCHAs #BHUSA @BLACKHATEVENTS Blackbox Adversarial Example Workflow + random Δ 1 2 CAPTCHA Solver Problem: CAPTCHA Before filtering 4 P(Y | X) 3 After filtering NES Gradient Estimate #BHUSA @BLACKHATEVENTS Resistant to Image Filters filter(CAPTCHA+Δ) CAPTCHA Solver CAPTCHA P(Y | X) NES Gradient Estimate #BHUSA @BLACKHATEVENTS CAPTCHA with RAP: #BHUSA @BLACKHATEVENTS Adversarial Example Transferability Surrogate model Target Surrogate Target model #BHUSA @BLACKHATEVENTS RAP for Unknown CAPTCHA Solvers Open questions: - What is RAP’s transferability performance? - How to generate RAP with high transferability? Our Observation: B Transferability B A A origin number of wrong characters Surrogate Target #BHUSA @BLACKHATEVENTS RAP Transferability Evaluation AAAA AAAB AACB AXCB NXCB 1 char 2 chars 3 chars 4 chars #BHUSA @BLACKHATEVENTS Overview of Defense Mechanism Level 1: Passive Defense Resistant Adversarial Perturbation (RAP) ● Resistant to image filters ● Effective to unknown AI-based CAPTCHA solvers Level 2: Active Defense CAPTCHA Adversarial Patch (CAP) and trojaned solvers ● Detect computer bots ● Efficiently generate CAPTCHAs #BHUSA @BLACKHATEVENTS CAPTCHA Adversarial Patch (CAP) Filter-Robust Universal Original CAPTCHA Image Patched CAPTCHA After Filter + Grayscale Solver’s Result CAPTCHA Patch (CAP) D 3 G 6 D 3 G 6 D 3 G 6 D 3 G 6 D 3 G 6 #BHUSA @BLACKHATEVENTS CAP Objective Function #BHUSA @BLACKHATEVENTS Reverse Engineered CAPTCHA CANT RENT HACK RVXY #BHUSA @BLACKHATEVENTS CAP Robust to Image Filters How CAP evolve 12,000 epoches D3G6 No filter resistant Median filter resistant #BHUSA @BLACKHATEVENTS CAP Evaluation #BHUSA @BLACKHATEVENTS Trojaned CAPTCHA Solver NRGC 3VGE FXKC 6BA6 #BHUSA @BLACKHATEVENTS Trojaned CAPTCHA Solver D3G6 D3G6 D3G6 trojan trigger D3G6 Trojan in the model #BHUSA @BLACKHATEVENTS Summary ● Leverage adversarial example to defend against hackers’ AI-powered toolkit ● Resistant Adversarial Perturbation (RAP) ○ Resistant to image filters ○ Effective to unknown AI-based CAPTCHA solvers ● CAPTCHA Adversarial Patch (CAP) and Trojaned CAPTCHA solvers ○ Efficiently generate CAPTCHAs ○ Detect computer bots #BHUSA @BLACKHATEVENTS .