
A Generic Enhancer for Backdoor Attacks on Deep Neural Networks

Conference paper in Neural Information Processing (ICONIP 2022)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1794)


Abstract

Backdoor attacks, which attempt to manipulate model predictions on specific poisoned inputs, pose a serious threat to deep neural networks. They mainly use poisoned datasets to inject one or more backdoors into a model through training or fine-tuning. The backdoor is activated by attacker-specified triggers that are included in the datasets and associated with pre-defined target classes. To achieve a better trade-off between attack effectiveness and stealthiness, many studies focus on more complex designs, such as natural-appearing poisoned samples combined with smaller poisoning rates. Effective as they are, these heuristic designs can still be readily identified or invalidated by existing defenses. This is mainly because the backdoored model is often overconfident when predicting poisoned inputs, and its neurons exhibit significantly different behaviour on benign and poisoned inputs. In this paper, we propose a generic backdoor enhancer based on label smoothing and activation suppression to mitigate these two problems. The intuition behind our backdoor enhancer is two-fold: label smoothing reduces the confidence of the backdoored model on poisoned inputs, while activation suppression entangles the behaviour of neurons on benign and poisoned samples. In this way, the model is backdoored gently. Extensive experiments are conducted to assess the proposed enhancer, using three different network architectures and three different poisoning mechanisms on three common datasets. The results validate that the enhancer can raise various backdoor attacks, even the most rudimentary ones, to the level of state-of-the-art attacks in terms of effectiveness and bypassing detection.

B. H. Abbasi and Q. Zhong—These authors contributed equally to this work.




Correspondence to Leo Yu Zhang .


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Abbasi, B.H., Zhong, Q., Zhang, L.Y., Gao, S., Robles-Kelly, ., Doss, R. (2023). A Generic Enhancer for Backdoor Attacks on Deep Neural Networks. In: Tanveer, M., Agarwal, S., Ozawa, S., Ekbal, A., Jatowt, A. (eds) Neural Information Processing. ICONIP 2022. Communications in Computer and Information Science, vol 1794. Springer, Singapore. https://doi.org/10.1007/978-981-99-1648-1_25


  • DOI: https://doi.org/10.1007/978-981-99-1648-1_25


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-1647-4

  • Online ISBN: 978-981-99-1648-1

  • eBook Packages: Computer Science (R0)
