IEEE Transactions on Information Forensics and Security, Journal Year: 2024, Volume and Issue: 19, P. 6545 - 6558
Published: Jan. 1, 2024
Language: English
IEEE Transactions on Neural Networks and Learning Systems, Journal Year: 2022, Volume and Issue: 35(1), P. 5 - 22
Published: June 22, 2022
Backdoor attack intends to embed hidden backdoors into deep neural networks (DNNs), so that the attacked models perform well on benign samples, whereas their predictions will be maliciously changed if the hidden backdoor is activated by attacker-specified triggers. This threat could happen when the training process is not fully controlled, such as training on third-party datasets or adopting third-party models, which poses a new and realistic threat. Although backdoor learning is an emerging and rapidly growing research area, there is still no comprehensive and timely review of it. In this article, we present the first comprehensive survey of this realm. We summarize and categorize existing backdoor attacks and defenses based on their characteristics, and provide a unified framework for analyzing poisoning-based backdoor attacks. Besides, we also analyze the relation between backdoor attacks and relevant fields (i.e., adversarial attacks and data poisoning), and summarize widely adopted benchmark datasets. Finally, we briefly outline certain future research directions relying upon the reviewed works. A curated list of backdoor-related resources is available at
Language: English
Citations: 344

2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Journal Year: 2023, Volume and Issue: unknown
Published: June 1, 2023
Backdoor attacks against neural networks have been intensively investigated, where the adversary compromises the integrity of the victim model, causing it to make wrong predictions for inference samples containing a specific trigger. To make the trigger more imperceptible and human-unnoticeable, a variety of stealthy backdoor attacks have been proposed: some works employ imperceptible perturbations as triggers, which restrict the pixel differences between the triggered image and the clean image; some use special image styles (e.g., reflection, Instagram filter) as triggers. However, these attacks sacrifice robustness and can be easily defeated by common preprocessing-based defenses. This paper presents a novel color backdoor attack, which can exhibit robustness and stealthiness at the same time. The key insight of our attack is to apply a uniform color space shift to all pixels as the trigger. This global feature is robust to image transformation operations, and the triggered samples maintain a natural-looking appearance. To find the optimal trigger, we first define naturalness restrictions through the metrics PSNR, SSIM and LPIPS. Then we employ the Particle Swarm Optimization (PSO) algorithm to search for the trigger that can achieve high attack effectiveness while satisfying the restrictions. Extensive experiments demonstrate the superiority of PSO and the robustness of the color backdoor against different main-stream
Language: English
Citations: 33

Pattern Recognition, Journal Year: 2023, Volume and Issue: 139, P. 109512 - 109512
Published: March 10, 2023
Language: English
Citations: 18

Proceedings of the AAAI Conference on Artificial Intelligence, Journal Year: 2024, Volume and Issue: 38(13), P. 14115 - 14123
Published: March 24, 2024
As a new paradigm to erase data from a model and protect user privacy, machine unlearning has drawn significant attention. However, existing studies on machine unlearning mainly focus on its effectiveness and efficiency, neglecting the security challenges introduced by this technique. In this paper, we aim to bridge this gap and study the possibility of conducting malicious attacks leveraging machine unlearning. Specifically, we consider the backdoor attack via machine unlearning, where an attacker seeks to inject a backdoor in the unlearned model by submitting malicious unlearning requests, so that the prediction made by the unlearned model can be changed when a particular trigger presents. In our study, we propose two attack approaches. The first approach does not require the attacker to poison any training data of the model; the attacker can achieve the attack goal only by requesting to unlearn a small subset of his contributed training data. The second approach allows the attacker to poison a few training instances with a pre-defined trigger upfront, and then activate the attack via an unlearning request. Both approaches are proposed with the goal of maximizing the attack utility while ensuring attack stealthiness. The effectiveness of the proposed attacks is demonstrated with different machine unlearning algorithms as well as different models and datasets.
Language: English
Citations: 8

ACM Computing Surveys, Journal Year: 2024, Volume and Issue: 57(4), P. 1 - 35
Published: Nov. 15, 2024
Since the emergence of security concerns in artificial intelligence (AI), there has been significant attention devoted to the examination of backdoor attacks. Attackers can utilize backdoor attacks to manipulate model predictions, leading to potential harm. However, current research on backdoor attacks and defenses in both theoretical and practical fields still has many shortcomings. To systematically analyze these shortcomings and address the lack of comprehensive reviews, this article presents a systematic summary of backdoor attacks and defenses targeting multi-domain AI models. Simultaneously, based on the design principles and shared characteristics of triggers in different domains and the implementation stages of defense, it proposes a new classification method for backdoor attacks and defenses. We use this method to extensively review backdoor attacks and defenses in computer vision and natural language processing, and we also examine their applications in audio recognition, video action recognition, multimodal tasks, time series, generative learning, and reinforcement learning, while critically analyzing the open problems of various attack techniques and defense strategies. Finally, the article builds upon the analysis of the current state of research to further explore future directions
Language: English
Citations: 8

Proceedings of the ACM Web Conference 2022, Journal Year: 2023, Volume and Issue: unknown, P. 651 - 661
Published: April 26, 2023
With the greater emphasis on privacy and security in our society, the problem of graph unlearning -- revoking the influence of specific data on a trained GNN model -- is drawing increasing attention. However, ranging from machine unlearning to recently emerged graph unlearning methods, existing efforts either resort to the retraining paradigm, or perform approximate erasure that fails to consider the inter-dependency between connected neighbors or imposes constraints on the GNN structure, and therefore they are hard-pressed to achieve satisfying performance-complexity trade-offs. In this work, we explore the influence function tailored for graph unlearning, so as to improve the efficacy and efficiency of graph unlearning. We first present a unified problem formulation of diverse graph unlearning tasks w.r.t. node, edge, and feature. Then, we recognize the crux of the inability of the traditional influence function for graph unlearning, and devise the Graph Influence Function (GIF), a model-agnostic unlearning method that can efficiently and accurately estimate parameter changes in response to an $\epsilon$-mass perturbation in the deleted data. The idea is to supplement the objective of the traditional influence function with an additional loss term for the neighbors influenced due to structural dependency. Further deductions on the closed-form solution provide a better understanding of the unlearning mechanism. We conduct extensive experiments on four representative GNN models and three benchmark datasets to justify the superiority of GIF in terms of unlearning efficacy, model utility, and unlearning efficiency. Our implementations are available at https://github.com/wujcan/GIF-torch/.
Language: English
Citations: 15

ICASSP 2022 - 2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Journal Year: 2023, Volume and Issue: unknown
Published: May 5, 2023
Recent studies revealed that deep neural networks (DNNs) are exposed to backdoor threats when training with third-party resources (such as training samples or backbones). The backdoored model has promising performance in predicting benign samples, whereas its predictions can be maliciously manipulated by adversaries based on activating its backdoors with pre-defined trigger patterns. Currently, most of the existing backdoor attacks were conducted on image classification under the targeted manner. In this paper, we reveal that these threats could also happen in object detection, posing threatening risks to many mission-critical applications (e.g., pedestrian detection and intelligent surveillance systems). Specifically, we design a simple yet effective poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model into losing the detection of any object stamped with the trigger pattern. We conduct extensive experiments on the benchmark dataset, showing its effectiveness in both digital and physical-world settings and its resistance to potential defenses.
Language: English
Citations: 12

Computers & Security, Journal Year: 2024, Volume and Issue: 142, P. 103855 - 103855
Published: April 18, 2024
Language: English
Citations: 5

IEEE Transactions on Image Processing, Journal Year: 2024, Volume and Issue: 33, P. 2558 - 2571
Published: Jan. 1, 2024
Despite remarkable successes in unimodal learning tasks, backdoor attacks against cross-modal learning are still underexplored due to the limited generalization and inferior stealthiness when involving multiple modalities. Notably, since works in this area mainly inherit ideas from unimodal visual attacks, they struggle with dealing with diverse cross-modal attack circumstances and manipulating imperceptible trigger samples, which hinders their practicability in real-world applications. In this paper, we introduce a novel bilateral backdoor to fill in the missing pieces of the puzzle in cross-modal backdoors and propose a generalized invisible backdoor framework against cross-modal learning (BadCM). Specifically, a cross-modal mining scheme is developed to capture the modality-invariant components as target poisoning areas, where well-designed trigger patterns injected into these regions can be efficiently recognized by the victim models. This strategy is adapted to different image-text cross-modal models, making our framework available to various attack scenarios. Furthermore, for generating poisoned samples of high stealthiness, we conceive modality-specific generators for the visual and linguistic modalities that facilitate hiding explicit trigger patterns in the modality-invariant regions. To the best of our knowledge, BadCM is the first invisible backdoor method deliberately designed for diverse cross-modal attacks within one unified framework. Comprehensive experimental evaluations on two typical applications, i.e., cross-modal retrieval and VQA, demonstrate the effectiveness and generalization of our method under multiple kinds of attack scenarios. Moreover, we show that BadCM can robustly evade existing backdoor defenses. Our code is available at https://github.com/xandery-geek/BadCM.
Language: English
Citations: 4

Applied Intelligence, Journal Year: 2023, Volume and Issue: 53(17), P. 20402 - 20417
Published: April 12, 2023
Language: English
Citations: 9