Kai Wang (Tsinghua University), Zhiliang Wang (Tsinghua University), Dongqi Han (Tsinghua University), Wenqi Chen (Tsinghua University), Jiahai Yang (Tsinghua University), Xingang Shi (Tsinghua University), Xia Yin (Tsinghua University)
Deep learning (DL) performs well in many traffic analysis tasks. Nevertheless, the vulnerability of deep learning weakens the real-world performance of these traffic analyzers (e.g., suffering from evasion attack). Many studies in recent years focused on robustness certification for DL-based models. But existing methods perform far from perfectly in the traffic analysis domain. In this paper, we try to match three attributes of DL-based traffic analysis systems at the same time: (1) highly heterogeneous features, (2) varied model designs, (3) adversarial operating environments. Therefore, we propose BARS, a general robustness certification framework for DL-based traffic analysis systems based on boundary-adaptive randomized smoothing. To obtain tighter robustness guarantee, BARS uses optimized smoothing noise converging on the classification boundary. We firstly propose the Distribution Transformer for generating optimized smoothing noise. Then to optimize the smoothing noise, we propose some special distribution functions and two gradient based searching algorithms for noise shape and noise scale. We implement and evaluate BARS in three practical DL-based traffic analysis systems. Experiment results show that BARS can achieve tighter robustness guarantee than baseline methods. Furthermore, we illustrate the practicability of BARS through five application cases (e.g., quantitatively evaluating robustness).