Invisible Backdoor Attack Based on Feature Space Similarity

doi:10.3969/j.issn.1671-1122.2024.08.003

Abstract

Abstract:

Backdoor attack refers to an attack that leads to model misjudgment by implanting a specific trigger to the original model during the model training process of deep neural networks. However, the current backdoor attack schemes generally face the problems of poor trigger concealment, low success rate of attack, low poisoning efficiency with easy detection of the poison model. To solve the above problems, the article proposed a model inversion stealthy backdoor attack scheme based on feature space similarity theory under supervised learning mode. The scheme first obtaind the original triggers through a training-based model inversion method and a set of random target label category samples. After that, the benign samples were segmented into feature regions by Attention U-Net network, the original triggers were added to the focus regions, and the generated poison samples were optimized to improve the stealthiness of the triggers and enhance the poisoning efficiency. After expanding the poison dataset by image enhancement algorithm, the original model was retrained to generate the poison model. The experimental results show that the scheme achieves 97% attack success rate with 1% poisoning ratio in GTSRB and CelebA datasets while ensuring the stealthiness of the trigger. At the same time, the scheme ensures the similarity between target samples and poison samples in the feature space, and the generated poison model can successfully escape detection by the defense algorithm, which improves the indistinguishability of the poison model. Through in-depth analysis of this scheme, it can also provide ideas for defending against such backdoor attacks.

Key words: data poisoning, backdoor attack, feature space similarity, supervised learning

CLC Number:

TP309

XIA Hui, QIAN Xiangyun. Invisible Backdoor Attack Based on Feature Space Similarity[J]. Netinfo Security, 2024, 24(8): 1163-1172.

Figures/Tables 8

References 20

[1]	SARKER I H, KHAN A I, ABUSHARK Y B, et al. Internet of Things (IoT) Security Intelligence: A Comprehensive Overview, Machine Learning Solutions and Research Directions[J]. Mobile Networks and Applications, 2023, 28(1): 296-312.
[2]	FANG W, DING L. Computer Vision and Deep Learning to Manage Safety in Construction: Matching Images of Unsafe Behavior and Semantic Rules[J]. IEEE Transactions on Engineering Management, 2021, 70(12): 4120-4132.
[3]	WENGER E, PASSANANTI J, BHAGOJI A N, et al. Backdoor Attacks against Deep Learning Systems in the Physical World[C]// IEEE.Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2021: 6206-6215.
[4]	BANSAL H, SINGHI N, YANG Y, et al. Cleanclip: Mitigating Data Poisoning Attacks in Multimodal Contrastive Learning[C]// IEEE. Proceedings of the IEEE/CVF International Conference on Computer Vision. New York: IEEE, 2023: 112-123.
[5]	ZENG Y, PARK W, MAO Z M, et al. Rethinking the Backdoor Attacks’ Triggers: A Frequency Perspective[C]// IEEE. Proceedings of the IEEE/CVF International Conference on Computer Vision. New York: IEEE, 2021: 16473-16481.
[6]	DUMFORD J, SCHEIRER W. Backdooring Convolutional Neural Networks via Targeted Weight Perturbations[C]// IEEE. 2020 IEEE International Joint Conference on Biometrics (IJCB). New York: IEEE, 2020: 1-9.
[7]	LI Yuanchun, HUA Jiayi, WANG Haoyu, et al. Deeppayload: Black-Box Backdoor Attack on Deep Learning Models through Neural Payload Injection[C]// IEEE. 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). New York: IEEE, 2021: 263-274.
[8]	RAKIN A S, HE Z, FAN D. Targeted Neural Network Attack with Bit Trojan[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2020: 13198-13207.
[9]	WANG B, YAO Y, SHAN S, et al. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 707-723.
[10]	LI Y, LI Y, WU B, et al. Invisible Backdoor Attack with Sample-Specific Triggers[C]// IEEE. Proceedings of the IEEE/CVF International Conference on Computer Vision. New York: IEEE, 2021: 16463-16472.
[11]	YANG Zhou, XU B, ZHANG J M, et al. Stealthy Backdoor Attack for Code Models[EB/OL]. (2023-01-09)[2024-02-16]. https://arxiv.org/list/cs.SE/2023-01?skip=70&show=250.
[12]	NGUYEN N B, CHANDRASEGARAN K, ABDOLLAHZADEH M, et al. Re-Thinking Model Inversion Attacks against Deep Neural Networks[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2023: 16384-16393.
[13]	TORBUNOV D, HUANG Y, YU H, et al. Uvcgan: Unet Vision Transformer Cycle-Consistent Gan for Unpaired Image-to-Image Translation[C]// IEEE. Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision. New York: IEEE, 2023: 702-712.
[14]	QI X, XIE T, PAN R, et al. Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2022: 13347-13357.
[15]	XIA P, NIU H, LI Z, et al. Enhancing Backdoor Attacks with Multi-Level Mmd Regularization[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 20(2): 1675-1686.
[16]	GU T, LIU K, DOLAN-GAVITT B, et al. Badnets: Evaluating Backdooring Attacks on Deep Neural Networks[J]. IEEE Access, 2019, 7: 47230-47244. doi: 10.1109/ACCESS.2019.2909068
[17]	SAHA A, SUBRAMANYA A, PIRSIAVASH H. Hidden Trigger Backdoor Attacks[C]// AAAI. Proceedings of the AAAI Conference on Artificial Intelligence. New York: AAAI, 2020: 11957-11965.
[18]	NGUYEN A, TRAN A. Wanet-Imperceptible Warping-Based Backdoor Attack[EB/OL]. (2021-09-09)[2024-02-16]. https://arxiv.org/pdf/2102.10369v4.
[19]	DOAN K, LAO Y, ZHAO W, et al. Lira:Learnable, Imperceptible and Robust Backdoor Attacks[C]// IEEE. Proceedings of the IEEE/CVF International Conference on Computer Vision. New York: IEEE, 2021: 11966-11976.
[20]	DONG S, XIA Y, PENG T. Network Abnormal Traffic Detection Model Based on Semi-Supervised Deep Reinforcement Learning[J]. IEEE Transactions on Network and Service Management, 2021, 18(4): 4197-4212.

方案	ACC	ASR	L₁-Norm
BadNets	90.2%	85.4%	1.21
Hidden	89.2%	77.6%	0.72
WaNet	89.9%	97.2%	1.53
LIRA	91.3%	97.8%	0.68
本文方案	90.5%	98.1%	0.55

方案	ACC	ASR	L₁-Norm
BadNets	97.5%	89.2%	1.7
Hidden	97.1%	88.4%	0.88
WaNet	98.1%	98.4%	1.97
LIRA	96.8%	97.3%	0.56
本文方案	97.4%	97.8%	0.51

投毒比例	ACC↑	ACC↑
0.5%	90.8%	97.5%
0.8%	90.7%	97.3%
1.0%	90.5%	97.4%
1.2%	90.6%	97.4%
1.5%	90.5%	97.5%