Detecting AI Trojans Using Meta Neural Analysis

Xu, Xiaojun; Wang, Qi; Li, Huichen; Borisov, Nikita; Gunter, Carl A.; Li, Bo

doi:10.1109/sp40001.2021.00034

Cited by 123 publications

(109 citation statements)

References 47 publications

(115 reference statements)

Supporting

Mentioning

109

Contrasting

Order By: Relevance

“…It is conducted at inference time, like an adversarial attack. Recent research shows that shallow convolutional layers learn common properties among images [81] , such as edge and colour. Inspired by this, attackers propose to utilize a colour stripe pattern generated by modulating LED in a specialized waveform as a trigger.…”

Section: Model Extensionmentioning

confidence: 99%

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Zhang

Wang

et al. 2022

Chinese J of Electronics

View full text Add to dashboard Cite

Deep neural network (DNN) is applied widely in many applications and achieves state-of-the-art performance. However, DNN lacks transparency and interpretability for users in structure. Attackers can use this feature to embed trojan horses in the DNN structure, such as inserting a backdoor into the DNN, so that DNN can learn both the normal main task and additional malicious tasks at the same time. Besides, DNN relies on data set for training. Attackers can tamper with training data to interfere with DNN training process, such as attaching a trigger on input data. Because of defects in DNN structure and data, the backdoor attack can be a serious threat to the security of DNN. The DNN attacked by backdoor performs well on benign inputs while it outputs an attacker-specified label on trigger attached inputs. Backdoor attack can be conducted in almost every stage of the machine learning pipeline. Although there are a few researches in the backdoor attack on image classification, a systematic review is still rare in this field. This paper is a comprehensive review of backdoor attacks. According to whether attackers have access to the training data, we divide various backdoor attacks into two types: poisoningbased attacks and non-poisoning-based attacks. We go through the details of each work in the timeline, discussing its contribution and deficiencies. We propose a detailed mathematical backdoor model to summary all kinds of backdoor attacks. In the end, we provide some insights about future studies.

show abstract

Section: Model Extensionmentioning

confidence: 99%

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Zhang

Wang

et al. 2022

Chinese J of Electronics

View full text Add to dashboard Cite

show abstract

“…The research interest increased as IARPA and Defense Advanced Research Projects Agency (DARPA) announced the TrojAI [2] and Guaranteeing AI Robustness Against Deception (GARD) [4] programs in 2019. With more research efforts invested into designs of trojan detectors [5], [6], [7], there is a need to establish a baseline method that is simple, but generally applicable, and provides results that are better than a chance [8].…”

Section: Related Workmentioning

confidence: 99%

Baseline Pruning-Based Approach to Trojan Detection in Neural Networks

Bajcsy¹,

Majurski²

2021

Preprint

View full text Add to dashboard Cite

This paper addresses the problem of detecting trojans in neural networks (NNs) by analyzing systematically pruned NN models. Our pruning-based approach consists of three main steps. First, detect any deviations from the reference look-up tables of model file sizes and model graphs. Next, measure the accuracy of a set of systematically pruned NN models following multiple pruning schemas. Finally, classify a NN model as clean or poisoned by applying a mapping between accuracy measurements and NN model labels. This work outlines a theoretical and experimental framework for finding the optimal mapping over a large search space of pruning parameters. Based on our experiments using Round 1 and Round 2 TrojAI Challenge datasets, the approach achieves average classification accuracy of 69.73 % and 82.41 % respectively with an average processing time of less than 60 s per model. For both datasets random guessing would produce 50% classification accuracy. Reference model graphs and source code are available from GitHub.

show abstract

“…Different from the detection pipelines discussed above, MNTD (Xu et al 2021) predicts whether a model is backdoored by examining its behavior on carefully crafted inputs. MNTD first generates a battery of benign and backdoored models.…”

Section: Trigger-agnostic Detectionmentioning

confidence: 99%

“…The query set is then jointly optimized with the parameters of the meta-classifier to obtain a high accuracy meta-classifier. Interestingly, this approach appears to detect attacks on architectures outside of the ensemble used to train the meta-classifier (Xu et al 2021). Huang et al ( 2020) define a "one-pixel" signature of a network, which is the collection of single-pixel adversarial perturbations that most effectively impact the label of a collection of images.…”

Section: Trigger-agnostic Detectionmentioning

confidence: 99%

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Goldblum¹,

Tsipras²,

Xie³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

As machine learning systems grow in scale, so do their training data requirements, forcing practitioners to automate and outsource the curation of training data in order to achieve stateof-the-art performance. The absence of trustworthy human supervision over the data collection process exposes organizations to security vulnerabilities; training data can be manipulated to control and degrade the downstream behaviors of learned models. The goal of this work is to systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space. In addition to describing various poisoning and backdoor threat models and the relationships among them, we develop their unified taxonomy.

show abstract

Detecting AI Trojans Using Meta Neural Analysis

Cited by 123 publications

References 47 publications

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Backdoor Attacks on Image Classification Models in Deep Neural Networks

Baseline Pruning-Based Approach to Trojan Detection in Neural Networks

Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses

Contact Info

Product

Resources

About