Over the past decade, neural networks have shown commendable performance in complex tasks such as Image Recognition, Natural Language Processing, and game playing. At the same time, these networks have unfortunately been proven to be susceptible to minor changes to their inputs, commonly called adversarial perturbations. For example, an otherwise accurate DNN model can be deceived into misclassifying a given image by making slight alterations to the image, invisible to human eyes. Such adversarial attacks make it challenging to deploy them in security-sensitive applications such as autonomous vehicles. It is, therefore, crucial to understand adversarial attacks to test the robustness of a model and come up with suitable defense techniques. This paper aims to survey popular works in this domain. In our discussion, we broadly classify the attacks as image-dependent or independent and targeted or untargeted. We also cover some interesting defense techniques. We discuss real life or physical attacks where an attacker can perturb the image in real life, for instance, by painting a stop sign or pasting stickers on objects. We also show some experimental results, as we test the performance of two adversarial attacks against a pre-trained VGG19 model on Imagenet dataset.

IoT devices constantly communicate with servers over the Internet, allowing an attacker to extract sensitive information by passively monitoring the network traffic. Recent research works have shown that a network attacker with a trained machine learning (ML) model can accurately fingerprint IoT devices learned from the (encrypted) traffic flows of the devices. Such fingerprinting attacks are capable of revealing the make and model of the devices, which can further be used to extract detailed user activities. In this work, we develop and propose iPET, a novel adversarial perturbation-based traffic modification system that defends against fingerprinting attacks. iPET design employs GAN (Generative Adversarial Networks) in a tuneable way, allowing users to specify the maximum bandwidth overhead they are willing to tolerate for the defense. A fundamental idea of iPET is to deliberately introduce stochasticity between model instances. This approach limits a counter attack, as it inhibits an attacker from recreating an identical perturbation model and using it for fingerprinting. We evaluate the effectiveness of our defense against state-of-the-art fingerprinting models and with three different attacker capabilities. Our evaluations on synthetic and real-world datasets demonstrate that iPET decreases the accuracy of even the potent attackers. We also show that the traffic perturbations generated by iPET generalize well to different fingerprinting schemes that an attacker may deploy.