Disabling Backdoor and Identifying Poison Data by using Knowledge Distillation in Backdoor Attacks on Deep Neural Networks

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-11-09 DOI:10.1145/3411508.3421375

Kota Yoshida, T. Fujino

{"title":"Disabling Backdoor and Identifying Poison Data by using Knowledge Distillation in Backdoor Attacks on Deep Neural Networks","authors":"Kota Yoshida, T. Fujino","doi":"10.1145/3411508.3421375","DOIUrl":null,"url":null,"abstract":"Backdoor attacks are poisoning attacks and serious threats to deep neural networks. When an adversary mixes poison data into a training dataset, the training dataset is called a poison training dataset. A model trained with the poison training dataset becomes a backdoor model and it achieves high stealthiness and attack-feasibility. The backdoor model classifies only a poison image into an adversarial target class and other images into the correct classes. We propose an additional procedure to our previously proposed countermeasure against backdoor attacks by using knowledge distillation. Our procedure removes poison data from a poison training dataset and recovers the accuracy of the distillation model. Our countermeasure differs from previous ones in that it does not require detecting and identifying backdoor models, backdoor neurons, and poison data. A characteristic assumption in our defense scenario is that the defender can collect clean images without labels. A defender distills clean knowledge from a backdoor model (teacher model) to a distillation model (student model) with knowledge distillation. Subsequently, the defender removes poison-data candidates from the poison training dataset by comparing the predictions of the backdoor and distillation models. The defender fine-tunes the distillation model with the detoxified training dataset to improve classification accuracy. We evaluated our countermeasure by using two datasets. The backdoor is disabled by distillation and fine-tuning further improves the classification accuracy of the distillation model. The fine-tuning model achieved comparable accuracy to a baseline model when the number of clean images for a distillation dataset was more than 13% of the training data. Our results indicate that our countermeasure can be applied for general image-classification tasks and that it works well whether the defender's received training dataset is a poison dataset or not.","PeriodicalId":132987,"journal":{"name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","volume":"61 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"30","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3411508.3421375","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 30

Abstract

Backdoor attacks are poisoning attacks and serious threats to deep neural networks. When an adversary mixes poison data into a training dataset, the training dataset is called a poison training dataset. A model trained with the poison training dataset becomes a backdoor model and it achieves high stealthiness and attack-feasibility. The backdoor model classifies only a poison image into an adversarial target class and other images into the correct classes. We propose an additional procedure to our previously proposed countermeasure against backdoor attacks by using knowledge distillation. Our procedure removes poison data from a poison training dataset and recovers the accuracy of the distillation model. Our countermeasure differs from previous ones in that it does not require detecting and identifying backdoor models, backdoor neurons, and poison data. A characteristic assumption in our defense scenario is that the defender can collect clean images without labels. A defender distills clean knowledge from a backdoor model (teacher model) to a distillation model (student model) with knowledge distillation. Subsequently, the defender removes poison-data candidates from the poison training dataset by comparing the predictions of the backdoor and distillation models. The defender fine-tunes the distillation model with the detoxified training dataset to improve classification accuracy. We evaluated our countermeasure by using two datasets. The backdoor is disabled by distillation and fine-tuning further improves the classification accuracy of the distillation model. The fine-tuning model achieved comparable accuracy to a baseline model when the number of clean images for a distillation dataset was more than 13% of the training data. Our results indicate that our countermeasure can be applied for general image-classification tasks and that it works well whether the defender's received training dataset is a poison dataset or not.

查看原文本刊更多论文

基于知识蒸馏的深度神经网络后门攻击去后门与有毒数据识别

后门攻击是一种毒化攻击，是对深度神经网络的严重威胁。当对手将有毒数据混合到训练数据集中时，该训练数据集称为有毒训练数据集。使用有毒训练数据集训练的模型成为一个后门模型，具有较高的隐蔽性和攻击可行性。后门模型仅将有毒图像分类为敌对目标类，而将其他图像分类为正确的类。我们在之前提出的利用知识蒸馏来对抗后门攻击的对策的基础上，提出了一个附加的步骤。我们的过程从毒药训练数据集中删除有毒数据，并恢复蒸馏模型的准确性。我们的对策与以前的对策不同，它不需要检测和识别后门模型、后门神经元和有毒数据。在我们的防御场景中，一个典型的假设是防御者可以在没有标签的情况下收集干净的图像。捍卫者通过知识蒸馏将干净的知识从后门模型(教师模型)蒸馏到蒸馏模型(学生模型)。随后，防御者通过比较后门模型和蒸馏模型的预测，从毒药训练数据集中删除有毒数据候选者。防御者使用解毒训练数据集对蒸馏模型进行微调，以提高分类精度。我们通过使用两个数据集来评估我们的对策。通过精馏消除了后门，微调进一步提高了精馏模型的分类精度。当蒸馏数据集的干净图像数量超过训练数据的13%时，微调模型达到了与基线模型相当的精度。我们的结果表明，我们的对策可以应用于一般的图像分类任务，并且无论防御者收到的训练数据集是否是有毒数据集，它都能很好地工作。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

自引率

0.00%

发文量