Defense-Resistant Backdoor Attacks Against Deep Neural Networks in Outsourced Cloud Environment
IEEE Journal on Selected Areas in Communications (IF 13.8), Pub Date: 2021-06-09, DOI: 10.1109/jsac.2021.3087237
Xueluan Gong, Yanjiao Chen, Qian Wang, Huayang Huang, Lingshuo Meng, Chao Shen, Qian Zhang

The time and monetary costs of training sophisticated deep neural networks are exorbitant, which motivates resource-limited users to outsource the training process to the cloud. Concerning that an untrustworthy cloud service provider may inject backdoors to the returned model, the user can leverage state-of-the-art defense strategies to examine the model. In this paper, we aim to develop robust backdoor attacks (named RobNet) that can evade existing defense strategies from the standpoint of malicious cloud providers. The key rationale is to diversify the triggers and strengthen the model structure so that the backdoor is hard to be detected or removed. To attain this objective, we refine the trigger generation algorithm by selecting the neuron(s) with large weights and activations and then computing the triggers via gradient descent to maximize the value of the selected neuron(s). In stark contrast to existing works that fix the trigger location, we design a multi-location patching method to make the model less sensitive to mild displacement of triggers in real attacks. Furthermore, we extend the attack space by proposing multi-trigger backdoor attacks that can misclassify inputs with different triggers into the same or different target label(s). We evaluate the performance of RobNet on MNIST, GTSRB, and CIFAR-10 datasets, against four representative defense strategies Pruning, NeuralCleanse, Strip, and ABS. The comparison with two state-of-the-art baselines BadNets and Hidden Backdoors demonstrates that RobNet achieves higher attack success rate and is more resistant to potential defenses.

Updated: 2021-06-09