Semantic Host-free Trojan Attack

• URL: http://arxiv.org/abs/2110.13414v1
• Date: Tue, 26 Oct 2021 05:01:22 GMT
• Title: Semantic Host-free Trojan Attack
• Authors: Haripriya Harikumar, Kien Do, Santu Rana, Sunil Gupta, Svetha Venkatesh
• Abstract summary: We propose a novel host-free Trojan attack with triggers that are fixed in the semantic space but not necessarily in the pixel space. In contrast to existing Trojan attacks which use clean input images as hosts to carry small, meaningless trigger patterns, our attack considers triggers as full-sized images belonging to a semantically meaningful object class.
• Score: 54.25471812198403
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: In this paper, we propose a novel host-free Trojan attack with triggers that are fixed in the semantic space but not necessarily in the pixel space. In contrast to existing Trojan attacks which use clean input images as hosts to carry small, meaningless trigger patterns, our attack considers triggers as full-sized images belonging to a semantically meaningful object class. Since in our attack, the backdoored classifier is encouraged to memorize the abstract semantics of the trigger images than any specific fixed pattern, it can be later triggered by semantically similar but different looking images. This makes our attack more practical to be applied in the real-world and harder to defend against. Extensive experimental results demonstrate that with only a small number of Trojan patterns for training, our attack can generalize well to new patterns of the same Trojan class and can bypass state-of-the-art defense methods.

Related papers

• Impart: An Imperceptible and Effective Label-Specific Backdoor Attack [15.859650783567103]
  We propose a novel imperceptible backdoor attack framework, named Impart, in the scenario where the attacker has no access to the victim model. Specifically, in order to enhance the attack capability of the all-to-all setting, we first propose a label-specific attack.
  arXiv  Detail & Related papers  (2024-03-18T07:22:56Z)
• Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips [51.17948837118876]
  We present hardly perceptible Trojan attack (HPT) HPT crafts hardly perceptible Trojan images by utilizing the additive noise and per pixel flow field. To achieve superior attack performance, we propose to jointly optimize bit flips, additive noise, and flow field.
  arXiv  Detail & Related papers  (2022-07-27T09:56:17Z)
• Defense Against Multi-target Trojan Attacks [31.54111353219381]
  Trojan attacks are the hardest to defend against. Badnet kind of attacks introduces Trojan backdoors to multiple target classes and allows triggers to be placed anywhere in the image. To defend against this attack, we first introduce a trigger reverse-engineering mechanism that uses multiple images to recover a variety of potential triggers. We then propose a detection mechanism by measuring the transferability of such recovered triggers.
  arXiv  Detail & Related papers  (2022-07-08T13:29:13Z)
• BppAttack: Stealthy and Efficient Trojan Attacks against Deep Neural Networks via Image Quantization and Contrastive Adversarial Learning [13.959966918979395]
  Deep neural networks are vulnerable to Trojan attacks. Existing attacks use visible patterns as triggers, which are vulnerable to human inspection. We propose stealthy and efficient Trojan attacks, BppAttack.
  arXiv  Detail & Related papers  (2022-05-26T14:15:19Z)
• Backdoor Attack in the Physical World [49.64799477792172]
  Backdoor attack intends to inject hidden backdoor into the deep neural networks (DNNs) Most existing backdoor attacks adopted the setting of static trigger, $i.e.,$ triggers across the training and testing images. We demonstrate that this attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training.
  arXiv  Detail & Related papers  (2021-04-06T08:37:33Z)
• Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
  The emphbackdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data. We propose a novel attack paradigm, the emphfine-grained attack, where we treat the target label from the object-level instead of the image-level. Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
  arXiv  Detail & Related papers  (2021-03-06T05:50:29Z)
• Deep Feature Space Trojan Attack of Neural Networks by Controlled Detoxification [21.631699720855995]
  Trojan (backdoor) attack is a form of adversarial attack on deep neural networks. We propose a novel deep feature space trojan attack with five characteristics.
  arXiv  Detail & Related papers  (2020-12-21T09:46:12Z)
• Learning to Attack with Fewer Pixels: A Probabilistic Post-hoc Framework for Refining Arbitrary Dense Adversarial Attacks [21.349059923635515]
  adversarial evasion attacks are reported to be susceptible to deep neural network image classifiers. We propose a probabilistic post-hoc framework that refines given dense attacks by significantly reducing the number of perturbed pixels. Our framework performs adversarial attacks much faster than existing sparse attacks.
  arXiv  Detail & Related papers  (2020-10-13T02:51:10Z)
• Rethinking the Trigger of Backdoor Attack [83.98031510668619]
  Currently, most of existing backdoor attacks adopted the setting of emphstatic trigger, $i.e.,$ triggers across the training and testing images follow the same appearance and are located in the same area. We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training.
  arXiv  Detail & Related papers  (2020-04-09T17:19:37Z)
• Deflecting Adversarial Attacks [94.85315681223702]
  We present a new approach towards ending this cycle where we "deflect" adversarial attacks by causing the attacker to produce an input that resembles the attack's target class. We first propose a stronger defense based on Capsule Networks that combines three detection mechanisms to achieve state-of-the-art detection performance.
  arXiv  Detail & Related papers  (2020-02-18T06:59:13Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.