Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification

Siyuan Cheng; Yingqi Liu; Shiqing Ma; Xiangyu Zhang

Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification

Siyuan Cheng, Yingqi Liu, Shiqing Ma, Xiangyu Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Trojan (backdoor) attack is a form of adversarial attack on deep neural networks where the attacker provides victims with a model trained/retrained on malicious data. The backdoor can be activated when a normal input is stamped with a certain pattern called trigger, causing misclassification. Many existing trojan attacks have their triggers being input space patches/objects (e.g., a polygon with solid color) or simple input transformations such as Instagram filters. These simple triggers are susceptible to recent backdoor detection algorithms. We propose a novel deep feature space trojan attack with five characteristics: effectiveness, stealthiness, controllability, robustness and reliance on deep features. We conduct extensive experiments on 9 image classifiers on various datasets including ImageNet to demonstrate these properties and show that our attack can evade state-of-the-art defense.

Original language	English (US)
Title of host publication	35th AAAI Conference on Artificial Intelligence, AAAI 2021
Publisher	Association for the Advancement of Artificial Intelligence
Pages	1148-1156
Number of pages	9
ISBN (Electronic)	9781713835974
State	Published - 2021
Externally published	Yes
Event	35th AAAI Conference on Artificial Intelligence, AAAI 2021 - Virtual, Online Duration: Feb 2 2021 → Feb 9 2021

Publication series

Name	35th AAAI Conference on Artificial Intelligence, AAAI 2021
Volume	2A

Conference

Conference	35th AAAI Conference on Artificial Intelligence, AAAI 2021
City	Virtual, Online
Period	2/2/21 → 2/9/21

All Science Journal Classification (ASJC) codes

Artificial Intelligence

Cite this

@inproceedings{478ffc7a6af4484d92cfbcc896e09094,

title = "Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification",

abstract = "Trojan (backdoor) attack is a form of adversarial attack on deep neural networks where the attacker provides victims with a model trained/retrained on malicious data. The backdoor can be activated when a normal input is stamped with a certain pattern called trigger, causing misclassification. Many existing trojan attacks have their triggers being input space patches/objects (e.g., a polygon with solid color) or simple input transformations such as Instagram filters. These simple triggers are susceptible to recent backdoor detection algorithms. We propose a novel deep feature space trojan attack with five characteristics: effectiveness, stealthiness, controllability, robustness and reliance on deep features. We conduct extensive experiments on 9 image classifiers on various datasets including ImageNet to demonstrate these properties and show that our attack can evade state-of-the-art defense.",

author = "Siyuan Cheng and Yingqi Liu and Shiqing Ma and Xiangyu Zhang",

note = "Funding Information: This research was supported, in part by NSF 1901242 and 1910300, ONR N000141712045, N000141410468 and N000141712947, and IARPA TrojAI W911NF-19-S-0012. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of our sponsors. Publisher Copyright: Copyright {\textcopyright} 2021, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved; 35th AAAI Conference on Artificial Intelligence, AAAI 2021 ; Conference date: 02-02-2021 Through 09-02-2021",

year = "2021",

language = "English (US)",

series = "35th AAAI Conference on Artificial Intelligence, AAAI 2021",

publisher = "Association for the Advancement of Artificial Intelligence",

pages = "1148--1156",

booktitle = "35th AAAI Conference on Artificial Intelligence, AAAI 2021",

}

Cheng, S, Liu, Y, Ma, S & Zhang, X 2021, Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification. in 35th AAAI Conference on Artificial Intelligence, AAAI 2021. 35th AAAI Conference on Artificial Intelligence, AAAI 2021, vol. 2A, Association for the Advancement of Artificial Intelligence, pp. 1148-1156, 35th AAAI Conference on Artificial Intelligence, AAAI 2021, Virtual, Online, 2/2/21.

Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification. / Cheng, Siyuan; Liu, Yingqi; Ma, Shiqing et al.

35th AAAI Conference on Artificial Intelligence, AAAI 2021. Association for the Advancement of Artificial Intelligence, 2021. p. 1148-1156 (35th AAAI Conference on Artificial Intelligence, AAAI 2021; Vol. 2A).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification

AU - Cheng, Siyuan

AU - Liu, Yingqi

AU - Ma, Shiqing

AU - Zhang, Xiangyu

N1 - Funding Information: This research was supported, in part by NSF 1901242 and 1910300, ONR N000141712045, N000141410468 and N000141712947, and IARPA TrojAI W911NF-19-S-0012. Any opinions, findings, and conclusions in this paper are those of the authors only and do not necessarily reflect the views of our sponsors. Publisher Copyright: Copyright © 2021, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved

PY - 2021

Y1 - 2021

N2 - Trojan (backdoor) attack is a form of adversarial attack on deep neural networks where the attacker provides victims with a model trained/retrained on malicious data. The backdoor can be activated when a normal input is stamped with a certain pattern called trigger, causing misclassification. Many existing trojan attacks have their triggers being input space patches/objects (e.g., a polygon with solid color) or simple input transformations such as Instagram filters. These simple triggers are susceptible to recent backdoor detection algorithms. We propose a novel deep feature space trojan attack with five characteristics: effectiveness, stealthiness, controllability, robustness and reliance on deep features. We conduct extensive experiments on 9 image classifiers on various datasets including ImageNet to demonstrate these properties and show that our attack can evade state-of-the-art defense.

AB - Trojan (backdoor) attack is a form of adversarial attack on deep neural networks where the attacker provides victims with a model trained/retrained on malicious data. The backdoor can be activated when a normal input is stamped with a certain pattern called trigger, causing misclassification. Many existing trojan attacks have their triggers being input space patches/objects (e.g., a polygon with solid color) or simple input transformations such as Instagram filters. These simple triggers are susceptible to recent backdoor detection algorithms. We propose a novel deep feature space trojan attack with five characteristics: effectiveness, stealthiness, controllability, robustness and reliance on deep features. We conduct extensive experiments on 9 image classifiers on various datasets including ImageNet to demonstrate these properties and show that our attack can evade state-of-the-art defense.

UR - http://www.scopus.com/inward/record.url?scp=85129938499&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85129938499&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85129938499

T3 - 35th AAAI Conference on Artificial Intelligence, AAAI 2021

SP - 1148

EP - 1156

BT - 35th AAAI Conference on Artificial Intelligence, AAAI 2021

PB - Association for the Advancement of Artificial Intelligence

T2 - 35th AAAI Conference on Artificial Intelligence, AAAI 2021

Y2 - 2 February 2021 through 9 February 2021

ER -

Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this