Backdoor attacks against transfer learning with pre-trained deep learning models

Shuo Wang, Surya Nepal, Carsten Rudolph, Marthie Grobler, Shangyu Chen, Tianle Chen

Research output: Contribution to journalArticleResearchpeer-review

30 Citations (Scopus)


Transfer learning provides an effective solution for feasibly and fast customize accurate Student models, by transferring the learned knowledge of pre-trained Teacher models over large datasets via fine-tuning. Many pre-trained Teacher models used in transfer learning are publicly available and maintained by public platforms, increasing their vulnerability to backdoor attacks. In this article, we demonstrate a backdoor threat to transfer learning tasks on both image and time-series data leveraging the knowledge of publicly accessible Teacher models, aimed at defeating three commonly adopted defenses: pruning-based, retraining-based and input pre-processing-based defenses. Specifically, (AA) ranking-based selection mechanism to speed up the backdoor trigger generation and perturbation process while defeating pruning-based and/or retraining-based defenses. (B) autoencoder-powered trigger generation is proposed to produce a robust trigger that can defeat the input pre-processing-based defense, while guaranteeing that selected neuron(s) can be significantly activated. (C) defense-aware retraining to generate the manipulated model using reverse-engineered model inputs. We launch effective misclassification attacks on Student models over real-world images, brain Magnetic Resonance Imaging (MRI) data and Electrocardiography (ECG) learning systems. The experiments reveal that our enhanced attack can maintain the 98.4 and 97.2 percent classification accuracy as the genuine model on clean image and time series inputs while improving 27.9\%-100\%27.9%-100% and 27.1\%-56.1\%27.1%-56.1% attack success rate on trojaned image and time series inputs respectively in the presence of pruning-based and/or retraining-based defenses.

Original languageEnglish
Pages (from-to)1526-1539
Number of pages14
JournalIEEE Transactions on Services Computing
Issue number3
Publication statusPublished - May 2022


  • backdoor attack
  • deep neural network
  • pre-trained model
  • transfer learning
  • Web service

Cite this