Abstract

In recent years, more researchers have turned their attention to the security of artificial intelligence. The backdoor attack is one of these threats and has a powerful, stealthy attack ability. There is a growing trend toward triggers that are dynamic and global. In this paper, we propose a novel global backdoor trigger that is generated by procedural noise. Compared with most triggers, ours is much stealthier and straightforward to implement. There exist three types of procedural noise, and we evaluate the attack ability of triggers generated by each of them on different classification datasets, including CIFAR-10, GTSRB, CelebA, and ImageNet12. The experimental results show that our attack approach can bypass most defense approaches, and even human inspection. We only need to poison 5%–10% of the training data, yet the attack success rate (ASR) can reach over 99%. To test the robustness of the backdoor model against the corruption methods encountered in practice, we introduce 17 corruption methods and compute the accuracy and ASR of the backdoor model under each of them. The results show that our backdoor model is robust to most corruption methods, which means it can be applied in reality. Our code is available at https://github.com/928082786/pnoiseattack.

Highlights

  • In recent years, deep learning has achieved great success in computer vision ([1]), natural language processing ([2]) and graph neural networks ([3])

  • There exist many threats to deep learning: adversarial examples ([7], [8]), which attack models at the testing stage by adding small perturbations that are imperceptible to humans; backdoor attacks ([9], [10]), which attack models at the training stage by inserting poisoned data into the training dataset; and inference attacks ([11], [12]), which infer the training data or the model weights, exploiting the fact that a deep learning model can memorize its training data

  • The results of our experiment on CIFAR-10 confirm the demonstration from [50]: the anomaly index of the poisoned data with procedural noise is in every case under the threshold 2 (the value recommended in [32]), which means that our approaches can bypass Neural Cleanse
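The anomaly index that the highlight refers to is the outlier statistic Neural Cleanse computes over the per-label L1 norms of its reverse-engineered triggers: a label whose trigger is far smaller than the median, measured in units of the median absolute deviation (MAD), is flagged as backdoored. The following is an added example (not code from the paper or from the pnoiseattack repository) that implements that statistic on constructed norm vectors, assuming the MAD is scaled by the usual normal-consistency constant 1.4826 and that only labels below the median are candidates, as in the Neural Cleanse paper. It shows why a global trigger whose norm is comparable to the clean labels' norms stays under the threshold of 2, while a compact patch-style trigger is flagged.

```python
"""Neural Cleanse-style anomaly index over per-label trigger norms.

Added example, not code from the paper or its repository. Assumptions:
the statistic is |norm - median| / (1.4826 * MAD), a label is a candidate
only if its norm is below the median (a backdoored label needs an unusually
small trigger), and the recommended flagging threshold is 2 ([32] on the
page). All norm values below are constructed, not measured.
"""
from statistics import median
from typing import Dict, List

THRESHOLD = 2.0           # recommended anomaly-index threshold ([32])
MAD_CONSISTENCY = 1.4826  # scales MAD to one sigma under a normal assumption

# Constructed per-label L1 norms for a 10-class model (CIFAR-10 sized).
# A global trigger leaves every label's reverse-engineered norm in the
# same band as the clean labels, so nothing stands out.
GLOBAL_TRIGGER_NORMS: List[float] = [48, 51, 47, 52, 50, 49, 53, 46, 50, 45]
# A compact patch trigger on label 3 needs a far smaller mask than any
# clean label, which is exactly what the MAD test looks for.
PATCH_TRIGGER_NORMS: List[float] = [48, 51, 47, 12, 50, 49, 53, 46, 50, 45]


def anomaly_indices(norms: List[float]) -> List[float]:
    """Return the MAD-based anomaly index of every label's trigger norm."""
    med = median(norms)
    mad = median(abs(n - med) for n in norms) * MAD_CONSISTENCY
    if mad == 0:
        # Degenerate case: all norms identical, nothing can be an outlier.
        return [0.0] * len(norms)
    return [abs(n - med) / mad for n in norms]


def flagged_labels(norms: List[float],
                   threshold: float = THRESHOLD) -> Dict[int, float]:
    """Map each suspicious label to its anomaly index.

    A label is suspicious when its norm lies below the median and its
    anomaly index exceeds the threshold.
    """
    med = median(norms)
    indices = anomaly_indices(norms)
    return {
        label: round(idx, 2)
        for label, (n, idx) in enumerate(zip(norms, indices))
        if n < med and idx > threshold
    }


def max_anomaly_index(norms: List[float]) -> float:
    """Largest anomaly index over all labels, rounded to two decimals."""
    return round(max(anomaly_indices(norms)), 2)


if __name__ == "__main__":
    print("global trigger: max index", max_anomaly_index(GLOBAL_TRIGGER_NORMS),
          "flagged", flagged_labels(GLOBAL_TRIGGER_NORMS))
    print("patch trigger:  max index", max_anomaly_index(PATCH_TRIGGER_NORMS),
          "flagged", flagged_labels(PATCH_TRIGGER_NORMS))
```

With the constructed inputs, every label of the global-trigger model scores well under 2, matching the behaviour the highlight reports for procedural-noise triggers, while label 3 of the patch-trigger model scores above 12 and is flagged. The check is only as good as the norms fed into it, so a defender evaluating a model against global triggers should not rely on this statistic alone.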

Summary

INTRODUCTION

Deep learning has achieved great success in computer vision ([1]), natural language processing ([2]) and graph neural networks ([3]). These individuals or small companies do not have enough resources to train models, so they submit their requirements to a third-party platform, which returns the trained models to the users. With such a process, an adversary can insert triggers into the model and deliver a backdoor model. The backdoor model keeps a high accuracy on benign inputs but classifies poisoned images as the target labels the adversary wants. Another scenario for the backdoor attack is that companies or individuals download datasets or backdoored models from the web. We find that our approaches remain robust to the corruption methods, which means they have great applied value

ATTACK
DEFENSE EXPERIMENTS
ATTACK ROBUSTNESS
Findings
CONCLUSION
