L-Red: Efficient Post-Training Detection of Imperceptible Backdoor Attacks Without Access to the Training Set

Xiang, Zhen; Miller, David J.; Kesidis, George

doi:10.1109/icassp39728.2021.9414562

Cited by 11 publications

(17 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[48] addressed this issue by estimating a putative BP for each class pair, but this greatly increases the required computation. While [34] and [49] estimate the BA source classes and the target class via a complicated optimization procedure, our method can accurately detect BAs with an arbitrary number of source classes and is computationally efficient, as will be shown in our experiments.…”

Section: Backdoor Defensesmentioning

confidence: 89%

“…Compared with REDs that may suffer from mismatch between the assumed BP embedding type and the true attack BP type, our optimization problem does not require assuming a BP embedding type. Moreover, REDs' BP estimation using clean samples from all non-target classes has been found experimentally to fail when the majority of these classes are not source classes [49,34]. By contrast, our method can detect BAs with an arbitrary number of source classes, since problem (2) above does not involve any legitimate samples from the domain.…”

Section: Detection Proceduresmentioning

confidence: 98%

“…Existing PT defenses typically assume that the defender independently possesses a small set of clean, legitimate samples from every class. These samples may be used: i) to reverse-engineer putative BPs, which are the basis for anomaly detection [42,14,48,25,9,43,45,34,49]; or ii) to train shadow neural networks with and without (known) BAs -based on which a binary "meta-classifier" is trained to predict whether the classifier under inspection is backdoor attacked [18,51,40]. However, these methods assume the BP type (the mechanism for embedding a BP) used by the attacker is known.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Universal Post-Training Backdoor Detection

Wang¹,

Xiang²,

Miller³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

A Backdoor attack (BA) is an important type of adversarial attack against deep neural network classifiers, wherein test samples from one or more source classes will be (mis)classified to the attacker's target class when a backdoor pattern (BP) is embedded. In this paper, we focus on the post-training backdoor defense scenario commonly considered in the literature, where the defender aims to detect whether a trained classifier was backdoor attacked, without any access to the training set. To the best of our knowledge, existing post-training backdoor defenses are all designed for BAs with presumed BP types, where each BP type has a specific embedding function. They may fail when the actual BP type used by the attacker (unknown to the defender) is different from the BP type assumed by the defender. In contrast, we propose a universal post-training defense that detects BAs with arbitrary types of BPs, without making any assumptions about the BP type. Our detector leverages the influence of the BA, independently of the BP type, on the landscape of the classifier's outputs prior to the softmax layer. For each class, a maximum margin statistic is estimated using a set of random vectors; detection inference is then performed by applying an unsupervised anomaly detector to these statistics. Thus, our detector is also an advance relative to most existing post-training methods by not needing any legitimate clean samples, and can efficiently detect BAs with arbitrary numbers of source classes. These advantages of our detector over several state-of-the-art methods are demonstrated on four datasets, for three different types of BPs, and for a variety of attack configurations. Finally, we propose a novel, general approach for BA mitigation once a detection is made.

show abstract

Section: Backdoor Defensesmentioning

confidence: 89%

Section: Detection Proceduresmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Universal Post-Training Backdoor Detection

Wang¹,

Xiang²,

Miller³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…[40] attempted a robust defense against various attack via data augmentation methods and model fine-tuning. [37] analyzed by reverse engineering triggers through the Lagrangian function.…”

Section: Defense Against Backdoor Attackmentioning

confidence: 99%

Image Synthesis-based Backdoor Attack Approach in the Face Classification Task

Na,

Choi

2023

Preprint

View full text Add to dashboard Cite

Although deep neural networks (DNNs) are applied in various fields owing to their remarkable performance, recent studies have reported that DNN models are vulnerable to backdoor attacks. They generated backdoored images by adding a backdoor trigger in original training images that activates the backdoor attack. However, most of previous attack methods are noticeable, not natural to the human eye, and easily detected by certain defense methods. In this study, we propose an image synthesis-based backdoor attack approach to resolve these limitations. To overcome the aforementioned limitations, we set a conditional facial region such as hair, eyes, or mouth as a trigger and modified that region using an image synthesis technique that replace the region of original image with the region of target image. Consequently, we achieved an attack success rate of up to 88.37% using 20% of the synthesized backdoored images injected in the training dataset, while maintaining the model accuracy for clean images. Moreover, we analyzed the advantages of the proposed approach by applying image transformation, visualization of activation regions on DNN models, and human tests. In addition to its implementation in both label flipping and clean label attack scenarios, the proposed method can be utilized as an attack approach to threaten security in the face classification task.

show abstract

“…The main computational cost is induced by the need to determine for each of the K(K − 1) class pairs whether it is involved in a backdoor attack -trigger reverse-engineering is performed for each class pair. Since there is no constraint on the trigger reverse-engineering algorithm used by UMD, the efficiency of UMD can potentially be improved, e.g., by adopting the warm-up strategy by Shen et al (2021) or the weighted-sum strategy by Xiang et al (2021) to accelerate the trigger reverse-engineering process.…”

Section: E4 Computational Cost Of Umdmentioning

confidence: 99%