AdvScan: Black-Box Adversarial Example Detection at Runtime through Power Analysis
Pith reviewed 2026-06-29 04:24 UTC · model grok-4.3
The pith
AdvScan detects adversarial examples in black-box TinyML by testing whether runtime power signatures deviate from a benign baseline via one-sample t-test.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
AdvScan constructs a baseline distribution of power signatures from known benign inputs; then, at runtime, it applies a one-sample t-test to determine whether a test input's power signature significantly deviates from this baseline, thereby detecting AEs that produce anomalous neuron activations.
What carries the argument
One-sample t-test on power-consumption signatures measured during inference on microcontrollers.
If this is right
- Enables AE detection in licensed black-box deployments where white-box access is unavailable.
- Adds negligible latency to the inference path compared with input-preprocessing detectors.
- Achieves 99.984 percent detection of FGSM, PGD, and C&W examples with zero false positives across 318400 test inputs.
- Operates on standard ARM Cortex-M4 and Cortex-M33 microcontrollers running MLPerf Tiny models.
Where Pith is reading between the lines
- Power-monitoring circuitry could become a built-in security primitive on future edge AI chips.
- The same side-channel principle might flag other input manipulations that alter activation patterns, such as backdoor triggers.
- Deployment cost would be dominated by the one-time baseline collection rather than per-inference overhead.
Load-bearing premise
Adversarial examples produce power-consumption signatures that deviate from the benign baseline in a manner reliably detectable by a one-sample t-test.
What would settle it
Re-running the evaluation on adversarial examples crafted by a new attack algorithm against a previously untested model and finding either many false negatives or any false positives.
Original abstract
TinyML models deployed on edge devices are increasingly adopted in safety/security-critical applications, making them a prime target for adversarial example (AE) attacks where inputs are modified to cause misclassifications. However, existing AE detection methods either require white-box model access, which is often unavailable in licensed black-box deployments, or rely on input pre-processing stages that add non-trivial latency and resource overhead, often exceeding what mission-critical applications can afford on their inference path. To address these challenges, we propose AdvScan, a runtime power analysis-based methodology for AE detection that operates in a black-box scenario while inducing minimal latency. AdvScan is based on the observation that AEs produce anomalous neuron activations, which in turn generate distinctive power-consumption signatures. The algorithm initially constructs a baseline distribution of power signatures from known benign inputs; then, at runtime, it applies a one-sample t-test to determine whether a test input's power signature significantly deviates from this baseline, thereby detecting AEs. We evaluated AdvScan using three adversarial example generation algorithms: Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and Carlini-Wagner (C&W), on three MLPerf Tiny benchmark models implemented on two target devices: the STM32F303RC (ARM Cortex-M4) and STM32L562RE (ARM Cortex-M33) microcontrollers. Across 318,400 total test inputs, AdvScan detects 99.984% of AEs with only 40 false negatives and zero false positives. These results demonstrate the viability of power-based AE detection for secure, accuracy-critical TinyML deployments in black-box environments.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes AdvScan, a black-box runtime AE detection method for TinyML models on microcontrollers that builds a benign power-signature baseline and flags test inputs via one-sample t-test deviation. It reports 99.984% detection (40 false negatives, zero false positives) across 318400 inputs spanning FGSM/PGD/C&W attacks, three MLPerf Tiny models, and two STM32 devices.
Significance. If the statistical procedure is valid and the zero-FP result generalizes beyond the reported setup, the approach would supply a low-latency, hardware-only defense usable in licensed black-box deployments where white-box or preprocessing methods are infeasible.
Major comments (3)
- [Abstract] Abstract: the zero-FP claim rests on calibrated one-sample t-test p-values, yet the manuscript supplies no evidence that power-signature distributions satisfy the normality assumption required for the test; microcontroller traces are shaped by discrete switching and regulator behavior and routinely exhibit skewness or heavy tails, so the reported separability may be an artifact of unverified distributional assumptions rather than genuine signal.
- [Abstract] Abstract: baseline construction details (number of benign samples, aggregation method for the reference distribution, handling of device-to-device or temperature variation) are omitted, preventing assessment of whether the t-test threshold is robust or was tuned post-hoc on the evaluation set.
- [Abstract] Abstract: the significance level α used for the t-test is not stated, nor is any multiple-testing correction or power analysis provided, making it impossible to judge whether the 99.984% detection rate reflects genuine statistical power or an arbitrary threshold choice.
Simulated Author's Rebuttal
We thank the referee for their constructive and detailed comments. We address each major comment below and will revise the manuscript accordingly to improve clarity and rigor.
Point-by-point responses
- Referee: [Abstract] Abstract: the zero-FP claim rests on calibrated one-sample t-test p-values, yet the manuscript supplies no evidence that power-signature distributions satisfy the normality assumption required for the test; microcontroller traces are shaped by discrete switching and regulator behavior and routinely exhibit skewness or heavy tails, so the reported separability may be an artifact of unverified distributional assumptions rather than genuine signal.
  Authors: We agree that the manuscript does not include explicit verification of the normality assumption underlying the one-sample t-test. Although the t-test is known to be reasonably robust for large sample sizes, we recognize that providing diagnostic evidence is necessary to rule out artifacts. In the revision we will add Q-Q plots of the power-signature distributions together with any necessary non-parametric sensitivity checks. Revision: yes
- Referee: [Abstract] Abstract: baseline construction details (number of benign samples, aggregation method for the reference distribution, handling of device-to-device or temperature variation) are omitted, preventing assessment of whether the t-test threshold is robust or was tuned post-hoc on the evaluation set.
  Authors: We agree that these baseline-construction details are omitted from the manuscript. We will add them in the revised version, specifying the number of benign samples used to form the reference distribution, the aggregation procedure, and the steps taken (if any) to account for device-to-device and temperature variation. Revision: yes
- Referee: [Abstract] Abstract: the significance level α used for the t-test is not stated, nor is any multiple-testing correction or power analysis provided, making it impossible to judge whether the 99.984% detection rate reflects genuine statistical power or an arbitrary threshold choice.
  Authors: We agree that the significance level α, any multiple-testing considerations, and a power analysis are not provided. We will state the value of α explicitly, discuss the implications of performing many tests across 318400 inputs, and include a power analysis in the revised manuscript. Revision: yes
Circularity Check
No circularity; standard external t-test on empirical baseline
Full rationale
The detection pipeline collects a benign power-signature baseline empirically and applies an off-the-shelf one-sample t-test. No equations, fitted parameters, or self-citations are shown that would reduce the claimed detection performance to a quantity defined in terms of itself. The procedure therefore rests only on standard external statistical machinery and does not exhibit any of the enumerated circularity patterns.
Axiom & Free-Parameter Ledger
Axioms (1)
- Domain assumption: Adversarial examples produce anomalous neuron activations that generate distinctive power-consumption signatures.
Reference graph
Works this paper leans on
- [1] Y. Abadade, A. Temouden, H. Bamoumen, N. Benamar, Y. Chtouki, and A. S. Hafid, "A comprehensive survey on TinyML," IEEE Access, 2023.
14 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY
- [2] H. Im and S. Lee, "TinyML-based intrusion detection system for in-vehicle network using convolutional neural network on embedded devices," IEEE Embedded Systems Letters, 2024.
- [3] C. R. Banbury, V. J. Reddi, M. Lam, W. Fu, A. Fazel, J. Holleman, X. Huang, R. Hurtado, D. Kanter, A. Lokhmotov et al., "Benchmarking TinyML systems: Challenges and direction," arXiv preprint arXiv:2003.04821, 2020.
- [4] I. J. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and harnessing adversarial examples," arXiv preprint arXiv:1412.6572, 2014.
- [5] A. Mądry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, "Towards deep learning models resistant to adversarial attacks," stat, vol. 1050, no. 9, 2017.
- [6] N. Carlini and D. Wagner, "Towards evaluating the robustness of neural networks," in 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 2017, pp. 39–57.
- [7] N. Akhtar, A. Mian, N. Kardan, and M. Shah, "Advances in adversarial attacks and defenses in computer vision: A survey," IEEE Access, vol. 9, pp. 155161–155196, 2021.
- [8] T. Gu, K. Liu, B. Dolan-Gavitt, and S. Garg, "BadNets: Evaluating backdooring attacks on deep neural networks," IEEE Access, vol. 7, pp. 47230–47244, 2019.
- [9] M. Kravchik, B. Biggio, and A. Shabtai, "Poisoning attacks on cyber attack detectors for industrial control systems," in Proceedings of the 36th Annual ACM Symposium on Applied Computing, 2021, pp. 116–125.
- [10] Z. Cheng, H. Choi, S. Feng, J. C. Liang, G. Tao, D. Liu, M. Zuzak, and X. Zhang, "Fusion is not enough: Single modal attacks on fusion models for 3D object detection," in The Twelfth International Conference on Learning Representations.
- [11] X. Ma, Y. Niu, L. Gu, Y. Wang, Y. Zhao, J. Bailey, and F. Lu, "Understanding adversarial attacks on deep learning based medical image analysis systems," Pattern Recognition, vol. 110, p. 107332, 2021.
- [12] X. Jia, Y. Zhang, X. Wei, B. Wu, K. Ma, J. Wang, and X. Cao, "Improving fast adversarial training with prior-guided knowledge," IEEE Transactions on Pattern Analysis and Machine Intelligence, 2024.
- [13] H. Kuang, H. Liu, X. Lin, and R. Ji, "Defense against adversarial attacks using topology aligning adversarial training," IEEE Transactions on Information Forensics and Security, vol. 19, pp. 3659–3673, 2024.
- [14] Z. He, A. S. Rakin, and D. Fan, "Parametric noise injection: Trainable randomness to improve deep neural network robustness against adversarial attack," in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019, pp. 588–597.
- [15] Y. Wang, X. Li, L. Yang, J. Ma, and H. Li, "Addition: Detecting adversarial examples with image-dependent noise reduction," IEEE Transactions on Dependable and Secure Computing, 2023.
- [16] K. Roth, Y. Kilcher, and T. Hofmann, "The odds are odd: A statistical test for detecting adversarial examples," in International Conference on Machine Learning. PMLR, 2019, pp. 5498–5507.
- [17] J. Huang, Y. Dai, F. Lu, B. Wang, Z. Gu, B. Zhou, and Y. Qian, "Adversarial perturbation denoising utilizing common characteristics in deep feature space," Applied Intelligence, no. 2, pp. 1672–1690, 2024.
- [18] T. Zhu, H. Sun, and Y. Fan, "PixelDenoise: Purifying adversarial images in a black-box way," in 2024 4th International Conference on Electronic Information Engineering and Computer (EIECT). IEEE, 2024, p. 939.
- [19] D. Meng and H. Chen, "MagNet: A two-pronged defense against adversarial examples," in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 135–147.
- [20] S. Zhang, H. Gao, and Q. Rao, "Defense against adversarial attacks by reconstructing images," IEEE Transactions on Image Processing, vol. 30, pp. 6117–6129, 2021.
- [21] Y. Ji, T.-N. Le, H. H. Nguyen, and I. Echizen, "Purifying adversarial images using adversarial autoencoder with conditional normalizing flows," IEEE Open Journal of Signal Processing, pp. 267–274, 2023.
- [22] S. Leroux, P. Simoens, M. Lootus, K. Thakore, and A. Sharma, "TinyMLOps: Operational challenges for widespread edge AI adoption," in 2022 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW). IEEE, 2022, pp. 1003–1010.
- [23] R. Feinman, R. R. Curtin, S. Shintre, and A. B. Gardner, "Detecting adversarial samples from artifacts," arXiv preprint arXiv:1703.00410, 2017.
- [24] S. Pertigkiozoglou and P. Maragos, "Detecting adversarial examples in convolutional neural networks," arXiv preprint arXiv:1812.03303, 2018.
- [25] Y. Liu, W.-C. Lee, G. Tao, S. Ma, Y. Aafer, and X. Zhang, "ABS: Scanning neural networks for back-doors by artificial brain stimulation," in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1265–1282.
- [26] P. Hemashree and G. Padmavathi, "Enhancing FGSM attacks with genetic algorithms for robust adversarial examples in remote sensing image classification systems," in International Conference on Applications and Techniques in Information Security. Springer, 2024, pp. 229–243.
- [27] J. Lust and A. P. Condurache, "GraN: An efficient gradient-norm based detector for adversarial and misclassified examples," arXiv preprint arXiv:2004.09179, 2020.
- [28] X. Li and F. Li, "Adversarial examples detection in deep networks with convolutional filter statistics," in Proceedings of the IEEE International Conference on Computer Vision, 2017, pp. 5764–5772.
- [29] C. Zhao, H. Li, D. Wang, and R. Liu, "Adversarial example detection for deep neural networks: A review," in 2023 8th International Conference on Data Science in Cyberspace (DSC). IEEE, 2023, pp. 468–475.
- [30] W. Xu, D. Evans, and Y. Qi, "Feature squeezing: Detecting adversarial examples in deep neural networks," arXiv preprint arXiv:1704.01155, 2017.
- [31] P. Li, X. Rao, J. Blase, Y. Zhang, X. Chu, and C. Zhang, "CleanML: A study for evaluating the impact of data cleaning on ML classification tasks," in 2021 IEEE 37th International Conference on Data Engineering (ICDE). IEEE, 2021, pp. 13–24.
- [32] Student, "The probable error of a mean," Biometrika, pp. 1–25, 1908.
- [33] E. Brier, C. Clavier, and F. Olivier, "Correlation power analysis with a leakage model," in Cryptographic Hardware and Embedded Systems, CHES 2004: 6th International Workshop, Cambridge, MA, USA, August 11–13, 2004. Proceedings 6. Springer, 2004, pp. 16–29.
- [34] S. Pant, "Design and analysis of power distribution networks in VLSI circuits," Ph.D. dissertation, 2008.
- [35] M. Tehranipoor, N. Nalla Anandakumar, and F. Farahmandi, "Power analysis attacks on AES," in Hardware Security Training, Hands-on! Springer, 2023, pp. 137–161.
- [36] L. Wu, L. Wu, and X. Zhang, "Catch the star: Weight recovery attack using side-channel star map against DNN accelerator," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2025.
- [37] C. Delimitrou and C. Kozyrakis, "Bolt: I know what you did last summer... in the cloud," ACM SIGARCH Computer Architecture News, vol. 45, no. 1, pp. 599–613, 2017.
- [38] T. Zhang, M. Tehranipoor, and F. Farahmandi, "TrustGuard: Standalone FPGA-based security monitoring through power side-channel," IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2023.
- [39] R. Ding, C. Gongye, S. Wang, A. A. Ding, and Y. Fei, "EMShepherd: Detecting adversarial samples via side-channel leakage," in Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 2023, pp. 300–313.
- [40] S. S. Clark, B. Ransford, A. Rahmati, S. Guineau, J. Sorber, W. Xu, and K. Fu, "WattsUpDoc: Power side channels to nonintrusively discover untargeted malware on embedded medical devices," in 2013 USENIX Workshop on Health Information Technologies (HealthTech 13), 2013.
- [41] J. H. Jimenez and K. Goseva-Popstojanova, "Malware detection using power consumption and network traffic data," in 2019 2nd International Conference on Data Intelligence and Security (ICDIS). IEEE, 2019, pp. 53–59.
- [42] EE Times, "Mobileye's New EyeQ5: How Open is Open?" Nov. 2018. [Online]. Available: https://www.eetimes.com/mobileyes-new-eyeq5-how-open-is-open/ (accessed 2026-01-29).
- [43] Mobileye, "Valeo has produced its 20 millionth front camera system integrating Mobileye EyeQ technology," Dec. 2023. [Online]. Available: https://www.mobileye.com/news/valeo-has-produced-its-20-millionth-front-camera-system-integrating-mobileye-eyeq-technology/ (accessed 2026-01-29).
- [44] O. Aramoon, P.-Y. Chen, and G. Qu, "AID: Attesting the integrity of deep neural networks," in 2021 58th ACM/IEEE Design Automation Conference (DAC). IEEE, 2021, pp. 19–24.
- [45] D. Preuveneers, W. Verheyen, S. Joos, and W. Joosen, "On the adversarial robustness of full integer quantized TinyML models at the edge," in Proceedings of the 2nd International Workshop on Middleware for the Edge, 2023, pp. 7–12.
- [46] C. Banbury, V. J. Reddi, P. Torelli, J. Holleman, N. Jeffries, C. Kiraly, P. Montino, D. Kanter, S. Ahmed, D. Pau et al., "MLPerf Tiny benchmark," arXiv preprint arXiv:2106.07597, 2021.
- [47] A. Krizhevsky, G. Hinton et al., "Learning multiple layers of features from tiny images," 2009.
- [48] C. Ou, Z. Wang, D. Sun, X. Zhou, J. Ai, and N. Pang, "Enhanced correlation power analysis by biasing power traces," in Information Security: 19th International Conference, ISC 2016, Honolulu, HI, USA, September 3–6, 2016. Proceedings 19. Springer, 2016, pp. 59–72.
PAUL AND ZUZAK: ADVSCAN: BLACK-BOX AE DETECTION AT RUNTIME THROUGH POWER ANALYSIS 15
- [49] R. Paul and M. Zuzak, "MichScan: Black-box neural network integrity checking at runtime through power analysis," IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2025.
- [50] J. Trautmann, A. Beckers, L. Wouters, S. Wildermann, I. Verbauwhede, and J. Teich, "Semi-automatic locating of cryptographic operations in side-channel traces," IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 345–366, 2022.
- [51] Z. Dou, S. J. Osher, and B. Wang, "Mathematical analysis of adversarial attacks," arXiv preprint arXiv:1811.06492, 2018.
- [52] N. Wang, Y. Chen, Y. Xiao, Y. Hu, W. Lou, and Y. T. Hou, "MANDA: On adversarial example detection for network intrusion detection system," IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 2, pp. 1139–1153, 2022.
- [53] M. Alam and M. Maniatakos, "AdvHunter: Detecting adversarial perturbations in black-box neural networks through hardware performance counters," in Proceedings of the 61st ACM/IEEE Design Automation Conference, 2024, pp. 1–6.