CASSOCK: Viable Backdoor Attacks against DNN in the Wall of Source-Specific Backdoor Defenses

Shang Wang, Yansong Gao, Anmin Fu, Zhi Zhang, Yuqing Zhang, W. Susilo
Published in: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
DOI: 10.1145/3579856.3582829 (https://doi.org/10.1145/3579856.3582829)
Publication date: 2022-05-31
Citations: 3

Abstract

As a critical threat to deep neural networks (DNNs), backdoor attacks can be categorized into two types, i.e., source-agnostic backdoor attacks (SABAs) and source-specific backdoor attacks (SSBAs). Compared to traditional SABAs, SSBAs are more advanced in that they have superior stealthiness in bypassing mainstream countermeasures that are effective against SABAs. Nonetheless, existing SSBAs suffer from two major limitations. First, they can hardly achieve a good trade-off between ASR (attack success rate) and FPR (false positive rate). Besides, they can be effectively detected by the state-of-the-art (SOTA) countermeasures (e.g., SCAn [40]). To address the limitations above, we propose a new class of viable source-specific backdoor attacks coined as CASSOCK. Our key insight is that trigger designs when creating poisoned data and cover data in SSBAs play a crucial role in demonstrating a viable source-specific attack, which has not been considered by existing SSBAs. With this insight, we focus on trigger transparency and content when crafting triggers for poisoned dataset where a sample has an attacker-targeted label and cover dataset where a sample has a ground-truth label. Specifically, we implement CASSOCKTrans that designs a trigger with heterogeneous transparency to craft poisoned and cover datasets, presenting better attack performance than existing SSBAs. We also propose CASSOCKCont that extracts salient features of the attacker-targeted label to generate a trigger, entangling the trigger features with normal features of the label, which is stealthier in bypassing the SOTA defenses. While both CASSOCKTrans and CASSOCKCont are orthogonal, they are complementary to each other, generating a more powerful attack, called CASSOCKComp, with further improved attack performance and stealthiness.
To demonstrate their viability, we perform a comprehensive evaluation of the three CASSOCK-based attacks on four popular datasets (i.e., MNIST, CIFAR10, GTSRB and LFW) and three SOTA defenses (i.e., extended Neural Cleanse [45], Februus [8], and SCAn [40]). Compared with a representative SSBA as a baseline (SSBABase), CASSOCK-based attacks have significantly advanced the attack performance, i.e., higher ASR and lower FPR with comparable CDA (clean data accuracy). Besides, CASSOCK-based attacks have effectively bypassed the SOTA defenses, and SSBABase cannot.