Huming Qiu scite author profile

There is currently a burgeoning demand for deploying deep learning (DL) models on ubiquitous edge Internet of Things (IoT) devices attributing to their low latency and high privacy preservation. However, DL models are often large in size and require large-scale computation, which prevents them from being placed directly onto IoT devices where resources are constrained and 32-bit floating-point (float-32) operations are unavailable. Model quantization is a pragmatic solution, which enables DL deployment on mobile devices and embedded systems by effortlessly post-quantizing a large high-precision model (e.g., float-32) into a small low-precision model (e.g., int-8) while retaining the model inference accuracy. However, model quantization needs to be used with great care.This work reveals that the standard quantization operation can be abused to activate a backdoor. We demonstrate that a full-precision backdoored model that does not have any backdoor effect in the presence of a trigger-as the backdoor is dormantcan be activated by the default TensorFlow-Lite (TFLite) quantization, the only product-ready quantization framework to date. In our experiments, we employ three popular model architectures (VGG16, ResNet18, and ResNet50), each trains across three popular datasets: MNIST, CIFAR10 and GTSRB. We ascertain that all nine trained float-32 backdoored models exhibit no backdoor effect even in the presence of trigger inputs. State-ofthe-art frontend detection approaches, such as Neural Cleanse (model-level inspection) and STRIP (data-level inspection), fail to identify the backdoor in the float-32 models. When each of the float-32 models is converted into an int-8 format model through the standard TFLite post-training quantization, the backdoor is activated in the quantized model, which shows a stable attack success rate close to 100% upon inputs with the trigger, while behaves normally upon non-trigger inputs. This work highlights that a stealthy security threat occurs when end users utilize the on-device post-training model quantization toolkits, informing security researchers of cross-platform overhaul of DL models post quantization even if they pass frontend inspections.

show abstract

Quantization Backdoors to Deep Learning Commercial Frameworks

Qiu

Gao

et al. 2024

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

RBNN: Memory-Efficient Reconfigurable Deep Binary Neural Network With IP Protection for Internet of Things

Qiu

Zhang

et al. 2023

IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.

View full text Add to dashboard Cite

Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures

Qiu¹,

Ma²,

Zhang³

et al. 2022

Preprint

View full text Add to dashboard Cite

Since Deep Learning (DL) backdoor attacks have been revealed as one of the most insidious adversarial attacks, a number of countermeasures have been developed with certain assumptions defined in their respective threat models. However, the robustness of these countermeasures is inadvertently ignored, which can introduce severe consequences, e.g., a countermeasure can be misused and result in a false implication of backdoor detection.For the first time, we critically examine the robustness of existing backdoor countermeasures with an initial focus on three influential model-inspection ones that are Neural Cleanse (S&P'19), ABS (CCS'19), and MNTD (S&P'21). Although the three countermeasures claim that they work well under their respective threat models, they have inherent unexplored nonrobust cases depending on factors such as given tasks, model architectures, datasets, and defense hyper-parameter, which are not even rooted from delicate adaptive attacks. We demonstrate how to trivially bypass them aligned with their respective threat models by simply varying aforementioned factors. Particularly, for each defense, formal proofs or empirical studies are used to reveal its two non-robust cases where it is not as robust as it claims or expects, especially the recent MNTD. This work highlights the necessity of thoroughly evaluating the robustness of backdoor countermeasures to avoid their misleading security implications in unknown non-robust cases.

show abstract

Weighted Contrastive Hashing

Qiu

Chen

et al. 2023

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Huming Qiu

Quantization Backdoors to Deep Learning Commercial Frameworks

Quantization Backdoors to Deep Learning Commercial Frameworks

RBNN: Memory-Efficient Reconfigurable Deep Binary Neural Network With IP Protection for Internet of Things

Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures

Weighted Contrastive Hashing

Contact Info

Product

Resources

About