Kangjie Chen,Xiaoxuan Lou,Guowen Xu,Jiwei Li,Tianwei Zhang

2023-01-01

Abstract:Multi-label models have been widely used in various applications including image annotation and object detection. The fly in the ointment is its inherent vulnerability to backdoor attacks due to the adoption of deep learning techniques. However, all existing backdoor attacks exclusively require to modify training inputs (e.g., images), which may be impractical in real-world applications. In this paper, we aim to break this wall and propose the first clean-image backdoor attack, which only poisons the training labels without touching the training samples. Our key insight is that in a multi-label learning task, the adversary can just manipulate the annotations of training samples consisting of a specific set of classes to activate the backdoor. We design a novel trigger exploration method to find convert and effective triggers to enhance the attack performance. We also propose three target label selection strategies to achieve different goals. Experimental results indicate that our clean-image backdoor can achieve a 98% attack success rate while preserving the model's functionality on the benign inputs. Besides, the proposed clean-image backdoor can evade existing state-of-the-art defenses.

Xueluan Gong,Yanjiao Chen,Jianshuo Dong,Qian Wang

DOI: https://doi.org/10.14722/ndss.2022.24012

2022-01-01

Abstract:—Deep neural networks have achieved remarkable success on a variety of mission-critical tasks. However, recent studies show that deep neural networks are vulnerable to backdoor attacks, where the attacker releases backdoored models that behave normally on benign samples but misclassify any trigger-imposed samples to a target label. Unlike adversarial examples, backdoor attacks manipulate both the inputs and the model, perturbing samples with the trigger and injecting backdoors into the model. In this paper, we propose a novel attention-based evasive backdoor attack, dubbed A TTEQ -NN . Different from existing works that arbitrarily set the trigger mask, we carefully design an attention- based trigger mask determination framework, which places the trigger at the crucial region with the most significant influence on the prediction results. To make the trigger-imposed samples appear more natural and imperceptible to human inspectors, we introduce a Quality-of-Experience (QoE) term into the loss function of trigger generation and carefully adjust the transparency of the trigger. During the process of iteratively optimizing the trigger generation and the backdoor injection components, we propose an alternating retraining strategy, which is shown to be effective in improving the clean data accuracy and evading some model-based defense approaches. We evaluate A TTEQ -NN with extensive experiments on VGG- Flower, CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets. The results show that A TTEQ -NN can increase the attack success rate by as much as 82% over baselines when the poison ratio is low while achieving a high QoE of the backdoored samples. We demonstrate that A TTEQ -NN reaches an attack success rate of more than 37.78% in the physical world under different lighting conditions and shooting angles. A TTEQ -NN preserves an attack success rate of more than 92.5% even if the original backdoored model is fine-tuned with clean data. It is shown that A TTEQ -NN is also effective in transfer learning scenarios. Our user studies show that the backdoored samples generated by A TTEQ -NN are indiscernible under visual inspections. A TTEQ -NN is shown to be evasive to state-of-the-art defense methods, including model pruning, NAD, STRIP, NC, and MNTD. We will open-source our codes upon publication.

Yu Wang,Haomiao Yang,Jiasheng Li,Mengyu Ge

DOI: https://doi.org/10.1007/978-981-19-8445-7_10

2022-01-01

Abstract:Backdoor attacks, as an insidious security threat to deep neural networks (DNNs), are adept at injecting triggers into DNNs. A malicious attacker can create a link between the customized trigger and the targeted label, such that the prediction of the poisoned model will be manipulated if the input contains the predetermined trigger. However, most existing backdoor attacks define an obvious trigger (eg: conspicuous pigment block) and need to modify the poisoned images' label, causing these images seems to be labeled incorrectly, which leads to these images can not pass human inspection. In addition, the design of the trigger always needs the information of the entire training data set, an extremely stringent experiment setting. These settings above remarkably restrict the practicality of backdoor attacks in the real world. In our paper, the proposed algorithm effectively solves these restrictions of existing backdoor attack. Our Label-Specific backdoor attack can design a unique trigger for each label, while just accessing the images of the target label. The victim model trained on our poisoned training dataset will maliciously output attacker-manipulated predictions while the poisoned model is activated by the trigger. Meanwhile victim model still maintains a good performance confronting benign data samples. Hence, our proposed backdoor attack approach must be more practical.

Nan Luo,Yuanzhang Li,Yajie Wang,Shangbo Wu,Yu-an Tan,Quanxin Zhang

DOI: https://doi.org/10.48550/arXiv.2206.04881

2022-06-10

Abstract:Backdoor attacks threaten Deep Neural Networks (DNNs). Towards stealthiness, researchers propose clean-label backdoor attacks, which require the adversaries not to alter the labels of the poisoned training datasets. Clean-label settings make the attack more stealthy due to the correct image-label pairs, but some problems still exist: first, traditional methods for poisoning training data are ineffective; second, traditional triggers are not stealthy which are still perceptible. To solve these problems, we propose a two-phase and image-specific triggers generation method to enhance clean-label backdoor attacks. Our methods are (1) powerful: our triggers can both promote the two phases (i.e., the backdoor implantation and activation phase) in backdoor attacks simultaneously; (2) stealthy: our triggers are generated from each image. They are image-specific instead of fixed triggers. Extensive experiments demonstrate that our approach can achieve a fantastic attack success rate~(98.98%) with low poisoning rate~(5%), high stealthiness under many evaluation metrics and is resistant to backdoor defense methods.

Cryptography and Security,Computer Vision and Pattern Recognition

Quang H. Nguyen,Nguyen Ngoc-Hieu,The-Anh Ta,Thanh Nguyen-Tang,Kok-Seng Wong,Hoang Thanh-Tung,Khoa D. Doan

2024-07-16

Abstract:Deep neural networks are vulnerable to backdoor attacks, a type of adversarial attack that poisons the training data to manipulate the behavior of models trained on such data. Clean-label attacks are a more stealthy form of backdoor attacks that can perform the attack without changing the labels of poisoned data. Early works on clean-label attacks added triggers to a random subset of the training set, ignoring the fact that samples contribute unequally to the attack's success. This results in high poisoning rates and low attack success rates. To alleviate the problem, several supervised learning-based sample selection strategies have been proposed. However, these methods assume access to the entire labeled training set and require training, which is expensive and may not always be practical. This work studies a new and more practical (but also more challenging) threat model where the attacker only provides data for the target class (e.g., in face recognition systems) and has no knowledge of the victim model or any other classes in the training set. We study different strategies for selectively poisoning a small set of training samples in the target class to boost the attack success rate in this setting. Our threat model poses a serious threat in training machine learning models with third-party datasets, since the attack can be performed effectively with limited information. Experiments on benchmark datasets illustrate the effectiveness of our strategies in improving clean-label backdoor attacks.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Leilei Gan,Jiwei Li,Tianwei Zhang,Xiaoya Li,Yuxian Meng,Fei Wu,Yi Yang,Shangwei Guo,Chun Fan

DOI: https://doi.org/10.18653/v1/2022.naacl-main.214

2022-01-01

Abstract:Backdoor attacks pose a new threat to NLP models. A standard strategy to construct poisoned data in backdoor attacks is to insert triggers (e.g., rare words) into selected sentences and alter the original label to a target label. This strategy comes with a severe flaw of being easily detected from both the trigger and the label perspectives: the trigger injected, which is usually a rare word, leads to an abnormal natural language expression, and thus can be easily detected by a defense model; the changed target label leads the example to be mistakenly labeled and thus can be easily detected by manual inspections. To deal with this issue, in this paper, we propose a new strategy to perform textual backdoor attacks which do not require an external trigger, and the poisoned samples are correctly labeled. The core idea of the proposed strategy is to construct clean-labeled examples, whose labels are correct but can lead to test label changes when fused with the training set. To generate poisoned clean-labeled examples, we propose a sentence generation model based on the genetic algorithm to cater to the non-differentiable characteristic of text data. Extensive experiments demonstrate that the proposed attacking strategy is not only effective, but more importantly, hard to defend due to its triggerless and clean-labeled nature. Our work marks the first step towards developing triggerless attacking strategies in NLP.

Chen Zhu,W. Ronny Huang,Ali Shafahi,Hengduo Li,Gavin Taylor,Christoph Studer,Tom Goldstein

DOI: https://doi.org/10.48550/arXiv.1905.05897

2019-05-16

Abstract:Clean-label poisoning attacks inject innocuous looking (and "correctly" labeled) poison images into training data, causing a model to misclassify a targeted image after being trained on this data. We consider transferable poisoning attacks that succeed without access to the victim network's outputs, architecture, or (in some cases) training data. To achieve this, we propose a new "polytope attack" in which poison images are designed to surround the targeted image in feature space. We also demonstrate that using Dropout during poison creation helps to enhance transferability of this attack. We achieve transferable attack success rates of over 50% while poisoning only 1% of the training set.

Machine Learning,Cryptography and Security

Jian Chen,Jingyao Wu,Hao Yin,Qiang Li,Wensheng Zhang,Chen Wang

DOI: https://doi.org/10.1109/trustcom60117.2023.00026

2024-01-01

Abstract:In recent years, the emergence of targeted cleanlabel poisoning attacks, which maliciously influence the training data without controlling over the labeling process to manipulate the behavior of the predictive model, is shown to be crucial threats to compromise deep learning systems. Prior targeted clean-label poisoning attacks have been demonstrated to target only one sample at a time, which is not always applicable in restricted real-world situations. In this paper, we explore targeted clean-label poisoning attacks on a per-class basis, which refers to misclassify samples from a victim class to the desired class while maintaining the classification accuracy of samples on other classes in multi-class classification tasks. To achieve this, we present the first class-targeted clean-label poisoning attack, called CTCL, which firsts craft clean label poisons along with multiple directions in the target feature space and enhance the attacking capability of poisons by reducing their the feature information of the target class. We illustrate the effectiveness of the proposed CTCL on various deep neural network models. The experiment results demonstrate that our attack is effective, with the attacking success rate over 80% compared to the other two baseline attacks on average, while the detection accuracy of state-of-the-art defenses is lower than 65% illustrating that CTCL can escape the detection of existing defenses readily.

Bin Huang,Zhi Wang

DOI: https://doi.org/10.1109/icip49359.2023.10222807

2023-01-01

Abstract:Deep neural networks present their potential vulnerabilities to backdoor attacks. They have a satisfactory performance for benign users with clean samples but will get malicious outputs when inputs are attached with the backdoor trigger. Current backdoor attacks on image classifiers usually target only one single class, making them not robust to defenses against this characteristic. In this work, we propose a new any-target attack that targets all the labels simultaneously with the triggers being invisible and input-dependent. Specifically, we train the classifier together with the image steganography model by encoding the one-hot encodings into the input images. The novel pseudo poisoned samples are then introduced to improve the effectiveness of our backdoor attack. Experimental results show that our method is both effective and efficient on several datasets and is robust to existing defenses.

Thinh Dao,Cuong Chi Le,Khoa D Doan,Kok-Seng Wong

2024-07-27

Abstract:Deep Neural Networks (DNNs) are vulnerable to backdoor poisoning attacks, with most research focusing on digital triggers, special patterns digitally added to test-time inputs to induce targeted misclassification. In contrast, physical triggers, which are natural objects within a physical scene, have emerged as a desirable alternative since they enable real-time backdoor activations without digital manipulation. However, current physical attacks require that poisoned inputs have incorrect labels, making them easily detectable upon human inspection. In this paper, we collect a facial dataset of 21,238 images with 7 common accessories as triggers and use it to study the threat of clean-label backdoor attacks in the physical world. Our study reveals two findings. First, the success of physical attacks depends on the poisoning algorithm, physical trigger, and the pair of source-target classes. Second, although clean-label poisoned samples preserve ground-truth labels, their perceptual quality could be seriously degraded due to conspicuous artifacts in the images. Such samples are also vulnerable to statistical filtering methods because they deviate from the distribution of clean samples in the feature space. To address these issues, we propose replacing the standard $\ell_\infty$ regularization with a novel pixel regularization and feature regularization that could enhance the imperceptibility of poisoned samples without compromising attack performance. Our study highlights accidental backdoor activations as a key limitation of clean-label physical backdoor attacks. This happens when unintended objects or classes accidentally cause the model to misclassify as the target class.

Cryptography and Security,Artificial Intelligence

Alvin Chan,Yew-Soon Ong

DOI: https://doi.org/10.48550/arXiv.1911.08040

2019-11-19

Computer Vision and Pattern Recognition

Abstract:Deep learning models have recently shown to be vulnerable to backdoor poisoning, an insidious attack where the victim model predicts clean images correctly but classifies the same images as the target class when a trigger poison pattern is added. This poison pattern can be embedded in the training dataset by the adversary. Existing defenses are effective under certain conditions such as a small size of the poison pattern, knowledge about the ratio of poisoned training samples or when a validated clean dataset is available. Since a defender may not have such prior knowledge or resources, we propose a defense against backdoor poisoning that is effective even when those prerequisites are not met. It is made up of several parts: one to extract a backdoor poison signal, detect poison target and base classes, and filter out poisoned from clean samples with proven guarantees. The final part of our defense involves retraining the poisoned model on a dataset augmented with the extracted poison signal and corrective relabeling of poisoned samples to neutralize the backdoor. Our approach has shown to be effective in defending against backdoor attacks that use both small and large-sized poison patterns on nine different target-base class pairs from the CIFAR10 dataset.

Xubo Yang,Linsen Li,Cunqing Hua,Changhao Yao

DOI: https://doi.org/10.1007/978-3-031-56580-9_11

2024-01-01

Abstract:Deep neural networks have been shown to be vulnerable to backdoor attacks, and currently, almost all attacks involve inserting backdoors into models through data poisoning, which requires the attacker to have access to higher-level model training and can be easily exposed. However, vulnerabilities in code management for deep learning training make the code itself an extremely susceptible target for attacks. based on this, we propose a novel form of backdoor attack called Code Poisoning-based Clean-Label Covert Backdoor Attack (CCBA), which dynamically modifies the training data by manipulating only a small fraction of the code to inject a backdoor. This attack imposes a negligible burden on the training process, while still achieving strong performance and maintaining stealth. We not only validate the feasibility and effectiveness of CCBA in deep neural networks but also extend it successfully to graph neural networks and natural language processing, demonstrating promising results.

Tzvi Lederer,Gallil Maimon,Lior Rokach

2023-10-02

Abstract:Backdoor poisoning attacks pose a well-known risk to neural networks. However, most studies have focused on lenient threat models. We introduce Silent Killer, a novel attack that operates in clean-label, black-box settings, uses a stealthy poison and trigger and outperforms existing methods. We investigate the use of universal adversarial perturbations as triggers in clean-label attacks, following the success of such approaches under poison-label settings. We analyze the success of a naive adaptation and find that gradient alignment for crafting the poison is required to ensure high success rates. We conduct thorough experiments on MNIST, CIFAR10, and a reduced version of ImageNet and achieve state-of-the-art results.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Yinghua Gao,Yiming Li,Linghui Zhu,Dongxian Wu,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.patcog.2023.109512

IF: 8

2023-03-18

Pattern Recognition

Abstract:Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to backdoor attacks. The attacked model behaves normally on benign samples, while its predictions are misled whenever adversary-specified trigger patterns appear. Currently, clean-label backdoor attacks are usually regarded as the most stealthy methods in which adversaries can only poison samples from the target class without modifying their labels. However, these attacks can hardly succeed. In this paper, we reveal that the difficulty of clean-label attacks mainly lies in the antagonistic effects of 'robust features' related to the target class contained in poisoned samples. Specifically, robust features tend to be easily learned by victim models and thus undermine the learning of trigger patterns. Based on these understandings, we propose a simple yet effective plug-in method to enhance clean-label backdoor attacks by poisoning 'hard' instead of random samples. We adopt three classical difficulty metrics as examples to implement our method. We demonstrate that our method can consistently improve vanilla attacks, based on extensive experiments on benchmark datasets.

computer science, artificial intelligence,engineering, electrical & electronic

Ganghua Wang,Xun Xian,Jayanth Srinivasa,Ashish Kundu,Xuan Bi,Mingyi Hong,Jie Ding

2023-10-18

Abstract:The growing dependence on machine learning in real-world applications emphasizes the importance of understanding and ensuring its safety. Backdoor attacks pose a significant security risk due to their stealthy nature and potentially serious consequences. Such attacks involve embedding triggers within a learning model with the intention of causing malicious behavior when an active trigger is present while maintaining regular functionality without it. This paper evaluates the effectiveness of any backdoor attack incorporating a constant trigger, by establishing tight lower and upper boundaries for the performance of the compromised model on both clean and backdoor test data. The developed theory answers a series of fundamental but previously underexplored problems, including (1) what are the determining factors for a backdoor attack's success, (2) what is the direction of the most effective backdoor attack, and (3) when will a human-imperceptible trigger succeed. Our derived understanding applies to both discriminative and generative models. We also demonstrate the theory by conducting experiments using benchmark datasets and state-of-the-art backdoor attack scenarios.

Cryptography and Security,Artificial Intelligence,Machine Learning

Zhu Shuwen,Luo Ge,Wei Ping,Li Sheng,Zhang Xinpeng,Qian Zhenxing

DOI: https://doi.org/10.11834/jig.220550

2023-01-01

Journal of Image and Graphics

Abstract:ObjectiveBackdoor attack-oriented adversarial attacks can yield deep model-attacked to play well in regular,whereas behaves maliciously in terms of triggers-predefined hidden backdoors-activated. But, deep models are vulnerable against multiple adversarial attacks. The aim of backdoor attacks is oriented to penetrate the predesigned backdoor triggers into the portion of the training data（e. g., specific patterns like a square, noises, strips, or warpings）. To guarantee attacking effectiveness, existing backdoor attacks are focused on assigning clean-label to the poisoned samples or hiding triggers in the poisoned data against human inspection. Nevertheless, it is still challenged to possess visual-supervised in-situ security features. To resolve this problem, we develop an imperceptible and effective backdoor attack method,which is imperceptible against human inspection, filters, and statistic detector.MethodTo generate poisoned samples, a smaller image as trigger can be embedded into image-profiling, which are mixed with clean samples as the final training data. Hiding the trigger naturally, the label-imperceptive poisoned sample is similar to the corresponding clean sample （image imperceptibility）, and it can also defend the most advanced statistical analysis（statistic imperceptibility） methods.We develop a one-to-oneself attack paradigm of those class-sourced for poisoning is oriented on the target class itself. Differentiated from the previous attack paradigms（ all-to-one and all-to-all）, a portion of target class-derived images are selected as pre-poisoned samples. With the correct label corresponding to the target class, these images could be imperceptible in the presence of human inspection. However, the classical attack paradigms all-to-one and all-to-all are based on unmatched or error labels, and the target class cannot be sourced by itself. Human inspection-against input-label pairs-mislabeled（like bird-cat） might arouse definite suspicion, which can be used to reveal the attack. Following a filtering process, the rest of samples（most of them are clean） could invalidate the attack. We can launch a quick attack on pretrained model in terms of same data-poisoned fine-tuning. Our accuracy-consistent backdoor attack illustrates that the imperceptibility can be originated from label, image, and statistic aspects.ResultTo verify the effectiveness and invisibility of proposed method, experiments are compared to 3 kind of popular methods on ImageN et, MNIST, and CIFAR-10 datasets. For one-to-oneself attack, it can confuse the high accuracies-poisoned model through poisoning a small proportion（7%） of original clean samples on ImageN et, MNIST, and CIFAR-10. Compared to the clean model on all three datasets,the backdoor is inactivated by the trigger when clean samples are tested. There is slight decrease of poisoned accuracy,which is less than 1%. It should be noted that the label of poisoned image is changed to the target label with some backdoor attack, mislabeled input-label pairs will be detected in practice easily. Hence, we did not modify the triggers-injected label of image, while every input-label pair in the training sets of some classical methods is correct-matched. For classical all-toone attack, the proposed method could classify the same accuracy-based clean samples, and it have comparable attack success rates（more than 99%） when poisoned samples are tested. The trigger of BadN et beyond is invisible against human visual inspection. The trigger-embedded are imperceptible, and the poisoned image is natural and hard to be distinguished from the original clean image. We use learned perceptual image patch similarity（ LPIPS）, peak signal-to-noise ratio（PSNR）, and structural similarity（ SSIM） as the metrics for invisibility to quantify as well. Compared with the three methods, the mean distance between the poisoned images generated by ours and original images is almost zero with a nearzero LPIPS value. With the highest SSIM values as well on three datasets, our poisoned samples are more similar to their corresponding benign ones. Meanwhile, our attack achieves the highest PSNR values（ more than 43 dB on ImageN et,MNIST, CIFAR-10）. For MNIST, PSNR score can be optimized more and reached to 52. 4 dB.ConclusionAn imperceptible backdoor attack is proposed, where the poisoned image have its label-validated invisible trigger. Hidden-data based triggers are embedded in images invisibly. The poisoned images are similar to original clean ones in this way as well. The user can be imperceptive during the whole process and could not be aware of the abnormality, while other attackers cannot utilize the trigger. And, a new attack paradigm, one-to-oneself attack, is designed for clean-label backdoor attack. Specifically, the original label can keep in consistency when trigger-selected is used for poisoning the images. Behind the success of the new attack paradigm, most defenses will be invalid, which are based on the assumption that samples-poisoned may have a changed label. Finally, our backdoor attack proposed has its potentials to imperceptibility in relevant to label, image and statistic-contexts.

Zixuan Zhu,Rui Wang,Cong Zou,Lihua Jing

DOI: https://doi.org/10.1109/ICCV51070.2023.00021

2024-05-31

Abstract:Recently, backdoor attacks have posed a serious security threat to the training process of deep neural networks (DNNs). The attacked model behaves normally on benign samples but outputs a specific result when the trigger is present. However, compared with the rocketing progress of backdoor attacks, existing defenses are difficult to deal with these threats effectively or require benign samples to work, which may be unavailable in real scenarios. In this paper, we find that the poisoned samples and benign samples can be distinguished with prediction entropy. This inspires us to propose a novel dual-network training framework: The Victim and The Beneficiary (V&B), which exploits a poisoned model to train a clean model without extra benign samples. Firstly, we sacrifice the Victim network to be a powerful poisoned sample detector by training on suspicious samples. Secondly, we train the Beneficiary network on the credible samples selected by the Victim to inhibit backdoor injection. Thirdly, a semi-supervised suppression strategy is adopted for erasing potential backdoors and improving model performance. Furthermore, to better inhibit missed poisoned samples, we propose a strong data augmentation method, AttentionMix, which works well with our proposed V&B framework. Extensive experiments on two widely used datasets against 6 state-of-the-art attacks demonstrate that our framework is effective in preventing backdoor injection and robust to various attacks while maintaining the performance on benign samples. Our code is available at <a class="link-external link-https" href="https://github.com/Zixuan-Zhu/VaB" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Loc Truong,Chace Jones,Brian Hutchinson,Andrew August,Brenda Praggastis,Robert Jasper,Nicole Nichols,Aaron Tuor

DOI: https://doi.org/10.48550/arXiv.2004.11514

2020-04-24

Abstract:Backdoor data poisoning attacks have recently been demonstrated in computer vision research as a potential safety risk for machine learning (ML) systems. Traditional data poisoning attacks manipulate training data to induce unreliability of an ML model, whereas backdoor data poisoning attacks maintain system performance unless the ML model is presented with an input containing an embedded "trigger" that provides a predetermined response advantageous to the adversary. Our work builds upon prior backdoor data-poisoning research for ML image classifiers and systematically assesses different experimental conditions including types of trigger patterns, persistence of trigger patterns during retraining, poisoning strategies, architectures (ResNet-50, NasNet, NasNet-Mobile), datasets (Flowers, CIFAR-10), and potential defensive regularization techniques (Contrastive Loss, Logit Squeezing, Manifold Mixup, Soft-Nearest-Neighbors Loss). Experiments yield four key findings. First, the success rate of backdoor poisoning attacks varies widely, depending on several factors, including model architecture, trigger pattern and regularization technique. Second, we find that poisoned models are hard to detect through performance inspection alone. Third, regularization typically reduces backdoor success rate, although it can have no effect or even slightly increase it, depending on the form of regularization. Finally, backdoors inserted through data poisoning can be rendered ineffective after just a few epochs of additional training on a small set of clean data without affecting the model's performance.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Linyang Li,Demin Song,Xiaonan Li,Jiehang Zeng,Ruotian Ma,Xipeng Qiu

DOI: https://doi.org/10.18653/v1/2021.emnlp-main.241

2021-01-01

Abstract: \textbf{P}re-\textbf{T}rained \textbf{M}odel\textbf{s} have been widely applied and recently proved vulnerable under backdoor attacks: the released pre-trained weights can be maliciously poisoned with certain triggers. When the triggers are activated, even the fine-tuned model will predict pre-defined labels, causing a security threat. These backdoors generated by the poisoning methods can be erased by changing hyper-parameters during fine-tuning or detected by finding the triggers. In this paper, we propose a stronger weight-poisoning attack method that introduces a layerwise weight poisoning strategy to plant deeper backdoors; we also introduce a combinatorial trigger that cannot be easily detected. The experiments on text classification tasks show that previous defense methods cannot resist our weight-poisoning method, which indicates that our method can be widely applied and may provide hints for future model robustness studies.

Rishi D. Jha,Jonathan Hayase,Sewoong Oh

2023-10-29

Abstract:In a backdoor attack, an adversary injects corrupted data into a model's training dataset in order to gain control over its predictions on images with a specific attacker-defined trigger. A typical corrupted training example requires altering both the image, by applying the trigger, and the label. Models trained on clean images, therefore, were considered safe from backdoor attacks. However, in some common machine learning scenarios, the training labels are provided by potentially malicious third-parties. This includes crowd-sourced annotation and knowledge distillation. We, hence, investigate a fundamental question: can we launch a successful backdoor attack by only corrupting labels? We introduce a novel approach to design label-only backdoor attacks, which we call FLIP, and demonstrate its strengths on three datasets (CIFAR-10, CIFAR-100, and Tiny-ImageNet) and four architectures (ResNet-32, ResNet-18, VGG-19, and Vision Transformer). With only 2% of CIFAR-10 labels corrupted, FLIP achieves a near-perfect attack success rate of 99.4% while suffering only a 1.8% drop in the clean test accuracy. Our approach builds upon the recent advances in trajectory matching, originally introduced for dataset distillation.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition