Abstract
Backdoor attacks, which attempt to manipulate model predictions on specific poisoned inputs, pose a serious threat to deep neural networks. Such attacks typically inject one or more backdoors into a model by training or fine-tuning it on a poisoned dataset. A backdoor is activated by attacker-specified triggers that are embedded in the poisoned samples and associated with pre-defined target classes. To achieve a better trade-off between attack effectiveness and stealthiness, many studies pursue more elaborate designs, such as natural-looking poisoned samples and lower poisoning rates. Effective as they are, the results of these heuristic studies can still be readily identified or invalidated by existing defenses, mainly because a backdoored model is often overconfident when predicting poisoned inputs, and its neurons behave markedly differently on benign and poisoned inputs. In this paper, we propose a generic backdoor enhancer based on label smoothing and activation suppression to mitigate these two problems. The intuition behind our enhancer is two-fold: label smoothing lowers the confidence of the backdoored model on poisoned inputs, while activation suppression entangles the behaviour of neurons on benign and poisoned samples. In this way, the model is backdoored gently. Extensive experiments covering three network architectures, three poisoning mechanisms, and three common datasets validate that the enhancer can lift various backdoor attacks, even the most rudimentary ones, to the level of state-of-the-art attacks in terms of effectiveness and evasion of detection.
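The abstract does not spell out the training objective, but the two ingredients it names are standard enough to sketch. Below is a minimal PyTorch-style illustration, assuming a mixed batch of benign and poisoned samples and access to an intermediate feature layer; the function names and the exact form of the suppression term (here, matching mean feature activations across the two groups) are illustrative assumptions, not the paper's formulation.

import torch
import torch.nn.functional as F

def label_smoothing_loss(logits, targets, num_classes, alpha=0.1):
    # Cross-entropy against smoothed targets:
    #   y_smooth = (1 - alpha) * one_hot(y) + alpha / K.
    # Smoothing caps the confidence the model can express on any
    # input, poisoned ones included.
    log_probs = F.log_softmax(logits, dim=-1)
    one_hot = F.one_hot(targets, num_classes).float()
    smooth = (1.0 - alpha) * one_hot + alpha / num_classes
    return -(smooth * log_probs).sum(dim=-1).mean()

def activation_gap_penalty(feat_benign, feat_poisoned):
    # Hypothetical "activation suppression" term: shrink the gap
    # between the mean feature activations of the benign and the
    # poisoned parts of the batch, so neurons respond similarly to
    # both kinds of input.
    return F.mse_loss(feat_poisoned.mean(dim=0), feat_benign.mean(dim=0))

# Hypothetical combined objective on a mixed batch (lam is a
# trade-off weight the attacker would tune):
#   loss = label_smoothing_loss(logits, labels, K, alpha) \
#          + lam * activation_gap_penalty(h_benign, h_poisoned)

Intuitively, a larger alpha more aggressively tempers the overconfidence that confidence-based defenses exploit, while the penalty term reduces the activation gap that clustering- and pruning-based defenses rely on; how to balance the two is an empirical question the paper's experiments address.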
B. H. Abbasi and Q. Zhong contributed equally to this work.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Abbasi, B.H., Zhong, Q., Zhang, L.Y., Gao, S., Robles-Kelly, A., Doss, R. (2023). A Generic Enhancer for Backdoor Attacks on Deep Neural Networks. In: Tanveer, M., Agarwal, S., Ozawa, S., Ekbal, A., Jatowt, A. (eds.) Neural Information Processing. ICONIP 2022. Communications in Computer and Information Science, vol. 1794. Springer, Singapore. https://doi.org/10.1007/978-981-99-1648-1_25
DOI: https://doi.org/10.1007/978-981-99-1648-1_25
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-1647-4
Online ISBN: 978-981-99-1648-1
eBook Packages: Computer Science, Computer Science (R0)