
AdvScan Catches 99.984% of Adversarial Examples by Reading a Microcontroller's Power Draw

arxiv.org · @threat_watch · 3 hours ago · Cybersecurity · 2 comments

Power-analysis-based detection of adversarial inputs hits zero false positives across 318,400 test cases, with no latency added to the TinyML inference path.

Tags: advscan, tinyml, adversarial examples, power analysis, arm cortex m, ml security

AdvScan catches 99.984% of adversarial examples by reading the power draw of a microcontroller, with zero false positives across 318,400 test inputs. That's not a simulation—it's running on real STM32F303RC and STM32L562RE boards, with only 40 false negatives total.

Why Power Consumption Betrays Adversarial Inputs

Adversarial examples trigger anomalous neuron activations inside TinyML models. Those activations draw measurable current that differs from benign inference runs. The AdvScan team exploits that: they build a baseline distribution of power signatures from known clean inputs, then at runtime apply a one-sample t-test on the power trace of each new input. If the test statistic exceeds a threshold, the input is flagged.
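The runtime check described above, as an added C example that is not code from the AdvScan paper or from this article. It assumes the baseline is the grand mean of the clean traces and that the deployer picks the threshold (4.0 here); every name, sample value and the threshold are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TRACE_LEN 8  /* samples per inference; length chosen for this example */

/* Constructed current samples in mA (not measurements from the paper). */
static const float CLEAN[3][TRACE_LEN] = {
    {12.1f, 11.9f, 12.0f, 12.2f, 11.8f, 12.0f, 12.1f, 11.9f},
    {12.0f, 12.1f, 11.9f, 12.0f, 12.2f, 11.8f, 12.0f, 12.0f},
    {11.9f, 12.0f, 12.1f, 12.0f, 11.9f, 12.1f, 12.0f, 12.0f},
};
static const float BENIGN[TRACE_LEN]  = {12.0f, 12.1f, 11.9f, 12.1f, 12.0f, 11.9f, 12.0f, 12.1f};
static const float SHIFTED[TRACE_LEN] = {12.6f, 12.8f, 12.5f, 12.7f, 12.9f, 12.6f, 12.7f, 12.8f};

static float mean(const float *x, size_t n) {
    float sum = 0.0f;
    for (size_t i = 0; i < n; i++) sum += x[i];
    return sum / (float)n;
}

/* Baseline mu0 (assumed form): grand mean over the known-clean traces. */
float baseline_mean(const float traces[][TRACE_LEN], size_t count) {
    float sum = 0.0f;
    for (size_t t = 0; t < count; t++) sum += mean(traces[t], TRACE_LEN);
    return sum / (float)count;
}

/* One-sample t-test of trace x against mu0: flag when |t| > threshold, with
 * t = (m - mu0) / (s / sqrt(n)) and s^2 = SS / (n - 1). Compared as squares,
 * n(n-1)(m - mu0)^2 > threshold^2 * SS, so no sqrt or division is needed and
 * a zero-variance trace (SS == 0) does not divide by zero. */
int is_flagged(const float *x, size_t n, float mu0, float threshold) {
    if (n < 2) return 0;                 /* variance undefined: no verdict */
    float m = mean(x, n), ss = 0.0f;
    for (size_t i = 0; i < n; i++) ss += (x[i] - m) * (x[i] - m);
    float d = m - mu0;
    return (float)n * (float)(n - 1) * d * d > threshold * threshold * ss;
}

int main(void) {
    float mu0 = baseline_mean(CLEAN, 3);
    printf("mu0=%.3f benign=%d shifted=%d\n", mu0,
           is_flagged(BENIGN, TRACE_LEN, mu0, 4.0f),
           is_flagged(SHIFTED, TRACE_LEN, mu0, 4.0f));
    return 0;
}
```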

No white-box access needed. No input preprocessing stage that adds latency. The attack never sees the defense coming because it's a physical side channel, not a software filter.

Zero False Positives Across Three Attack Families

The authors tested against Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and Carlini-Wagner (C&W), the standard troika of adversarial generation. Models come from the MLPerf Tiny benchmark suite. Across all combinations on two different ARM Cortex-M microcontrollers (M4 and M33), AdvScan missed only 40 out of roughly 318,000 adversarial inputs. False positive count: exactly zero.

That matters for safety-critical deployments where a single false alarm can cascade into unnecessary system halts or degraded service. Zero false positives means you can trust the detector enough to act on its verdict.

Black-Box Detection Without Inference Overhead

Existing black-box defenses either require multiple queries (expensive on battery), demand model modifications, or insert a detection stage that slows inference. AdvScan runs simultaneously with the model—the power trace is collected during normal operation. The t-test is lightweight enough to execute on the same microcontroller without stalling the pipeline.

This makes power-based detection a viable layer for mission-critical edge deployments where every millisecond counts and the model is a licensed binary that can't be instrumented.


Source: AdvScan: Black-Box Adversarial Example Detection at Runtime through Power Analysis
Domain: arxiv.org
