FIBA: Frequency-Injection based Backdoor Attack in Medical Image Analysis

Feng, Yi; Ma, Benteng; Zhang, Jing; Zhao, Shanshan; Xia, Yong; Tao, Dacheng

doi:10.1109/cvpr52688.2022.02021

Cited by 60 publications

(15 citation statements)

References 59 publications

(51 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The poisoned model behaves normally on benign instances, but its predictions change consistently to the attacker's desired target class when a particular trigger is used to activate the injected backdoor. Most backdoor injections (Gu, Dolan-Gavitt, and Garg 2017;Chen et al 2017;Barni, Kallas, and Tondi 2019;Salem et al 2022;Nguyen and Tran 2021;Zhang et al 2022;Li et al 2021a;Lin et al 2020;Wang et al 2021;Feng et al 2022) occur during the training process, where the attacker contributes a set of training data embedded with a particular trigger pattern. As a result, the compromised model exhibits the backdoor behavior when the same trigger pattern presents in the testing stage.…”

Section: Background and Related Workmentioning

confidence: 99%

Backdoor Attacks via Machine Unlearning

Liu,

Wang,

Huai

et al. 2024

AAAI

View full text Add to dashboard Cite

As a new paradigm to erase data from a model and protect user privacy, machine unlearning has drawn significant attention. However, existing studies on machine unlearning mainly focus on its effectiveness and efficiency, neglecting the security challenges introduced by this technique. In this paper, we aim to bridge this gap and study the possibility of conducting malicious attacks leveraging machine unlearning. Specifically, we consider the backdoor attack via machine unlearning, where an attacker seeks to inject a backdoor in the unlearned model by submitting malicious unlearning requests, so that the prediction made by the unlearned model can be changed when a particular trigger presents. In our study, we propose two attack approaches. The first attack approach does not require the attacker to poison any training data of the model. The attacker can achieve the attack goal only by requesting to unlearn a small subset of his contributed training data. The second approach allows the attacker to poison a few training instances with a pre-defined trigger upfront, and then activate the attack via submitting a malicious unlearning request. Both attack approaches are proposed with the goal of maximizing the attack utility while ensuring attack stealthiness. The effectiveness of the proposed attacks is demonstrated with different machine unlearning algorithms as well as different models on different datasets.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Backdoor Attacks via Machine Unlearning

Liu,

Wang,

Huai

et al. 2024

AAAI

View full text Add to dashboard Cite

show abstract

“…The objective of a backdoor attack on WFL is to mislead the global model to misclassify malicious inputs with injected backdoor patterns into the target output, with application to image classification [127]- [136], word prediction [137]- [142], etc. For instance, regarding the image classification task discussed in [33], an attacker aims to mislead the global model to classify images of "truck" as "airplane".…”

Section: E Evaluation Metrics For Backdoor Attacksmentioning

confidence: 99%

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

Wang

Qiao

Zhang

et al. 2022

2022 IEEE Wireless Communications and Networking Conference (WCNC)

View full text Add to dashboard Cite

Due to the greatly improved capabilities of devices, massive data, and increasing concern about data privacy, Federated Learning (FL) has been increasingly considered for applications to wireless communication networks (WCNs). Wireless FL (WFL) is a distributed method of training a global deep learning model in which a large number of participants each train a local model on their training datasets and then upload the local model updates to a central server. However, in general, nonindependent and identically distributed (non-IID) data of WCNs raises concerns about robustness, as a malicious participant could potentially inject a "backdoor" into the global model by uploading poisoned data or models over WCN. This could cause the model to misclassify malicious inputs as a specific target class while behaving normally with benign inputs. This survey provides a comprehensive review of the latest backdoor attacks and defense mechanisms. It classifies them according to their targets (data poisoning or model poisoning), the attack phase (local data collection, training, or aggregation), and defense stage (local training, before aggregation, during aggregation, or after aggregation). The strengths and limitations of existing attack strategies and defense mechanisms are analyzed in detail. Comparisons of existing attack methods and defense designs are carried out, pointing to noteworthy findings, open challenges, and potential future research directions related to security and privacy of WFL.

show abstract

“…Recently, advanced backdoor attacks have made them harder to detect by improving the trigger designs or leveraging stealthier backdoor implanting methods. Some of these methods involve the use of feature-space triggers or more complex triggers, such as frequency-domain backdoor (Feng et al 2022), latent-space backdoor (Yao et al 2019), blend backdoor (Li et al 2021), reflection backdoor (Liu et al 2020), and the composite backdoor (Lin et al 2020), etc. Different from small patches, these triggers are difficult to be reversed as small-area patterns and, thus, pose challenges in distinguishing them from universal AEs.…”

Section: Introductionmentioning

confidence: 99%

UMA: Facilitating Backdoor Scanning via Unlearning-Based Model Ablation

Zhao,

Li,

Chen

2024

AAAI

View full text Add to dashboard Cite

Recent advances in backdoor attacks, like leveraging complex triggers or stealthy implanting techniques, have introduced new challenges in backdoor scanning, limiting the usability of Deep Neural Networks (DNNs) in various scenarios. In this paper, we propose Unlearning-based Model Ablation (UMA), a novel approach to facilitate backdoor scanning and defend against advanced backdoor attacks. UMA filters out backdoor-irrelevant features by ablating the inherent features of the target class within the model and subsequently reveals the backdoor through dynamic trigger optimization. We evaluate our method on 1700 models (700 benign and 1000 trojaned) with 6 model structures, 7 different backdoor attacks and 4 datasets. Our results demonstrate that the proposed methodology effectively detect these advanced backdoors. Specifically, our method can achieve 91% AUC-ROC and 86.6% detection accuracy on average, which outperforms the baselines, including Neural Cleanse, ABS, K-Arm and MNTD.

show abstract

FIBA: Frequency-Injection based Backdoor Attack in Medical Image Analysis

Cited by 60 publications

References 59 publications

Backdoor Attacks via Machine Unlearning

Backdoor Attacks via Machine Unlearning

Defense Strategies Toward Model Poisoning Attacks in Federated Learning: A Survey

UMA: Facilitating Backdoor Scanning via Unlearning-Based Model Ablation

Contact Info

Product

Resources

About