Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review

Gao, Yansong; Doan, Bao Gia; Zhang, Zhi; Ma, Siqi; Zhang, Jiliang; Fu, Anmin; Nepal, Surya; Kim, Hyoungshick

doi:10.48550/arxiv.2007.10760

Cited by 45 publications

(77 citation statements)

References 133 publications

(364 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, this work mainly leverages the data poison to insert a backdoor into the object detector. This attacking strategy has been shown to be very effective to implant backdoor into various models [7]. Opposed to change the label to the targeted class when backdooring a classification model [5], here we modify the annotation of the Poisoning the Training Dataset.…”

Section: Attacking Strategymentioning

confidence: 99%

“…As this is the first work that investigates the backdoor vulnerability of the object detectors built up DL, there is so far no existing solution to such attack. As a matter of fact, to the best of our knowledge, nearly all (if not all) of the DL backdoor countermeasures are focusing on the classification tasks, especially image classifications [7]. They (i.e., state-ofthe-arts of [39]- [42]) are not immediately mountable on protecting object detection task, which is beyond the classification task.…”

Section: Countermeasuresmentioning

confidence: 99%

“…Therefore, it is challenging to craft adversarial example patch to be robust in diverse real-world scenes. Distinct from the adversarial example attack, recently, there is a new backdoor attack being revealed, with nearly all studies are on classification tasks, especially image classifications [5]- [7]. A backdoored model behaves normally given normal inputs containing the attacker secretly-chosen trigger, but misbehaves as the attacker intends once the trigger is presented in the input.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Dangerous Cloaking: Natural Trigger based Backdoor Attacks on Object Detectors in the Physical World

Ma¹,

Yin-shan²,

Gao³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Deep learning (DL) models have been shown to be vulnerable to recent backdoor attacks. A backdoored model behaves normally for inputs containing no attacker-secretlychosen trigger and maliciously for inputs with the trigger. To date, backdoor attacks and countermeasures mainly focus on classification tasks, in particular, image classification. Most of these backdoor attacks have been implemented in the digital world with digital triggers. Besides the classification tasks, object detection systems are also designed to identify the location of an object, which is a fundamental basis for various computer vision tasks. However, there is no investigation and understanding of the backdoor vulnerability of the object detector, even in the digital world with digital triggers.For the first time, this work demonstrates that existing object detectors are inherently susceptible to physical backdoor attacks, thus revealing severe real-world security threats, e.g., when malicious cloaking is abused. We use a natural T-shirt bought from a market as a trigger to enable the cloaking effect-the person bounding-box disappears in front of the object detector. We show that such a backdoor can be implanted from two widely exploitable attack scenarios into the object detector, which is outsourced or fine-tuned through a pretrained model. We have extensively evaluated three popular object detection algorithms: anchor-based Yolo-V3, Yolo-V4, and anchor-free CenterNet. Building upon 19 videos (about 11,800 frames in total) shot in real-world scenes, we confirm that the backdoor attack is robust against various factors: movement, distance, angle, nonrigid deformation, and lighting. Specifically, the attack success rate (ASR) in most videos is 100% or close to it, while the clean data accuracy of the backdoored model is the same as its clean counterpart. The latter implies that it is infeasible to detect the backdoor behavior merely through a validation set. The averaged ASR still remains sufficiently high to be 78% in the transfer learning attack scenarios evaluated on CenterNet. The comprehensive demo video (up to 5 minutes) is available at https://youtu.be/Q3HOF4OobbY.

show abstract

Section: Attacking Strategymentioning

confidence: 99%

Section: Countermeasuresmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Dangerous Cloaking: Natural Trigger based Backdoor Attacks on Object Detectors in the Physical World

Ma¹,

Yin-shan²,

Gao³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…To avoid or mitigate the effects of backdoor attacks on collaborative learning systems, several backdoor defense methods have been proposed [74], [130]- [132]. We divide existing methods into two categories based on the subject of inspection: data and the model inspection.…”

Section: B Backdoor Defensesmentioning

confidence: 99%

“…Data inspection defenses try to distinguish poisoned data from normal ones, while the model inspection approach [48], [49] relies on anomaly technique to distinguish abnormal behaviour of the models caused by backdoors [130]. These defenses can be carried out during or after the training processing.…”

Section: B Backdoor Defensesmentioning

confidence: 99%

Robust and Privacy-Preserving Collaborative Learning: A Comprehensive Survey

Guo¹,

Zhang²,

Yang³

et al. 2021

Preprint

View full text Add to dashboard Cite

With the rapid demand of data and computational resources in deep learning systems, a growing number of algorithms to utilize collaborative machine learning techniques, for example, federated learning, to train a shared deep model across multiple participants. It could effectively take advantage of resource of each participant and obtain a more powerful learning system. However, integrity and privacy threats in such systems have greatly obstructed the applications of collaborative learning. And a large amount of works have been proposed to maintain the model integrity and mitigate the privacy leakage of training data during the training phase for different collaborate learning systems. Compared with existing surveys that mainly focus on one specific collaborate learning system, this survey aims to provide a systematic and comprehensive review of security and privacy researches in collaborative learning. Our survey first provides the system overview of collaborative learning, followed by an brief introduction of integrity and privacy threats. In an organized way, we then detail the existing integrity and privacy attacks as well as their defenses. We also list some open problems in this area and opensource the related papers on GitHub: https://github.com/csl-cqu/awesome-secure-collebrativelearning-papers.

show abstract