Xueluan Gong,Yanjiao Chen,Wenbin Yang,Huayang Huang,Qian Wang

DOI: https://doi.org/10.1145/3605212

IF: 2.717

2023-01-01

ACM Transactions on Privacy and Security

Abstract:Backdoor attacks aim to inject backdoors to victim machine learning models during training time, such that the backdoored model maintains the prediction power of the original model towards clean inputs and misbehaves towards backdoored inputs with the trigger. The reason for backdoor attacks is that resource-limited users usually download sophisticated models from model zoos or query the models from MLaaS rather than training a model from scratch, thus a malicious third party has a chance to provide a backdoored model. In general, the more precious the model provided (i.e., models trained on rare datasets), the more popular it is with users. In this article, from a malicious model provider perspective, we propose a black-box backdoor attack, named B 3 , where neither the rare victim model (including the model architecture, parameters, and hyperparameters) nor the training data is available to the adversary. To facilitate backdoor attacks in the black-box scenario, we design a cost-effective model extraction method that leverages a carefully constructed query dataset to steal the functionality of the victim model with a limited budget. As the trigger is key to successful backdoor attacks, we develop a novel trigger generation algorithm that intensifies the bond between the trigger and the targeted misclassification label through the neuron with the highest impact on the targeted label. Extensive experiments have been conducted on various simulated deep learning models and the commercial API of Alibaba Cloud Compute Service. We demonstrate that B 3 has a high attack success rate and maintains high prediction accuracy for benign inputs. It is also shown that B 3 is robust against state-of-the-art defense strategies against backdoor attacks, such as model pruning and NC.

Kangjie Chen,Xiaoxuan Lou,Guowen Xu,Jiwei Li,Tianwei Zhang

2023-01-01

Abstract:Multi-label models have been widely used in various applications including image annotation and object detection. The fly in the ointment is its inherent vulnerability to backdoor attacks due to the adoption of deep learning techniques. However, all existing backdoor attacks exclusively require to modify training inputs (e.g., images), which may be impractical in real-world applications. In this paper, we aim to break this wall and propose the first clean-image backdoor attack, which only poisons the training labels without touching the training samples. Our key insight is that in a multi-label learning task, the adversary can just manipulate the annotations of training samples consisting of a specific set of classes to activate the backdoor. We design a novel trigger exploration method to find convert and effective triggers to enhance the attack performance. We also propose three target label selection strategies to achieve different goals. Experimental results indicate that our clean-image backdoor can achieve a 98% attack success rate while preserving the model's functionality on the benign inputs. Besides, the proposed clean-image backdoor can evade existing state-of-the-art defenses.

Jie Zhang,Bo Li,Jianghe Xu,Shuang Wu,Shouhong Ding,Lei Zhang,Chao Wu

DOI: https://doi.org/10.1109/CVPR52688.2022.01469

2022-01-01

Abstract:Classic black-box adversarial attacks can take advantage of transferable adversarial examples generated by a similar substitute model to successfully fool the target model. However, these substitute models need to be trained by target models' training data, which is hard to acquire due to privacy or transmission reasons. Recognizing the limited availability of real data for adversarial queries, recent works proposed to train substitute models in a data-free black-box scenario. However, their generative adversarial networks (GANs) based framework suffers from the convergence failure and the model collapse, resulting in low efficiency. In this paper, by rethinking the collaborative relationship between the generator and the substitute model, we design a novel black-box attack framework. The proposed method can efficiently imitate the target model through a small number of queries and achieve high attack success rate. The comprehensive experiments over six datasets demonstrate the effectiveness of our method against the state-of-the-art attacks. Especially, we conduct both label-only and probability-only attacks on the Microsoft Azure online model, and achieve a 100% attack success rate with only 0.46% query budget of the SOTA method [49].

Yizhi Ren,Qi Zhou,Zhen Wang,Ting Wu,Guohua Wu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.cose.2019.101698

2020-03-01

Abstract:Recent studies have shown that machine learning algorithms are susceptible to imperceptible perturbations. These studies focus on the laboratory environment, where the attacker has knowledge about internal information of the victim model or feedbacks such as class probabilities. There is still a gap between theory and physical world, the risk of adversarial attacks under the more extreme and realistic condition needs to be figured out. Here we propose a knowledge restricted black-box attack model where the attacker can only get the final predict label. In the meantime, we model the attacker as a resource-restricted one, such as query-limited. The limitations of knowledge level and resources make previous work unable to be directly applied. For this problem, the current state-of-the-art method is boundary attack, however it requires large a number of queries. In this paper, we make several contributions to investigate the vulnerability of machine learning models in more realistic scenarios. First, we reconstruct the optimization problem, measure the quality of the sample points by L2 distance. Second, we provide a more effective algorithm, using cutting plane method and local optimization. Third, we propose two effective dynamic defense strategy, which is easy to implement. At last, we conduct an experimental evaluation on MNIST, Fashion-MNIST and malware detection datasets. The results show that (1) compared with state-of-the-art method, our cutting plane method reduces the number of queries while ensuring the attack efficiency; (2) Dynamic defense strategy is effective against label-only adversarial attacks, the rate of attack success dropped from nearly 100% to 23%, with a considerable classification accuracy; (3) Improved defense strategy guarantees the effectiveness of defense and improves the stability of the whole model.

computer science, information systems

Qianqian Xu,Zhiyong Yang,Yunrui Zhao,Xiaochun Cao,Qingming Huang

DOI: https://doi.org/10.1109/TPAMI.2022.3220849

Abstract:Nowadays, machine learning (ML) and deep learning (DL) methods have become fundamental building blocks for a wide range of AI applications. The popularity of these methods also makes them widely exposed to malicious attacks, which may cause severe security concerns. To understand the security properties of the ML/DL methods, researchers have recently started to turn their focus to adversarial attack algorithms that could successfully corrupt the model or clean data owned by the victim with imperceptible perturbations. In this paper, we study the Label Flipping Attack (LFA) problem, where the attacker expects to corrupt an ML/DL model's performance by flipping a small fraction of the labels in the training data. Prior art along this direction adopts combinatorial optimization problems, leading to limited scalability toward deep learning models. To this end, we propose a novel minimax problem which provides an efficient reformulation of the sample selection process in LFA. In the new optimization problem, the sample selection operation could be implemented with a single thresholding parameter. This leads to a novel training algorithm called Sample Thresholding. Since the objective function is differentiable and the model complexity does not depend on the sample size, we can apply Sample Thresholding to attack deep learning models. Moreover, since the victim's behavior is not predictable in a poisonous attack setting, we have to employ surrogate models to simulate the true model employed by the victim model. Seeing the problem, we provide a theoretical analysis of such a surrogate paradigm. Specifically, we show that the performance gap between the true model employed by the victim and the surrogate model is small under mild conditions. On top of this paradigm, we extend Sample Thresholding to the crowdsourced ranking task, where labels collected from the annotators are vulnerable to adversarial attacks. Finally, experimental analyses on three real-world datasets speak to the efficacy of our method.

Wenjian Luo,Licai Zhang,Yulin Wu,Chuanyi Liu,Peiyi Han,Rongfei Zhuang

DOI: https://doi.org/10.1109/TAI.2023.3266419

2024-01-01

Abstract:In recent years, Machine Learning (ML) models, especially deep learning models, have become commodities. In this context, data centers which hold a lot of data often buy ML models from ML model providers, train them on their data locally and use the trained models to provide intelligent services. Existing work has shown that there is a risk of data leakage, which could cause incalculable consequences. Even under the black-box condition, there are still some attacks that can steal the private data held by data centers, and the Capacity Abuse Attack (CAA) is the state-of-the-art attack method. CAA attackers steal the training data by labeling malicious samples with the data to be stolen. However, the label encodings are usually mapped into other output forms such as categories, and it is impossible for the adversary to know the mapping relationship between the form outputted by the trained model and the label encodings. Without the mapping relationship, CAA becomes invalid. Aiming at the limitation of CAA, this study proposes a novel practical attack method, i.e., Capacity Abuse Attack II (CAAII), which can find the mapping relationship between the output in the arbitrary form returned by the trained model and the values of the stolen data. Experiments are conducted on MNIST, Fashion-MNIST, and CIFAR10 datasets, and experimental results show that no matter what forms are returned by the model, our attack method can always find the mapping relationship and successfully steals the training data.

Rishi D. Jha,Jonathan Hayase,Sewoong Oh

2023-10-29

Abstract:In a backdoor attack, an adversary injects corrupted data into a model's training dataset in order to gain control over its predictions on images with a specific attacker-defined trigger. A typical corrupted training example requires altering both the image, by applying the trigger, and the label. Models trained on clean images, therefore, were considered safe from backdoor attacks. However, in some common machine learning scenarios, the training labels are provided by potentially malicious third-parties. This includes crowd-sourced annotation and knowledge distillation. We, hence, investigate a fundamental question: can we launch a successful backdoor attack by only corrupting labels? We introduce a novel approach to design label-only backdoor attacks, which we call FLIP, and demonstrate its strengths on three datasets (CIFAR-10, CIFAR-100, and Tiny-ImageNet) and four architectures (ResNet-32, ResNet-18, VGG-19, and Vision Transformer). With only 2% of CIFAR-10 labels corrupted, FLIP achieves a near-perfect attack success rate of 99.4% while suffering only a 1.8% drop in the clean test accuracy. Our approach builds upon the recent advances in trajectory matching, originally introduced for dataset distillation.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Yixu Wang,Jie Li,Hong Liu,Yan Wang,Yongjian Wu,Feiyue Huang,Rongrong Ji

DOI: https://doi.org/10.1007/978-3-031-20065-6_12

2022-01-01

Abstract:Previous studies have verified that the functionality of blackbox models can be stolen with full probability outputs. However, under the more practical hard-label setting, we observe that existing methods suffer from catastrophic performance degradation. We argue this is due to the lack of rich information in the probability prediction and the overfitting caused by hard labels. To this end, we propose a novel hard-label model stealing method termed black-box dissector, which consists of two erasing-based modules. One is a CAM-driven erasing strategy that is designed to increase the information capacity hidden in hard labels from the victim model. The other is a random-erasing-based self-knowledge distillation module that utilizes soft labels from the substitute model to mitigate overfitting. Extensive experiments on four widely-used datasets consistently demonstrate that our method outperforms state-of-the-art methods, with an improvement of at most 8.27%. We also validate the effectiveness and practical potential of our method on real-world APIs and defense methods. Furthermore, our method promotes other related tasks, i.e., transfer adversarial attacks.

Xiangkai Yang,Wenjian Luo,Licai Zhang,Zhijian Chen,Jiahai Wang

DOI: https://doi.org/10.1109/icdis55630.2022.00017

2022-01-01

Abstract:In recent years, deep neural networks (DNNs) have been successfully applied in various tasks, and various third-party models are available to data holders. However, data holders who blindly use third-party models to train on their data may lead to data leakage, resulting in serious data privacy problems. The Capacity Abuse Attack (CAA) is the state-of-the-art black-box attack method which uses the labels of the augmented malicious dataset to encode the information of the training data. However, the expanded malicious dataset in CAA are artificially synthesized, not natural images, and significantly different from the original training data. Thus these malicious images are easy to be detected. In our attack, we use a technique similar to generating poisoned datasets in backdoor attacks, make malicious data generated similar to real and natural images, and make our attack more concealed. Extensive experiments are conducted, and the results demonstrate that our attack can effectively obtain the private training data of data holders without significantly impacting the model's original task.

Ngoc-Bao Nguyen,Keshigeyan Chandrasegaran,Milad Abdollahzadeh,Ngai-Man Cheung

2023-10-30

Abstract:In a model inversion (MI) attack, an adversary abuses access to a machine learning (ML) model to infer and reconstruct private training data. Remarkable progress has been made in the white-box and black-box setups, where the adversary has access to the complete model or the model's soft output respectively. However, there is very limited study in the most challenging but practically important setup: Label-only MI attacks, where the adversary only has access to the model's predicted label (hard label) without confidence scores nor any other model information. In this work, we propose LOKT, a novel approach for label-only MI attacks. Our idea is based on transfer of knowledge from the opaque target model to surrogate models. Subsequently, using these surrogate models, our approach can harness advanced white-box attacks. We propose knowledge transfer based on generative modelling, and introduce a new model, Target model-assisted ACGAN (T-ACGAN), for effective knowledge transfer. Our method casts the challenging label-only MI into the more tractable white-box setup. We provide analysis to support that surrogate models based on our approach serve as effective proxies for the target model for MI. Our experiments show that our method significantly outperforms existing SOTA Label-only MI attack by more than 15% across all MI benchmarks. Furthermore, our method compares favorably in terms of query budget. Our study highlights rising privacy threats for ML models even when minimal information (i.e., hard labels) is exposed. Our study highlights rising privacy threats for ML models even when minimal information (i.e., hard labels) is exposed. Our code, demo, models and reconstructed data are available at our project page: <a class="link-external link-https" href="https://ngoc-nguyen-0.github.io/lokt/" rel="external noopener nofollow">this https URL</a>

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Patrick P. K. Chan,Fengzhi Luo,Zitong Chen,Ying Shu,Daniel S. Yeung

DOI: https://doi.org/10.1016/j.ins.2020.10.016

IF: 8.1

2020-01-01

Information Sciences

Abstract:Recent studies indicate that a classifier is vulnerable in an adversarial environment. The label flipping attack aims to mislead the training process. Some countermeasures have been proposed, but are usually designed for a particular classifier only, or may cause information loss. This study aims to investigate a generic model which fully utilizes the contaminated samples in learning. We assume a small untainted dataset is obtained from an application in addition to a contaminated dataset. The adversarial learning problem is formulated as transfer learning in which the influence of contaminated samples is reduced by only extracting the information similar to the untainted samples from the contaminated set using transfer learning. Our study considers a popular method, TrAdaBoost, and indicates that its performance is closely related to the initialized weights of samples. A initialization method is devised specifically for an adversarial setting to avoid assigning a large weight to the contaminated samples. The experimental results confirm that TrAdaBoost extracts only the benign knowledge from the contaminated set successfully. Moreover, our proposed initialization method significantly enhances the robustness of the model. This study presents a promising direction using transfer learning to defend against poisoning attacks.

Xiangyuan Yang,Jie Lin,Hanlin Zhang,Peng Zhao

DOI: https://doi.org/10.1016/j.ins.2024.121013

IF: 8.1

2024-06-15

Information Sciences

Abstract:Black-box query attacks are effective at compromising deep-learning models using only the model's output. These attacks typically face challenges with low attack success rates (ASRs) when limited to fewer than ten queries per example. Recent approaches have improved ASRs due to the transferability of initial perturbations, yet they still suffer from inefficient querying. Our study introduces the Gradient-Aligned Attack (GAA) to enhance ASRs with minimal perturbation by focusing on the model's preference. We define a preference property where the generated adversarial example prefers to be misclassified as the wrong category with a high initial confidence. This property is further elucidated by the gradient preference, suggesting a positive correlation between the magnitude of a coefficient in a partial derivative and the norm of the derivative itself. Utilizing this, we devise the gradient-aligned CE (GACE) loss to precisely estimate gradients by aligning these coefficients between the surrogate and victim models, with coefficients assessed by the victim model's outputs. GAA, based on the GACE loss, also aims to achieve the smallest perturbation. Our tests on ImageNet, CIFAR10, and Imagga API show that GAA can increase ASRs by 25.7% and 40.3% for untargeted and targeted attacks respectively, while only needing minimally disruptive perturbations. Furthermore, the GACE loss reduces the number of necessary queries by up to 2.5x and enhances the transferability of advanced attacks by up to 14.2%, especially when using an ensemble surrogate model. Code is available at https://github.com/HaloMoto/GradientAlignedAttack .

computer science, information systems

Jing Lin,Ryan Luley,Kaiqi Xiong

DOI: https://doi.org/10.1109/icc45855.2022.9839219

2022-01-01

Abstract:Despite the wide-ranging applicability of machine learning methods, they are vulnerable to security attacks, such as evasion attacks and triggerless data poisoning attacks. An evasion attack occurs at the inference time when an attacker feeds in an adversarial example, a malicious perturbed input that appears the same as its untampered copy to a human oracle. In contrast, a triggerless data poisoning attack occurs at training time. An attacker tries to subvert learning with injected poisoned instances. In this research, we focus on a special sub-category of data poisoning attacks, namely triggerless clean-label targeted data poisoning attacks. This type of attacks is more realistic in the sense that it does not require an attacker to have the ability to change the label of any training instance. That is, attackers can successfully attack the training process with a poison instance that is correctly labeled by a human oracle. We propose a simple but effective way to alter an adversarial attack method into a triggerless clean-label targeted data poisoning attack method with a remarkable attack success rate. Furthermore, our proposed method only requires the injection of a single poison instance to manipulate a transfer learning model to misclassify an untampered targeted instance. We compare our method with a popular one-shot attack and show that our method is easier to be used as we do not need to tune for a hyperparameter such as a similarity coefficient.

Dayong Ye,Tianqing Zhu,Kun Gao,Wanlei Zhou

DOI: https://doi.org/10.1109/tifs.2024.3357292

IF: 7.231

2024-02-14

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning models are susceptible to a range of adversarial activities. These attacks are designed to either infer private information from the target model or deceive it. For instance, an attacker may attempt to discern if a given data example is from the model's training set (membership inference attacks) or create adversarial examples to mislead the model to make incorrect predictions (adversarial example attacks). Numerous defense methods have been proposed to counter these attacks. However, these methods typically share two common limitations. Firstly, most are not designed to address label-only attacks, which is a newly emerged kind of attacks that rely solely on the hard labels predicted by the target model. Secondly, they are often developed to mitigate specific attacks rather than universally various attacks. To address these limitations, this paper proposes a novel defense method that focuses on the most challenging attacks, i.e., label-only attacks, and can handle various types of label-only attacks. The key idea is to strategically modify the target model's predicted labels using a meta-reinforcement learning technique. This ensures that attackers receive incorrect labels while benign users continue to receive correct labels. Notably, the defender, i.e., the owner of the target model, can make effective decisions without knowledge of the attacker's behavior. The experimental results demonstrate that our proposed method is an effective defense against a range of attacks, including label-only model stealing, label-only membership inference, label-only model inversion, and label-only adversarial example attacks.

computer science, theory & methods,engineering, electrical & electronic

Jiancheng Yang,Yangzhou Jiang,Xiaoyang Huang,Bingbing Ni,Chenglong Zhao

2020-01-01

Abstract:This paper addresses the challenging black-box adversarial attack problem, where only classification confidence of a victim model is available. Inspired by consistency of visual saliency between different vision models, a surrogate model is expected to improve the attack performance via transferability. By combining transferability-based and query-based black-box attack, we propose a surprisingly simple baseline approach (named SimBA++) using the surrogate model, which significantly outperforms several state-of-the-art methods. Moreover, to efficiently utilize the query feedback, we update the surrogate model in a novel learning scheme, named High-Order Gradient Approximation (HOGA). By constructing a high-order gradient computation graph, we update the surrogate model to approximate the victim model in both forward and backward pass. The SimBA++ and HOGA result in Learnable Black-Box Attack (LeBA), which surpasses previous state of the art by considerable margins: the proposed LeBA significantly reduces queries, while keeping higher attack success rates close to 100 benchmarks and defensive models. Code is open source at https://github.com/TrustworthyDL/LeBA.

Andrea Paudice,Luis Muñoz-González,Emil C. Lupu

DOI: https://doi.org/10.48550/arXiv.1803.00992

2018-10-03

Abstract:Many machine learning systems rely on data collected in the wild from untrusted sources, exposing the learning algorithms to data poisoning. Attackers can inject malicious data in the training dataset to subvert the learning process, compromising the performance of the algorithm producing errors in a targeted or an indiscriminate way. Label flipping attacks are a special case of data poisoning, where the attacker can control the labels assigned to a fraction of the training points. Even if the capabilities of the attacker are constrained, these attacks have been shown to be effective to significantly degrade the performance of the system. In this paper we propose an efficient algorithm to perform optimal label flipping poisoning attacks and a mechanism to detect and relabel suspicious data points, mitigating the effect of such poisoning attacks.

Machine Learning,Cryptography and Security

Wentao Ye,Jiaqi Hu,Liyao Li,Haobo Wang,Gang Chen,Junbo Zhao

2024-06-03

Abstract:The rapid advancements of Large Language Models (LLMs) tightly associate with the expansion of the training data size. However, the unchecked ultra-large-scale training sets introduce a series of potential risks like data contamination, i.e. the benchmark data is used for training. In this work, we propose a holistic method named Polarized Augment Calibration (PAC) along with a new to-be-released dataset to detect the contaminated data and diminish the contamination effect. PAC extends the popular MIA (Membership Inference Attack) -- from machine learning community -- by forming a more global target at detecting training data to Clarify invisible training data. As a pioneering work, PAC is very much plug-and-play that can be integrated with most (if not all) current white- and black-box LLMs. By extensive experiments, PAC outperforms existing methods by at least 4.5%, towards data contamination detection on more 4 dataset formats, with more than 10 base LLMs. Besides, our application in real-world scenarios highlights the prominent presence of contamination and related issues.

Machine Learning

Pengpeng Chen,Yongqiang Yang,Dingqi Yang,Hailong Sun,Zhijun Chen,Peng Lin

DOI: https://doi.org/10.24963/ijcai.2023/332

2023-01-01

Abstract:Understanding the vulnerability of label aggregation against data poisoning attacks is key to ensuring data quality in crowdsourced label collection. State-of-the-art attack mechanisms generally assume full knowledge of the aggregation models while failing to consider the flexibility of malicious workers in selecting which instances to label. Such a setup limits the applicability of the attack mechanisms and impedes further improvement of their success rate. This paper introduces a black-box data poisoning attack framework that finds the optimal strategies for instance selection and labeling to attack unknown label aggregation models in crowdsourcing. We formulate the attack problem on top of a generic formalization of label aggregation models and then introduce a substitution approach that attacks a substitute aggregation model in replacement of the unknown model. Through extensive validation on multiple real-world datasets, we demonstrate the effectiveness of both instance selection and model substitution in improving the success rate of attacks.

Xinglong Chang,Gillian Dobbie,Jörg Wicker

2023-10-17

Abstract:Machine learning models are increasingly used in fields that require high reliability such as cybersecurity. However, these models remain vulnerable to various attacks, among which the adversarial label-flipping attack poses significant threats. In label-flipping attacks, the adversary maliciously flips a portion of training labels to compromise the machine learning model. This paper raises significant concerns as these attacks can camouflage a highly skewed dataset as an easily solvable classification problem, often misleading machine learning practitioners into lower defenses and miscalculations of potential risks. This concern amplifies in tabular data settings, where identifying true labels requires expertise, allowing malicious label-flipping attacks to easily slip under the radar. To demonstrate this risk is inherited in the adversary's objective, we propose FALFA (Fast Adversarial Label-Flipping Attack), a novel efficient attack for crafting adversarial labels. FALFA is based on transforming the adversary's objective and employs linear programming to reduce computational complexity. Using ten real-world tabular datasets, we demonstrate FALFA's superior attack potential, highlighting the need for robust defenses against such threats.

Machine Learning

Mingxing Duan,Guoqing Xiao,Kenli Li,Bin Xiao

DOI: https://doi.org/10.1109/tii.2023.3345472

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:Adversarial attack algorithms are useful for testing and improving the robustness of industrial AI models. However, attacking black-box models with limited queries and unknown real labels remains a significant challenge. To overcome this challenge, we propose using contrastive learning to train a generated substitute model called attack contrastive learning network (ACL-Net) to attack black-box models with very few queries and no real labels. ACL-Net achieves end-to-end contrastive learning during training without labels, which differs from previous contrastive learning methods that required separate training for the classification layer with labels. We improve ACL-Net&#x27;s robustness by using adversarial examples to train it during the attack stage. This approach results in more effective adversarial examples generated by ACL-Net. We conducted extensive experiments to validate the effectiveness of ACL-Net. Compared with the latest algorithms, ACL-Net requires fewer queries to achieve better attack performance, demonstrating its superiority in query-efficient black-box attacks. Overall, our approach presents a promising solution to the challenge of attacking black-box models with limited queries and unknown real labels. Our results show the effectiveness of using contrastive learning to train generated substitute models, and the potential for improving the robustness of industrial AI models through adversarial attacks.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial