Defense Scheme for Removing Deep Neural Network Backdoors Based on JSMA Adversarial Attacks

doi:10.3969/j.issn.1671-1122.2024.04.005

Abstract

Abstract:

Deep learning models lack transparency and interpretability, and the abnormal behavior triggered by malicious attacks during the inference stage can lead to a decline in their performance. In response to this issue, this paper proposed a defense scheme for removing deep neural network (DNN) backdoors based on JSMA adversarial attacks. Firstly, the hidden backdoor trigger was restored using special disturbances generated by simulations of JSMA, and this foundation formed the basis for simulating the restoration of the backdoor trigger pattern. Secondly, a heatmap was used to locate the weight position of the restored hidden trigger. Finally, a ridge regression function was used to reset the weights to zero effectively removing the backdoor in the DNN. This paper tested the model on the MNIST and CIFAR10 datasets, and evaluated the performance of the model after the backdoor removal. The experimental results show that this scheme can effectively remove the backdoors in DNN models, with only less than a 3% decrease in the testing accuracy of the DNN.

Key words: deep learning model, counter attack, JSMA, ridge regression function

CLC Number:

TP309

ZHANG Guanghua, LIU Yichun, WANG He, HU Boning. Defense Scheme for Removing Deep Neural Network Backdoors Based on JSMA Adversarial Attacks[J]. Netinfo Security, 2024, 24(4): 545-554.

Figures/Tables 10

References 24

[1]	DENG Jia, DONG Wei, SOCHER R, et al. Imagenet: A Large-Scale Hierarchical Image Database[C]// IEEE. 2009 IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2009: 248-255.
[2]	BROWN T, MANN B, RYDER N, et al. Language Models are Few-Shot Learners[J]. Neural Information Processing Systems, 2020(33): 1877-1901.
[3]	YOSINSKI J, CLUNE J, NGUYEN A, et al. Understanding Neural Networks through Deep Visualization[EB/OL]. (2021-06-22)[2023-08-13]. https://arxiv.org/abs/1506.06579.
[4]	HITAJ D, MANCINI L V. Have You Stolen My Model? Evasion Attacks against Deep Neural Network Watermarking Techniques[EB/OL]. (2018-09-03)[2023-08-13]. https://arxiv.org/abs/1809.00615.
[5]	TRAMÈR F, ZHANG Fan, JUELS A, et al. Stealing Machine Learning Models via Prediction APIs[C]// USENIX. 25th USENIX Security Symposium (USENIX Security 16). Berkley: USENIX, 2016: 601-618.
[6]	ANDRIUSHCHENKO M, CROCE F, FLAMMARION N, et al. Square Attack: A Query-Efficient Black-Box Adversarial Attack via Random Search[C]// Springer. European Conference on Computer Vision. Heidelberg: Springer, 2020: 484-501.
[7]	AIKEN W, KIM H, WOO S, et al. Neural Network Laundering: Removing Black-Box Backdoor Watermarks from Deep Neural Networks[EB/OL]. (2021-07-01)[2023-08-13]. https://www.sciencedirect.com/science/article/abs/pii/S0167404821001012?via%3Dihub.
[8]	WANG Bolun, YAO Yuanshun, SHAN S, et al. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 707-723.
[9]	LIU Kang, DOLAN G B, GARG S. Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks[C]// Springer. International Symposium on Research in Attacks, Intrusions, and Defenses. Heidelberg: Springer, 2018: 273-294.
[10]	CHEN B, CARVALHO W, BARACALDO N, et al. Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering[EB/OL]. (2018-11-09)[2023-08-13]. https://arxiv.org/abs/1811.03728.
[11]	CHOU E, TRAMÈR F, PELLEGRINO G, et al. Sentinet: Detecting Physical Attacks against Deep Learning Systems[EB/OL]. (2018-12-02)[2023-08-13]. https://arxiv.org/abs/1812.00292.
[12]	CHEN Huili, FU Cheng, ZHAO Jishen, et al. DeepInspect: A Black-Box Trojan Detection and Mitigation Framework for Deep Neural Networks[EB/OL]. (2019-08-10)[2023-08-13]. https://dl.acm.org/doi/10.5555/3367471.3367691.
[13]	GUO Wenbo, WANG Lun, XING Xinyu, et al. Tabor: A Highly Accurate Approach to Inspecting and Restoring Trojan Backdoors in AI Systems[EB/OL]. (2019-08-08)[2023-08-13]. https://arxiv.org/abs/1908.01763.
[14]	LIU Zhuang, SUN Mingjie, ZHOU Tinghui, et al. Rethinking the Value of Network Pruning[EB/OL]. (2018-10-11)[2023-08-13]. https://arxiv.org/abs/1810.05270.
[15]	HUANG Xijie, ALZANTOT M, SRIVASTAVA M. NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations[EB/OL]. (2019-11-18)[2023-08-13]. https://arxiv.org/abs/1911.07399.
[16]	UCHIDA Y, NAGAI Y, SAKAZAWA S, et al. Embedding Watermarks into Deep Neural Networks[C]// ACM. The 2017 ACM on International Conference on Multimedia Retrieval. New York: ACM, 2017: 269-277.
[17]	ZHANG Jie, CHEN Dongdong, LIAO Jing, et al. Deep Model Intellectual Property Protection via Deep Watermarking[EB/OL]. (2021-03-08)[2023-08-13]. https://arxiv.org/abs/2103.04980.
[18]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[EB/OL]. (2014-12-20)[2023-08-13]. https://arxiv.org/abs/1412.6572.
[19]	LOU Xiaoxuan, GUO Shangwei, LI Jiwei, et al. Ownership Verification of DNN Architectures via Hardware Cache Side Channels[J]. IEEE Transactions on Circuits and Systems for Video Technology, 2022, 32(11): 8078-8093.
[20]	GU Tianyu, DOLAN G B, GARG S. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain[J]. (2017-08-22)[2023-08-13]. https://arxiv.org/abs/1708.06733.
[21]	CHEN Wenlin, WILSON J T, TYREE S, et al. Compressing Neural Networks with the Hashing Trick[C]// ACM. The 32nd International Conference on International Conference on Machine Learning. New York: ACM, 2015: 2285-2294.
[22]	HU Hailong, PANG Jun. Stealing Machine Learning Models: Attacks and Countermeasures for Generative Adversarial Networks[C]// ACM. Annual Computer Security Applications Conference Virtual Event (ACSAC’21). New York: ACM, 2021: 1-16.
[23]	BATINA L, BHASIN S, JAP D, et al. CSI Neural Network: Using Side-Channels to Recover Your Artificial Neural Network Information[EB/OL]. (2018-10-22)[2023-08-13]. https://dl.acm.org/doi/10.1145/3485832.3485838.
[24]	WEI Lingxiao, LUO Bo, LI Yu, et al. I Know What You See: Power Side-Channel Attack on Convolutional Neural Network Accelerators[C]// ACM. The 34th Annual Computer Security Applications Conference. New York: ACM, 2018: 393-406.

数据集	触发器	去除前测试精度	去除前后门保留率	测试精度	后门存活率
MNIST	白色方块	99.14%	99.99%	98.33%	1.52%
MNIST	TEST	97.27%	99.91%	98.61%	1.35%
CIFAR10	白色方块	89.77%	99.92%	97.24%	0.26%
CIFAR10	TEST	87.32%	99.96%	97.86%	0.41%

类别	0	1	2	3	4	5	6	7	8	9
扰动大小	25.12	26.23	25.74	26.48	25.21	26.72	26.48	24.95	25.54	26.19
	26.63	26.44	25.18	26.56	26.37	26.89	25.11	24.31	26.45	10.66
	24.74	24.90	24.63	25.15	10.51	25.10	25.25	10.20	25.93	26.31
	23.51	25.33	10.34	26.33	25.21	25.32	26.30	26.20	24.62	26.74

类别	0	1	2	3	4	5	6	7	8	9
扰动大小	24.74	24.10	24.69	25.37	10.11	25.15	25.47	10.20	26.53	26.34
	26.53	26.64	25.48	26.06	26.07	26.89	25.09	24.39	25.45	24.66
	25.72	26.73	25.34	26.45	25.11	26.72	26.43	24.05	25.49	26.10
	10.54	10.22	25.18	26.39	25.34	25.32	26.33	26.57	24.74	25.90

触发器	训练数据占比	后门去除后的测试精度			去除方案后的后门存活率
触发器	训练数据占比	10epochs	50epochs	100epochs	10epochs	50epochs	100epochs
白色方块	10%	98.21%	97.86%	96.62%	2.30%	0.32%	1.10%
	5%	98.34%	97.81%	97.03%	7.33%	6.30%	4.40%
	2%	97.62%	97.64%	96.14%	10.14%	7.20%	6.10%
TEST	10%	98.36%	98.15%	97.36%	1.40%	0.90%	0.15%
	5%	98.16%	97.63%	96.93%	7.90%	7.20%	5.03%
	2%	99.84%	98.31%	97.72%	9.70%	7.03%	6.50%

触发器	训练数据占比	后门去除后的测试精度			去除方案后的后门存活率
触发器	训练数据占比	10epochs	50epochs	100epochs	10epochs	50epochs	100epochs
白色方块	10%	98.62%	97.33%	96.93%	2.10%	1.20%	0.83%
	5%	98.41%	98.16%	95.51%	7.60%	6.30%	5.10%
	2%	98.14%	97.16%	96.82%	10.33%	8.30%	6.98%
TEST	10%	99.36%	98.13%	97.15%	2.30%	2.02%	1.10%
	5%	98.15%	97.99%	96.43%	7.30%	6.80%	5.06%
	2%	98.72%	97.24%	97.13%	10.07%	8.03%	7.90%