With the fast spread of machine learning techniques, sharing and adopting public machine learning models has become very popular. This gives attackers many new opportunities. In this paper, we propose a trojaning attack on neural networks. As the models are not intuitive for humans to understand, the attack features stealthiness. Deploying trojaned models can cause various severe consequences including endangering human lives (in applications like autonomous driving). We first invert the neural network to generate a general trojan trigger, and then retrain the model with reverse-engineered training data to inject malicious behaviors into the model. The malicious behaviors are only activated by inputs stamped with the trojan trigger. In our attack, we do not need to tamper with the original training process, which usually takes weeks to months. Instead, it takes minutes to hours to apply our attack. Also, we do not require the datasets that are used to train the model. In practice, the datasets are usually not shared due to privacy or copyright concerns. We use five different applications to demonstrate the power of our attack, and perform a deep analysis of the possible factors that affect the attack. The results show that our attack is highly effective and efficient. The trojaned behaviors can be successfully triggered (with nearly 100% possibility) without affecting its test accuracy for normal input and even with better accuracy on public dataset. Also, it only takes a small amount of time to attack a complex neural network model. In the end, we also discuss possible defenses against such attacks.
N(1)-Methyladenosine (m(1)A) is a prevalent post-transcriptional RNA modification, yet little is known about its abundance, topology and dynamics in mRNA. Here, we show that m(1)A is prevalent in Homo sapiens mRNA, which shows an m(1)A/A ratio of ∼0.02%. We develop the m(1)A-ID-seq technique, based on m(1)A immunoprecipitation and the inherent ability of m(1)A to stall reverse transcription, as a means for transcriptome-wide m(1)A profiling. m(1)A-ID-seq identifies 901 m(1)A peaks (from 600 genes) in mRNA and noncoding RNA and reveals a prominent feature, enrichment in the 5' untranslated region of mRNA transcripts, that is distinct from the pattern for N(6)-methyladenosine, the most abundant internal mammalian mRNA modification. Moreover, m(1)A in mRNA is reversible by ALKBH3, a known DNA/RNA demethylase. Lastly, we show that m(1)A methylation responds dynamically to stimuli, and we identify hundreds of stress-induced m(1)A sites. Collectively, our approaches allow comprehensive analysis of m(1)A modification and provide tools for functional studies of potential epigenetic regulation via the reversible and dynamic m(1)A methylation.
Pseudouridine (Ψ) is the most abundant post-transcriptional RNA modification, yet little is known about its prevalence, mechanism and function in mRNA. Here, we performed quantitative MS analysis and show that Ψ is much more prevalent (Ψ/U ratio ∼0.2-0.6%) in mammalian mRNA than previously believed. We developed N3-CMC-enriched pseudouridine sequencing (CeU-Seq), a selective chemical labeling and pulldown method, to identify 2,084 Ψ sites within 1,929 human transcripts, of which four (in ribosomal RNA and EEF1A1 mRNA) are biochemically verified. We show that hPUS1, a known Ψ synthase, acts on human mRNA; under stress, CeU-Seq demonstrates inducible and stress-specific mRNA pseudouridylation. Applying CeU-Seq to the mouse transcriptome revealed conserved and tissue-specific pseudouridylation. Collectively, our approaches allow comprehensive analysis of transcriptome-wide pseudouridylation and provide tools for functional studies of Ψ-mediated epigenetic regulation.
This paper presents a technique to scan neural network based AI models to determine if they are trojaned. Pre-trained AI models may contain back-doors that are injected through training or by transforming inner neuron weights. These trojaned models operate normally when regular inputs are provided, and mis-classify to a specific output label when the input is stamped with some special pattern called a trojan trigger. We develop a novel technique that analyzes inner neuron behaviors by determining how output activations change when we introduce different levels of stimulation to a neuron. The neurons that substantially elevate the activation of a particular output label regardless of the provided input are considered potentially compromised. A trojan trigger is then reverse-engineered through an optimization procedure using the stimulation analysis results, to confirm that a neuron is truly compromised. We evaluate our system ABS on 177 trojaned models that are trojaned with various attack methods that target both the input space and the feature space, and have various trojan trigger sizes and shapes, together with 144 benign models that are trained with different data and initial weight values. These models belong to 7 different model structures and 6 different datasets, including some complex ones such as ImageNet, VGG-Face and ResNet110. Our results show that ABS is highly effective and can achieve over 90% detection rate for most cases (and many 100%), when only one input sample is provided for each output label. It substantially out-performs the state-of-the-art technique Neural Cleanse, which requires a lot of input samples and small trojan triggers to achieve good performance.