Xueluan Gong,Yanjiao Chen,Jianshuo Dong,Qian Wang

DOI: https://doi.org/10.14722/ndss.2022.24012

2022-01-01

Abstract:—Deep neural networks have achieved remarkable success on a variety of mission-critical tasks. However, recent studies show that deep neural networks are vulnerable to backdoor attacks, where the attacker releases backdoored models that behave normally on benign samples but misclassify any trigger-imposed samples to a target label. Unlike adversarial examples, backdoor attacks manipulate both the inputs and the model, perturbing samples with the trigger and injecting backdoors into the model. In this paper, we propose a novel attention-based evasive backdoor attack, dubbed A TTEQ -NN . Different from existing works that arbitrarily set the trigger mask, we carefully design an attention- based trigger mask determination framework, which places the trigger at the crucial region with the most significant influence on the prediction results. To make the trigger-imposed samples appear more natural and imperceptible to human inspectors, we introduce a Quality-of-Experience (QoE) term into the loss function of trigger generation and carefully adjust the transparency of the trigger. During the process of iteratively optimizing the trigger generation and the backdoor injection components, we propose an alternating retraining strategy, which is shown to be effective in improving the clean data accuracy and evading some model-based defense approaches. We evaluate A TTEQ -NN with extensive experiments on VGG- Flower, CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets. The results show that A TTEQ -NN can increase the attack success rate by as much as 82% over baselines when the poison ratio is low while achieving a high QoE of the backdoored samples. We demonstrate that A TTEQ -NN reaches an attack success rate of more than 37.78% in the physical world under different lighting conditions and shooting angles. A TTEQ -NN preserves an attack success rate of more than 92.5% even if the original backdoored model is fine-tuned with clean data. It is shown that A TTEQ -NN is also effective in transfer learning scenarios. Our user studies show that the backdoored samples generated by A TTEQ -NN are indiscernible under visual inspections. A TTEQ -NN is shown to be evasive to state-of-the-art defense methods, including model pruning, NAD, STRIP, NC, and MNTD. We will open-source our codes upon publication.

Xiangyu Qi,Tinghao Xie,Ruizhe Pan,Jifeng Zhu,Yong Yang,Kai Bu

DOI: https://doi.org/10.1109/cvpr52688.2022.01299

2022-01-01

Abstract:One major goal of the AI security community is to securely and reliably produce and deploy deep learning models for real-world applications. To this end, data poisoning based backdoor attacks on deep neural networks (DNNs) in the production stage (or training stage) and corresponding defenses are extensively explored in recent years. Ironically, backdoor attacks in the deployment stage, which can often happen in unprofessional users’ devices and are thus arguably far more threatening in real-world scenarios, draw much less attention of the community. We attribute this imbalance of vigilance to the weak practicality of existing deployment-stage backdoor attack algorithms and the insufficiency of real-world attack demonstrations. To fill the blank, in this work, we study the realistic threat of deployment-stage backdoor attacks on DNNs. We base our study on a commonly used deployment-stage attack paradigm — adversarial weight attack, where adversaries selectively modify model weights to embed backdoor into deployed DNNs. To approach realistic practicality, we propose the first gray-box and physically realizable weights attack algorithm for backdoor injection, namely subnet replacement attack (SRA), which only requires architecture information of the victim model and can support physical triggers in the real world. Extensive experimental simulations and system-level real-world attack demonstrations are conducted. Our results not only suggest the effectiveness and practicality of the proposed attack algorithm, but also reveal the practical risk of a novel type of computer virus that may widely spread and stealthily inject backdoor into DNN models in user devices. By our study, we call for more attention to the vulnerability of DNNs in the deployment stage.

Xiangyin Kong,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3093386

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure.

Jiangnan Li,Yingyuan Yang,Jinyuan Stella Sun

DOI: https://doi.org/10.48550/arXiv.2010.09212

2020-10-16

Cryptography and Security

Abstract:Effective detection of energy theft can prevent revenue losses of utility companies and is also important for smart grid security. In recent years, enabled by the massive fine-grained smart meter data, deep learning (DL) approaches are becoming popular in the literature to detect energy theft in the advanced metering infrastructure (AMI). However, as neural networks are shown to be vulnerable to adversarial examples, the security of the DL models is of concern. In this work, we study the vulnerabilities of DL-based energy theft detection through adversarial attacks, including single-step attacks and iterative attacks. From the attacker's point of view, we design the \textit{SearchFromFree} framework that consists of 1) a randomly adversarial measurement initialization approach to maximize the stolen profit and 2) a step-size searching scheme to increase the performance of black-box iterative attacks. The evaluation based on three types of neural networks shows that the adversarial attacker can report extremely low consumption measurements to the utility without being detected by the DL models. We finally discuss the potential defense mechanisms against adversarial attacks in energy theft detection.

Yige Li,Xixiang Lyu,Nodens Koren,Lingjuan Lyu,Bo Li,Xingjun Ma

DOI: https://doi.org/10.48550/arXiv.2101.05930

IF: 5.414

2021-01-15

Machine Learning

Abstract:Deep neural networks (DNNs) are known vulnerable to backdoor attacks, a training time attack that injects a trigger pattern into a small proportion of training data so as to control the model's prediction at the test time. Backdoor attacks are notably dangerous since they do not affect the model's performance on clean examples, yet can fool the model to make incorrect prediction whenever the trigger pattern appears during testing. In this paper, we propose a novel defense framework Neural Attention Distillation (NAD) to erase backdoor triggers from backdoored DNNs. NAD utilizes a teacher network to guide the finetuning of the backdoored student network on a small clean subset of data such that the intermediate-layer attention of the student network aligns with that of the teacher network. The teacher network can be obtained by an independent finetuning process on the same clean subset. We empirically show, against 6 state-of-the-art backdoor attacks, NAD can effectively erase the backdoor triggers using only 5\% clean training data without causing obvious performance degradation on clean examples. Code is available in https://github.com/bboylyg/NAD.

Zeming Yao,Hangtao Zhang,Yicheng Guo,Xin Tian,Wei Peng,Yi Zou,Leo Yu Zhang,Chao Chen

DOI: https://doi.org/10.1109/tdsc.2024.3369751

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The backdoor attack on deep neural network models implants malicious data patterns in a model to induce attacker-desirable behaviors. Existing defense methods fall into the online and offline categories, in which the offline models achieve state-of-the-art detection rates but are restricted by heavy computation overhead. In contrast, their more deployable online counterparts lack the means to detect source-specific backdoors with large sizes. This work proposes a new online backdoor detection method—Reverse Backdoor Distillation (RBD) to handle issues associated with source-specific and source-agnostic backdoor attacks. RBD, designed with the novel perspective of distilling instead of erasing backdoor knowledge, is a complementary backdoor detection methodology that can be used in conjunction with other online backdoor defenses. Considering the fact that trigger data will cause overwhelming neuron activation while clean data will not, RBD distills backdoor attack pattern knowledge from a suspicious model to create a shadow model, which is subsequently deployed online along with the original model in scope to predict a backdoor attack. We extensively evaluate RBD on several datasets (MNIST, GTSRB, CIFAR-10) with diverse model architectures and trigger patterns. RBD outperforms online benchmarks in all experimental settings. Notably, RBD demonstrates superior capability in detecting source-specific attacks, where comparison methods fail, underscoring the effectiveness of our proposed technique. Moreover, RBD achieves a computational savings of at least 97%.

computer science, information systems, software engineering, hardware & architecture

Xiaoyun Xu,Zhuoran Liu,Stefanos Koffas,Shujian Yu,Stjepan Picek

2024-05-30

Abstract:Backdoor attacks on deep learning represent a recent threat that has gained significant attention in the research community. Backdoor defenses are mainly based on backdoor inversion, which has been shown to be generic, model-agnostic, and applicable to practical threat scenarios. State-of-the-art backdoor inversion recovers a mask in the feature space to locate prominent backdoor features, where benign and backdoor features can be disentangled. However, it suffers from high computational overhead, and we also find that it overly relies on prominent backdoor features that are highly distinguishable from benign features. To tackle these shortcomings, this paper improves backdoor feature inversion for backdoor detection by incorporating extra neuron activation information. In particular, we adversarially increase the loss of backdoored models with respect to weights to activate the backdoor effect, based on which we can easily differentiate backdoored and clean models. Experimental results demonstrate our defense, BAN, is 1.37$\times$ (on CIFAR-10) and 5.11$\times$ (on ImageNet200) more efficient with 9.99% higher detect success rate than the state-of-the-art defense BTI-DBF. Our code and trained models are publicly available.\url{https://anonymous.4open.science/r/ban-4B32}

Machine Learning,Cryptography and Security

Xinrui Liu,Yajie Wang,Yu-an Tan,Kefan Qiu,Yuanzhang Li

2023-05-10

Abstract:Deep neural networks (DNNs) have made tremendous progress in the past ten years and have been applied in various critical applications. However, recent studies have shown that deep neural networks are vulnerable to backdoor attacks. By injecting malicious data into the training set, an adversary can plant the backdoor into the original model. The backdoor can remain hidden indefinitely until activated by a sample with a specific trigger, which is hugely concealed, bringing serious security risks to critical applications. However, one main limitation of current backdoor attacks is that the trigger is often visible to human perception. Therefore, it is crucial to study the stealthiness of backdoor triggers. In this paper, we propose a novel frequency-domain backdooring technique. In particular, our method aims to add a backdoor trigger in the frequency domain of original images via Discrete Fourier Transform, thus hidding the trigger. We evaluate our method on three benchmark datasets: MNIST, CIFAR-10 and Imagenette. Our experiments show that we can simultaneously fool human inspection and DNN models. We further apply two image similarity evaluation metrics to illustrate that our method adds the most subtle perturbation without compromising attack success rate and clean sample accuracy.

Cryptography and Security

Yujia Liu,Weiming Zhang,Shaohua Li,Nenghai Yu

2017-01-01

Abstract:Deep neural networks (DNNs) have achieved tremendous success in many tasks of machine learning, such as the image classification. Unfortunately, researchers have shown that DNNs are easily attacked by adversarial examples, slightly perturbed images which can mislead DNNs to give incorrect classification results. Such attack has seriously hampered the deployment of DNN systems in areas where security or safety requirements are strict, such as autonomous cars, face recognition, malware detection. Defensive distillation is a mechanism aimed at training a robust DNN which significantly reduces the effectiveness of adversarial examples generation. However, the state-of-the-art attack can be successful on distilled networks with 100% probability. But it is a white-box attack which needs to know the inner information of DNN. Whereas, the black-box scenario is more general. In this paper, we first propose the epsilon-neighborhood attack, which can fool the defensively distilled networks with 100% success rate in the white-box setting, and it is fast to generate adversarial examples with good visual quality. On the basis of this attack, we further propose the region-based attack against defensively distilled DNNs in the black-box setting. And we also perform the bypass attack to indirectly break the distillation defense as a complementary method. The experimental results show that our black-box attacks have a considerable success rate on defensively distilled networks.

Zhinan Ding,Feng Wu,Lei Cui,Xiao Hu,Gang Xie

DOI: https://doi.org/10.1007/978-3-031-33458-0_4

2023-01-01

Abstract:The advanced metering infrastructure (AMI) system has been rapidly established around the world, effectively improving the communication capability of the power system. Problematically, it turns out malicious users can easily commit energy theft by tampering with smart meters. Thus, many data-driven methods have been proposed to detect energy theft in AMI. However, existing detection schemes lack consideration for well-planned covert attacks, making them vulnerable. This paper proposes a real-time covert attack model based on conditional generative adversarial network (CGAN). In particular, based on the transferability of adversarial samples, we first extract the data features that the malicious detection model focuses on during the detection process. Then, we utilize these extracted features and a generator to generate adversarial perturbations that can mislead malicious detection models. Finally, to make the generated perturbations more stealthy, a discriminator is used to simulate malicious detection models to correct them. Extensive experiments demonstrate that our proposed attack method can evade most current detection methods.

Ziqiang Li,Hong Sun,Pengfei Xia,Heng Li,Beihao Xia,Yi Wu,Bin Li

DOI: https://doi.org/10.48550/arxiv.2306.08386

2023-01-01

Abstract:Recent deep neural networks (DNNs) have came to rely on vast amounts of training data, providing an opportunity for malicious attackers to exploit and contaminate the data to carry out backdoor attacks. However, existing backdoor attack methods make unrealistic assumptions, assuming that all training data comes from a single source and that attackers have full access to the training data. In this paper, we introduce a more realistic attack scenario where victims collect data from multiple sources, and attackers cannot access the complete training data. We refer to this scenario as $\textbf{data-constrained backdoor attacks}$. In such cases, previous attack methods suffer from severe efficiency degradation due to the $\textbf{entanglement}$ between benign and poisoning features during the backdoor injection process. To tackle this problem, we introduce three CLIP-based technologies from two distinct streams: $\textit{Clean Feature Suppression}$ and $\textit{Poisoning Feature Augmentation}$. The results demonstrate remarkable improvements, with some settings achieving over $\textbf{100}$% improvement compared to existing attacks in data-constrained scenarios.

Lei Cui,Lei Guo,Longxiang Gao,Borui Cai,Youyang Qu,Yipeng Zhou,Shui Yu

DOI: https://doi.org/10.1109/tii.2021.3089976

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:The advanced metering infrastructure in modern networked smart homes brings various advantages, such as multiple pricing and energy scheduling. However, smart homes are vulnerable to many cyberattacks, and the most striking one is energy theft. Researchers have developed many countermeasures, fostered by advanced machine learning (ML) techniques. Nevertheless, recent advances are not robust enough in practice, partially due to the vulnerabilities of employed ML algorithms. Given a group of smart homes, in this article, we present a covert electricity theft strategy through mimicking normal consumption patterns and compromising neighboring meters concurrently. Such attack is almost impossible to be detected by existing solutions as the manipulated data have little deviation against honest usage records. To address this threat, we initially identify and define two levels of consumption deviations: home-level and interpersonal-level, respectively. Then, we design a feature extraction scheme that can capture the correlation between attacks and honest customers. Finally, we develop a new deep learning-based detection model. Extensive experiments based on real-world datasets show that the presented attack could evade existing mainstream detectors but still gain high profits. In addition, the proposed countermeasure outperforms state-of-the-art detection methods.

Jun Xia,Ting Wang,Jiepin Ding,Xian Wei,Mingsong Chen

DOI: https://doi.org/10.48550/arXiv.2204.09975

2022-04-24

Abstract:Due to the prosperity of Artificial Intelligence (AI) techniques, more and more backdoors are designed by adversaries to attack Deep Neural Networks (DNNs).Although the state-of-the-art method Neural Attention Distillation (NAD) can effectively erase backdoor triggers from DNNs, it still suffers from non-negligible Attack Success Rate (ASR) together with lowered classification ACCuracy (ACC), since NAD focuses on backdoor defense using attention features (i.e., attention maps) of the same order. In this paper, we introduce a novel backdoor defense framework named Attention Relation Graph Distillation (ARGD), which fully explores the correlation among attention features with different orders using our proposed Attention Relation Graphs (ARGs). Based on the alignment of ARGs between both teacher and student models during knowledge distillation, ARGD can eradicate more backdoor triggers than NAD. Comprehensive experimental results show that, against six latest backdoor attacks, ARGD outperforms NAD by up to 94.85% reduction in ASR, while ACC can be improved by up to 3.23%.

Machine Learning

Xueluan Gong,Bowei Tian,Meng Xue,Yuan Wu,Yanjiao Chen,Qian Wang

2024-12-09

Abstract:Recent studies have revealed the vulnerability of Deep Neural Network (DNN) models to backdoor attacks. However, existing backdoor attacks arbitrarily set the trigger mask or use a randomly selected trigger, which restricts the effectiveness and robustness of the generated backdoor triggers. In this paper, we propose a novel attention-based mask generation methodology that searches for the optimal trigger shape and location. We also introduce a Quality-of-Experience (QoE) term into the loss function and carefully adjust the transparency value of the trigger in order to make the backdoored samples to be more natural. To further improve the prediction accuracy of the victim model, we propose an alternating retraining algorithm in the backdoor injection process. The victim model is retrained with mixed poisoned datasets in even iterations and with only benign samples in odd iterations. Besides, we launch the backdoor attack under a co-optimized attack framework that alternately optimizes the backdoor trigger and backdoored model to further improve the attack performance. Apart from DNN models, we also extend our proposed attack method against vision transformers. We evaluate our proposed method with extensive experiments on VGG-Flower, CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets. It is shown that we can increase the attack success rate by as much as 82\% over baselines when the poison ratio is low and achieve a high QoE of the backdoored samples. Our proposed backdoor attack framework also showcases robustness against state-of-the-art backdoor defenses.

Computer Vision and Pattern Recognition,Cryptography and Security

Nitasha Khan,Muhammad Amir Raza,Darakhshan Ara,Sohrab Mirsaeidi,Aamir Ali,Ghulam Abbas,Muhammad Shahid,Ezzeddine Touti,Amr Yousef,Mounir Bouzguenda

DOI: https://doi.org/10.3389/fenrg.2023.1287413

IF: 3.4

2023-01-01

Frontiers in Energy Research

Abstract:Electricity theft (ET), which endangers public safety, creates a problem with the regular operation of grid infrastructure and increases revenue losses. Numerous machine learning, deep learning, and mathematical-based algorithms are available to find ET. Still, these models do not produce the best results due to problems like the dimensionality curse, class imbalance, improper hyper-parameter tuning of machine learning and deep learning models, etc. We present a hybrid deep learning model for effectively detecting electricity thieves in smart grids while considering the abovementioned concerns. Pre-processing techniques are first employed to clean up the data from the smart meters. Then, the feature extraction technique, like AlexNet, addresses the curse of dimensionality. The effectiveness of the proposed method is evaluated through simulations using a real dataset of Chinese intelligent meters. To conduct a comparative analysis, various benchmark models are implemented as well. Our proposed model achieves accuracy, precision, recall, and F1, up to 86%, 89%, 86%, and 84%, respectively.

Junhao Shi,Yunpeng Gao,Dexi Gu,Yunfeng Li,Kang Chen

DOI: https://doi.org/10.1016/j.ijepes.2022.108642

IF: 5.659

2023-01-01

International Journal of Electrical Power & Energy Systems

Abstract:With the establishment of advanced metering infrastructure (AMI), more and more deep learning (DL) methods are being used for electricity theft detection. However, there are still problems such as the construction of a DL model that better fits the theft detection task, sample imbalance in the data set and overfitting of the model which limit the potential of DL models. Therefore, a novel end-to-end solution based on DL to solve these problems for electricity theft detection is proposed in this paper. First, we construct a model based on Transformer Neural Network (TNN), which extracts global features of consumption data by calculating the self-attention between each segment obtained by dividing the whole load sequence, and calculates the relative relationship between features for customer classification. Then, we refine the model to further improve its performance. Conv-attentional module is used to embed the input data and capture the local features in each segment. And we minimize the effect of sample imbalance by choosing a suitable loss function, and address the problem of model overfitting by adding normalization layers, dropout regularization and L2 regularization. In addition, grid search is used to determine the optimal values of the model hyper-parameters. Finally, the performance of the proposed model is verified by experiments using the Irish data set. The results show that our method is able to extract features more efficiently and thus has a higher true positive rate (TPR) with a lower false positive rate (FPR) than other state-of-the-art detectors, and it has strong robustness.

Jiangnan Li,Yingyuan Yang,Jinyuan Stella Sun,Kevin Tomsovic,Hairong Qi

DOI: https://doi.org/10.48550/arXiv.2102.09057

2021-02-17

Cryptography and Security

Abstract:False data injection attack (FDIA) is a critical security issue in power system state estimation. In recent years, machine learning (ML) techniques, especially deep neural networks (DNNs), have been proposed in the literature for FDIA detection. However, they have not considered the risk of adversarial attacks, which were shown to be threatening to DNN's reliability in different ML applications. In this paper, we evaluate the vulnerability of DNNs used for FDIA detection through adversarial attacks and study the defensive approaches. We analyze several representative adversarial defense mechanisms and demonstrate that they have intrinsic limitations in FDIA detection. We then design an adversarial-resilient DNN detection framework for FDIA by introducing random input padding in both the training and inference phases. Extensive simulations based on an IEEE standard power system show that our framework greatly reduces the effectiveness of adversarial attacks while having little impact on the detection performance of the DNNs.

Yanjiao Chen,Xueluan Gong,Qian Wang,Xing Di,Huayang Huang

DOI: https://doi.org/10.1109/mnet.011.1900577

IF: 10.294

2020-09-01

IEEE Network

Abstract:Deep neural networks have achieved tremendous success in various fields, especially in recognition and classification applications. However, faced with the difficulty of training millions of parameters of such networks, many users outsource the training procedure of a specific prediction work to the powerful cloud servers that own abundant computation and storage resources. Although such outsourced training can significantly simplify and expedite the development circles, it also introduces many security risks. In recent years, a new type of attack, the so-called backdoor attack, has attracted much attention, where the attacker's goal is to create a maliciously deep neural network to make misclassification on the special inputs with the backdoor trigger. For its concealment, such attacks can potentially cause disastrous consequences. Subsequently, many defense mechanisms against this attack are also appearing. In this article, we conduct a retrospective review on the existing schemes of the backdoor attacks and defenses in outsourced cloud environments. According to the resources the adversary has, and whether the detection time is during run-time or not, we classify the attack and defense approaches into multiple categories. We present a detailed overview of each category, and we provide a comparison of these approaches and evaluate part of the attack schemes by the experiments. We also highlight various future research directions in this field. These views shed light on possible avenues for future research.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xueluan Gong,Yanjiao Chen,Qian Wang,Huayang Huang,Lingshuo Meng,Chao Shen,Qian Zhang

DOI: https://doi.org/10.1109/jsac.2021.3087237

IF: 16.4

2021-08-01

IEEE Journal on Selected Areas in Communications

Abstract:The time and monetary costs of training sophisticated deep neural networks are exorbitant, which motivates resource-limited users to outsource the training process to the cloud. Concerning that an untrustworthy cloud service provider may inject backdoors to the returned model, the user can leverage state-of-the-art defense strategies to examine the model. In this paper, we aim to develop robust backdoor attacks (named RobNet) that can evade existing defense strategies from the standpoint of malicious cloud providers. The key rationale is to diversify the triggers and strengthen the model structure so that the backdoor is hard to be detected or removed. To attain this objective, we refine the trigger generation algorithm by selecting the neuron(s) with large weights and activations and then computing the triggers via gradient descent to maximize the value of the selected neuron(s). In stark contrast to existing works that fix the trigger location, we design a multi-location patching method to make the model less sensitive to mild displacement of triggers in real attacks. Furthermore, we extend the attack space by proposing multi-trigger backdoor attacks that can misclassify inputs with different triggers into the same or different target label(s). We evaluate the performance of RobNet on MNIST, GTSRB, and CIFAR-10 datasets, against four representative defense strategies Pruning, NeuralCleanse, Strip, and ABS. The comparison with two state-of-the-art baselines BadNets and Hidden Backdoors demonstrates that RobNet achieves higher attack success rate and is more resistant to potential defenses.

telecommunications,engineering, electrical & electronic

Nan Zhong,Zhenxing Qian,Xinpeng Zhang

DOI: https://doi.org/10.1093/comjnl/bxad100

2023-01-01

Abstract:Recent studies show that neural networks are vulnerable to backdoor attacks, in which compromised networks behave normally for clean inputs but make mistakes when a pre-defined trigger appears. Although prior studies have designed various invisible triggers to avoid causing visual anomalies, they cannot evade some trigger detectors. In this paper, we consider the stealthiness of backdoor attacks from input space and feature representation space. We propose a novel backdoor attack named sparse backdoor attack, and investigate the minimum required trigger to induce the well-trained networks to make incorrect results. A U-net-based generator is employed to create triggers for each clean image. Considering the stealthiness of the trigger, we restrict the elements of the trigger between -1 and 1. In the aspect of the feature representation domain, we adopt an entanglement cost function to minimize the gap between feature representations of benign and malicious inputs. The inseparability of benign and malicious feature representations contributes to the stealthiness of our attack against various model diagnosis-based defences. We validate the effectiveness and generalization of our method by conducting extensive experiments on multiple datasets and networks.