An imperceptible data augmentation based blackbox clean-label backdoor attack on deep neural networks


Bibliographic Details
Main Authors: Xu, Chaohui, Liu, Wenye, Zheng, Yue, Wang, Si, Chang, Chip Hong
Other Authors: School of Electrical and Electronic Engineering
Format: Article
Language: English
Published: 2024
Online Access:https://hdl.handle.net/10356/173118
Institution: Nanyang Technological University
Record id: sg-ntu-dr.10356-173118
Record format: dspace
Last modified: 2024-01-19T15:41:13Z
Institution: Nanyang Technological University
Building: NTU Library
Country: Singapore (Asia)
Content provider: NTU Library
Collection: DR-NTU
Language: English

Topics:
Engineering::Computer science and engineering::Computing methodologies::Artificial intelligence
Engineering::Computer science and engineering::Computing methodologies::Image processing and computer vision
Clean-Label Backdoor Attack
Data Augmentation
Data Poisoning
Deep Neural Networks
Edge AI

Description: Deep neural networks (DNNs) have permeated into many diverse application domains, making them attractive targets of malicious attacks. DNNs are particularly susceptible to data poisoning attacks. Such attacks can be made more venomous and harder to detect by poisoning the training samples without changing their ground-truth labels. Despite its pragmatism, the clean-label requirement imposes a stiff restriction and strong conflict in simultaneous optimization of attack stealth, success rate, and utility of the poisoned model. Attempts to circumvent the pitfalls often lead to a high injection rate, ineffective embedded backdoors, unnatural triggers, low transferability, and/or poor robustness. In this paper, we overcome these constraints by amalgamating different data augmentation techniques for the backdoor trigger. The spatial intensities of the augmentation methods are iteratively adjusted by interpolating the clean sample and its augmented version according to their tolerance to perceptual loss and augmented feature saliency to target class activation. Our proposed attack is comprehensively evaluated on different network models and datasets. Compared with state-of-the-art clean-label backdoor attacks, it has lower injection rate, stealthier poisoned samples, higher attack success rate, and greater backdoor mitigation resistance while preserving high benign accuracy. Similar attack success rates are also demonstrated on the Intel Neural Compute Stick 2 edge AI device implementation of the poisoned model after weight-pruning and quantization.

Funding agencies: Ministry of Education (MOE); National Research Foundation (NRF)
Funding statement: This work was supported in part by the National Research Foundation, Singapore; in part by the Cyber Security Agency of Singapore under its National Cybersecurity Research and Development Program/Cyber-Hardware Forensic and Assurance Evaluation Research and Development Program under Grant NRF2018NCR-NCR009-0001 and Grant CHFA-GC1-AW01; and in part by the Ministry of Education, Singapore, through the Academic Research Fund Tier 2 under Grant MOE-T2EP50220-0003.
Grant numbers: NRF2018NCR-NCR009-0001; CHFA-GC1-AW01; MOE-T2EP50220-0003
Version: Submitted/Accepted version
Type: Journal Article
Date issued: 2023
Date available: 2024-01-15T02:56:56Z
Citation: Xu, C., Liu, W., Zheng, Y., Wang, S. & Chang, C. H. (2023). An imperceptible data augmentation based blackbox clean-label backdoor attack on deep neural networks. IEEE Transactions on Circuits and Systems I: Regular Papers, 70(12), 5011-5024. https://dx.doi.org/10.1109/TCSI.2023.3298802
Journal: IEEE Transactions on Circuits and Systems I: Regular Papers
Volume: 70
Issue: 12
Pages: 5011-5024
ISSN: 1549-8328
DOI: 10.1109/TCSI.2023.3298802
Handle: https://hdl.handle.net/10356/173118
Scopus ID: 2-s2.0-85166777687
Rights: © 2023 IEEE. All rights reserved. This article may be downloaded for personal use only. Any other use requires prior permission of the copyright holder. The Version of Record is available online at http://doi.org/10.1109/TCSI.2023.3298802.
File format: application/pdf