ReLUSyn: Synthesizing Stealthy Attacks for Deep Neural Network Based Cyber-Physical Systems

Cyber Physical Systems (cps) are deployed in many mission-critical settings, such as medical devices, autonomous vehicular systems and aircraft control management systems. As more and more CPS adopt Deep Neural Networks (Deep Neural Network (dnns), these systems can be vulnerable to attacks. . Prior work has demonstrated the susceptibility of CPS to False Data Injection Attacks (False Data Injection Attacks (fdias), which can cause significant damage. We identify a new category of attacks on these systems. In this paper, we demonstrate that DNN based CPS are also subject to these attacks. These attacks, which we call Ripple False Data Injection Attacks (rfdia), use minimal input perturbations to stealthily change the dnn output. The input perturbations propagate as ripples through multiple dnn layers to affect the output in a targeted manner. We develop an automated technique to synthesize rfdias against DNN-based CPS. Our technique models the attack as an optimization problem using Mixed Integer Linear Programming (Mixed Integer Linear Program (milp)). We define an abstraction for dnnbased cps that allows us to automatically: 1) identify the critical inputs, and 2) find the smallest perturbations that produce output changes. We demonstrate our technique on three practical cps with two mission-critical applications: an (Artifical Pancreas System (aps)) and two aircraft control management systems (Horizontal Collision Avoidance System (hcas) and Collision Avoidance System-Xu (acas-xu)).