Enhancing Backdoor Attacks With Multi-Level MMD Regularization

Xia, Pengfei; Niu, Hongjing; Li, Ziqiang; Li, Bin

doi:10.1109/tdsc.2022.3161477

Cited by 8 publications

(3 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Zhao et al [37] proposed optimization by measuring poison data through cross entropy to produce adaptive imperceptible perturbations and limit the potential representation of poison data during training to enhance the stealth of attacks and the resistance of defense. Xia et al [38] verified the distribution of multilayer representations on rule-trained backdoor models differed significantly using maximum mean difference (MMD), energy distance (ED) and sliced Wasserstein distance (SWD) as metrics. Then, a difference reduction method ML-MMDR with multilevel MMD regularization in the loss is proposed to optimize the poison data.…”

Section: B Invisible Backdoor Attackmentioning

confidence: 99%

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Zhang

Wei-ping

et al. 2023

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. In backdoor attacks, the attackers try to plant hidden backdoors into DNN models, either in the training or inference stage, to mislead the output of the model when the input contains some specified triggers without affecting the prediction of normal inputs not containing the triggers. As a rapidly developing topic, numerous works on designing various backdoor attacks and developing techniques to defend against such attacks have been proposed in recent years. However, a comprehensive and holistic overview of backdoor attacks and countermeasures is still missing. In this paper, we provide a systematic overview of the design of backdoor attacks and the defense strategies to defend against backdoor attacks, covering the latest published works. We review representative backdoor attacks and defense strategies in both the computer vision domain and other domains, discuss their pros and cons, and make comparisons among them. We outline key challenges to be addressed and potential research directions in the future.

show abstract

Section: B Invisible Backdoor Attackmentioning

confidence: 99%

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Zhang

Wei-ping

et al. 2023

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

show abstract

“…Recently, adversarial attacks have been widely used in various fields, i.e., image classification [60,61], traffic analy-sis [43,46], autonomous driving [28,29] and object detection [39]. As for Android malware detection, there have been many studies [21,24,27,33,34] on syntax features oriented AE generation.…”

Section: Related Workmentioning

confidence: 99%

Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information

Li¹,

Zhang²,

Wu³

et al. 2023

Preprint

View full text Add to dashboard Cite

The function call graph (FCG) based Android malware detection methods have recently attracted increasing attention due to their promising performance. However, these methods are susceptible to adversarial examples (AEs). In this paper, we design a novel black-box AE attack towards the FCG based malware detection system, called BagAmmo. To mislead its target system, BagAmmo purposefully perturbs the FCG feature of malware through inserting "never-executed" function calls into malware code. The main challenges are two-fold. First, the malware functionality should not be changed by adversarial perturbation. Second, the information of the target system (e.g., the graph feature granularity and the output probabilities) is absent.To preserve malware functionality, BagAmmo employs the try-catch trap to insert function calls to perturb the FCG of malware. Without the knowledge about feature granularity and output probabilities, BagAmmo adopts the architecture of generative adversarial network (GAN), and leverages a multi-population co-evolution algorithm (i.e., Apoem) to generate the desired perturbation. Every population in Apoem represents a possible feature granularity, and the real feature granularity can be achieved when Apoem converges.Through extensive experiments on over 44k Android apps and 32 target models, we evaluate the effectiveness, efficiency and resilience of BagAmmo. BagAmmo achieves an average attack success rate of over 99.9% on MaMaDroid, APIGraph and GCN, and still performs well in the scenario of concept drift and data imbalance. Moreover, BagAmmo outperforms the state-of-the-art attack SRL in attack success rate.

show abstract

“…Although the backdoor attack has been extensively researched in multiple applications, such as computer vision (CV) [11][12][13][14][15][16][17] and natural language processing (NLP) [18][19][20][21][22][23][24][25][26][27][28][29], there is no research in the field of DGA detection. Due to the particularity of DGA , existing backdoor attacks can not be directly applied to the DGA detection approach based on deep learning.…”

Section: Introductionmentioning

confidence: 99%

BadDGA: Backdoor Attack on LSTM-Based Domain Generation Algorithm Detector

Zhai

Yang

et al. 2023

Electronics

View full text Add to dashboard Cite

Due to the outstanding performance of deep neural networks (DNNs), many researchers have begun to transfer deep learning techniques to their fields. To detect algorithmically generated domains (AGDs) generated by domain generation algorithm (DGA) in botnets, a long short-term memory (LSTM)-based DGA detector has achieved excellent performance. However, the previous DNNs have found various inherent vulnerabilities, so cyberattackers can use these drawbacks to deceive DNNs, misleading DNNs into making wrong decisions. Backdoor attack as one of the popular attack strategies strike against DNNs has attracted widespread attention in recent years. In this paper, to cheat the LSTM-based DGA detector, we propose BadDGA, a backdoor attack against the LSTM-based DGA detector. Specifically, we offer four backdoor attack trigger construction methods: TLD-triggers, Ngram-triggers, Word-triggers, and IDN-triggers. Finally, we evaluate BadDGA on ten popular DGA datasets. The experimental results show that under the premise of 1‰ poisoning rate, our proposed backdoor attack can achieve a 100% attack success rate to verify the effectiveness of our method. Meanwhile, the model’s utility on clean data is influenced slightly.

show abstract

Enhancing Backdoor Attacks With Multi-Level MMD Regularization

Cited by 8 publications

References 37 publications

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Black-box Adversarial Example Attack towards FCG Based Android Malware Detection under Incomplete Feature Information

BadDGA: Backdoor Attack on LSTM-Based Domain Generation Algorithm Detector

Contact Info

Product

Resources

About