DeepSweep: An Evaluation Framework for Mitigating DNN Backdoor Attacks
using Data Augmentation
- URL: http://arxiv.org/abs/2012.07006v2
- Date: Sun, 11 Apr 2021 17:09:10 GMT
- Title: DeepSweep: An Evaluation Framework for Mitigating DNN Backdoor Attacks
using Data Augmentation
- Authors: Han Qiu, Yi Zeng, Shangwei Guo, Tianwei Zhang, Meikang Qiu, Bhavani
Thuraisingham
- Abstract summary: Third-party providers can inject poisoned samples into datasets or embed backdoors in Deep Learning models.
We propose a systematic approach to discover the optimal policies for defending against different backdoor attacks.
Our identified policy can effectively mitigate eight different kinds of backdoor attacks and outperform five existing defense methods.
- Score: 16.455154794893055
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Public resources and services (e.g., datasets, training platforms,
pre-trained models) have been widely adopted to ease the development of Deep
Learning-based applications. However, if the third-party providers are
untrusted, they can inject poisoned samples into the datasets or embed
backdoors in those models. Such an integrity breach can cause severe
consequences, especially in safety- and security-critical applications. Various
backdoor attack techniques have been proposed to achieve higher effectiveness and
stealthiness. Unfortunately, existing defense solutions cannot practically thwart
those attacks in a comprehensive way.
In this paper, we investigate the effectiveness of data augmentation
techniques in mitigating backdoor attacks and enhancing DL models' robustness.
An evaluation framework is introduced to achieve this goal. Specifically, we
consider a unified defense solution, which (1) adopts a data augmentation
policy to fine-tune the infected model and eliminate the effects of the
embedded backdoor; (2) uses another augmentation policy to preprocess input
samples and invalidate the triggers during inference. We propose a systematic
approach to discover the optimal policies for defending against different
backdoor attacks by comprehensively evaluating 71 state-of-the-art data
augmentation functions. Extensive experiments show that our identified policy
can effectively mitigate eight different kinds of backdoor attacks and
outperform five existing defense methods. We envision that this framework can serve
as a benchmark tool to advance future studies of DNN backdoors.
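As a concrete illustration of the unified defense described in the abstract, below is a minimal PyTorch/torchvision sketch of its two stages: fine-tuning the suspect model on augmented clean data, and preprocessing each input with a second augmentation policy at inference time, plus the selection criterion (clean accuracy vs. attack success rate) implied by the policy search. The specific transformations, hyperparameters, and helper names (finetune, defended_predict, score_policy) are illustrative assumptions; the paper derives its actual policies by evaluating 71 augmentation functions, which are not reproduced here.
```python
# Hedged sketch of an augmentation-based backdoor defense in the spirit of DeepSweep.
# All concrete choices below are assumptions, not the paper's identified policies.
import torch
import torch.nn as nn
from torch.utils.data import DataLoader
from torchvision import transforms

# (1) Fine-tuning policy: augmentations applied to clean data while fine-tuning the
#     suspect model, intended to weaken the trigger-to-target-class association.
finetune_policy = transforms.Compose([
    transforms.RandomAffine(degrees=10, translate=(0.1, 0.1)),
    transforms.ColorJitter(brightness=0.2, contrast=0.2),
    transforms.ToTensor(),
])

# (2) Inference policy: lighter transformations applied to every incoming sample so
#     that a residual trigger pattern is perturbed before the model sees it.
inference_policy = transforms.Compose([
    transforms.RandomAffine(degrees=5, translate=(0.05, 0.05)),
    transforms.ToTensor(),
])

def finetune(model: nn.Module, clean_dataset, epochs: int = 5, lr: float = 1e-4) -> nn.Module:
    """Fine-tune the (possibly backdoored) model on clean data that already applies
    finetune_policy, e.g. ImageFolder(root, transform=finetune_policy)."""
    loader = DataLoader(clean_dataset, batch_size=64, shuffle=True)
    optimizer = torch.optim.SGD(model.parameters(), lr=lr, momentum=0.9)
    criterion = nn.CrossEntropyLoss()
    model.train()
    for _ in range(epochs):
        for x, y in loader:
            optimizer.zero_grad()
            criterion(model(x), y).backward()
            optimizer.step()
    return model

@torch.no_grad()
def defended_predict(model: nn.Module, pil_image) -> int:
    """Preprocess a single PIL image with the inference policy, then classify."""
    model.eval()
    x = inference_policy(pil_image).unsqueeze(0)
    return model(x).argmax(dim=1).item()

@torch.no_grad()
def score_policy(model: nn.Module, clean_loader, triggered_loader, target_class: int):
    """Selection criterion sketched from the abstract: keep clean accuracy high while
    driving the attack success rate (triggered inputs hitting the target) down."""
    model.eval()
    correct = total = hits = poisoned = 0
    for x, y in clean_loader:
        correct += (model(x).argmax(1) == y).sum().item()
        total += y.numel()
    for x, _ in triggered_loader:
        hits += (model(x).argmax(1) == target_class).sum().item()
        poisoned += x.size(0)
    return correct / total, hits / poisoned  # (clean accuracy, attack success rate)
```
Keeping the inference-time policy lighter than the fine-tuning policy is also an assumption here, meant to limit clean-accuracy loss on deployed inputs.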
Related papers
- Efficient Backdoor Defense in Multimodal Contrastive Learning: A Token-Level Unlearning Method for Mitigating Threats [52.94388672185062]
We propose an efficient defense mechanism against backdoor threats using a concept known as machine unlearning.
This entails strategically creating a small set of poisoned samples to aid the model's rapid unlearning of backdoor vulnerabilities.
In the backdoor unlearning process, we present a novel token-based portion unlearning training regime.
arXiv Detail & Related papers (2024-09-29T02:55:38Z)
- Concealing Backdoor Model Updates in Federated Learning by Trigger-Optimized Data Poisoning [20.69655306650485]
Federated Learning (FL) is a decentralized machine learning method that enables participants to collaboratively train a model without sharing their private data.
Despite its privacy and scalability benefits, FL is susceptible to backdoor attacks.
We propose DPOT, a backdoor attack strategy in FL that dynamically constructs backdoor objectives by optimizing a backdoor trigger.
arXiv Detail & Related papers (2024-05-10T02:44:25Z)
- Efficient Backdoor Attacks for Deep Neural Networks in Real-world Scenarios [17.928013313779516]
Recent deep neural networks (DNNs) have come to rely on vast amounts of training data.
In this paper, we introduce a more realistic attack scenario where victims collect data from multiple sources.
We introduce three CLIP-based technologies from two distinct streams: Clean Feature Suppression and Poisoning Feature Augmentation.
arXiv Detail & Related papers (2023-06-14T09:21:48Z)
- Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations [55.2480439325792]
Federated Learning (FL) facilitates decentralized machine learning model training, preserving data privacy, lowering communication costs, and boosting model performance through diversified data sources.
FL faces vulnerabilities such as poisoning attacks, undermining model integrity with both untargeted performance degradation and targeted backdoor attacks.
We define a new notion of strong adaptive adversaries, capable of adapting to multiple objectives simultaneously.
MESAS is the first defense robust against strong adaptive adversaries, effective in real-world data scenarios, with an average overhead of just 24.37 seconds.
arXiv Detail & Related papers (2023-06-06T11:44:42Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
The backdoor attack is an emerging and serious training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- Backdoor Defense via Deconfounded Representation Learning [17.28760299048368]
We propose a Causality-inspired Backdoor Defense (CBD) to learn deconfounded representations for reliable classification.
CBD is effective in reducing backdoor threats while maintaining high accuracy in predicting benign samples.
arXiv Detail & Related papers (2023-03-13T02:25:59Z)
- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks [72.7373468905418]
We develop an open-source toolkit OpenBackdoor to foster the implementations and evaluations of textual backdoor learning.
We also propose CUBE, a simple yet strong clustering-based defense baseline.
arXiv Detail & Related papers (2022-06-17T02:29:23Z)
- Model-Contrastive Learning for Backdoor Defense [13.781375023320981]
We propose a novel backdoor defense method named MCL based on model-contrastive learning.
MCL is more effective at reducing backdoor threats while maintaining higher accuracy on benign data.
arXiv Detail & Related papers (2022-05-09T16:36:46Z)
- On the Effectiveness of Adversarial Training against Backdoor Attacks [111.8963365326168]
A backdoored model always predicts a target class in the presence of a predefined trigger pattern.
In general, adversarial training is believed to defend against backdoor attacks.
We propose a hybrid strategy which provides satisfactory robustness across different backdoor attacks.
arXiv Detail & Related papers (2022-02-22T02:24:46Z)
- Black-box Detection of Backdoor Attacks with Limited Information and Data [56.0735480850555]
We propose a black-box backdoor detection (B3D) method to identify backdoor attacks with only query access to the model.
In addition to backdoor detection, we also propose a simple strategy for reliable predictions using the identified backdoored models.
arXiv Detail & Related papers (2021-03-24T12:06:40Z)