Blind Backdoors in Deep Learning Models

TL;DR

This paper introduces a novel blind backdoor attack method for deep learning models that manipulates the training process without access to training data or model internals, enabling powerful and evasive backdoors.

Contribution

It presents a new class of blind backdoor attacks that are more versatile and harder to defend against than previous methods, including physical and input-independent backdoors.

Findings

Successfully injects backdoors into ImageNet models

Backdoors can switch models to privacy-violating tasks

Proposes defenses against blind backdoor attacks

Abstract

We investigate a new method for injecting backdoors into machine learning models, based on compromising the loss-value computation in the model-training code. We use it to demonstrate new classes of backdoors strictly more powerful than those in the prior literature: single-pixel and physical backdoors in ImageNet models, backdoors that switch the model to a covert, privacy-violating task, and backdoors that do not require inference-time input modifications. Our attack is blind: the attacker cannot modify the training data, nor observe the execution of his code, nor access the resulting model. The attack code creates poisoned training inputs "on the fly," as the model is training, and uses multi-objective optimization to achieve high accuracy on both the main and backdoor tasks. We show how a blind attack can evade any known defense and propose new ones.