AdvDoor: Adversarial backdoor attack of deep learning system

Quan Zhang; Yifeng Ding; Yongqiang Tian; Jianmin Guo; Min Yuan; Yu Jiang

doi:10.1145/3460319.3464809

AdvDoor: Adversarial backdoor attack of deep learning system

Quan Zhang
, Yifeng Ding
, Yongqiang Tian
, Jianmin Guo
, Min Yuan
, Yu Jiang

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

69 Citations (Scopus)

Abstract

Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

Original language	English
Title of host publication	Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors	Cristian Cadar, Xiangyu Zhang
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	127-138
Number of pages	12
ISBN (Electronic)	9781450384599
DOIs	https://doi.org/10.1145/3460319.3464809
Publication status	Published - 11 Jul 2021
Externally published	Yes
Event	International Symposium on Software Testing and Analysis 2021 - Online, Denmark Duration: 11 Jul 2021 → 17 Jul 2021 Conference number: 30th https://dl.acm.org/doi/proceedings/10.1145/3460319 (Proceedings) https://conf.researchr.org/home/issta-2021 (Website)

Conference

Conference	International Symposium on Software Testing and Analysis 2021
Abbreviated title	ISSTA 2021
Country/Territory	Denmark
Period	11/07/21 → 17/07/21
Internet address	https://dl.acm.org/doi/proceedings/10.1145/3460319 (Proceedings) https://conf.researchr.org/home/issta-2021 (Website)

Keywords

Adversarial Attack
Backdoor Attack
Deep Learning System

Access to Document

10.1145/3460319.3464809

Cite this

Zhang, Q., Ding, Y., Tian, Y., Guo, J., Yuan, M., & Jiang, Y. (2021). AdvDoor: Adversarial backdoor attack of deep learning system. In C. Cadar, & X. Zhang (Eds.), Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 127-138). Article 3464809 Association for Computing Machinery (ACM). https://doi.org/10.1145/3460319.3464809

@inproceedings{6353ab99d4834b6e90e4a0b439c24fa8,

title = "AdvDoor: Adversarial backdoor attack of deep learning system",

abstract = "Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98\%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37\% of the poisoned models can be caught, and less than 29\% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80\% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.",

keywords = "Adversarial Attack, Backdoor Attack, Deep Learning System",

author = "Quan Zhang and Yifeng Ding and Yongqiang Tian and Jianmin Guo and Min Yuan and Yu Jiang",

note = "Publisher Copyright: {\textcopyright} 2021 ACM.; International Symposium on Software Testing and Analysis 2021, ISSTA 2021 ; Conference date: 11-07-2021 Through 17-07-2021",

year = "2021",

month = jul,

day = "11",

doi = "10.1145/3460319.3464809",

language = "English",

pages = "127--138",

editor = "Cristian Cadar and Xiangyu Zhang",

booktitle = "Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

url = "https://dl.acm.org/doi/proceedings/10.1145/3460319, https://conf.researchr.org/home/issta-2021",

}

Zhang, Q, Ding, Y, Tian, Y, Guo, J, Yuan, M & Jiang, Y 2021, AdvDoor: Adversarial backdoor attack of deep learning system. in C Cadar & X Zhang (eds), Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis., 3464809, Association for Computing Machinery (ACM), New York NY USA, pp. 127-138, International Symposium on Software Testing and Analysis 2021, Denmark, 11/07/21. https://doi.org/10.1145/3460319.3464809

AdvDoor: Adversarial backdoor attack of deep learning system. / Zhang, Quan; Ding, Yifeng; Tian, Yongqiang et al.
Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. ed. / Cristian Cadar; Xiangyu Zhang. New York NY USA: Association for Computing Machinery (ACM), 2021. p. 127-138 3464809.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - AdvDoor

T2 - International Symposium on Software Testing and Analysis 2021

AU - Zhang, Quan

AU - Ding, Yifeng

AU - Tian, Yongqiang

AU - Guo, Jianmin

AU - Yuan, Min

AU - Jiang, Yu

N1 - Conference code: 30th

PY - 2021/7/11

Y1 - 2021/7/11

N2 - Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

AB - Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

KW - Adversarial Attack

KW - Backdoor Attack

KW - Deep Learning System

UR - https://www.scopus.com/pages/publications/85111420409

U2 - 10.1145/3460319.3464809

DO - 10.1145/3460319.3464809

M3 - Conference Paper

AN - SCOPUS:85111420409

SP - 127

EP - 138

BT - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

A2 - Cadar, Cristian

A2 - Zhang, Xiangyu

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

Y2 - 11 July 2021 through 17 July 2021

ER -

AdvDoor: Adversarial backdoor attack of deep learning system

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this