CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Yansong Gao,Bao Gia Doan,Zhi Zhang,Siqi Ma,Jiliang Zhang,Anmin Fu,Surya Nepal,Hyoungshick Kim

DOI: https://doi.org/10.48550/arXiv.2007.10760

2020-08-02

Abstract:This work provides the community with a timely comprehensive review of backdoor attacks and countermeasures on deep learning. According to the attacker's capability and affected stage of the machine learning pipeline, the attack surfaces are recognized to be wide and then formalized into six categorizations: code poisoning, outsourcing, pretrained, data collection, collaborative learning and post-deployment. Accordingly, attacks under each categorization are combed. The countermeasures are categorized into four general classes: blind backdoor removal, offline backdoor inspection, online backdoor inspection, and post backdoor removal. Accordingly, we review countermeasures, and compare and analyze their advantages and disadvantages. We have also reviewed the flip side of backdoor attacks, which are explored for i) protecting intellectual property of deep learning models, ii) acting as a honeypot to catch adversarial example attacks, and iii) verifying data deletion requested by the data <a class="link-external link-http" href="http://contributor.Overall" rel="external noopener nofollow">this http URL</a>, the research on defense is far behind the attack, and there is no single defense that can prevent all types of backdoor attacks. In some cases, an attacker can intelligently bypass existing defenses with an adaptive attack. Drawing the insights from the systematic review, we also present key areas for future research on the backdoor, such as empirical security evaluations from physical trigger attacks, and in particular, more efficient and practical countermeasures are solicited.

Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.040

2007-01-01

Abstract:According to the analysis of Trojan horse attack patterns,implant methods,the security model of windows and limitations of the Trojan horse detection technologies at present,A defense against Trojan horse system based on restricted token is stated in this paper.Combined with constructing the secure work environment,auditing the startup of applications and restraining the malicious action of Trojan horse.The design of process environment control module,service manager module,register monitoring and anomaly diagnose module are focused on.At last,the experiment result validates the feasibility and availability of this system.

Orson Mengara,Anderson Avila,Tiago. H. Falk,Tiago H. Falk

DOI: https://doi.org/10.1109/access.2024.3355816

IF: 3.9

2024-03-02

IEEE Access

Abstract:Deep neural network (DNN) classifiers are potent instruments that can be used in various security-sensitive applications. Nonetheless, they are vulnerable to certain attacks that impede or distort their learning process. For example, backdoor attacks involve polluting the DNN learning set with a few samples from one or more source classes, which are then labeled as target classes by an attacker. Even if the DNN is trained on clean samples with no backdoors, this attack will still be successful if a backdoor pattern exists in the training data. Backdoor attacks are difficult to spot and can be used to make the DNN behave maliciously, depending on the target selected by the attacker. In this study, we survey the literature and highlight the latest advances in backdoor attack strategies and defense mechanisms. We finalize the discussion on challenges and open issues, as well as future research opportunities.

computer science, information systems,telecommunications,engineering, electrical & electronic

XU Ming,YANG Tong,ZHENG Lian-qing,ZHANG Chuan-rong

2011-01-01

Abstract:To reinforce network security and prevent Trojan horse attacks,a concealing technology by triple jump in load and thread guard is analyzed and implemented with an example,and a Trojan horse using the technology is programmed,and the hidden nature and survivability of the Trojan horse is enhanced by it.Finally,the corresponding cleaning method is put forward.Experimental results show that the Trojan horse completes the expected hidden features,and can penetrate the latest Rising anti-virus software,Rising Firewall and general hardware firewalls,which demonstrate the feasibility and effectiveness of the concealing technology.

Liang Cai,Xiaohu Yang,Jinxiang Dong

2001-01-01

Abstract:We briefly introduce the special characteristics of database security in information warfare and related researches, then emphasis the importance of antagonizing, malicious DBMS in information warfare. This paper suggests a threat model for malicious DBMS by carefully analyzing the possible security threats by malicious DBMS, then a database security architecture capable of antagonizing the malicious DBMS is proposed based on this threat model and the special requirements of critical applications in China. It can greatly improve the critical application's capability to antagonize malicious DBMS by incorporating, self-controlled authentication, principal / object mapping, transparent attribute encryption / decryption, attribute / tuple level mandatory access control, and parallel structure of multiple DBMSs.

Jinyin Chen,Haiyang Xiong,Haibin Zheng,Jian Zhang,Yi Liu

DOI: https://doi.org/10.1109/tnse.2023.3301673

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Dynamic link prediction (DLP) makes graph prediction based on historical information. Since most DLP methods are highly dependent on the training data to achieve satisfying prediction performance, the quality of the training data is crucial. Backdoor attacks induce the DLP methods to make wrong prediction by the malicious training data, i.e., generating a subgraph sequence as the trigger and embedding it to the training data. However, the vulnerability of DLP toward backdoor attacks has not been studied yet. To address the issue, we propose a novel backdoor attack framework on DLP, denoted as Dyn-Backdoor. Specifically, Dyn-Backdoor generates diverse initial-triggers by a generative adversarial network (GAN). Then partial links of the initial-triggers are selected to form a trigger set, according to the gradient information of the attack discriminator in the GAN, so as to reduce the size of triggers and improve the concealment of the attack. Experimental results show that Dyn-Backdoor launches effective backdoor attacks on several state-of-the-art DLP models with a success rate more than 90%. Additionally, we conduct a possible defense against Dyn-Backdoor to testify its resistance in defensive settings, highlighting the needs of defenses for backdoor attacks on DLP. The code of Dyn-Backdoor is open sourced at https://github.com/Seaocn/Dyn-Backdoor.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Akshaj Veldanda,Siddharth Garg

DOI: https://doi.org/10.48550/arXiv.2010.12186

2020-10-23

Abstract:Deep neural networks (DNNs) demonstrate superior performance in various fields, including scrutiny and security. However, recent studies have shown that DNNs are vulnerable to backdoor attacks. Several defenses were proposed in the past to defend DNNs against such backdoor attacks. In this work, we conduct a critical analysis and identify common pitfalls in these existing defenses, prepare a comprehensive database of backdoor attacks, conduct a side-by-side evaluation of existing defenses against this database. Finally, we layout some general guidelines to help researchers develop more robust defenses in the future and avoid common mistakes from the past.

Machine Learning

Guanxiong Liu,Abdallah Khreishah,Fatima Sharadgah,Issa Khalil

DOI: https://doi.org/10.1109/TNNLS.2022.3204283

Abstract:Trojan backdoor is a poisoning attack against neural network (NN) classifiers in which adversaries try to exploit the (highly desirable) model reuse property to implant Trojans into model parameters for backdoor breaches through a poisoned training process. To misclassify an input to a target class, the attacker activates the backdoor by augmenting the input with a predefined trigger that is only known to her/him. Most of the proposed defenses against Trojan attacks assume a white-box setup, in which the defender either has access to the inner state of NN or is able to run backpropagation through it. In this work, we propose a more practical black-box defense, dubbed TrojDef. In a black-box setup, the defender can only run forward-pass of the NN. TrojDef is motivated by the Trojan poisoned training, in which the model is trained on both benign and Trojan inputs. TrojDef tries to identify and filter out Trojan inputs (i.e., inputs augmented with the Trojan trigger) by monitoring the changes in the prediction confidence when the input is repeatedly perturbed by random noise. We derive a function based on the prediction outputs which is called the prediction confidence bound to decide whether the input example is Trojan or not. The intuition is that Trojan inputs are more stable as the misclassification only depends on the trigger, while benign inputs will suffer when augmented with noise due to the perturbation of the classification features. Through mathematical analysis, we show that if the attacker is perfect in injecting the backdoor, the Trojan infected model will be trained to learn the appropriate prediction confidence bound, which is used to distinguish Trojan and benign inputs under arbitrary perturbations. However, because the attacker might not be perfect in injecting the backdoor, we introduce a nonlinear transform to the prediction confidence bound to improve the detection accuracy in practical settings. Extensive empirical evaluations show that TrojDef significantly outperforms the-state-of-the-art defenses and is highly stable under different settings, even when the classifier architecture, the training process, or the hyperparameters change.

徐艳湘,黄皓,胡勇强

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.04.042

2010-01-01

Abstract:Dynamic link mechanism for shared libraries brings some advantages,such as physical memory saving,facilitating the upgrade of libraries,etc. But it also leads to new security risks. Aiming at this problem,this paper studies the dynamic link mechanism in an attempt to bring up a run-time monitoring and protection method for dynamic shared libraries,which give each shared library file a digital signature and verify it in runtime,and monitor every library function call. Experimental results show that the method is effective for defending several common attacks to shared libraries.

HU Chao-jian,XUE Yi-bo,ZHAO Liang,LI Zhou-jun

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.08.018

2013-01-01

Abstract:Any embedded system firmware without file system will integrate its system code and user application code into a single file. This setting has brought some additional difficulties to analyze them. Aimed at this kind of firmware, the problem of library function identification was analyzed, and several heuristic methods to recognize some important function relevant with manipulating network socket and character string/memory were proposed. Based on this analysis, the backdoor detection problem of some typical types including unauthorized listener, unintended function, hidden func-tion, outward connection request etc. were discussed, and several backdoors (one is critical level) in a real world firm-ware were found. The result shows this method of identifying library function can be useful for security analysis to this type of firmware.

Mingli Zhu,Siyuan Liang,Baoyuan Wu

2024-05-30

Abstract:Deep neural networks face persistent challenges in defending against backdoor attacks, leading to an ongoing battle between attacks and defenses. While existing backdoor defense strategies have shown promising performance on reducing attack success rates, can we confidently claim that the backdoor threat has truly been eliminated from the model? To address it, we re-investigate the characteristics of the backdoored models after defense (denoted as defense models). Surprisingly, we find that the original backdoors still exist in defense models derived from existing post-training defense strategies, and the backdoor existence is measured by a novel metric called backdoor existence coefficient. It implies that the backdoors just lie dormant rather than being eliminated. To further verify this finding, we empirically show that these dormant backdoors can be easily re-activated during inference, by manipulating the original trigger with well-designed tiny perturbation using universal adversarial attack. More practically, we extend our backdoor reactivation to black-box scenario, where the defense model can only be queried by the adversary during inference, and develop two effective methods, i.e., query-based and transfer-based backdoor re-activation attacks. The effectiveness of the proposed methods are verified on both image classification and multimodal contrastive learning (i.e., CLIP) tasks. In conclusion, this work uncovers a critical vulnerability that has never been explored in existing defense strategies, emphasizing the urgency of designing more robust and advanced backdoor defense mechanisms in the future.

Computer Vision and Pattern Recognition

Ulrich Bayer,Andreas Moser,Christopher Kruegel,Engin Kirda

DOI: https://doi.org/10.1007/s11416-006-0012-2

2006-05-16

Journal in Computer Virology

Abstract:Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment, which leads to excellent emulation accuracy. These factors make TTAnalyze an ideal tool for quickly understanding the behavior of an unknown malware.

Yiming Li,Yong Jiang,Zhifeng Li,Shu-Tao Xia

DOI: https://doi.org/10.1109/tnnls.2022.3182979

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Backdoor attack intends to embed hidden backdoors into deep neural networks (DNNs), so that the attacked models perform well on benign samples, whereas their predictions will be maliciously changed if the hidden backdoor is activated by attacker-specified triggers. This threat could happen when the training process is not fully controlled, such as training on third-party datasets or adopting third-party models, which poses a new and realistic threat. Although backdoor learning is an emerging and rapidly growing research area, there is still no comprehensive and timely review of it. In this article, we present the first comprehensive survey of this realm. We summarize and categorize existing backdoor attacks and defenses based on their characteristics, and provide a unified framework for analyzing poisoning-based backdoor attacks. Besides, we also analyze the relation between backdoor attacks and relevant fields (i.e., adversarial attacks and data poisoning), and summarize widely adopted benchmark datasets. Finally, we briefly outline certain future research directions relying upon reviewed works. A curated list of backdoor-related resources is also available at https://github.com/THUYimingLi/backdoor-learning-resources.

S. Zhou,Guanghui Ren,Yaling Liu,Xinyu Yang

2018-02-07

Abstract:In recent years, the Internet as a symbol of the computer network protocols, standards and application technology development is extremely rapid. But the Internet is like a sharp double-edged sword, it is for the convenience of people at the same time, but also for computer viruses and computer crime to provide the soil, for systems, network protocols and databases, whether it is its own design flaws, or due to human factors caused by a variety of security vulnerabilities, may be some of the other attempts to use hackers and attack, so the establishment of an effective network security system is even more urgent. To ensure network security, reliable, you must be familiar with the general process of hacker network attacks. The only way to do before the hacker attack the necessary precautions is to ensure that the network is safe and reliable operation. This article comprehensively analyzes the steps, methods and common attack tools of network attack, and tells the concrete precautionary measures from several aspects, so that readers have a comprehensive network of knowledge, in the treatment of network threats are well prepared.

Computer Science,Engineering

Zhen Xiang,David J Miller,George Kesidis

DOI: https://doi.org/10.1109/TNNLS.2020.3041202

Abstract:With wide deployment of deep neural network (DNN) classifiers, there is great potential for harm from adversarial learning attacks. Recently, a special type of data poisoning (DP) attack, known as a backdoor (or Trojan), was proposed. These attacks do not seek to degrade classification accuracy, but rather to have the classifier learn to classify to a target class t∗ whenever the backdoor pattern is present in a test example originally from a source class s∗ . Launching backdoor attacks does not require knowledge of the classifier or its training process-only the ability to poison the training set with exemplars containing a backdoor pattern (labeled with the target class). Defenses against backdoors can be deployed before/during training, post-training, or at test time. Here, we address post-training detection in DNN image classifiers, seldom considered in existing works, wherein the defender does not have access to the poisoned training set, but only to the trained classifier itself, as well as to clean (unpoisoned) examples from the classification domain. This scenario is of great interest because e.g., a classifier may be the basis of a phone app that will be shared with many users. Detection may thus reveal a widespread attack. We propose a purely unsupervised anomaly detection (AD) defense against imperceptible backdoor attacks that: 1) detects whether the trained DNN has been backdoor-attacked; 2) infers the source and target classes in a detected attack; 3) estimates the backdoor pattern itself. Our AD approach involves learning (via suitable cost function minimization) the minimum size/norm perturbation (putative backdoor) required to induce the classifier to misclassify (most) examples from class s to class t , for all (s,t) pairs. Our hypothesis is that nonattacked pairs require large perturbations, while the attacked pair (s∗, t∗) requires much smaller ones. This is convincingly borne out experimentally. We identify a variety of plausible cost functions and devise a novel, robust hypothesis testing approach to perform detection inference. We test our approach, in comparison with the state-of-the-art methods, for several backdoor patterns, attack settings and mechanisms, and data sets and demonstrate its favorability. Our defense essentially requires setting a single hyperparameter (the detection threshold), which can e.g., be chosen to fix the system's false positive rate.

Quan Zhang,Yifeng Ding,Yongqiang Tian,Jianmin Guo,Min Yuan,Yu Jiang

DOI: https://doi.org/10.1145/3460319.3464809

2021-01-01

Abstract:Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

Yayuan Xiong,Fengyuan Xu,Sheng Zhong,Qun Li

DOI: https://doi.org/10.1007/978-3-030-58201-2_29

2020-01-01

Abstract:Malicious attacks become a top concern in the field of deep learning (DL) because they have kept threatening the security and safety of applications where DL models are deployed. The backdoor attack, an emerging one among these malicious attacks, attracts a lot of research attentions in detecting it because of its severe consequences. Latest backdoor detections have made great progress by reconstructing backdoor triggers and performing the corresponding outlier detection. Although they are effective on existing triggers, they still fall short of detecting stealthy ones which are proposed in this work. New triggers of our backdoor attack can be generally inserted into DL models through a hidden and reconstruction-resistant manner. We evaluate our attack against two state-of-the-art detections on three different data sets, and demonstrate that our attack is able to successfully insert target backdoors and also escape the detections. We hope our design is able to shed some light on how the backdoor detection should be advanced along this line in future.

Arezoo Rajabi,Bhaskar Ramasubramanian,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.2203.15506

2022-03-25

Cryptography and Security

Abstract:Machine learning (ML) models that use deep neural networks are vulnerable to backdoor attacks. Such attacks involve the insertion of a (hidden) trigger by an adversary. As a consequence, any input that contains the trigger will cause the neural network to misclassify the input to a (single) target class, while classifying other inputs without a trigger correctly. ML models that contain a backdoor are called Trojan models. Backdoors can have severe consequences in safety-critical cyber and cyber physical systems when only the outputs of the model are available. Defense mechanisms have been developed and illustrated to be able to distinguish between outputs from a Trojan model and a non-Trojan model in the case of a single-target backdoor attack with accuracy > 96 percent. Understanding the limitations of a defense mechanism requires the construction of examples where the mechanism fails. Current single-target backdoor attacks require one trigger per target class. We introduce a new, more general attack that will enable a single trigger to result in misclassification to more than one target class. Such a misclassification will depend on the true (actual) class that the input belongs to. We term this category of attacks multi-target backdoor attacks. We demonstrate that a Trojan model with either a single-target or multi-target trigger can be trained so that the accuracy of a defense mechanism that seeks to distinguish between outputs coming from a Trojan and a non-Trojan model will be reduced. Our approach uses the non-Trojan model as a teacher for the Trojan model and solves a min-max optimization problem between the Trojan model and defense mechanism. Empirical evaluations demonstrate that our training procedure reduces the accuracy of a state-of-the-art defense mechanism from >96 to 0 percent.