Invisible Backdoor Attacks Against Deep Neural Networks

Authors: Haojin Zhu, Minhui Xue, Benjamin Zi Hao Zhao, Dali Kaafar, Jiahao Yu

DOI:

Keywords: Similarity (geometry), Artificial intelligence, Covert, Invisibility, MNIST database, Backdoor, Trojan, Computer science, Embedding, Steganography

Abstract: Deep neural networks (DNNs) have been proven vulnerable to backdoor attacks, where hidden features (patterns) trained into a normal model, which are only activated by some specific input (called triggers), trick the model into producing unexpected behavior. In this paper, we create covert and scattered triggers for backdoor attacks, called invisible backdoors, whose triggers can fool both DNN models and human inspection. We apply our invisible backdoors through two state-of-the-art methods of embedding triggers for backdoor attacks. The first approach, based on BadNets, embeds the trigger into DNNs through steganography. The second approach, a trojan attack, uses two types of additional regularization terms to generate triggers with irregular shape and size. We use the Attack Success Rate and Functionality to measure the performance of our attacks, and we introduce two novel definitions of invisibility for human perception: one is conceptualized by the Perceptual Adversarial Similarity Score (PASS) and the other by the Learned Perceptual Image Patch Similarity (LPIPS). We show that the proposed invisible backdoors can be fairly effective across various DNN models as well as four datasets, MNIST, CIFAR-10, CIFAR-100, and GTSRB, by measuring their attack success rates for the adversary, functionality for normal users, and invisibility scores for administrators. We finally argue that the proposed invisible backdoor attacks can effectively thwart state-of-the-art trojan backdoor detection approaches, such as Neural Cleanse and TABOR.

References (20)
J. Stallkamp, M. Schlipsing, J. Salmen, C. Igel. Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural Networks (2012 Special Issue), vol. 32, pp. 323-332 (2012). doi:10.1016/J.NEUNET.2012.02.016
Volodymyr Mnih, Koray Kavukcuoglu, David Silver, Andrei A. Rusu, Joel Veness, Marc G. Bellemare, Alex Graves, Martin Riedmiller, Andreas K. Fidjeland, Georg Ostrovski, Stig Petersen, Charles Beattie, Amir Sadik, Ioannis Antonoglou, Helen King, Dharshan Kumaran, Daan Wierstra, Shane Legg, Demis Hassabis. Human-level control through deep reinforcement learning. Nature, vol. 518, pp. 529-533 (2015). doi:10.1038/NATURE14236
Geoffrey Hinton, Li Deng, Dong Yu, George E. Dahl, Abdel-rahman Mohamed, Navdeep Jaitly, Andrew Senior, Vincent Vanhoucke, Patrick Nguyen, Tara N. Sainath, Brian Kingsbury. Deep Neural Networks for Acoustic Modeling in Speech Recognition: The Shared Views of Four Research Groups. IEEE Signal Processing Magazine, vol. 29, pp. 82-97 (2012). doi:10.1109/MSP.2012.2205597
Y. Bengio, A. Courville, P. Vincent. Representation Learning: A Review and New Perspectives. IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 35, pp. 1798-1828 (2013). doi:10.1109/TPAMI.2013.50
Giorgio Fumera, Battista Biggio, Fabio Roli, Claudia Eckert, Huang Xiao, Gavin Brown. Is Feature Selection Secure against Training Data Poisoning? International Conference on Machine Learning (ICML), vol. 2, pp. 1689-1698 (2015).
Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami. The Limitations of Deep Learning in Adversarial Settings. IEEE European Symposium on Security and Privacy (EuroS&P), pp. 372-387 (2016). doi:10.1109/EUROSP.2016.36
Kaiming He, Xiangyu Zhang, Shaoqing Ren, Jian Sun. Deep Residual Learning for Image Recognition. IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp. 770-778 (2016). doi:10.1109/CVPR.2016.90
David Silver, Aja Huang, Chris J. Maddison, Arthur Guez, Laurent Sifre, George van den Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershelvam, Marc Lanctot, Sander Dieleman, Dominik Grewe, John Nham, Nal Kalchbrenner, Ilya Sutskever, Timothy Lillicrap, Madeleine Leach, Koray Kavukcuoglu, Thore Graepel, Demis Hassabis. Mastering the game of Go with deep neural networks and tree search. Nature, vol. 529, pp. 484-489 (2016). doi:10.1038/NATURE16961
Reza Shokri, Marco Stronati, Congzheng Song, Vitaly Shmatikov. Membership Inference Attacks Against Machine Learning Models. 2017 IEEE Symposium on Security and Privacy (SP), pp. 3-18 (2017). doi:10.1109/SP.2017.41
Brendan Dolan-Gavitt, Siddharth Garg, Tianyu Gu. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. arXiv preprint, Cryptography and Security (cs.CR) (2017).