DeepPoison: Feature Transfer Based Stealthy Poisoning Attack for DNNs

Chen, Jinyin; Zhang, Longyuan; Zheng, Haibin; Wang, Xueke; Ming, Zhaoyan

doi:10.1109/tcsii.2021.3060896

Cited by 14 publications

(17 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach is more efficient since it does not rely on attacking capability, then the number of samples necessary to cause the target model to drop in accuracy is minimum. A clear example of this is shown in DeepPoison [48] where only 7% of poisoned samples were required to cause an devastating 91% drop in accuracy, demostrating superior robustness when compared to other poisoning schemes such as: BadNets [58], Poison Frog [79], Invisible Poisoning attack [50], Fault Sneaking attack [80] and various backdoor attacks [81]- [83].…”

Section: A Discussion Archivesmentioning

confidence: 99%

“…Chen et al [48] proposes DeepPoison as stealthy featurebased data poisoning attack, capable of generating poisoned training samples indistinguishable from the honest samplies for human visual inspection, then making the poisoned samples mush less identifiable throughout the training process. Also the scheme proposed displays high resistance against other defense methods, since many existing defenses account for attack success rates deployed with patch-based poisoning samples.…”

Section: Attacks Using Gradient Optimization In Nnmentioning

confidence: 99%

See 1 more Smart Citation

Poisoning Attacks and Defenses on Artificial Intelligence: A Survey

Ramirez¹,

Kim²,

Hamadi³

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine learning models have been widely adopted in several fields. However, most recent studies have shown several vulnerabilities from attacks with a potential to jeopardize the integrity of the model, presenting a new window of research opportunity in terms of cyber-security. This survey is conducted with a main intention of highlighting the most relevant information related to security vulnerabilities in the context of machine learning (ML) classifiers; more specifically, directed towards training procedures against data poisoning attacks, representing a type of attack that consists of tampering the data samples fed to the model during the training phase, leading to a degradation in the model's overall accuracy during the inference phase. This work compiles the most relevant insights and findings found in the latest existing literatures addressing this type of attacks. Moreover, this paper also covers several defense techniques that promise feasible detection and mitigation mechanisms, capable of conferring a certain level of robustness to a target model against an attacker. A thorough assessment is performed on the reviewed works, comparing the effects of data poisoning on a wide range of ML models in real-world conditions, performing quantitative and qualitative analyses. This paper analyzes the main characteristics for each approach including performance success metrics, required hyperparameters, and deployment complexity. Moreover, this paper emphasizes the underlying assumptions and limitations considered by both attackers and defenders along with their intrinsic properties such as: availability, reliability, privacy, accountability, interpretability, etc. Finally, this paper concludes by making references of some of main existing research trends that provide pathways towards future research directions in the field of cyber-security.

show abstract

Section: A Discussion Archivesmentioning

confidence: 99%

Section: Attacks Using Gradient Optimization In Nnmentioning

confidence: 99%

Poisoning Attacks and Defenses on Artificial Intelligence: A Survey

Ramirez¹,

Kim²,

Hamadi³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Turner et al [39] exploit Generative Adversarial Networks (GANs) [18] to generate a label-consistent backdoor attack, where the label of an adversarially poisoned sample is consistent for a human observer but inconsistent for the targeted DNN. Chen et al [6] extend the same idea by utilizing GANs to generate imperceptible adversarial perturbations. Another similar work [9] leverages Style-GAN to generate the poisoned samples.…”

Section: A Attacksmentioning

confidence: 99%

“…We evaluate -attack on different types of defenses: (1) Februus 3 [12] (2) STRIP-ViTA 3 [17], (3) ULPdefense 4 [23] (4) Gradient-shaping 5 [20] and (5) Artificial Brain Stimulation (ABS) 4 [29]. We show that if the attacker uses -attack to poison the model, all these defenses can be significantly compromised, except Februus, which uses heatmaps 6 , instead of the statistical features, for input masking and reconstruction. Februus analyzes the model gradients for a given input to identify key regions contributing to the final decision of the model.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

HaS-Net: A Heal and Select Mechanism to Securely Train DNNs against Backdoor Attacks

Ali¹,

Nepal²,

Kanhere³

et al. 2021

Preprint

View full text Add to dashboard Cite

<div>We have witnessed the continuing arms race between backdoor attacks and the corresponding defense strategies on Deep Neural Networks (DNNs). However, most state-of-the-art defenses rely on the statistical sanitization of inputs or latent DNN representations to capture trojan behavior. In this paper, we first challenge the robustness of many recently reported defenses by introducing a novel variant of the targeted backdoor attack, called low-confidence backdoor attack. Low-confidence attack inserts the backdoor by assigning uniformly distributed probabilistic labels to the poisoned training samples, and is applicable to many practical scenarios such as Federated Learning and model-reuse cases. We evaluate our attack against five state-of-the-art defense methods, viz., STRIP, Gradient-Shaping, Februus, ULP-defense and ABS-defense, under the same threat model as assumed by the respective defenses and achieve Attack Success Rates (ASRs) of 99\%, 63.73%, 91.2%, 80% and 100%, respectively. After carefully studying the properties of the state-of-the-art attacks, including low-confidence attacks, we present HaS-Net, a mechanism to securely train DNNs against a number of backdoor attacks under the data-collection scenario. For this purpose, we use a reasonably small healing dataset, approximately 2% to 15% the size of training data, to heal the network at each iteration. We evaluate our defense for different datasets---Fashion-MNIST, CIFAR-10, Celebrity Face, Consumer Complaint and Urban Sound---and network architectures---MLPs, 2D-CNNs, 1D-CNNs---and against several attack configurations---standard backdoor attacks, invisible backdoor attacks, label-consistent attack and all-trojan backdoor attack, including their low-confidence variants. Our experiments show that HaS-Nets can decrease ASRs from over 90% to less than 15%, independent of the dataset, attack configuration and network architecture.</div>

show abstract