Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures
- URL: http://arxiv.org/abs/2204.06273v1
- Date: Wed, 13 Apr 2022 09:50:17 GMT
- Title: Towards A Critical Evaluation of Robustness for Deep Learning Backdoor Countermeasures
- Authors: Huming Qiu, Hua Ma, Zhi Zhang, Alsharif Abuadbba, Wei Kang, Anmin Fu, Yansong Gao
- Abstract summary: We critically examine the robustness of existing backdoor countermeasures with an initial focus on three influential model-inspection ones.
Although the three countermeasures claim that they work well under their respective threat models, they have inherent unexplored non-robust cases.
This work highlights the necessity of thoroughly evaluating the robustness of backdoor countermeasures to avoid their misleading security implications.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Since Deep Learning (DL) backdoor attacks have been revealed as one of the
most insidious adversarial attacks, a number of countermeasures have been
developed, each under assumptions defined in its respective threat model.
However, the robustness of these countermeasures has been largely overlooked,
which can have severe consequences: a countermeasure can be misused and yield
a false implication of backdoor detection.
For the first time, we critically examine the robustness of existing backdoor
countermeasures, with an initial focus on three influential model-inspection
ones: Neural Cleanse (S&P'19), ABS (CCS'19), and MNTD (S&P'21).
Although the three countermeasures claim to work well under their respective
threat models, they have inherent, unexplored non-robust cases that depend on
factors such as the given task, model architecture, dataset, and defense
hyper-parameters, and that do not even stem from delicate adaptive attacks.
We demonstrate how to trivially bypass them, while staying within their
respective threat models, simply by varying the aforementioned factors.
In particular, for each defense, formal proofs or empirical studies reveal two
non-robust cases in which it is not as robust as it claims or expects,
especially for the recent MNTD. This work highlights the necessity of
thoroughly evaluating the robustness of backdoor countermeasures to avoid
misleading security implications in unknown non-robust cases.
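The following is an added example and not code from the paper or from the Neural Cleanse authors. It reproduces only the final outlier-detection step of Neural Cleanse (the anomaly index |x - median| / (1.4826 * MAD) over the per-label reverse-engineered trigger norms, with the published threshold of 2, counting only labels whose trigger is smaller than the median) on constructed norm values; the trigger reverse-engineering optimization that would produce those norms is assumed to have already run. It makes concrete the kind of dependence on task, dataset and defense hyper-parameter that the abstract refers to: the same 5x gap between the backdoored label's trigger and the rest is flagged on a 10-class task but can never be flagged on a 2-class task, because with two labels the anomaly index is always exactly 1/1.4826, and a borderline label is flagged or not depending on the threshold alone. All norm values and scenarios are constructed and illustrative; they are not the paper's experiments.

```python
"""Neural Cleanse style anomaly-index check over reverse-engineered trigger norms.

Added example (not code from the paper). Only the final outlier step is
reproduced; the per-label trigger reverse-engineering that would produce
the L1 norms is assumed to have already run, and all norms are constructed.
"""
import statistics

MAD_CONSISTENCY = 1.4826   # makes MAD a consistent estimator of sigma for normal data
DEFAULT_THRESHOLD = 2.0    # Neural Cleanse treats anomaly index > 2 as an outlier


def anomaly_indices(norms):
    """Per-label anomaly index |x - median| / (1.4826 * MAD), as in Neural Cleanse."""
    med = statistics.median(norms)
    mad = statistics.median([abs(x - med) for x in norms])
    scale = MAD_CONSISTENCY * mad
    if scale == 0:
        # all norms identical: there is no spread, so nothing is an outlier
        return [0.0] * len(norms)
    return [abs(x - med) / scale for x in norms]


def infected_labels(norms, threshold=DEFAULT_THRESHOLD):
    """Labels flagged as infected: an anomalously *small* trigger (below the
    median) whose anomaly index exceeds the threshold. Returns label indices."""
    med = statistics.median(norms)
    return [i for i, (x, a) in enumerate(zip(norms, anomaly_indices(norms)))
            if x < med and a > threshold]


# Constructed, illustrative trigger L1 norms, one per output label.
TEN_CLASS_CLEAR = [100, 105, 98, 110, 102, 97, 104, 99, 20, 106]       # label 8 needs a tiny trigger
TEN_CLASS_BORDERLINE = [100, 105, 98, 110, 102, 97, 104, 99, 88, 106]  # label 8 only modestly smaller
TWO_CLASS = [20, 100]                                                  # binary task, same 5x gap as label 8


def demo():
    """Run the three scenarios and return the flagged labels for each."""
    return {
        # clear outlier on a 10-class task: flagged (index about 15.6)
        "10-class, clear": infected_labels(TEN_CLASS_CLEAR),
        # the verdict on the borderline label (index about 2.5) depends only on the threshold
        "10-class, borderline, t=2": infected_labels(TEN_CLASS_BORDERLINE, 2.0),
        "10-class, borderline, t=3": infected_labels(TEN_CLASS_BORDERLINE, 3.0),
        # with two labels both deviations equal the MAD, so every index is
        # 1/1.4826 and the threshold can never be crossed, whatever the gap
        "2-class": infected_labels(TWO_CLASS),
    }


if __name__ == "__main__":
    for name, norms in (("10-class, clear", TEN_CLASS_CLEAR),
                        ("10-class, borderline", TEN_CLASS_BORDERLINE),
                        ("2-class", TWO_CLASS)):
        print(name, [round(a, 2) for a in anomaly_indices(norms)])
    for scenario, flagged in demo().items():
        print(f"{scenario}: infected labels = {flagged}")
```

Running the script prints the per-label anomaly indices for each constructed scenario and the resulting verdicts; the 2-class case shows a verdict that no trigger size can change, which is a property of the MAD statistic rather than of the model under inspection.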
Related papers
- Backdoor Unlearning by Linear Task Decomposition [69.91984435094157]
Foundation models are highly susceptible to adversarial perturbations and targeted backdoor attacks.
Existing backdoor removal approaches rely on costly fine-tuning to override the harmful behavior.
This raises the question of whether backdoors can be removed without compromising the general capabilities of the models.
arXiv Detail & Related papers (2025-10-16T16:18:07Z)
- Benchmarking Misuse Mitigation Against Covert Adversaries [80.74502950627736]
Existing language model safety evaluations focus on overt attacks and low-stakes tasks.
We develop Benchmarks for Stateful Defenses (BSD), a data generation pipeline that automates evaluations of covert attacks and corresponding defenses.
Our evaluations indicate that decomposition attacks are effective misuse enablers, and highlight stateful defenses as a countermeasure.
arXiv Detail & Related papers (2025-06-06T17:33:33Z)
- AnywhereDoor: Multi-Target Backdoor Attacks on Object Detection [9.539021752700823]
AnywhereDoor is a multi-target backdoor attack for object detection.
It allows adversaries to make objects disappear, fabricate new ones or mislabel them, either across all object classes or specific ones.
It improves attack success rates by 26% compared to adaptations of existing methods for such flexible control.
arXiv Detail & Related papers (2025-03-09T09:24:24Z)
- Neural Antidote: Class-Wise Prompt Tuning for Purifying Backdoors in CLIP [51.04452017089568]
Class-wise Backdoor Prompt Tuning (CBPT) is an efficient and effective defense mechanism that operates on text prompts to indirectly purify CLIP.
CBPT significantly mitigates backdoor threats while preserving model utility.
arXiv Detail & Related papers (2025-02-26T16:25:15Z)
- Turning Logic Against Itself: Probing Model Defenses Through Contrastive Questions [51.51850981481236]
We introduce POATE, a novel jailbreak technique that harnesses contrastive reasoning to provoke unethical responses.
POATE crafts semantically opposing intents and integrates them with adversarial templates, steering models toward harmful outputs with remarkable subtlety.
To counter this, we propose Intent-Aware CoT and Reverse Thinking CoT, which decompose queries to detect malicious intent and reason in reverse to evaluate and reject harmful responses.
arXiv Detail & Related papers (2025-01-03T15:40:03Z)
- Countering Backdoor Attacks in Image Recognition: A Survey and Evaluation of Mitigation Strategies [10.801476967873173]
We present a review of existing mitigation strategies designed to counter backdoor attacks in image recognition.
We conduct an extensive benchmarking of sixteen state-of-the-art approaches against eight distinct backdoor attacks.
Our results, derived from 122,236 individual experiments, indicate that while many approaches provide some level of protection, their performance can vary considerably.
arXiv Detail & Related papers (2024-11-17T23:30:01Z)
- Unlearning Backdoor Threats: Enhancing Backdoor Defense in Multimodal Contrastive Learning via Local Token Unlearning [49.242828934501986]
Multimodal contrastive learning has emerged as a powerful paradigm for building high-quality features.
Backdoor attacks subtly embed malicious behaviors within the model during training.
We introduce an innovative token-based localized forgetting training regime.
arXiv Detail & Related papers (2024-03-24T18:33:15Z)
- BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning [85.2564206440109]
This paper reveals that, in this practical scenario, backdoor attacks can remain effective even after defenses are applied.
We introduce the BadCLIP attack, which is resistant to backdoor detection and model fine-tuning defenses.
arXiv Detail & Related papers (2023-11-20T02:21:49Z)
- Demystifying Poisoning Backdoor Attacks from a Statistical Perspective [35.30533879618651]
Backdoor attacks pose a significant security risk due to their stealthy nature and potentially serious consequences.
This paper evaluates the effectiveness of any backdoor attack incorporating a constant trigger.
Our derived understanding applies to both discriminative and generative models.
arXiv Detail & Related papers (2023-10-16T19:35:01Z)
- Confidence-driven Sampling for Backdoor Attacks [49.72680157684523]
Backdoor attacks aim to surreptitiously insert malicious triggers into DNN models, granting unauthorized control during testing scenarios.
Existing methods lack robustness against defense strategies and predominantly focus on enhancing trigger stealthiness while randomly selecting poisoned samples.
We introduce a straightforward yet highly effective sampling methodology that leverages confidence scores. Specifically, it selects samples with lower confidence scores, significantly increasing the challenge for defenders in identifying and countering these attacks.
arXiv Detail & Related papers (2023-10-08T18:57:36Z)
- Backdoor Attacks and Countermeasures in Natural Language Processing Models: A Comprehensive Security Review [15.179940846141873]
Applying third-party data and models has become a new paradigm for language modeling in NLP.
Backdoor attacks can induce the model to exhibit expected behaviors through specific triggers.
There is still no systematic and comprehensive review reflecting the security challenges, attacker's capabilities, and purposes.
arXiv Detail & Related papers (2023-09-12T08:48:38Z)
- Untargeted Backdoor Attack against Object Detection [69.63097724439886]
We design a poison-only backdoor attack in an untargeted manner, based on task characteristics.
We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns.
arXiv Detail & Related papers (2022-11-02T17:05:45Z)
- A Unified Evaluation of Textual Backdoor Learning: Frameworks and Benchmarks [72.7373468905418]
We develop an open-source toolkit OpenBackdoor to foster the implementations and evaluations of textual backdoor learning.
We also propose CUBE, a simple yet strong clustering-based defense baseline.
arXiv Detail & Related papers (2022-06-17T02:29:23Z)
- On Trace of PGD-Like Adversarial Attacks [77.75152218980605]
Adversarial attacks pose safety and security concerns for deep learning applications.
We construct Adversarial Response Characteristics (ARC) features to reflect the model's gradient consistency.
Our method is intuitive, light-weighted, non-intrusive, and data-undemanding.
arXiv Detail & Related papers (2022-05-19T14:26:50Z)
This list is automatically generated from the titles and abstracts of the papers in this site.