Qianqian Song,Xiangwei Kong,Ziming Wang

DOI: https://doi.org/10.1007/978-3-030-93049-3_4

2021-01-01

Abstract:The accurate interpretation of neural network about how the network works is important. However, a manipulated explanation may have the potential to mislead human users not to trust a reliable network. Therefore, it is necessary to verify interpretation algorithms by designing effective attacks to simulate various possible threats in the real world. In this work, we mainly explore how to mislead interpretation. More specifically, we optimize the noise added to the input, which aims to highlight a certain area that we specify without changing the output category of network. With our proposed algorithm, we demonstrate that the state-of-the-art saliency maps based interpreters, e.g., Grad-CAM, Guided-Feature-Inversion, Grad-CAM++, Score-CAM and Full-Grad can be easily fooled. We propose two situations of fooling, Single-target attack and Multi-target attack, and show that the fooling can be transfered to different interpretation methods as well as generalized to the unseen samples with the universal noise. We also take image patches to fool Grad-CAM. Our results are proved in both qualitative and quantitative ways and we further propose a quantitative metric to measure the effectiveness of algorithm. We believe that our method can serve as an additional evaluation of robustness for future interpretation algorithms.

Shaofeng Li,Minhui Xue,Benjamin Zi Hao Zhao,Haojin Zhu,Xinpeng Zhang

DOI: https://doi.org/10.48550/arXiv.1909.02742

2020-08-31

Abstract:Deep neural networks (DNNs) have been proven vulnerable to backdoor attacks, where hidden features (patterns) trained to a normal model, which is only activated by some specific input (called triggers), trick the model into producing unexpected behavior. In this paper, we create covert and scattered triggers for backdoor attacks, invisible backdoors, where triggers can fool both DNN models and human inspection. We apply our invisible backdoors through two state-of-the-art methods of embedding triggers for backdoor attacks. The first approach on Badnets embeds the trigger into DNNs through steganography. The second approach of a trojan attack uses two types of additional regularization terms to generate the triggers with irregular shape and size. We use the Attack Success Rate and Functionality to measure the performance of our attacks. We introduce two novel definitions of invisibility for human perception; one is conceptualized by the Perceptual Adversarial Similarity Score (PASS) and the other is Learned Perceptual Image Patch Similarity (LPIPS). We show that the proposed invisible backdoors can be fairly effective across various DNN models as well as four datasets MNIST, CIFAR-10, CIFAR-100, and GTSRB, by measuring their attack success rates for the adversary, functionality for the normal users, and invisibility scores for the administrators. We finally argue that the proposed invisible backdoor attacks can effectively thwart the state-of-the-art trojan backdoor detection approaches, such as Neural Cleanse and TABOR.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Yangming Chen

2024-05-19

Abstract:Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. These attacks can occur in almost every stage of the deep learning pipeline. Although the attacked model behaves normally on benign samples, it makes wrong predictions for samples containing triggers. However, most existing attacks use visible patterns (e.g., a patch or image transformations) as triggers, which are vulnerable to human inspection. In this paper, we propose a novel backdoor attack, making imperceptible changes. Concretely, our attack first utilizes the pre-trained victim model to extract low-level and high-level semantic features from clean images and generates trigger pattern associated with high-level features based on channel attention. Then, the encoder model generates poisoned images based on the trigger and extracted low-level semantic features without causing noticeable feature loss. We evaluate our attack on three prominent image classification DNN across three standard datasets. The results demonstrate that our attack achieves high attack success rates while maintaining robustness against backdoor defenses. Furthermore, we conduct extensive image similarity experiments to emphasize the stealthiness of our attack strategy.

Computer Vision and Pattern Recognition,Artificial Intelligence

Yiming Li,Yanjie Li,Yalei Lv,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.48550/arXiv.2103.04038

2021-03-06

Cryptography and Security

Abstract:Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack}, which intends to embed hidden backdoors in DNNs by poisoning training data. The attacked model behaves normally on benign samples, whereas its prediction will be changed to a particular target label if hidden backdoors are activated. So far, backdoor research has mostly been conducted towards classification tasks. In this paper, we reveal that this threat could also happen in semantic segmentation, which may further endanger many mission-critical applications ($e.g.$, autonomous driving). Except for extending the existing attack paradigm to maliciously manipulate the segmentation models from the image-level, we propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat the target label ($i.e.$, annotation) from the object-level instead of the image-level to achieve more sophisticated manipulation. In the annotation of poisoned samples generated by the fine-grained attack, only pixels of specific objects will be labeled with the attacker-specified target class while others are still with their ground-truth ones. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data. Our method not only provides a new perspective for designing novel attacks but also serves as a strong baseline for improving the robustness of semantic segmentation methods.

Huasong Zhou,Xiaowei Xu,Xiaodong Wang,Leon Bevan Bullock

2024-03-05

Abstract:Backdoor attack has emerged as a novel and concerning threat to AI security. These attacks involve the training of Deep Neural Network (DNN) on datasets that contain hidden trigger patterns. Although the poisoned model behaves normally on benign samples, it exhibits abnormal behavior on samples containing the trigger pattern. However, most existing backdoor attacks suffer from two significant drawbacks: their trigger patterns are visible and easy to detect by backdoor defense or even human inspection, and their injection process results in the loss of natural sample features and trigger patterns, thereby reducing the attack success rate and model accuracy. In this paper, we propose a novel backdoor attack named SATBA that overcomes these limitations using spatial attention and an U-net based model. The attack process begins by using spatial attention to extract meaningful data features and generate trigger patterns associated with clean images. Then, an U-shaped model is used to embed these trigger patterns into the original data without causing noticeable feature loss. We evaluate our attack on three prominent image classification DNN across three standard datasets. The results demonstrate that SATBA achieves high attack success rate while maintaining robustness against backdoor defenses. Furthermore, we conduct extensive image similarity experiments to emphasize the stealthiness of our attack strategy. Overall, SATBA presents a promising approach to backdoor attack, addressing the shortcomings of previous methods and showcasing its effectiveness in evading detection and maintaining high attack success rate.

Cryptography and Security,Computer Vision and Pattern Recognition

Yuanshun Yao,Huiying Li,Haitao Zheng,Ben Y. Zhao

DOI: https://doi.org/10.48550/arXiv.1905.10447

IF: 5.414

2019-05-24

Machine Learning

Abstract:Recent work has proposed the concept of backdoor attacks on deep neural networks (DNNs), where misbehaviors are hidden inside "normal" models, only to be triggered by very specific inputs. In practice, however, these attacks are difficult to perform and highly constrained by sharing of models through transfer learning. Adversaries have a small window during which they must compromise the student model before it is deployed. In this paper, we describe a significantly more powerful variant of the backdoor attack, latent backdoors, where hidden rules can be embedded in a single "Teacher" model, and automatically inherited by all "Student" models through the transfer learning process. We show that latent backdoors can be quite effective in a variety of application contexts, and validate its practicality through real-world attacks against traffic sign recognition, iris identification of lab volunteers, and facial recognition of public figures (politicians). Finally, we evaluate 4 potential defenses, and find that only one is effective in disrupting latent backdoors, but might incur a cost in classification accuracy as tradeoff.

Shuang Li,Hongwei Li,Hanxiao Chen

DOI: https://doi.org/10.1109/globecom46510.2021.9685762

2021-01-01

Abstract:Lack of transparency in deep learning models makes them vulnerable to backdoor attack, which can cause severe security consequences. For a backdoored model, the specific inputs can trigger misclassification rules while it performs normal behaviors on clean data. Existing backdoor attacks usually generate poisoned data by adding an obvious trigger to the original data and mislabeling them, which suffers from poor invisibility and hence can be easily detected. In this paper, we propose Stand-in Backdoor, a more stealthy and powerful backdoor attack, which can completely hide the trigger while maintaining correct labels of poisoned data. Specifically, we design a novel optimization strategy to transform triggers into imperceptible perturbation in the feature space. Furthermore, utilizing the transferability of feature perturbation, we fine-tune the victim model with well-constructed poisoned data that are correctly labeled. Extensive experiments conducted on various image classification tasks demonstrate that our attack outperforms the state-of-the-art work in terms of backdoor stealth and attack performance, without sacrificing the model's utility.

Xueluan Gong,Bowei Tian,Meng Xue,Yuan Wu,Yanjiao Chen,Qian Wang

2024-12-09

Abstract:Recent studies have revealed the vulnerability of Deep Neural Network (DNN) models to backdoor attacks. However, existing backdoor attacks arbitrarily set the trigger mask or use a randomly selected trigger, which restricts the effectiveness and robustness of the generated backdoor triggers. In this paper, we propose a novel attention-based mask generation methodology that searches for the optimal trigger shape and location. We also introduce a Quality-of-Experience (QoE) term into the loss function and carefully adjust the transparency value of the trigger in order to make the backdoored samples to be more natural. To further improve the prediction accuracy of the victim model, we propose an alternating retraining algorithm in the backdoor injection process. The victim model is retrained with mixed poisoned datasets in even iterations and with only benign samples in odd iterations. Besides, we launch the backdoor attack under a co-optimized attack framework that alternately optimizes the backdoor trigger and backdoored model to further improve the attack performance. Apart from DNN models, we also extend our proposed attack method against vision transformers. We evaluate our proposed method with extensive experiments on VGG-Flower, CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets. It is shown that we can increase the attack success rate by as much as 82\% over baselines when the poison ratio is low and achieve a high QoE of the backdoored samples. Our proposed backdoor attack framework also showcases robustness against state-of-the-art backdoor defenses.

Computer Vision and Pattern Recognition,Cryptography and Security

Ying He,Zhili Shen,Chang Xia,Jingyu Hua,Wei Tong,Sheng Zhong

DOI: https://doi.org/10.1016/j.cose.2023.103523

IF: 5.105

2023-01-01

Computers & Security

Abstract:Outsourced deep neural networks have been demonstrated to suffer from patch-based trojan attacks, in which an adversary poisons the training sets to inject a backdoor in the obtained model so that regular inputs can be still labeled correctly while those carrying a specific trigger are falsely given a target label. Due to the severity of such attacks, many backdoor detection and containment systems have recently, been proposed for deep neural networks. One major category among them are various model inspection schemes, which hope to detect backdoors before deploying models from non-trusted third-parties. In this paper, we show that such state-of-the-art schemes can be defeated by a so-called Scapegoat Backdoor Attack, which introduces a benign scapegoat trigger in data poisoning to prevent the defender from reversing the real abnormal trigger. In addition, it confines the values of network parameters within the same variances of those from clean model during training, which further significantly enhances the difficulty of the defender to learn the differences between legal and illegal models through machine-learning approaches. Our experiments on 3 popular datasets show that it can escape detection by all five state-of-the-art model inspection schemes. Moreover, this attack brings almost no side-effects on the attack effectiveness and guarantees the universal feature of the trigger compared with original patch-based trojan attacks.

Quanxin Zhang,Wencong Ma,Yajie Wang,Yaoyuan Zhang,Zhiwei Shi,Yuanzhang Li

DOI: https://doi.org/10.1049/cje.2021.00.126

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:Deep neural network(DNN)is applied widely in many applications and achieves state-of-the-art performance.However,DNN lacks transparency and in-terpretability for users in structure.Attackers can use this feature to embed trojan horses in the DNN structure,such as inserting a backdoor into the DNN,so that DNN can learn both the normal main task and additional mali-cious tasks at the same time.Besides,DNN relies on data set for training.Attackers can tamper with training data to interfere with DNN training process,such as attaching a trigger on input data.Because of defects in DNN struc-ture and data,the backdoor attack can be a serious threat to the security of DNN.The DNN attacked by backdoor performs well on benign inputs while it outputs an attack-er-specified label on trigger attached inputs.Backdoor at-tack can be conducted in almost every stage of the ma-chine learning pipeline.Although there are a few re-searches in the backdoor attack on image classification,a systematic review is still rare in this field.This paper is a comprehensive review of backdoor attacks.According to whether attackers have access to the training data,we di-vide various backdoor attacks into two types:poisoning-based attacks and non-poisoning-based attacks.We go through the details of each work in the timeline,discuss-ing its contribution and deficiencies.We propose a de-tailed mathematical backdoor model to summary all kinds of backdoor attacks.In the end,we provide some insights about future studies.

Yudong Li,Shigeng Zhang,Weiping Wang,Hong Song

DOI: https://doi.org/10.1109/OJCS.2023.3267221

2023-01-01

IEEE Open Journal of the Computer Society

Abstract:Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. In backdoor attacks, the attackers try to plant hidden backdoors into DNN models, either in the training or inference stage, to mislead the output of the model when the input contains some specified triggers without affecting the prediction of normal inputs not containing the triggers. As a rapidly developing topic, numerous works on designing various backdoor attacks and developing techniques to defend against such attacks have been proposed in recent years. However, a comprehensive and holistic overview of backdoor attacks and countermeasures is still missing. In this paper, we provide a systematic overview of the design of backdoor attacks and the defense strategies to defend against backdoor attacks, covering the latest published works. We review representative backdoor attacks and defense strategies in both the computer vision domain and other domains, discuss their pros and cons, and make comparisons among them. We outline key challenges to be addressed and potential research directions in the future.

Haohan Liu,Xingquan Zuo,Hai Huang,Xing Wan

DOI: https://doi.org/10.1007/978-3-031-20500-2_1

2022-01-01

Abstract:The current deep neural networks (DNN) are easily fooled by adversarial examples, which are generated by adding some small, well-designed and human-imperceptible perturbations to clean examples. Adversarial examples will mislead deep learning (DL) model to make wrong predictions. At present, many existing white-box attack methods in the image field are mainly based on the global gradient of the model. That is, the global gradient is first calculated, and then the perturbation is added into the gradient direction. Those methods usually have a high attack success rate. However, there are also some shortcomings, such as excessive perturbation and easy detection by the human's eye. Therefore, in this paper we propose a SaliencyMap-based Local white-box Adversarial Attack method (SMLAA). The saliencymap used in the interpretability of artificial intelligence is introduced in SMLAA. First, Gradient-weighted Class Activation Mapping (Grad-CAM) is utilized to provide a visual interpretation of model decisions to find important areas in an image. Then, the perturbation is added only to important local areas to reduce the magnitude of perturbations. Experimental results show that compared with the global attack method, SMLAA reduces the average robustness measure by 9%-24% while ensuring the attack success rate. It means that SMLAA has a high attack success rate with fewer pixels changed.

Xiangyun Qian,Yusheng He,Rui Zhang,Zi Kang,Yilin Sheng,Hui Xia

DOI: https://doi.org/10.1007/978-981-97-5498-4_10

2024-01-01

Abstract:With the emergence and popularity of large-scale unlabeled data, self-supervised learning has become a new development trend. This learning paradigm can acquire high-quality representations of complex data without relying on labels, saving labor costs, avoiding human labeling errors, and rivaling supervised learning in expressing image features. However, research has revealed insufficient security in neural network models trained under the self-supervised learning paradigm, making them susceptible to backdoor attacks. This malicious behavior significantly undermines the security of artificial intelligence models and severely hinders the development of the Internet of Things with intelligence. This paper proposes an invisible backdoor attack scheme on key regions based on target neurons. Firstly, the key regions of image feature expression are determined through the attention mechanism. In this region, this paper trains a set of critical neurons to obtain a trigger capable of inducing misclassifications. Subsequently, a poison dataset is constructed to attack the self-supervised training model. The triggers generated by this scheme resemble random noise. They are inconspicuous in visual space, achieving a high attack success rate and enhancing both the concealment and effectiveness of the triggers. The self-supervised training model with the implanted backdoor evades backdoor detection, further increasing the model's indistinguishability. Ultimately, experimental results demonstrate that while ensuring the concealment of triggers, this scheme can achieve a high attack success rate with only 1% poison data, and the poison model can escape detection.

Yunfei Liu,Xingjun Ma,James Bailey,Feng Lu

DOI: https://doi.org/10.48550/arXiv.2007.02343

2020-07-13

Abstract:Recent studies have shown that DNNs can be compromised by backdoor attacks crafted at training time. A backdoor attack installs a backdoor into the victim model by injecting a backdoor pattern into a small proportion of the training data. At test time, the victim model behaves normally on clean test data, yet consistently predicts a specific (likely incorrect) target class whenever the backdoor pattern is present in a test example. While existing backdoor attacks are effective, they are not stealthy. The modifications made on training data or labels are often suspicious and can be easily detected by simple data filtering or human inspection. In this paper, we present a new type of backdoor attack inspired by an important natural phenomenon: reflection. Using mathematical modeling of physical reflection models, we propose reflection backdoor (Refool) to plant reflections as backdoor into a victim model. We demonstrate on 3 computer vision tasks and 5 datasets that, Refool can attack state-of-the-art DNNs with high success rate, and is resistant to state-of-the-art backdoor defenses.

Computer Vision and Pattern Recognition

Mingfu Xue,Shifeng Ni,Yinghao Wu,Yushu Zhang,Jian Wang,Weiqiang Liu

DOI: https://doi.org/10.48550/arXiv.2201.13164

2022-01-31

Abstract:Recent researches demonstrate that Deep Neural Networks (DNN) models are vulnerable to backdoor attacks. The backdoored DNN model will behave maliciously when images containing backdoor triggers arrive. To date, existing backdoor attacks are single-trigger and single-target attacks, and the triggers of most existing backdoor attacks are obvious thus are easy to be detected or noticed. In this paper, we propose a novel imperceptible and multi-channel backdoor attack against Deep Neural Networks by exploiting Discrete Cosine Transform (DCT) steganography. Based on the proposed backdoor attack method, we implement two variants of backdoor attacks, i.e., N-to-N backdoor attack and N-to-One backdoor attack. Specifically, for a colored image, we utilize DCT steganography to construct the trigger on different channels of the image. As a result, the trigger is stealthy and natural. Based on the proposed method, we implement multi-target and multi-trigger backdoor attacks. Experimental results demonstrate that the average attack success rate of the N-to-N backdoor attack is 93.95% on CIFAR-10 dataset and 91.55% on TinyImageNet dataset, respectively. The average attack success rate of N-to-One attack is 90.22% and 89.53% on CIFAR-10 and TinyImageNet datasets, respectively. Meanwhile, the proposed backdoor attack does not affect the classification accuracy of the DNN model. Moreover, the proposed attack is demonstrated to be robust to the state-of-the-art backdoor defense (Neural Cleanse).

Computer Vision and Pattern Recognition

Junjian Li,Honglong Chen,Yudong Gao,Shaozhong Guo,Kai Lin,Yuping Liu,Peng Sun

DOI: https://doi.org/10.1016/j.engappai.2024.109462

2024-01-01

Abstract:The escalating menace of backdoor attacks constitutes a formidable obstacle to the ongoing advancement of deep neural networks (DNNs), particularly in the security-sensitive applications such as face recognition and self-driving. Backdoored models render deliberately incorrect predictions on the inputs with the crafted triggers while behaving normally with the benign ones. Despite demonstrating the varying degrees of threat, existing backdoor attack strategies often prioritize stealthiness and defense evasions but neglect the practical feasibility in the real-world deployment scenarios. In this paper, we develop a backdoor attack leveraging bokeh effects (BABE), which introduces the bokeh effects as the trigger. Once the backdoored model is deployed in the vision application, the model's malicious behaviors can be activated only by utilizing the captured bokeh images without any other modifications. Specially, we employ the saliency and depth estimation maps to derive the bokeh images, thereby serving as the poisoned samples. Furthermore, to avoid the latent separation of the generated poisoned images, we propose distinct attack strategies on the basis of the adversary's prior abilities. For the adversary only with the data manipulation, we retain the original semantic labels fora subset of poisoned data during the training process. For the adversary with the manipulation of both the data and models, we construct a reference model trained on the clean samples to impose constraints on the latent representations of the poisoned images. Extensive experiments demonstrate the attack effects of the proposed BABE, even on the bokeh photos captured from Digital Still Cameras (DSC) and smartphones.

Chengxiao Luo,Yiming Li,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.1109/icassp49357.2023.10095980

2022-01-01

Abstract:Recent studies revealed that deep neural networks (DNNs) are exposed to backdoor threats when training with third-party resources (such as training samples or backbones). The back-doored model has promising performance in predicting benign samples, whereas its predictions can be maliciously manipulated by adversaries based on activating its backdoors with pre-defined trigger patterns. Currently, most of the existing backdoor attacks were conducted on the image classification under the targeted manner. In this paper, we reveal that these threats could also happen in object detection, posing threatening risks to many mission-critical applications (e.g., pedestrian detection and intelligent surveillance systems). Specifically, we design a simple yet effective poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns. We conduct extensive experiments on the benchmark dataset, showing its effectiveness in both digital and physical-world settings and its resistance to potential defenses.

Nan Zhong,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.24963/ijcai.2022/242

2022-01-01

Abstract:Backdoor attacks are rapidly emerging threats to deep neural networks (DNNs). In the backdoor attack scenario, attackers usually implant the backdoor into the target model by manipulating the training dataset or training process. Then, the compromised model behaves normally for benign input yet makes mistakes when the pre-defined trigger appears. In this paper, we analyze the drawbacks of existing attack approaches and propose a novel imperceptible backdoor attack. We treat the trigger pattern as a special kind of noise following a multinomial distribution. A U-net-based network is employed to generate concrete parameters of multinomial distribution for each benign input. This elaborated trigger ensures that our approach is invisible to both humans and statistical detection. Besides the design of the trigger, we also consider the robustness of our approach against model diagnose-based defences. We force the feature representation of malicious input stamped with the trigger to be entangled with the benign one. We demonstrate the effectiveness and robustness against multiple state-of-the-art defences through extensive datasets and networks. Our trigger only modifies less than 1\% pixels of a benign image while the modification magnitude is 1. Our source code is available at https://github.com/Ekko-zn/IJCAI2022-Backdoor.

Honglong Chen,Yudong Gao,Anqing Zhang,Peng Sun,Nan Jiang,Weifeng Liu,Xingang Wang

DOI: https://doi.org/10.1109/tifs.2024.3427432

IF: 7.231

2024-07-20

IEEE Transactions on Information Forensics and Security

Abstract:Recently, backdoor attacks have become a serious security threat to Deep Neural Networks (DNNs). Backdoor attacks involve embedding a hidden backdoor into a DNN model, compelling it to correctly classify benign images while erroneously classifying images with backdoor triggers as the target label. However, both current backdoor attacks and defenses have their limitations. In backdoor attacks, they are either non-stealthy or vulnerable to well-designed backdoor defense strategies. As for backdoor defenses, they often rely heavily on additional assumptions (such as determined extra clean images) and are not universally applicable, which may become impractical in the face of the latest backdoor attacks. To address the above problems, in this paper, we investigate the backdoor attack and defense strategies from a multi-channel perspective. Specifically, in terms of attacks, we propose a recolorization based attack method (RC-Attack) to generate triggers in color ab channels, which is more stealthy and effective. In terms of defenses, we propose a reconstruction-based defense method (RC-Defense) to reconstruct the color AB channels and lightness channel respectively, thus making the triggers in the reconstructed images ineffective, which is a more practical solution. Extensive experiments are conducted to demonstrate the superior performance of the proposed RC-Attack in terms of effectiveness, stealthiness and defense-resistance, and also to validate the effectiveness of the proposed RC-Defense.

computer science, theory & methods,engineering, electrical & electronic