神经网络后门攻击研究

doi:10.11959/j.issn.2096-109x.2021053

Abstract

Abstract:

According to existing neural network backdoor attack research works, the concept of neural network backdoor attack is first introduced.Secondly, the research status of neural network backdoor attack is explained from three aspects: research development, summary of typical work and classification.Then, some typical backdoor attack strategies are analyzed in detail.Finally, the research status is summarized and the future research directions are discussed.

Key words: artificial intelligence security, deep learning, neural networks, neural network backdoor

CLC Number:

TP309.2

Qingyin TAN, Yingming ZENG, Ye HAN, Yijing LIU, Zheli LIU. Survey on backdoor attacks targeted on neural network[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 46-58.

Figures/Tables 1

References 41

[1]	KRIZHEVSKY A , SUTSKEVER I , HINTON G E . ImageNet classification with deep convolutional neural networks[C]// Advances in Neural Information Processing Systems. 2012: 1097-1105.
[2]	HE K , ZHANG X , REN S ,et al. Deep residual learning for image recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 770-778.
[3]	GRAVES A , MOHAMED A , HINTON G . Speech recognition with deep recurrent neural networks[C]// 2013 IEEE International Conference on Acoustics,Speech and Signal Processing. 2013: 6645-6649.
[4]	HERMANN K M , BLUNSOM P . Multilingual distributed representations without word alignment[J]. arXiv preprint arXiv:1312.6173, 2013.
[5]	BAHDANAU D , CHO K , BENGIO Y . Neural machine translation by jointly learning to align and translate[J]. arXiv preprint arXiv:1409.0473, 2014.
[6]	MNIH V , KAVUKCUOGLU K , SILVER D ,et al. Playing atari with deep reinforcement learning[J]. arXiv preprint arXiv:1312.5602, 2013.
[7]	PARKHI O M , VEDALDI A , ZISSERMAN A ,et al. Deep face recognition[C]// Proceedings of the British Machine Vision Conference (BMVC). 2015.
[8]	SUN Y , WANG X , TANG X . Deep learning face representation from predicting 10 000 classes[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2014: 1891-1898.
[9]	CHEN C , SEFF A , KORNHAUSER A ,et al. Deepdriving:learning affordance for direct perception in autonomous driving[C]// Proceedings of the IEEE International Conference on Computer Vision. 2015: 2722-2730.
[10]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv preprint arXiv:1312.6199, 2013.
[11]	GONG Y , LI B , POELLABAUER C ,et al. Real-time adversarial attacks[J]. arXiv preprint arXiv:1905.13399, 2019.
[12]	GU T , DOLAN-GAVITT B , GARG S . BadNets:Identifying vulnerabilities in the machine learning model supply chain[J]. arXiv preprint arXiv:1708.06733, 2017.
[13]	LIU Y , MA S , AAFER Y ,et al. Trojaning attack on neural networks[R]. 2017.
[14]	SHAFAHI A , HUANG W R , NAJIBI M ,et al. Poison Frogs! targeted clean-label poisoning attacks on neural networks[C]// Advances in Neural Information Processing Systems. 2018: 6103-6113.
[15]	ZOU M , SHI Y , WANG C ,et al. PoTrojan:powerful neural-level trojan designs in deep learning models[J]. arXiv preprint arXiv:1802.03043, 2018.
[16]	ZHU C , HUANG W R , SHAFAHI A ,et al. Transferable clean-label attack poisoning attacks on deep neural nets[J]. arXiv Preprint arXiv:1905.05897, 2019.
[17]	BAGDASARYAN E , VEIT A , HUA Y ,et al. How to backdoor federated learning[J]. arXiv preprint arXiv:1807.00459, 2018.
[18]	SUN Z , KAIROUZ P , SURESH A T ,et al. Can you really backdoor federated learning?[J]. arXiv Preprint arXiv:1911.07963, 2019.
[19]	YANG Z , IYER N , REIMANN J ,et al. Design of intentional backdoors in sequential models[J]. arXiv preprint arXiv:1902.09972, 2019.
[20]	KIOURTI P , WARDEGA K , JHA S ,et al. TrojDRL:trojan attacks on deep reinforcement learning agents[J]. arXiv Preprint arXiv:1903.06638, 2019.
[21]	YAO Y , LI H , ZHENG H ,et al. Regula sub-rosa:latent backdoor attacks on deep neural networks[J]. arXiv preprint arXiv:1905.10447, 2019.
[22]	YAO Y , LI H , ZHENG H ,et al. Latent backdoor attacks on deep neural networks[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 2041-2055.
[23]	XU G , LI H , LIU S ,et al. VerifyNet:secure and verifiable federated learning[J]. IEEE Transactions on information forensics and Security, 2019,15: 911-926.
[24]	TAN T J L , SHOKRI R . Bypassing backdoor detection algorithms in deep learning[J]. arXiv Preprint arXiv:1905.13409, 2019.
[25]	JI Y , ZHANG X , WANG T . Backdoor attacks against learning systems[C]// 2017 IEEE Conference on Communications and Network Security (CNS). 2017: 1-9.
[26]	BIGGIO B , NELSON B , LASKOV P . Poisoning attacks against support vector machines[J]. arXiv Preprint arXiv:1206.6389, 2012.
[27]	HUANG L , JOSEPH A D , NELSON B ,et al. Adversarial machine learning[C]// Proceedings of the 4th ACM Workshop on Security and Artificial intelligence. 2011: 43-58.
[28]	MAHLOUJIFAR S , MAHMOODY M , MOHAMMED A . Multi-party poisoning through generalized $ p $-tampering[J]. arXiv preprint arXiv:1809.03474, 2018.
[29]	CHEN X , LIU C , LI B ,et al. Targeted backdoor attacks on deep learning systems using data poisoning[J]. arXiv preprint arXiv:1712.05526, 2017.
[30]	DAI J , CHEN C , LI Y . A backdoor attack against LSTM-based text classification systems[J]. IEEE Access, 2019,7: 138872-138878.
[31]	DUMFORD J , SCHEIRER W . Backdooring convolutional neural networks via targeted weight perturbations[J]. arXiv Preprint arXiv:1812.03128, 2018.
[32]	JI Y , ZHANG X , JI S ,et al. Model-reuse attacks on deep learning systems[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018: 349-363.
[33]	PAN S J , YANG Q . A survey on transfer learning[J]. IEEE Transactions on knowledge and data engineering, 2009,22(10): 1345-1359.
[34]	刘全, 翟建伟, 章宗长 ,等. 深度强化学习综述[J]. 计算机学报, 2018,41(01): 1-27.
	LIU Q , ZHAI J W , ZHANG Z C ,et al. A survey on deep reinforcement learning[J]. Chinese Journal of Computers, 2018,4(1): 1-27.
[35]	Decentralized ML[EB].
[36]	KONE?NY J , MCMAHAN H B , YU F X ,et al. Federated learning:Strategies for improving communication efficiency[J]. arXiv Preprint arXiv:1610.05492, 2016.
[37]	MCMAHAN H B , MOORE E , RAMAGE D ,et al. Communication-efficient learning of deep networks from decentralized data[J]. arXiv Preprint arXiv:1602.05629, 2016.
[38]	TRAN B , LI J , MADRY A . Spectral signatures in backdoor attacks[C]// Advances in Neural Information Processing Systems. 2018: 8000-8010.
[39]	CHEN B , CARVALHO W , BARACALDO N ,et al. Detecting backdoor attacks on deep neural networks by activation clustering[J]. arXiv Preprint arXiv:1811.03728, 2018.
[40]	LIU K , DOLAN-GAVITT B , GARG S . Fine-pruning:Defending against backdooring attacks on deep neural networks[C]// International Symposium on Research in Attacks,Intrusions,and Defenses. Springer,Cham, 2018: 273-294.
[41]	PANG R . The tale of evil twins:adversarial inputs versus backdoored models[J]. arXiv preprint arXiv:1911.01559, 2019.

Metrics

Recommended 0

No Suggested Reading articles found!

方法	时间/年份	攻击实现	目标场景	现实性	隐蔽性
BadNets^[12]	2017	数据中毒	外包训练	低	低
Trojaning Attack^[13]	2017	模型操作	迁移学习	中	中
PLMs Backdoor Attack^[25]	2017	模型中毒	迁移学习	中	高
Backdoor Attack^[29]	2017	数据中毒	—	低	中
Clean-Label Attack^[14]	2018	数据中毒	迁移学习	低	高
PoTrojan^[15]	2018	模型操作	迁移学习	中	中
Federated learning backdoor^[17]	2018	模型中毒	联邦学习	中	高
Model-Reuse^[32]	2018	模型中毒	迁移学习	高	高
WeightPerturbations^[31]	2018	模型操作	—	中	高
Backdoors in sequential models^[19]	2019	数据中毒	深度强化学习	中	中
TrojDRL^[20]	2019	数据中毒	深度强化学习	中	高
Transferable Clean-Label Attack^[16]	2019	数据中毒	迁移学习	中	高
Latent Backdoor^[21-22]	2019	模型中毒	迁移学习	高	优
Really Backdoor Federated Learning^[18]	2019	模型中毒	联邦学习	高	高
Bypassing Detection Backdoor^[24]	2019	数据中毒	—	中	高
Text classification systems backdoor^[30]	2019	数据中毒	—	中	高
注：“—”指该攻击针对的场景为作者设定的特定场景。

Survey on backdoor attacks targeted on neural network

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 1

References 41

Related Articles 15

Metrics

Recommended 0

[1]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[2]	Xiaochen SHEN, Yinhui GE, Bo CHEN, Ling YU. Research on construction technology of artificial intelligence security knowledge graph [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 164-174.
[3]	Rongna XIE, Zhuhong MA, Zongyu LI, Ye TIAN. Encrypted traffic classification method based on convolutional neural network [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 84-91.
[4]	Dengyong ZHANG, Huang WEN, Feng LI, Peng CAO, Lingyun XIANG, Gaobo YANG, Xiangling DING. Image inpainting forensics method based on dual branch network [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 110-122.
[5]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.
[6]	Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
[7]	Jinyin CHEN, Changan WU, Haibin ZHENG. Novel defense based on softmax activation transformation [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 48-63.
[8]	Baolin QIU, Ping YI. Adversarial examples defense method based on multi-dimensional feature maps knowledge distillation [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 88-99.
[9]	Lijuan LI, Man LI, Hongjun BI, Huachun ZHOU. Multi-type low-rate DDoS attack detection method based on hybrid deep learning [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 73-85.
[10]	Zhongyuan QIN, Zhaoxiang HE, Tao LI, Liquan CHEN. Adversarial example defense algorithm for MNIST based on image reconstruction [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 86-94.
[11]	Deqing ZOU, Xiang LI, Minhuan HUANG, Xiang SONG, Hao LI, Weiming LI. Intelligent vulnerability detection system based on graph structured source code slice [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 113-122.
[12]	Zhenglong WANG, Baowen ZHANG. Survey of generative adversarial network [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 68-85.
[13]	Binglong LI, Jinlong TONG, Yu ZHANG, Yifeng SUN, Qingxian WANG, Chaowen CHANG. Auto forensic detecting algorithms of malicious code fragment based on TensorFlow [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 154-163.
[14]	Jinyin CHEN, Dunjie ZHANG, Guohan HUANG, Xiang LIN, Liang BAO. Adversarial attack and defense on graph neural networks: a survey [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 1-28.
[15]	Luhui YANG,Huiwen BAI,Guangjie LIU,Yuewei DAI. Lightweight malicious domain name detection model based on separable convolution [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 112-120.