Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (5): 82-89. doi: 10.3969/j.issn.1671-1122.2021.05.010

• Technical Research •

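An Improved Method of Backdoor Attack in DNN

REN Shixuan, WANG Maoyu, ZHAO Hui

  1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610065, China
  • Received: 2020-12-28 Online: 2021-05-10 Published: 2021-06-22
  • Contact: ZHAO Hui E-mail: 303031725@qq.com
  • About the authors: REN Shixuan (born 1996), male, from Jilin, master's student; main research interests: neural network security, network intrusion detection and information security | WANG Maoyu (born 1995), male, from Sichuan, master's student; main research interests: disaster recovery and backup, network security | ZHAO Hui (born 1976), male, from Sichuan, associate professor, Ph.D.; main research interests: information and network security
  • Funding:
    National Key R&D Program of China (2020YFB1805400); National Natural Science Foundation of China (U1736212); China Postdoctoral Science Foundation (2019TQ0217); Fundamental Research Funds for the Central Universities (YJ201933); Sichuan Province Key R&D Program (20ZDYF3145)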

Abstract:

The trigger generation network is the key algorithm in backdoor attacks on deep neural networks. Existing trigger generation networks have two main problems. First, the trigger candidate dataset is selected statically and by hand, without considering how sensitive the candidate data are to the target neuron, so it contains redundant data. Second, the trigger generation network considers only how to better activate the target neuron and does not consider the resistance of the generated triggers to detection. To address the redundancy of the candidate dataset, this paper uses sensitivity analysis to select data that are more sensitive to the target neuron, thereby reducing redundant data. Against existing trigger detection methods, the improved trigger generation network maintains attack accuracy while using clustering results and randomized obfuscation as a combined penalty, so that the generated triggers bypass detection. Experimental results show that triggers generated by this method maintain a high attack accuracy rate while showing a low attack detection rate under the clustering detection method and a high attack rejection rate under the STRIP perturbation detection method.

Key words: backdoor attack in deep neural network, trigger generation network, target neuron, trigger

CLC Number: