Backdoor Online Tracing With Evolving Graphs

IF 6.3, Zone 1 Computer Science, Q1 COMPUTER SCIENCE, THEORY & METHODS
Chengyu Jia;Jinyin Chen;Shouling Ji;Yao Cheng;Haibin Zheng;Qi Xuan
DOI: 10.1109/TIFS.2024.3488517
Journal: IEEE Transactions on Information Forensics and Security, vol. 19, pp. 10314-10327
Publication date: 2024-11-13
Publication type: Journal Article
URL: https://ieeexplore.ieee.org/document/10752589/
Citation count: 0

Abstract

Backdoor attacks pose a severe threat to deep neural networks (DNNs). Online training platforms and third-party model training providers are more vulnerable to backdoor attacks due to uncontrollable data sources, untrusted developers or unmonitorable training processes. Researchers have proposed detecting backdoors in well-trained models and then removing them with mitigation techniques, e.g., retraining and pruning. However, these approaches are still limited in two respects: (i) real-time - they cannot detect backdoors in time at the beginning of training because they rely on well-trained models; (ii) mitigation effect - the later discovery of backdoors usually leads to 1) deeper backdoors, 2) less effective mitigation, and 3) greater costs. To address these challenges, we rethink the evolution of the backdoor and aim to cope with backdoors during the online training process, that is, to detect them sooner rather than later. We propose BackdoorTracer, a novel framework that detects the backdoor in the training phase. BackdoorTracer converts the model into an equivalent graph based on the neural paths activated during training and detects the backdoor through multiple graph metrics. BackdoorTracer can incorporate any existing backdoor mitigation approach that requires access to training, so that the impact of backdoors is stopped as soon as possible. It differs from previous works in several key aspects: (i) lightweight - BackdoorTracer is independent of the training process, and thus it has little negative impact on training efficiency and testing accuracy; (ii) generalizable - it works across different modalities of data, different models and different backdoor attacks. BackdoorTracer outperforms the state-of-the-art (SOTA) detection approaches in experiments on 5 modes, 10 models and 9 backdoor attack scenarios. Compared with 5 existing backdoor detection methods, our method detects backdoors earlier ($\sim 1.5$ epochs) and with a higher detection rate (~ +10%), effectively improving the effectiveness of backdoor defense (ASR ~ -78%, ACC +47%). Finally, we make BackdoorTracer a plug-and-play backdoor detector, which enables real-time backdoor tracing in the training phase.
Source journal
IEEE Transactions on Information Forensics and Security (Engineering & Technology - Engineering: Electrical & Electronic)
CiteScore: 14.40
Self-citation rate: 7.40%
Articles published: 234
Review time: 6.5 months
Journal description: The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features.