Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems

Doan, Bao Gia; Abbasnejad, Ehsan; Ranasinghe, Damith C.

doi:10.1145/3427228.3427264

Cited by 137 publications

(119 citation statements)

References 24 publications

Supporting

Mentioning

116

Contrasting

Order By: Relevance

“…Typically, a Grey-box setting is assumed, where our attacker has control over a small percentage of training data (typically less than 2%), and no knowledge of either the network architecture, or the defense parameters. Our threat model is consistent with many state-of-the-art attacks/defenses [12], [20], [28], [40], [41], including those considered in this paper. Fig.…”

Section: Threat Models and Assumptionssupporting

confidence: 65%

“…is to detect and/or recover a poisoned network/input without affecting the performance on the test set [12], [17], [41].…”

Section: Threat Models and Assumptionsmentioning

confidence: 99%

“…1(b)), thus, evading the statistical sanitizers. We evaluate -attack on different types of defenses: (1) Februus 3 [12] (2) STRIP-ViTA 3 [17], (3) ULPdefense 4 [23] (4) Gradient-shaping 5 [20] and (5) Artificial Brain Stimulation (ABS) 4 [29]. We show that if the attacker uses -attack to poison the model, all these defenses can be significantly compromised, except Februus, which uses heatmaps 6 , instead of the statistical features, for input masking and reconstruction.…”

Section: Introductionmentioning

confidence: 99%

“…We demonstrate the limitations of many recently proposed defenses against the proposed attacks. [12], [23], [40], [41]. Specifically, we demonstrate the robustness of HaS-Net for image, text and audio classification tasks, on MLP, 2D-CNN and 1D-CNN architectures, under different attack configurations.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

HaS-Net: A Heal and Select Mechanism to Securely Train DNNs against Backdoor Attacks

Ali¹,

Nepal²,

Kanhere³

et al. 2021

Preprint

View full text Add to dashboard Cite

<div>We have witnessed the continuing arms race between backdoor attacks and the corresponding defense strategies on Deep Neural Networks (DNNs). However, most state-of-the-art defenses rely on the statistical sanitization of inputs or latent DNN representations to capture trojan behavior. In this paper, we first challenge the robustness of many recently reported defenses by introducing a novel variant of the targeted backdoor attack, called low-confidence backdoor attack. Low-confidence attack inserts the backdoor by assigning uniformly distributed probabilistic labels to the poisoned training samples, and is applicable to many practical scenarios such as Federated Learning and model-reuse cases. We evaluate our attack against five state-of-the-art defense methods, viz., STRIP, Gradient-Shaping, Februus, ULP-defense and ABS-defense, under the same threat model as assumed by the respective defenses and achieve Attack Success Rates (ASRs) of 99\%, 63.73%, 91.2%, 80% and 100%, respectively. After carefully studying the properties of the state-of-the-art attacks, including low-confidence attacks, we present HaS-Net, a mechanism to securely train DNNs against a number of backdoor attacks under the data-collection scenario. For this purpose, we use a reasonably small healing dataset, approximately 2% to 15% the size of training data, to heal the network at each iteration. We evaluate our defense for different datasets---Fashion-MNIST, CIFAR-10, Celebrity Face, Consumer Complaint and Urban Sound---and network architectures---MLPs, 2D-CNNs, 1D-CNNs---and against several attack configurations---standard backdoor attacks, invisible backdoor attacks, label-consistent attack and all-trojan backdoor attack, including their low-confidence variants. Our experiments show that HaS-Nets can decrease ASRs from over 90% to less than 15%, independent of the dataset, attack configuration and network architecture.</div>

show abstract

Section: Threat Models and Assumptionssupporting

confidence: 65%

“…is to detect and/or recover a poisoned network/input without affecting the performance on the test set [12], [17], [41].…”

Section: Threat Models and Assumptionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

HaS-Net: A Heal and Select Mechanism to Securely Train DNNs against Backdoor Attacks

Ali¹,

Nepal²,

Kanhere³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…The reported hardware vulnerabilities and successful attacks raise increasing concerns that shatter the trustworthiness of ML systems. As opposed to mitigation approaches developed for software-oriented attacks [179]- [181], defense methodologies against hardware-based ML attacks are still in the nascent stage of development. Edge devices such as smartphone, automobiles, robots, drones, cameras, etc.…”

Section: Defenses and Countermeasuresmentioning

confidence: 99%

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Liu

Chang

Wang

et al. 2021

IEEE J. Emerg. Sel. Topics Circuits Syst.

View full text Add to dashboard Cite

The last decade has witnessed remarkable research advances at the intersection of machine learning (ML) and hardware security. The confluence of the two technologies has created many interesting and unique opportunities, but also left some issues in their wake. ML schemes have been extensively used to enhance the security and trust of embedded systems like hardware Trojans and malware detection. On the other hand, ML-based approaches have also been adopted by adversaries to assist side-channel attacks, reverse engineer integrated circuits and break hardware security primitives like Physically Unclonable Functions (PUFs). Deep learning is a subfield of ML. It can continuously learn from a large amount of labeled data with a layered structure. Despite the impressive outcomes demonstrated by deep learning in many application scenarios, the dark side of it has not been fully exposed yet. The inability to fully understand and explain what has been done within the super-intelligence can turn an inherently benevolent system into malevolent. Recent research has revealed that the outputs of Deep Neural Networks (DNNs) can be easily corrupted by imperceptibly small input perturbations. As computations are brought nearer to the source of data creation, the attack surface of DNN has also been extended from the input data to the edge devices. Accordingly, due to the opportunities of MLassisted security and the vulnerabilities of ML implementation, in this paper, we will survey the applications, vulnerabilities and fortification of ML from the perspective of hardware security. We will discuss the possible future research directions, and thereby, sharing a roadmap for the hardware security community in general.

show abstract

Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks

Liu

Bailey

et al. 2020

Computer Vision – ECCV 2020

241

226

View full text Add to dashboard Cite

Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems

Cited by 137 publications

References 24 publications

HaS-Net: A Heal and Select Mechanism to Securely Train DNNs against Backdoor Attacks

HaS-Net: A Heal and Select Mechanism to Securely Train DNNs against Backdoor Attacks

Two Sides of the Same Coin: Boons and Banes of Machine Learning in Hardware Security

Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks

Contact Info

Product

Resources

About