Simtrojan: Stealthy Backdoor Attack

2021 IEEE International Conference on Image Processing (ICIP) Pub Date : 2021-09-19 DOI:10.1109/ICIP42928.2021.9506313

Yankun Ren, Longfei Li, Jun Zhou

{"title":"Simtrojan: Stealthy Backdoor Attack","authors":"Yankun Ren, Longfei Li, Jun Zhou","doi":"10.1109/ICIP42928.2021.9506313","DOIUrl":null,"url":null,"abstract":"Recent researches indicate deep learning models are vulnerable to adversarial attacks. Backdoor attack, also called trojan attack, is a variant of adversarial attacks. An malicious attacker can inject backdoor to models in training phase. As a result, the backdoor model performs normally on clean samples and can be triggered by a backdoor pattern to recognize backdoor samples as a wrong target label specified by the attacker. However, the vanilla backdoor attack method causes a measurable difference between clean and backdoor samples in latent space. Several state-of-the-art defense methods utilize this to identify backdoor samples. In this paper, we propose a novel backdoor attack method called SimTrojan, which aims to inject backdoor in models stealthily. Specifically, SimTrojan makes clean and backdoor samples have indistinguishable representations in latent space to evade current defense methods. Experiments demonstrate that SimTrojan achieves a high attack success rate and is undetectable by state-of-the-art defense methods. The study suggests the urgency of building more effective defense methods.","PeriodicalId":314429,"journal":{"name":"2021 IEEE International Conference on Image Processing (ICIP)","volume":"2010 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE International Conference on Image Processing (ICIP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICIP42928.2021.9506313","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 14

Abstract

Recent researches indicate deep learning models are vulnerable to adversarial attacks. Backdoor attack, also called trojan attack, is a variant of adversarial attacks. An malicious attacker can inject backdoor to models in training phase. As a result, the backdoor model performs normally on clean samples and can be triggered by a backdoor pattern to recognize backdoor samples as a wrong target label specified by the attacker. However, the vanilla backdoor attack method causes a measurable difference between clean and backdoor samples in latent space. Several state-of-the-art defense methods utilize this to identify backdoor samples. In this paper, we propose a novel backdoor attack method called SimTrojan, which aims to inject backdoor in models stealthily. Specifically, SimTrojan makes clean and backdoor samples have indistinguishable representations in latent space to evade current defense methods. Experiments demonstrate that SimTrojan achieves a high attack success rate and is undetectable by state-of-the-art defense methods. The study suggests the urgency of building more effective defense methods.

查看原文本刊更多论文

辛特洛伊:秘密后门攻击

最近的研究表明，深度学习模型容易受到对抗性攻击。后门攻击又称木马攻击，是对抗性攻击的一种变体。恶意攻击者可以在训练阶段给模型注入后门。因此，后门模型在干净样本上执行正常，并且可以由后门模式触发，将后门样本识别为攻击者指定的错误目标标签。然而，香草后门攻击方法在潜在空间中导致干净样本和后门样本之间的可测量差异。一些最先进的防御方法利用它来识别后门样本。在本文中，我们提出了一种新的后门攻击方法SimTrojan，其目的是在模型中隐秘地注入后门。具体而言，SimTrojan使干净样本和后门样本在潜在空间中具有不可区分的表示，以逃避当前的防御方法。实验证明，SimTrojan具有很高的攻击成功率，并且是最先进的防御方法无法检测到的。这项研究表明，迫切需要建立更有效的防御方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 IEEE International Conference on Image Processing (ICIP)

自引率

0.00%

发文量