An Overview of Backdoor Attacks Against Deep Neural Networks and Possible Defences

Guo, Wei; Tondi, Benedetta; Barni, Mauro

doi:10.1109/ojsp.2022.3190213

Cited by 35 publications

(16 citation statements)

References 108 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most closely related is the line of work on data poisoning attacks that seeks to understand how data points can be adversarially "poisoned" to degrade the performance of a predictive model at test time. We refer to recent surveys for an overview of data poisoning attacks [Tian et al, 2022], and backdoor attacks more specifically [Guo et al, 2022]. While the literature on poisoning attacks focuses predominantly on diminishing the performance of the learning algorithm, documented empirical successes [Cherepanova et al, 2021, Geiping et al, 2021 hint at the impact that algorithmic collective action can have on deep learning models.…”

Section: Related Workmentioning

confidence: 99%

Algorithmic Collective Action in Machine Learning

Hardt¹,

Mazumdar²,

Mendler-Dünner³

et al. 2023

Preprint

View full text Add to dashboard Cite

We initiate a principled study of algorithmic collective action on digital platforms that deploy machine learning algorithms. We propose a simple theoretical model of a collective interacting with a firm's learning algorithm. The collective pools the data of participating individuals and executes an algorithmic strategy by instructing participants how to modify their own data to achieve a collective goal. We investigate the consequences of this model in three fundamental learning-theoretic settings: the case of a nonparametric optimal learning algorithm, a parametric risk minimizer, and gradient-based optimization. In each setting, we come up with coordinated algorithmic strategies and characterize natural success criteria as a function of the collective's size. Complementing our theory, we conduct systematic experiments on a skill classification task involving tens of thousands of resumes from a gig platform for freelancers. Through more than two thousand model training runs of a BERT-like language model, we see a striking correspondence emerge between our empirical observations and the predictions made by our theory. Taken together, our theory and experiments broadly support the conclusion that algorithmic collectives of exceedingly small fractional size can exert significant control over a platform's learning algorithm.

show abstract

Section: Related Workmentioning

confidence: 99%

Algorithmic Collective Action in Machine Learning

Hardt¹,

Mazumdar²,

Mendler-Dünner³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…It can be seen that some existing surveys, e.g., [44], [45], [46], and [47] considered backdoor attacks and backdoor defenses as a part of robustness threat on WFL, however, the limitations of the existing backdoor attack and defense methods were not highlighted. On the other hand, in [48], [49], [50], and [51], WFL was considered as one of the deep learning applications when discussing the impact of backdoor attacks, but no detailed analysis of vulnerabilities of backdoor attacks on WFL was provided. In [52] and [53], the theoretical working mechanisms of backdoor attacks and defenses for WFL were reviewed.…”

Section: B Review Of Existing Surveys and Gap Analysismentioning

confidence: 99%

“…However, the limitations of the existing methodologies were not systematically analyzed. In the survey [50], the backdoor attack strategies were discussed in depth, but they were not discussed in the context of WFL. Also, to the best of the authors' knowledge, none of the existing surveys has taken WCN into consideration.…”

Section: B Review Of Existing Surveys and Gap Analysismentioning

confidence: 99%

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Wang

Qiao

Zhang

et al. 2022

2022 IEEE Wireless Communications and Networking Conference (WCNC)

View full text Add to dashboard Cite

Due to the greatly improved capabilities of devices, massive data, and increasing concern about data privacy, Federated Learning (FL) has been increasingly considered for applications to wireless communication networks (WCNs). Wireless FL (WFL) is a distributed method of training a global deep learning model in which a large number of participants each train a local model on their training datasets and then upload the local model updates to a central server. However, in general, nonindependent and identically distributed (non-IID) data of WCNs raises concerns about robustness, as a malicious participant could potentially inject a "backdoor" into the global model by uploading poisoned data or models over WCN. This could cause the model to misclassify malicious inputs as a specific target class while behaving normally with benign inputs. This survey provides a comprehensive review of the latest backdoor attacks and defense mechanisms. It classifies them according to their targets (data poisoning or model poisoning), the attack phase (local data collection, training, or aggregation), and defense stage (local training, before aggregation, during aggregation, or after aggregation). The strengths and limitations of existing attack strategies and defense mechanisms are analyzed in detail. Comparisons of existing attack methods and defense designs are carried out, pointing to noteworthy findings, open challenges, and potential future research directions related to security and privacy of WFL.

show abstract

“…The unlearning strategy first detects the malicious behavior and then defend against the backdoor attack by performing reverse learning through utilizing the implicit hypergradient [ZCP + 21] or modifying the loss function [LLK + 21]. Moreover, the comprehensive backdoor attack surveys can be found in [LJLX22] and [GTB22].…”

Section: Defending Backdoor Attackmentioning

confidence: 99%

Backdoor Attack is a Devil in Federated GAN-Based Medical Image Synthesis

Jin

2022

Simulation and Synthesis in Medical Imaging

View full text Add to dashboard Cite

Deep Learning-based image synthesis techniques have been applied in healthcare research for generating medical images to support open research and augment medical datasets. Training generative adversarial neural networks (GANs) usually require large amounts of training data. Federated learning (FL) provides a way of training a central model using distributed data while keeping raw data locally. However, given that the FL server cannot access the raw data, it is vulnerable to backdoor attacks, an adversarial by poisoning training data. Most backdoor attack strategies focus on classification models and centralized domains. It is still an open question if the existing backdoor attacks can affect GAN training and, if so, how to defend against the attack in the FL setting. In this work, we investigate the overlooked issue of backdoor attacks in federated GANs (FedGANs). The success of this attack is subsequently determined to be the result of some local discriminators overfitting the poisoned data and corrupting the local GAN equilibrium, which then further contaminates other clients when averaging the generator's parameters and yields high generator loss. Therefore, we proposed FedDetect, an efficient and effective way of defending against the backdoor attack in the FL setting, which allows the server to detect the client's adversarial behavior based on their losses and block the malicious clients. Our extensive experiments on two medical datasets with different modalities demonstrate the backdoor attack on FedGANs can result in synthetic images with low fidelity. After detecting and suppressing the detected malicious clients using the proposed defense strategy, we show that FedGANs can synthesize high-quality medical datasets (with labels) for data augmentation to improve classification models' performance.

show abstract

An Overview of Backdoor Attacks Against Deep Neural Networks and Possible Defences

Cited by 35 publications

References 108 publications

Algorithmic Collective Action in Machine Learning

Algorithmic Collective Action in Machine Learning

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Backdoor Attack is a Devil in Federated GAN-Based Medical Image Synthesis

Contact Info

Product

Resources

About