Abstract
With the widespread use of deep learning system in many applications, the adversary has strong incentive to explore vulnerabilities of deep neural networks and manipulate them. Backdoor attacks against deep neural networks have been reported to be a new type of threat. In this attack, the adversary will inject backdoors into the model and then cause the misbehavior of the model through inputs including backdoor triggers. Existed research mainly focuses on backdoor attacks in image classification based on CNN, little attention has been paid to the backdoor attacks in RNN. In this paper, we implement a backdoor attack against LSTM-based text classification by data poisoning. After the backdoor is injected, the model will misclassify any text samples that contains a specific trigger sentence into the target category determined by the adversary. The backdoor attack is stealthy and the backdoor injected in the model has little impact on the performance of the model. We consider the backdoor attack in black-box setting, where the adversary has no knowledge of model structures or training algorithms except for a small amount of training data. We verify the attack through sentiment analysis experiment on the dataset of IMDB movie reviews. The experimental results indicate that our attack can achieve around 96% success rate with 1% poisoning rate.
Highlights
Artificial intelligence and deep learning have been the hot topic in the computer science field for the past few years
We evaluate our backdoor attack through sentiment analysis experiments
Our attack method injects the backdoor into LSTM neural networks by data poisoning
Summary
Artificial intelligence and deep learning have been the hot topic in the computer science field for the past few years. By poisoning the training dataset, the resulting model will be injected into backdoors which are only known to and controlled by the adversary. Our contributions are summarized as follows: (1) We implement a black-box backdoor attacks against LSTM-based text classification system, the adversary has no knowledge of model structures or training algorithms except for a small amount of training data. (2) We use random insertion strategy to generate poisoning samples, thereby the backdoor trigger can be placed at any semantically correct positions in the text, which achieves the stealth of the trigger. (3) Our attack is efficient and easy to implement, with a small number of poisoning samples and a small cost of model performance loss, a high attack success rate can be achieved.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
