BppAttack: Stealthy and Efficient Trojan Attacks against Deep Neural
Networks via Image Quantization and Contrastive Adversarial Learning
- URL: http://arxiv.org/abs/2205.13383v1
- Date: Thu, 26 May 2022 14:15:19 GMT
- Title: BppAttack: Stealthy and Efficient Trojan Attacks against Deep Neural
Networks via Image Quantization and Contrastive Adversarial Learning
- Authors: Zhenting Wang, Juan Zhai, Shiqing Ma
- Abstract summary: Deep neural networks are vulnerable to Trojan attacks.
Existing attacks use visible patterns as triggers, which are vulnerable to human inspection.
We propose stealthy and efficient Trojan attacks, BppAttack.
- Score: 13.959966918979395
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Deep neural networks are vulnerable to Trojan attacks. Existing attacks use
visible patterns (e.g., a patch or image transformations) as triggers, which
are vulnerable to human inspection. In this paper, we propose stealthy and
efficient Trojan attacks, BppAttack. Based on existing biology literature on
human visual systems, we propose to use image quantization and dithering as the
Trojan trigger, making imperceptible changes. It is a stealthy and efficient
attack without training auxiliary models. Due to the small changes made to
images, it is hard to inject such triggers during training. To alleviate this
problem, we propose a contrastive learning based approach that leverages
adversarial attacks to generate negative sample pairs so that the learned
trigger is precise and accurate. The proposed method achieves high attack
success rates on four benchmark datasets, including MNIST, CIFAR-10, GTSRB, and
CelebA. It also effectively bypasses existing Trojan defenses and human
inspection. Our code can be found in
https://github.com/RU-System-Software-and-Security/BppAttack.
Related papers
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor attack is an emerging yet threatening training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
(2023-05-11T10:05:57Z)
- Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips [51.17948837118876]
We present the hardly perceptible Trojan attack (HPT).
HPT crafts hardly perceptible Trojan images by utilizing additive noise and a per-pixel flow field.
To achieve superior attack performance, we propose to jointly optimize bit flips, additive noise, and flow field.
(2022-07-27T09:56:17Z)
- Defense Against Multi-target Trojan Attacks [31.54111353219381]
Trojan attacks are the hardest to defend against.
Badnet-style attacks introduce Trojan backdoors to multiple target classes and allow triggers to be placed anywhere in the image.
To defend against this attack, we first introduce a trigger reverse-engineering mechanism that uses multiple images to recover a variety of potential triggers.
We then propose a detection mechanism by measuring the transferability of such recovered triggers.
(2022-07-08T13:29:13Z)
- Semantic Host-free Trojan Attack [54.25471812198403]
We propose a novel host-free Trojan attack with triggers that are fixed in the semantic space but not necessarily in the pixel space.
In contrast to existing Trojan attacks which use clean input images as hosts to carry small, meaningless trigger patterns, our attack considers triggers as full-sized images belonging to a semantically meaningful object class.
(2021-10-26T05:01:22Z)
- Backdoor Attack in the Physical World [49.64799477792172]
Backdoor attacks intend to inject hidden backdoors into deep neural networks (DNNs).
Most existing backdoor attacks adopted the setting of a static trigger, i.e., triggers across the training and testing images.
We demonstrate that this attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training.
(2021-04-06T08:37:33Z)
- Deep Feature Space Trojan Attack of Neural Networks by Controlled
Detoxification [21.631699720855995]
Trojan (backdoor) attack is a form of adversarial attack on deep neural networks.
We propose a novel deep feature space trojan attack with five characteristics.
(2020-12-21T09:46:12Z)
- Odyssey: Creation, Analysis and Detection of Trojan Models [91.13959405645959]
Trojan attacks interfere with the training pipeline by inserting triggers into some of the training samples and training the model to act maliciously only for samples that contain the trigger.
Existing Trojan detectors make strong assumptions about the types of triggers and attacks.
We propose a detector that is based on the analysis of the intrinsic properties that are affected by the Trojaning process.
(2020-07-16T06:55:00Z)
- ConFoc: Content-Focus Protection Against Trojan Attacks on Neural
Networks [0.0]
Trojan attacks insert some misbehavior at training using samples with a mark or trigger, which is exploited at inference or testing time.
We propose a novel defensive technique against trojan attacks, in which DNNs are taught to disregard the styles of inputs and focus on their content.
Results show that the method reduces the attack success rate significantly to values 1% in all the tested attacks.
(2020-07-01T19:25:34Z)
- An Embarrassingly Simple Approach for Trojan Attack in Deep Neural
Networks [59.42357806777537]
Trojan attack aims to attack deployed deep neural networks (DNNs) relying on hidden trigger patterns inserted by hackers.
We propose a training-free attack approach which is different from previous work, in which trojaned behaviors are injected by retraining the model on a poisoned dataset.
The proposed TrojanNet has several nice properties including (1) it activates by tiny trigger patterns and keeps silent for other signals, (2) it is model-agnostic and could be injected into most DNNs, dramatically expanding its attack scenarios, and (3) the training-free mechanism saves massive training efforts compared to conventional trojan attack methods.
(2020-06-15T04:58:28Z)
This list is automatically generated from the titles and abstracts of the papers in this site.