Xiangyu Qi,Tinghao Xie,Ruizhe Pan,Jifeng Zhu,Yong Yang,Kai Bu

DOI: https://doi.org/10.1109/cvpr52688.2022.01299

2022-01-01

Abstract:One major goal of the AI security community is to securely and reliably produce and deploy deep learning models for real-world applications. To this end, data poisoning based backdoor attacks on deep neural networks (DNNs) in the production stage (or training stage) and corresponding defenses are extensively explored in recent years. Ironically, backdoor attacks in the deployment stage, which can often happen in unprofessional users’ devices and are thus arguably far more threatening in real-world scenarios, draw much less attention of the community. We attribute this imbalance of vigilance to the weak practicality of existing deployment-stage backdoor attack algorithms and the insufficiency of real-world attack demonstrations. To fill the blank, in this work, we study the realistic threat of deployment-stage backdoor attacks on DNNs. We base our study on a commonly used deployment-stage attack paradigm — adversarial weight attack, where adversaries selectively modify model weights to embed backdoor into deployed DNNs. To approach realistic practicality, we propose the first gray-box and physically realizable weights attack algorithm for backdoor injection, namely subnet replacement attack (SRA), which only requires architecture information of the victim model and can support physical triggers in the real world. Extensive experimental simulations and system-level real-world attack demonstrations are conducted. Our results not only suggest the effectiveness and practicality of the proposed attack algorithm, but also reveal the practical risk of a novel type of computer virus that may widely spread and stealthily inject backdoor into DNN models in user devices. By our study, we call for more attention to the vulnerability of DNNs in the deployment stage.

Ziyong Ran,Yu Yao,Wenxuan Li,Wei Yang,Weihao Li,Yunfeng Wu

DOI: https://doi.org/10.1109/jiot.2024.3490579

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the exceptional ability of deep learning to extract high-dimensional structures from massive datasets, its application in the Industrial Internet of Things (IIoT) has become increasingly prevalent. However, the inherent security vulnerabilities of deep learning pose a significant threat to IIoT systems, particularly in the form of backdoor attacks. Current defense methods are primarily designed for image processing tasks, and due to the uniqueness of industrial environments, their effectiveness is significantly reduced because of the lack of precision when applied directly to the IIoT applications. To address these challenges, this paper proposes a trigger detection method tailored for industrial environments, capable of precisely calculating the values of triggers during the detection process. Building on this, we introduce a saliency map-based trigger pruning method to further refine the triggers. Finally, utilizing these refined triggers, we perform trigger recovery to complete the backdoor defense against the IIoT model. Furthermore, by integrating these approaches, we construct a comprehensive detection-pruning-recovery defense framework against backdoor attacks in industrial settings. Experimental results across multiple industrial scenarios demonstrate that our method enhances the robustness of industrial applications against backdoor attacks, outperforming existing defense mechanisms.

Jie Yang,Jun Zheng,Haochen Wang,Jiaxing Li,Haipeng Sun,Weifeng Han,Nan Jiang,Yu-An Tan

DOI: https://doi.org/10.3390/s23031052

2023-01-17

Abstract:Federated learning has a distributed collaborative training mode, widely used in IoT scenarios of edge computing intelligent services. However, federated learning is vulnerable to malicious attacks, mainly backdoor attacks. Once an edge node implements a backdoor attack, the embedded backdoor mode will rapidly expand to all relevant edge nodes, which poses a considerable challenge to security-sensitive edge computing intelligent services. In the traditional edge collaborative backdoor defense method, only the cloud server is trusted by default. However, edge computing intelligent services have limited bandwidth and unstable network connections, which make it impossible for edge devices to retrain their models or update the global model. Therefore, it is crucial to detect whether the data of edge nodes are polluted in time. This paper proposes a layered defense framework for edge-computing intelligent services. At the edge, we combine the gradient rising strategy and attention self-distillation mechanism to maximize the correlation between edge device data and edge object categories and train a clean model as much as possible. On the server side, we first implement a two-layer backdoor detection mechanism to eliminate backdoor updates and use the attention self-distillation mechanism to restore the model performance. Our results show that the two-stage defense mode is more suitable for the security protection of edge computing intelligent services. It can not only weaken the effectiveness of the backdoor at the edge end but also conduct this defense at the server end, making the model more secure. The precision of our model on the main task is almost the same as that of the clean model.

Zhixuan Ma,Haichang Gao,Shangwen Li,Ping Wang

DOI: https://doi.org/10.1109/tii.2024.3410319

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:Federated learning (FL) systems enable collaborative model training among industrial Internet of Things (IIoT) devices but face significant security challenges, particularly in backdoor attacks, due to the nonindependent and identically distributed (non-IID) nature of data. To address this challenge, we propose a stability-enhanced dynamic backdoor defense approach in FL for IIoT, which maintains primary task accuracy while strengthening defenses in non-IID environments. Leveraging the similarity between data distribution and model updates, we segment non-IID scenarios into multiple quasi-IID environments. Our approach includes a dynamic client matching module, a malicious filtering module, and robust personalized aggregation to reduce the success rate of backdoor attacks while augmenting the resilience and precision of the aggregated model. The effectiveness of our strategy has been validated through analyses on the Modified National Institute of Standards and Technology database (MNIST), Canadian Institute for Advanced Research, 10 classes (CIFAR-10), Internet of Things (IoT)-23, and Washington University in St. Louis (WUSTL)-IIOT datasets in both IID and non-IID scenarios. Notably, on the IoT-23 and WUSTL-IIOT, the success rate of backdoor attacks was significantly reduced to 3.46%.

Jiadai Wang,Jiajia Liu

DOI: https://doi.org/10.1109/jiot.2021.3126633

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Software-defined networking (SDN) has become an attractive solution to carry out centralized and efficient control in Industrial Internet of Things (IIoT). However, its security has received little attention when applied to IIoT, and no comprehensive consideration has been given to attacks against forwarding nodes (FNs), the basic elements of the data plane. Therefore, in this article, we aim to investigate attacks against FNs from multiple perspectives in software-defined IIoT. To the best of our knowledge, we are the first to systematically consider this kind of attacks. Since it is difficult to predeploy all defense methods against various attacks, we propose a deep reinforcement learning (DRL)-based general attack tolerance scheme to guide the benign traffic flow bypass the attacked FNs. Furthermore, in view of the situation that the real data set is rare and the standard model-based data set is likely to be impractical, we use generative adversarial network (GAN), a representative deep generative model (DGM), to flexibly generate real-like network traffic for more sufficient and effective experimental verification on the attack tolerance scheme. Experimental results show that our proposed scheme can significantly improve the successful arrival rate of IIoT traffic and achieve near-optimal results.

Hongcheng Huang,Peixin Ye,Min Hu,Jun Wu

DOI: https://doi.org/10.1016/j.dcan.2022.04.008

IF: 6.348

2022-04-01

Digital Communications and Networks

Abstract:Nowadays, a large number of intelligent devices involved in the Industrial Internet of Things (IIoT) environment are posing unprecedented cybersecurity challenges. Due to the limited budget for security protection, the IIoT devices are vulnerable and easily compromised to launch Distributed Denial-of-Service (DDoS) attacks, resulting in disastrous results. Unfortunately, considering the particularity of the IIoT environment, most of the defense solutions in traditional networks cannot be directly applied to IIoT with acceptable security performance. Therefore, in this work, we propose a multi-point collaborative defense mechanism against DDoS attacks for IIoT. Specifically, for the single point DDoS defense, we design an edge-centric mechanism termed EdgeDefense for the detection, identification, classification, and mitigation of DDoS attacks and the generation of defense information. For the practical multi-point scenario, we propose a collaborative defense model against DDoS attacks to securely share the defense information across the network through the blockchain. Besides, a fast defense information sharing mechanism is designed to reduce the delay of defense information sharing and provide a responsive cybersecurity guarantee. The simulation results indicate that the identification and classification performance of the two machine learning models designed for EdgeDefense are better than those of the state-of-the-art baseline models, and therefore EdgeDefense can defend against DDoS attacks effectively. The results also verify that the proposed fast sharing mechanism can reduce the propagation delay of the defense information blocks effectively, thereby improving the responsiveness of the multi-point collaborative DDoS defense.

telecommunications

Lei Zhang,Ya Peng,Lifei Wei,Congcong Chen,Xiaoyu Zhang

DOI: https://doi.org/10.1155/2023/9308909

IF: 1.968

2023-05-11

Security and Communication Networks

Abstract:Backdoor attacks have been recognized as a major AI security threat in deep neural networks (DNNs) recently. The attackers inject backdoors into DNNs during the model training such as federated learning. The infected model behaves normally on the clean samples in AI applications while the backdoors are only activated by the predefined triggers and resulted in the specified results. Most of the existing defensing approaches assume that the trigger settings on different poisoned samples are visible and identical just like a white square in the corner of the image. Besides, the sample-specific triggers are always invisible and difficult to detect in DNNs, which also becomes a great challenge against the existing defensing protocols. In this paper, to address the above problems, we propose a backdoor detecting and mitigating protocol based on a wider separate-then-reunion network (WISERNet) equipped with a cryptographic deep steganalyzer for color images, which detects the backdoors hiding behind the poisoned samples even if the embedding algorithm is unknown and further feeds the poisoned samples into the infected model for backdoor unlearning and mitigation. The experimental results show that our work performs better in the backdoor defensing effect compared to state-of-the-art backdoor defensing methods such as fine-pruning and ABL against three typical backdoor attacks. Our protocol reduces the attack success rate close to 0% on the test data and slightly decreases the classification accuracy on the clean samples within 3%.

computer science, information systems,telecommunications

Zhenzhu Chen,Anmin Fu,Yinghui Zhang,Zhe Liu,Fanjian Zeng,Robert H. Deng

DOI: https://doi.org/10.1109/jiot.2020.3033171

IF: 10.6

2021-04-01

IEEE Internet of Things Journal

Abstract:Deep learning makes the Internet-of-Things (IoT) devices more attractive, and in turn, IoT facilitates the resolution of the contradiction between data collection and privacy concerns. IoT devices with small-scale computing power can contribute to model training without sharing data in collaborative learning. However, collaborative learning is susceptible to generative adversarial network (GAN) attack, where an adversary can pretend to be a participant engaging in the model training and learn other participants' data. In this article, we propose a secure collaborative deep learning model which resists GAN attacks. We isolate the participants from the model parameters, and realize the local model training of participants via the interaction mode, ensuring that neither the participants nor the server would have access to each other's data. In particular, we target convolutional neural networks, the most popular network, design specific algorithms for various functionalities in different layers of the network, making it suitable for deep learning environments. To our best knowledge, this is the first work designing specific protocol against GAN attacks in collaborative learning. The results of our experiments on two real data sets show that our protocol can achieve good accuracy, efficiency, and image processing adaptability.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yi Zhao,Ke Xu,Haiyang Wang,Bo Li,Ruoxi Jia

DOI: https://doi.org/10.1109/mnet.011.2000265

IF: 10.294

2021-01-01

IEEE Network

Abstract:With the explosive development of mobile Internet and deep learning (DL), intelligent edge computing services based on collaborative learning are widely deployed in various application scenarios. These intelligent services include intelligent applications based on edge computing and DL-based optimization for edge computing (e.g., caching and communicating). However, in a wide variety of domains, DL has been found to be vulnerable to adversarial attacks, especially architecture-independent backdoor attacks. It embeds the attack pattern into the learned model and only performs the attack when it encounters the corresponding trigger. In this article, for the first time we analyze the impact of backdoor attacks on intelligent edge computing services. The simulation results demonstrate that once one or more edge nodes implement backdoor attacks, the embedded attack pattern will rapidly expand to all relevant edge nodes, which poses huge challenges to security-sensitive intelligent edge computing services. Subsequently, we analyze the trade-off between expected performance and ability to defend against backdoor attacks, which sheds new light on designing defense mechanisms for intelligent edge computing services. To address the challenges posed by backdoor attacks, we propose a stability-based defense mechanism. The experimental results demonstrate that the newly proposed defense mechanism can effectively defend against different levels of backdoor attacks without knowing whether there are adversaries, which is conducive to the deployment of the stability-based defense mechanism in real-world scenarios.

Xiang Ling,Shouling Ji,Jiaxu Zou,Jiannan Wang,Chunming Wu,Bo Li,Ting Wang

DOI: https://doi.org/10.1109/sp.2019.00023

2019-01-01

Abstract:Deep learning (DL) models are inherently vulnerable to adversarial examples - maliciously crafted inputs to trigger target DL models to misbehave - which significantly hinders the application of DL in security-sensitive domains. Intensive research on adversarial learning has led to an arms race between adversaries and defenders. Such plethora of emerging attacks and defenses raise many questions: Which attacks are more evasive, preprocessing-proof, or transferable? Which defenses are more effective, utility-preserving, or general? Are ensembles of multiple defenses more robust than individuals? Yet, due to the lack of platforms for comprehensive evaluation on adversarial attacks and defenses, these critical questions remain largely unsolved. In this paper, we present the design, implementation, and evaluation of DEEPSEC, a uniform platform that aims to bridge this gap. In its current implementation, DEEPSEC incorporates 16 state-of-the-art attacks with 10 attack utility metrics, and 13 state-of-the-art defenses with 5 defensive utility metrics. To our best knowledge, DEEPSEC is the first platform that enables researchers and practitioners to (i) measure the vulnerability of DL models, (ii) evaluate the effectiveness of various attacks/defenses, and (iii) conduct comparative studies on attacks/defenses in a comprehensive and informative manner. Leveraging DEEPSEC, we systematically evaluate the existing adversarial attack and defense methods, and draw a set of key findings, which demonstrate DEEPSEC's rich functionality, such as (1) the trade-off between misclassification and imperceptibility is empirically confirmed; (2) most defenses that claim to be universally applicable can only defend against limited types of attacks under restricted settings; (3) it is not necessary that adversarial examples with higher perturbation magnitude are easier to be detected; (4) the ensemble of multiple defenses cannot improve the overall defense capability, but can improve the lower bound of the defense effectiveness of individuals. Extensive analysis on DEEPSEC demonstrates its capabilities and advantages as a benchmark platform which can benefit future adversarial learning research.

Han Qiu,Yi Zeng,Shangwei Guo,Tianwei Zhang,Meikang Qiu,Bhavani Thuraisingham

DOI: https://doi.org/10.1145/3433210.3453108

2021-01-01

Abstract:Public resources and services (e.g., datasets, training platforms, pretrained models) have been widely adopted to ease the development of Deep Learning-based applications. However, if the third-party providers are untrusted, they can inject poisoned samples into the datasets or embed backdoors in those models. Such an integrity breach can cause severe consequences, especially in safety- and security-critical applications. Various backdoor attack techniques have been proposed for higher effectiveness and stealthiness. Unfortunately, existing defense solutions are not practical to thwart those attacks in a comprehensive way. In this paper, we investigate the effectiveness of data augmentation techniques in mitigating backdoor attacks and enhancing DL models' robustness. An evaluation framework is introduced to achieve this goal. Specifically, we consider a unified defense solution, which (1) adopts a data augmentation policy to fine-tune the infected model and eliminate the effects of the embedded backdoor; (2) uses another augmentation policy to preprocess input samples and invalidate the triggers during inference. We propose a systematic approach to discover the optimal policies for defending against different backdoor attacks by comprehensively evaluating 71 state-of-the-art data augmentation functions. Extensive experiments show that our identified policy can effectively mitigate eight different kinds of backdoor attacks and outperform five existing defense methods. We envision this framework can be a good benchmark tool to advance future DNN backdoor studies.

Congcong Chen,Lifei Wei,Lei Zhang,Ya Peng,Jianting Ning

DOI: https://doi.org/10.1155/2022/2985308

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Deep neural networks (DNNs) have profoundly changed our lifeways in recent years. The cost of training a complicated DNN model is always overwhelming for most users with limited computation and storage resources. Consequently, an increasing number of people are considering to resort to a cloud for an outsourced DNN model training. However, the DNN models training process outsourced to the cloud faces privacy and security issues due to the semi-honest and malicious cloud environments. To preserve the privacy of the data and the parameters in DNN models during the outsourced training and to detect whether the models are injected with backdoors, this paper presents DeepGuard, a framework of privacy-preserving backdoor detection and identification in an outsourced cloud environment for multi-participant computation. In particular, we design a privacy-preserving reverse engineering algorithm for recovering the triggers and detecting the backdoor attacks among three cooperative but non-collusion servers. Moreover, we propose a backdoor identification algorithm adapting to single-label and multi-label attack detection. Finally, extensive experiments on the prevailing datasets such as MNIST, SVHN, and GTSRB confirm the effectiveness and efficiency of backdoor detection and identification in a privacy-preserving DNN model.

Yihao Qiu,Jun Wu,Shahid Mumtaz,Jianhua Li,Anwer Al-Dulaimi,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1109/icc42927.2021.9500545

2021-01-01

Abstract:The evolution of deep learning has promoted the popularization of smart devices. However, due to the insufficient development of computing hardware, the ability to conduct local training on smart devices is greatly restricted, and it is usually necessary to deploy ready-made models. This opacity makes smart devices vulnerable to deep learning backdoor attacks. Some existing countermeasures against backdoor attacks are based on the attacker’s ignorance of defense. Once the attacker knows the defense mechanism, he can easily overturn it. In this paper, we propose a Trojaning attack defense framework based on moving target defense(MTD) strategy. According to the analysis of attack-defense game types and confrontation process, the moving target defense model based on signaling game was constructed. The simulation results show that in most cases, our technology can greatly increase the attack cost of the attacker, thereby ensuring the availability of Deep Neural Networks(DNN) and protecting it from Trojaning attacks.

Zhihan Lv,Dongliang Chen,Bin Cao,Houbing Song,Haibin Lv

DOI: https://doi.org/10.1109/tc.2021.3077687

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:While Digital Twins (DTs) bring convenience to city managers, they also generate new challenges to city network security. Currently, cyberspace security becomes increasingly complicated. Intrusion detection and Deep Learning (DL) are combined with shunning security threats in service computing systems and improving network defense capabilities. DTs can be applied to network security. Peoples understanding of cyberspace security can be improved using DTs to digitally define, model, and display the network environment and security status. The intrusion detection data are optimized based on DL technology, and a network intrusion detection algorithm integrated with Deep Neural Network (DNN) model is proposed. In the cloud service system, a trust model based on Keyed-Hashing-based Self-Synchronization (KHSS) is introduced. This model predicts the security state and detects attacks according to existing malicious attacks, ensuring the network security defense systems regular operation. Finally, simulation experiments verify the Deep Belief Networks (DBN) models feasibility and the cloud trust model. The DBN algorithm proposed improves the correct detection rate of unknown samples by 4.05% compared with the Support Vector Machine (SVM) algorithm.

engineering, electrical & electronic,computer science, hardware & architecture

Zikai Zhang,Chuntao Ding,Yidong Li,Jinhui Yu,Jingy Li

DOI: https://doi.org/10.1109/tsc.2024.3422870

IF: 11.019

2024-01-01

IEEE Transactions on Services Computing

Abstract:With the advancement of intelligent and networked technology, the Industrial Internet of Things (IIoT) faces an escalating threat from cyberattacks, especially by Advanced Persistent Threat (APT) attacks. These novel and complex attacks, characterized by their dynamic nature and life-long duration, pose significant challenges to existing security protection methods. The challenges are twofold, i.e., sparse reward problem in the long-lasting attack, and partial observation of attack actions. To this end, we propose a Security-as-a-Service based reinforcement learning method, namely Attention Augmented Dueling Deep Q-learning Network (AD2QN), to make real-time defense strategies for the hot standby IIoT. Firstly, we build the attack-defend confrontation model as black boxes interact with the IIoT environment to play a long-lasting partially observable zero-sum stochastic game on the server. Then, to dynamically generate optimal defense strategies as the service, AD2QN is proposed employing information completion and prediction to more informed action selection. Furthermore, AD2QN utilizes an iteratively updated reward network to deal with the sparse reward problem. Extensive simulation results shown that the defense strategies generated by our method have a higher defense success rate and a stable defense performance with the average success rate of 0.7384, while the average success rate of baseline methods was 0.7375, in the best case.

Yanjiao Chen,Xueluan Gong,Qian Wang,Xing Di,Huayang Huang

DOI: https://doi.org/10.1109/mnet.011.1900577

IF: 10.294

2020-09-01

IEEE Network

Abstract:Deep neural networks have achieved tremendous success in various fields, especially in recognition and classification applications. However, faced with the difficulty of training millions of parameters of such networks, many users outsource the training procedure of a specific prediction work to the powerful cloud servers that own abundant computation and storage resources. Although such outsourced training can significantly simplify and expedite the development circles, it also introduces many security risks. In recent years, a new type of attack, the so-called backdoor attack, has attracted much attention, where the attacker's goal is to create a maliciously deep neural network to make misclassification on the special inputs with the backdoor trigger. For its concealment, such attacks can potentially cause disastrous consequences. Subsequently, many defense mechanisms against this attack are also appearing. In this article, we conduct a retrospective review on the existing schemes of the backdoor attacks and defenses in outsourced cloud environments. According to the resources the adversary has, and whether the detection time is during run-time or not, we classify the attack and defense approaches into multiple categories. We present a detailed overview of each category, and we provide a comparison of these approaches and evaluate part of the attack schemes by the experiments. We also highlight various future research directions in this field. These views shed light on possible avenues for future research.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Zonghao Ying,Bin Wu

DOI: https://doi.org/10.1186/s42400-023-00141-4

2024-06-19

Abstract:Deep learning models are well known to be susceptible to backdoor attack, where the attacker only needs to provide a tampered dataset on which the triggers are injected. Models trained on the dataset will passively implant the backdoor, and triggers on the input can mislead the models during testing. Our study shows that the model shows different learning behaviors in clean and poisoned subsets during training. Based on this observation, we propose a general training pipeline to defend against backdoor attacks actively. Benign models can be trained from the unreliable dataset by decoupling the learning process into three stages, i.e., supervised learning, active unlearning, and active semi-supervised fine-tuning. The effectiveness of our approach has been shown in numerous experiments across various backdoor attacks and datasets.

Cryptography and Security

Yajie Wang,Kongyang Chen,Yu-an Tan,Shuxin Huang,Wencong Ma,Yuanzhang Li

DOI: https://doi.org/10.1109/TDSC.2022.3164073

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep neural networks (DNNs) are increasingly used as the critical component of applications, bringing high computational costs. Many practitioners host their models on third-party platforms. This practice exposes DNNs to risks: A third party hosting the model may use a malicious deep learning framework to implement a backdoor attack. Our goal is to develop the realistic potential for backdoor attacks in third-party hosting platforms. We introduce a threatening and realistically implementable backdoor attack that is highly stealthy and flexible. We inject trojans by hijacking the built-in functions of the deep learning framework. Existing backdoor attacks rely on poisoning; its trigger is a special pattern superimposed on the input. Unlike existing backdoor attacks, the proposed sequential trigger is a specific sequence of clean image sets. Moreover, our attack is model agnostic and does not require retraining the model or modifying the parameters. Its stealthy is that injecting trojans will not change the model's prediction for a clean image, so existing backdoor defenses cannot detect it. Its flexibility lies in that adversary can remodify the trojan behavior at any time. Extensive experiments on multiple benchmarks with different frameworks demonstrate that our attack achieves a perfect success rate (up to 100%) with minimal damage to model performance. And we can inject multiple trojans which do not affect each other at the same time, trojans hidden in the framework make a universal backdoor attack possible. Analysis and experiments further show that state-of-the-art defenses are ineffective against our attacks. Our work suggests that backdoor attacks in the supply chain need to be urgently explored.

Pengchuan Wang,Qianmu Li,Deqiang Li,Shunmei Meng,Muhammad Bilal,Amrit Mukherjee

DOI: https://doi.org/10.1016/j.jksuci.2023.101689

2023-01-01

Abstract:The Industrial 5.0 Model integrates enabling technologies such as deep learning, digital twins, and the meta-universe with new development concepts. However, model and data security may pose challenges for developing zero-defect production and other industrial manufacturing industries. To address this issue, we generate adversarial examples using a one-pixel attack in adversarial machine learning, which can fool the defect detection classification model. The traditional one-pixel attack based on the Differential Evolution (DE) algorithm has limited global search ability. Therefore, we use a novel algorithm called Teaching and Learning-based Moth-Flame Optimization (TLMFO), which enhances the global search performance and improves the attack effectiveness. We evaluate TLMFO on benchmark functions and attacks on Cifar10 and ImageNet datasets, and compare it with MFO and DE. The results show that TLMFO outperforms both MFO and DE in terms of accuracy and speed of convergence. Moreover, TLMFO achieves notably better attack effectiveness than DE under targeted and untargeted attacks on the Cifar10 dataset and under-targeted attacks on the ImageNet dataset. Our research confirms that safety prevention is a link worth considering in developing Industry 5.0.(c) 2023 The Author(s). Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).