An Improved Method of Backdoor Attack in DNN

doi:10.3969/j.issn.1671-1122.2021.05.010

Abstract

Abstract:

Trigger generation network is the key algorithm of backdoor attack in deep neural network. The existing trigger generation networks have the two main problems: First, the candidate dataset of trigger uses static manual selection, and doesn’t consider the sensitivity of candidate dataset. Therefore, it has redundant data. Second, the trigger generation network only considers how to activate the target neuron, and does not consider the anti-detection problem of the generated triggers. Aiming at the problem of redundancy of candidate data sets, this paper uses sensitivity analysis methods to select data sets that are more sensitive to the target neuron to reduce redundant data. In the face of the existing trigger detection methods, the improved trigger generation network can ensure the accuracy of the attack, by designing the clustering result and randomization confusion as a comprehensive punishment method, the generated trigger can bypass the detection. Experimental results show that the trigger generated by this method can maintain a high attack accuracy rate. The results also show a low attack detection rate in the cluster detection method and a high attack rejection rate in the STRIP perturbation detection method.

Key words: backdoor attack in deep neural network, trigger generation network, targe tneuron, trigger

CLC Number:

TP309

REN Shixuan, WANG Maoyu, ZHAO Hui. An Improved Method of Backdoor Attack in DNN[J]. Netinfo Security, 2021, 21(5): 82-89.

Figures/Tables 11

References 15

[1]	MAO Jian, ZHAO Hongdong, YAO Jingjing. Application and Prospect of Artificial Neural Network[J]. Electronic Design Engineering. 2011,19(24):62-65.
	毛健, 赵红东, 姚婧婧. 人工神经网络的发展及应用[J]. 电子设计工程, 2011,19(24):62-65.
[2]	LIU Yingqi. Trojaning Attack on Neural Networks[EB/OL]. https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2782&context=cstech, 2018-06-12.
[3]	GU Tianyu. Badnets: Evaluating Backdooring Attacks on Deep Neural Networks[EB/OL]. https://ieeexplore.ieee.org/document/8685687, 2019-12-03.
[4]	WANG B, YAO Yuanshun, SHAN S, et al. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP), May 20-22, 2019, San Francisco, CA, USA. New York: IEEE, 2019: 707-723.
[5]	CHEN Xinyun, LIU Chang, LI Bo, et al. Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning[EB/OL]. https://arxiv.org/pdf/1712.05526.pdf, 2020-08-20.
[6]	SALEM A, WEN Rui, MICHAEL B, et al. Dynamic Backdoor Attacks Against Machine Learning Models[EB/OL]. https://arxiv.org/pdf/2003.03675, 2020-09-25.
[7]	SALEM A, MICHAEL B, ZHANG Yang. Don't Trigger Me! A Triggerless Backdoor Attack Against Deep Neural Networks[EB/OL]. https://arxiv.org/abs/2010.03282, 2020-09-26.
[8]	CHEN B. Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering[EB/OL]. https://arxiv.org/pdf/1811.03728.pdf, 2018-09-05
[9]	SHOKRI R. Bypassing Backdoor Detection Algorithms in Deep Learning[C]// IEEE. 2020 IEEE European Symposium on Security and Privacy (EuroS&P), September 7-11, 2020, Virtual, Genoa, Italy. New York: IEEE, 2020: 175-183.
[10]	YAO Yuanshun, LI Huiying, ZHENG Haitao, et al. Latent Backdoor Attacks on Deep Neural Networks[C]// ACM SIGSAC. 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, UK. New York: ACM, 2019: 2041-2055.
[11]	LIU Yingqi, LEE Wenchuan, TAO Guanhong, et al. ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation[C]// ACM SIGSAC. 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, UK. New York: ACM, 2019: 1265-1282.
[12]	CHEN Huili, FU Cheng, ZHAO Jishen, et al. DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks[C]// IJCAI Int. IJCAI International Joint Conference on Artificial Intelligence, August 10-16, 2019, Macao, China. California: IJCAI, 2019: 4658-4664.
[13]	GAO Yansong, XU Change, WANG Derui, et al. STRIP: A Defence Against Trojan Attacks on Deep Neural Networks[C]// ACSAC. In Annual Computer Security Applications Conference, December 9-13, 2019, San Juan, Puerto Rico, USA. New York: ACSAC, 2019: 113-125.
[14]	SALTELLI A. Sensitivity Analysis for Importance Assessment[J]. Risk Analysis, 2002,22(3):579-590. doi: 10.1111/risk.2002.22.issue-3 URL
[15]	PEI Kexin, CAO Yinzhi, YANG Junfeng, et al. Deepxplore: Automated Whitebox Testing of Deep Learning Systems[C]// SOSP. 26th Symposium on Operating Systems Principles, October 14, 2017, Shanghai, China. New York: ACM, 2017: 1-18.

名词术语	基本解释
敌手	实施攻击的主体
触发器	作为神经网络输入用于触发后门攻击的数据集合
触发器候选数据集	在单个输入的数据集合中用作后续生成触发器的数据集合
触发器生成网络	用于生成触发器的神经网络
目的神经元	攻击者选择的用于触发恶意分类的神经元
伴随神经元	攻击者用于诱导差值检测的神经元
攻击精确率	恶意的输入示例成功触发攻击占总输入恶意示例的比值

True（T）	预测结果为正常
False（F）	预测结果为异常
Positive（P）	标签结果为正常
Negative（N）	标签结果为异常

数据集	攻击精确率（Original-Net）	攻击精确率（R-Net）	精确率（Original-Net）	精确率（R-Net）
CIFAR-10	98.7%	97.9%	93.6%	92.1%
VGG_FACE	97.6%	94.5%	89.2%	91.1%

数据集	被检测为恶意输入的频次（Original-Net）	检测率（Original-Net）	被检测为恶意输入的频次（R-Net）	检测率（R-Net）
CIFAR-10	9647	96.5%	2909	29.1%
VGG_FACE	9823	98.2%	1637	16.4%

数据集	攻击误识率（Original-Net）	攻击拒识率（Original-Net）	攻击误识率（R-Net）	攻击拒识率（R-Net）
CIFAR-10	0.1%	1.2%	0%	37.2%
VGG_FACE	0%	0.9%	0%	29.8%