Invisible Backdoor Attack with Sample-Specific Triggers

Li, Yuezun; Li, Yiming; Wu, Baoyuan; Li, Longkang; He, Ran; Lyu, Siwei

doi:10.1109/iccv48922.2021.01615

Cited by 167 publications

(156 citation statements)

References 38 publications

Supporting

Mentioning

156

Contrasting

Order By: Relevance

“…After that, (Chen et al, 2017) suggested that the poisoned image should be similar to its benign version for the stealthiness, based on which they proposed the blended attack. Recently, (Xue et al, 2020;Li et al, 2020b;2021c) further explored how to conduct poison-label backdoor attacks more stealthily. Most recently, a more stealthy and effective attack, the WaNet (Nguyen & Tran, 2021), was proposed.…”

Section: Backdoor Attackmentioning

confidence: 99%

Backdoor Defense via Decoupling the Training Process

Huang¹,

Li²,

Zhan³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Recent studies have revealed that deep neural networks (DNNs) are vulnerable to backdoor attacks, where attackers embed hidden backdoors in the DNN model by poisoning a few training samples. The attacked model behaves normally on benign samples, whereas its prediction will be maliciously changed when the backdoor is activated. We reveal that poisoned samples tend to cluster together in the feature space of the attacked DNN model, which is mostly due to the endto-end supervised training paradigm. Inspired by this observation, we propose a novel backdoor defense via decoupling the original end-to-end training process into three stages. Specifically, we first learn the backbone of a DNN model via self-supervised learning based on training samples without their labels. The learned backbone will map samples with the same ground-truth label to similar locations in the feature space. Then, we freeze the parameters of the learned backbone and train the remaining fully connected layers via standard training with all (labeled) training samples. Lastly, to further alleviate side-effects of poisoned samples in the second stage, we remove labels of some 'low-credible' samples determined based on the learned model and conduct a semi-supervised fine-tuning of the whole model. Extensive experiments on multiple benchmark datasets and DNN models verify that the proposed defense is effective in reducing backdoor threats while preserving high accuracy in predicting benign samples. Our code is available at https://github.com/SCLBD/DBD.

show abstract

Section: Backdoor Attackmentioning

confidence: 99%

Backdoor Defense via Decoupling the Training Process

Huang¹,

Li²,

Zhan³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Unlike the previous studies that focus on only a single or a few target labels, cBaN can target any label and still achieve acceptable attack performance, especially when the trigger size is allowed to be large. Li et al [114] also claimed that most of the previous attacks involves using same triggers for different samples which has the weakness to be detected easily using the existing neural Trojan defense techniques. To overcome this, they utilise triggers that are sample-specific.…”

Section: A Training Data Poisoningmentioning

confidence: 99%

“…4. BadNets [5] and Sample-Specific Backdoor [114]. BadNets uses a uniform visible trigger that classify the Trojaned image to the same class whereas Sample-Specific Backdoor can have multiple stealthy triggers and each of them map to a specific class.…”

Section: A Training Data Poisoningmentioning

confidence: 99%

A Survey of Neural Trojan Attacks and Defenses in Deep Learning

Wang¹,

Hassan²,

Akhtar³

2022

Preprint

View full text Add to dashboard Cite

Artificial Intelligence (AI) relies heavily on deep learning -a technology that is becoming increasingly popular in real-life applications of AI, even in the safety-critical and high-risk domains. However, it is recently discovered that deep learning can be manipulated by embedding Trojans inside it. Unfortunately, pragmatic solutions to circumvent the computational requirements of deep learning, e.g. outsourcing model training or data annotation to third parties, further add to model susceptibility to the Trojan attacks. Due to the key importance of the topic in deep learning, recent literature has seen many contributions in this direction. We conduct a comprehensive review of the techniques that devise Trojan attacks for deep learning and explore their defenses. Our informative survey systematically organizes the recent literature and discusses the key concepts of the methods while assuming minimal knowledge of the domain on the readers part. It provides a comprehensible gateway to the broader community to understand the recent developments in Neural Trojans.

show abstract

“…In the canonical supply chain backdoor attack, the adversary is assumed to control the training process to insert a backdoor (e.g., BadNets [28]) [59], creating sample-specific triggers using jointly trained encoders [42,49], or using "image styles" as triggers [20]. Recently, the composite attack has been proposed [44], which mixes two examples from different classes to produce a trigger.…”

Section: Attacker Controlled Trainingmentioning

confidence: 99%

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers

Yang¹,

Chen²,

Cortellazzi³

et al. 2022

Preprint

View full text Add to dashboard Cite

Malware classifiers are subject to training-time exploitation due to the need to regularly retrain using samples collected from the wild. Recent work has demonstrated the feasibility of backdoor attacks against malware classifiers, and yet the stealthiness of such attacks is not well understood. In this paper, we investigate this phenomenon under the clean-label setting (i.e., attackers do not have complete control over the training or labeling process). Empirically, we show that existing backdoor attacks in malware classifiers are still detectable by recent defenses such as MNTD. To improve stealthiness, we propose a new attack, Jigsaw Puzzle (JP), based on the key observation that malware authors have little to no incentive to protect any other authors' malware but their own. As such, Jigsaw Puzzle learns a trigger to complement the latent patterns of the malware author's samples, and activates the backdoor only when the trigger and the latent pattern are pieced together in a sample. We further focus on realizable triggers in the problem space (e.g., software code) using bytecode gadgets broadly harvested from benign software. Our evaluation confirms that Jigsaw Puzzle is effective as a backdoor, remains stealthy against state-of-the-art defenses, and is a threat in realistic settings that depart from reasoning about feature-space only attacks. We conclude by exploring promising approaches to improve backdoor defenses.

show abstract

Invisible Backdoor Attack with Sample-Specific Triggers

Cited by 167 publications

References 38 publications

Backdoor Defense via Decoupling the Training Process

Backdoor Defense via Decoupling the Training Process

A Survey of Neural Trojan Attacks and Defenses in Deep Learning

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers

Contact Info

Product

Resources

About