MM-BD: Post-Training Detection of Backdoor Attacks with Arbitrary Backdoor Pattern Types Using a Maximum Margin Statistic (2022-05-13T00:00:00.000000Z)

TL;DR

This paper proposes a post-training defense that detects backdoor attacks with arbitrary types of backdoor embeddings, without making any assumptions about the backdoor embedding type, and proposes a novel, general approach for backdoor mitigation once a detection is made.

Abstract

Backdoor attacks are an important type of adversarial threat against deep neural network classifiers, wherein test samples from one or more source classes will be (mis)classified to the attacker’s target class when a backdoor pattern is embedded. In this paper, we focus on the post-training backdoor defense scenario commonly considered in the literature, where the defender aims to detect whether a trained classifier was backdoor-attacked without any access to the training set. Many post-training detectors are designed to detect attacks that use either one or a few specific backdoor embedding functions (e.g., patch-replacement or additive attacks). These detectors may fail when the backdoor embedding function used by the attacker (unknown to the defender) is different from the backdoor embedding function assumed by the defender. In contrast, we propose a post-training defense that detects backdoor attacks with arbitrary types of backdoor embeddings, without making any assumptions about the backdoor embedding type. Our detector leverages the influence of the backdoor attack, independent of the backdoor embedding mechanism, on the landscape of the classifier’s outputs prior to the softmax layer. For each class, a maximum margin statistic is estimated. Detection inference is then performed by applying an unsupervised anomaly detector to these statistics. Thus, our detector does not need any legitimate clean samples, and can efficiently detect backdoor attacks with arbitrary numbers of source classes. These advantages over several state-of-the-art methods are demonstrated on four datasets, for three different types of backdoor patterns, and for a variety of attack configurations. Finally, we propose a novel, general approach for backdoor mitigation once a detection is made. The mitigation approach was the runner-up at the first IEEE Trojan Removal Competition. The code is online available.

References108 items

UMD: Unsupervised Model Detection for X2X Backdoor Attacks

SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency

The "Beatrix" Resurrections: Robust Backdoor Detection via Gram Matrices

Data-free Backdoor Removal based on Channel Lipschitzness

Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips

DEFEAT: Deep Hidden Feature Backdoor Attacks by Imperceptible Perturbation and Latent Representation Constraints

BppAttack: Stealthy and Efficient Trojan Attacks against Deep Neural Networks via Image Quantization and Contrastive Adversarial Learning

Backdoor Defense via Decoupling the Training Process

Few-Shot Backdoor Attacks on Visual Object Tracking

Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios

Test-Time Detection of Backdoor Triggers for Poisoned Deep Neural Networks

Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks

Backdoor Attack through Frequency Domain

Detecting Backdoor Attacks against Point Cloud Classifiers

Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks

Adversarial Unlearning of Backdoors via Implicit Hypergradient

CLEAR: Clean-up Sample-Targeted Backdoor in Neural Networks

Towards Consumer Loan Fraud Detection: Graph Neural Networks with Role-Constrained Conditional Random Field

Hidden Backdoors in Human-Centric Language Models

A Backdoor Attack against 3D Point Cloud Classifiers

Detecting Scene-Plausible Perceptible Backdoors in Trained DNNs Without Access to the Training Set

Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits

Backdoor Scanning for Deep Neural Networks through K-Arm Optimization

Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks

Invisible Backdoor Attack with Sample-Specific Triggers

Input-Aware Dynamic Backdoor Attack

SoK: Certified Robustness for Deep Neural Networks

Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases

Backdoor Learning: A Survey

SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems

Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks

BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements

On the Effectiveness of Mitigating Data Poisoning Attacks with Gradient Shaping

Interleaved Sequence RNNs for Fraud Detection

Backdoor Suppression in Neural Networks using Input Fuzzing and Majority Voting

Robust Anomaly Detection and Backdoor Attack Detection Via Differential Privacy

AI developers tout revolution, drugmakers talk evolution.

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

Detecting AI Trojans Using Meta Neural Analysis

A Benchmark Study Of Backdoor Data Poisoning Defenses For Deep Neural Network Classifiers And A Novel Defense

Hidden Trigger Backdoor Attacks

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Detection of Backdoors in Trained Classifiers Without Access to the Training Set

Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems

TABOR: A Highly Accurate Approach to Inspecting and Restoring Trojan Backdoors in AI Systems

DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks

Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs

Deep Learning–Assisted Diagnosis of Cerebral Aneurysms Using the HeadXNet Model

Adversarial Learning in Statistical Classification: A Comprehensive Review of Defenses Against Attacks

BadNets: Evaluating Backdooring Attacks on Deep Neural Networks

Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks

STRIP: a defence against trojan attacks on deep neural networks

Knockoff Nets: Stealing Functionality of Black-Box Models

SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems

Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering

A Survey on Data Collection for Machine Learning: A Big Data - AI Integration Perspective

Exploring Connections Between Active Learning and Model Extraction

Spectral Signatures in Backdoor Attacks

Learning with Bad Training Data via Iterative Trimmed Loss Minimization

Clean-Label Backdoor Attacks

Backdoor Embedding in Convolutional Neural Network Models via Invisible Perturbation

Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks

Speech Commands: A Dataset for Limited-Vocabulary Speech Recognition

SoK: Security and Privacy in Machine Learning

Dynamic Graph CNN for Learning on Point Clouds

Inverted Residuals and Linear Bottlenecks: Mobile Networks for Classification, Detection and Segmentation

MobileNetV2: Inverted Residuals and Linear Bottlenecks

Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning

Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning

Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization

Towards Deep Learning Models Resistant to Adversarial Attacks

Generative Poisoning Attack Method Against Neural Networks

Very deep convolutional neural networks for raw waveforms

Towards Evaluating the Robustness of Neural Networks

Stealing Machine Learning Models via Prediction APIs

Deep Learning with Differential Privacy

Practical Black-Box Attacks against Machine Learning

Deep Residual Learning for Image Recognition

DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks

Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures

Explaining and Harnessing Adversarial Examples

Very Deep Convolutional Networks for Large-Scale Image Recognition

Convex Optimization: Algorithms and Complexity

Intriguing properties of neural networks

Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition

Poisoning Attacks against Support Vector Machines

Support Vector Machines Under Adversarial Label Noise

ImageNet: A large-scale hierarchical image database

A tutorial on conformal prediction

Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples

IEEE Trojan Removal Competition

Trojan Detection Challenge NeurIPS 2022

What Doesn't Kill You Makes You Robust(er): Adversarial Training against Poisons and Backdoors

Backdoor Attack with Imperceptible Input and Latent Modification

IARPA TrojAI: Trojans in artificial intelligence

Trojaning Attack on Neural Networks

Deep Learning

and Aaron Courville

Learning Multiple Layers of Features from Tiny Images

100

Misleading Learners: Co-opting Your Spam Filter

101

Model zoo

102

WaNet - Imperceptible Warping-based Backdoor Attack

103

CIFAR-10

104

“chessboard” “1-pixel”

105

Experiment Details A.1. Details

106

Not robust against adaptive attacks

107

High false positive rate for datasets with few classes

108

chessboard is a ‘chessboard’ pattern [18], with one and only one of two adjacent