cispa_all_4042.pdf (606.91 kB)

Certifiers Make Neural Networks Vulnerable to Availability Attacks

Download (606.91 kB)
conference contribution
posted on 2024-03-05, 12:18 authored by Tobias LorenzTobias Lorenz, Kwiatkowska, Marta, Mario FritzMario Fritz
To achieve reliable, robust, and safe AI systems, it is vital to implement fallback strategies when AI predictions cannot be trusted. Certifiers for neural networks are a reliable way to check the robustness of these predictions. They guarantee for some predictions that a certain class of manipulations or attacks could not have changed the outcome. For the remaining predictions without guarantees, the method abstains from making a prediction, and a fallback strategy needs to be invoked, which typically incurs additional costs, can require a human operator, or even fail to provide any prediction. While this is a key concept towards safe and secure AI, we show for the first time that this approach comes with its own security risks, as such fallback strategies can be deliberately triggered by an adversary. In addition to naturally occurring abstains for some inputs and perturbations, the adversary can use training-time attacks to deliberately trigger the fallback with high probability. This transfers the main system load onto the fallback, reducing the overall system's integrity and/or availability. We design two novel availability attacks, which show the practical relevance of these threats. For example, adding 1% poisoned data during training is sufficient to trigger the fallback and hence make the model unavailable for up to 100% of all inputs by inserting the trigger. Our extensive experiments across multiple datasets, model architectures, and certifiers demonstrate the broad applicability of these attacks. An initial investigation into potential defenses shows that current approaches are insufficient to mitigate the issue, highlighting the need for new, specific solutions.


Preferred Citation

Tobias Lorenz, Marta Kwiatkowska, Mario Fritz. Certifiers Make Neural Networks Vulnerable to Availability Attacks. In: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec '23). 2023.

Primary Research Area

  • Trustworthy Information Processing

Name of Conference

ACM Workshop on Artificial Intelligence and Security (AISec)

Legacy Posted Date






Open Access Type

  • Green


@inproceedings{cispa_all_4042, author = {Tobias Lorenz AND Marta Kwiatkowska AND Mario Fritz}, title = {Certifiers Make Neural Networks Vulnerable to Availability Attacks}, booktitle = {Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security (AISec '23)}, year = {2023} }

Usage metrics


    No categories selected



    Ref. manager