Stealthy Backdoor Attack Based on Singular Value Decomposition

Cited by: 0
Authors
Wu S.-X. [1]
Yin Y.-Y. [1]
Song S.-Q. [1]
Chen G.-H. [1]
Sang J.-T. [1]
Yu J. [1]
Institution
[1] School of Computer and Information Technology, Beijing Jiaotong University, Beijing
Source
Ruan Jian Xue Bao/Journal of Software | 2024, Vol. 35, No. 05
Keywords
attack success rate; backdoor attack; singular value decomposition; stealthy
DOI
10.13328/j.cnki.jos.006949
Abstract
Deep neural networks can be affected by well-designed backdoor attacks during training. Such attacks control the model output at test time by injecting data with backdoor labels into the training set. The attacked model performs normally on a clean test set, but when the backdoor labels are recognized, the input is misclassified as the attack target class. Currently available backdoor attack methods have poor invisibility, and their attack success rates still leave room for improvement. A backdoor attack method based on singular value decomposition is proposed to address these limitations. The proposed method can be implemented in two ways. The first directly sets some singular values of the image to zero; the resulting image is compressed to a certain extent and can serve as an effective backdoor triggering label. The second injects the singular vector information of the attack target class into the left and right singular vectors of the image, which also achieves an effective backdoor attack. The backdoor images obtained in both ways are visually almost identical to the original image. The experiments show that singular value decomposition can be effectively leveraged in backdoor attack algorithms to attack neural networks with considerably high success rates on multiple datasets. © 2024 Chinese Academy of Sciences. All rights reserved.
Pages: 2400-2413
Page count: 13