POSTER: On searching information leakage of Python model execution to detect adversarial examples
Authors: Chenghua Guo, Fang Yu
Published in: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
Publication date: 2023-07-10
DOI: 10.1145/3579856.3592828 (https://doi.org/10.1145/3579856.3592828)
The predictive capabilities of machine learning models have improved significantly in recent years, leading to their widespread use in various fields. However, these models remain vulnerable to adversarial attacks, where carefully crafted inputs can mislead predictions and compromise the security of critical systems. Therefore, it is crucial to develop effective methods for detecting and preventing such attacks. Given that many neural network models are implemented using Python, this study addresses the issue of detecting adversarial examples from a new perspective by investigating information leakage in their Python model executions. To realize this objective, we propose a novel Python interpreter that utilizes Python bytecode instrumentation to profile layer-wise instruction-level program executions. We then search for information leakage on both legal and adversarial inputs, identifying their side-channel differences in call executions (i.e., call count, return values, and execution time) and synthesizing the detection rule accordingly. Our approach is evaluated against TorchAttacks, AdvDoor, and RNN-Test attacks, targeting various models and applications. Our findings indicate that while there is call-return-value leakage on TorchAttacks images, there is no leakage to detect AdvDoor and RNN-Test attacks based on execution time or return values of string, integer, float, and Boolean type functions.