Label-Consistent Backdoor Attacks

Turner, Alexander J.; Tsipras, Dimitris; Mądry, Aleksander

doi:10.48550/arxiv.1912.02771

Cited by 57 publications

(127 citation statements)

References 15 publications

Supporting

Mentioning

123

Contrasting

Order By: Relevance

“…One of the trends in backdoor attacks is to be more concealed, where this concealment is reflected in two aspects. On the one hand, the attacker hopes that the constructed trigger can evade human perception, so some researchers have proposed the invisible attacks [38], [39] and the labelconsistent attack [29]. On the other hand, the attack method needs to be machine imperceptible, that is, to escape various backdoor defenses.…”

Section: Discussionmentioning

confidence: 99%

“…Two image datasets, CIFAR-10 [27] and CelebA [28], which are often used in the research of backdoor learning [25], [29], [30], are selected. For CelebA, following the configuration in some previous studies [25], [30], we use the three most balanced attributes, i.e., "Heavy Makeup", "Mouth Slightly Open", and "Smiling", to create eight categories for the image classification task.…”

Section: Datasetsmentioning

confidence: 99%

See 1 more Smart Citation

Enhancing Backdoor Attacks with Multi-Level MMD Regularization

Xia¹,

Niu²,

Li³

et al. 2021

Preprint

View full text Add to dashboard Cite

While Deep Neural Networks (DNNs) deliver superior performance in many tasks, it comes at the cost of massive training resources. To save the cost, collecting data from the Internet and hiring a third party to train a model become common practices. Unfortunately, recent studies show that these operations provide a path for injecting a concealed backdoor into a DNN. An infected model behaves normally on benign inputs, whereas its prediction will be forced to an attack-specific target on adversarial data. Several detection methods have been developed to distinguish inputs to defend against such attacks. The common hypothesis that these defenses rely on is that there are large statistical differences between the latent representations of clean and adversarial inputs extracted by the infected model. However, although it is important, comprehensive research on whether the hypothesis must be true is lacking.In this paper, we focus on it and study the following relevant questions: 1) What are the properties of the statistical differences? 2) How to effectively reduce them without harming the attack intensity? 3) What impact does this reduction have on difference-based defenses? Our work is carried out on the three questions. First, by introducing the Maximum Mean Discrepancy (MMD) as the metric, we identify that the statistical differences of multi-level representations are all large, not just the highest level. Then, we propose a Statistical Difference Reduction Method (SDRM) by adding a multi-level MMD constraint to the loss function during training a backdoor model to effectively reduce the differences. Last, three typical difference-based detection methods are examined. The F1 scores of these defenses drop from 90%-100% on the regularly trained backdoor models to 60%-70% on the models trained with SDRM on all two datasets, four model architectures, and four attack methods. The results indicate that the proposed method can be used to enhance existing attacks to escape backdoor detection algorithms.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Datasetsmentioning

confidence: 99%

Enhancing Backdoor Attacks with Multi-Level MMD Regularization

Xia¹,

Niu²,

Li³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…While the stability attacks considered in this work may be reminiscent of backdoor attacks [11], we note that they share several key differences. First, stability attacks aim to compromise adversarial training with welldefined -robustness, while backdoor attacks mainly focus on embedding exploits (that can be invoked by pre-specified triggers) into naturally trained models [23,50,67]. Second, stability attacks only perturb the inputs slightly, while many works on backdoor attacks require mislabeling [26,39,46,38].…”

Section: Related Workmentioning

confidence: 99%

Can Adversarial Training Be Manipulated By Non-Robust Features?

Tao¹,

Liu²,

Wei³

et al. 2022

Preprint

View full text Add to dashboard Cite

Adversarial training, originally designed to resist test-time adversarial examples, has shown to be promising in mitigating training-time availability attacks. This defense ability, however, is challenged in this paper. We identify a novel threat model named stability attacks, which aims to hinder robust availability by slightly perturbing the training data. Under this threat, we find that adversarial training using a conventional defense budget provably fails to provide test robustness in a simple statistical setting when the non-robust features of the training data are reinforced by -bounded perturbation. Further, we analyze the necessity of enlarging the defense budget to counter stability attacks. Finally, comprehensive experiments demonstrate that stability attacks are harmful on benchmark datasets, and thus the adaptive defense is necessary to maintain robustness.

show abstract

“…• Clean-label [43], [44], [45]: the intuition behind cleanlabel attacks is that they do not require control over the labeling function. The poisoned dataset seems to be correct to the eyes of an expert label-verifier identity.…”

Section: A Targeting Integrity and Availabilitymentioning

confidence: 99%

On the Security & Privacy in Federated Learning

Abad¹,

Picek²,

Ramírez-Durán³

et al. 2021

Preprint

View full text Add to dashboard Cite

Advances in Machine Learning (ML) and its wide range of applications boosted its popularity. Recent privacy awareness initiatives as the EU General Data Protection Regulation (GDPR) -European Parliament and Council Regulation No 2016/679, subdued ML to privacy and security assessments. Federated Learning (FL) grants a privacy-driven, decentralized training scheme that improves ML models' security. The industry's fast-growing adaptation and security evaluations of FL technology exposed various vulnerabilities. Depending on the FL phase, i.e., training or inference, the adversarial actor capabilities, and the attack type threaten FL's confidentiality, integrity, or availability (CIA). Therefore, the researchers apply the knowledge from distinct domains as countermeasures, like cryptography and statistics.This work assesses the CIA of FL by reviewing the state-of-theart (SoTA) for creating a threat model that embraces the attack's surface, adversarial actors, capabilities, and goals. We propose the first unifying taxonomy for attacks and defenses by applying this model. Additionally, we provide critical insights extracted by applying the suggested novel taxonomies to the SoTA, yielding promising future research directions.

show abstract

Label-Consistent Backdoor Attacks

Cited by 57 publications

References 15 publications

Enhancing Backdoor Attacks with Multi-Level MMD Regularization

Enhancing Backdoor Attacks with Multi-Level MMD Regularization

Can Adversarial Training Be Manipulated By Non-Robust Features?

On the Security & Privacy in Federated Learning

Contact Info

Product

Resources

About