4.8 Article

Adversarial Attack and Defence Strategies for Deep-Learning-Based IoT Device Classification Techniques

Journal

IEEE INTERNET OF THINGS JOURNAL
Volume 9, Issue 4, Pages 2602-2613

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/JIOT.2021.3138541

Keywords

Adversarial attacks; cybersecurity; Internet of Things (IoT); machine learning (ML)

Funding

  1. National Research Foundation, Singapore, under its Strategic Capability Research Centers Funding Initiative


In this article, the authors propose a white-box adversarial attack mechanism to generate adversarial examples for data obtained from smart meters. They demonstrate that the statistical properties of the adversarial datapoints are indistinguishable from those of the true datapoints. They also evaluate defense mechanisms for white-box adversarial attacks against the proposed attack, showing that the original models remain significantly affected.

Concurrent advancements in machine learning (ML) and the Internet of Things have enabled several interesting interdisciplinary applications, such as classification tasks based on data generated by smart devices, for purposes such as security, resource allocation, and activity and task classification. However, these applications can be vulnerable to attacks by adversarial examples. The first contribution of this article is the development of a white-box adversarial attack mechanism to generate adversarial examples for data obtained from smart meters installed in residential houses. For the second contribution, we present an analysis to demonstrate that the statistical properties of adversarial datapoints are indistinguishable from those of the true datapoints. The attack is developed specifically for deep-learning-based models used to perform appliance classification in smart home environments. The statistical indistinguishability of the adversarial datapoints from the true datapoints indicates that non-ML-based solutions may not be able to tackle the challenge posed by adversarial examples. As the final contribution, we evaluate the effectiveness of defence mechanisms for white-box adversarial attacks on the proposed attack mechanism, and show that while they can reduce the potency of the attack, the original models remain significantly affected by the adversarial attack. The effectiveness of the proposed techniques is demonstrated on two publicly available data sets: 1) United Kingdom-domestic appliance-level electricity smart meter data set and 2) the Personalized Retrofit Decision Support Tools For U.K. Homes Using Smart Home Technology data set.
