ConFoc: Content-Focus Protection Against Trojan Attacks on Neural Networks

TL;DR

This paper introduces ConFoc, a defense method that teaches neural networks to ignore style features and focus on content, effectively reducing Trojan attack success rates in vision models.

Contribution

The paper presents a novel style-disregarding training approach that enhances neural network robustness against Trojan attacks in image classification.

Findings

Reduces attack success rate to below 1% across tested scenarios.

Maintains or improves accuracy on benign data.

Effective in traffic sign and face recognition applications.

Abstract

Deep Neural Networks (DNNs) have been applied successfully in computer vision. However, their wide adoption in image-related applications is threatened by their vulnerability to trojan attacks. These attacks insert some misbehavior at training using samples with a mark or trigger, which is exploited at inference or testing time. In this work, we analyze the composition of the features learned by DNNs at training. We identify that they, including those related to the inserted triggers, contain both content (semantic information) and style (texture information), which are recognized as a whole by DNNs at testing time. We then propose a novel defensive technique against trojan attacks, in which DNNs are taught to disregard the styles of inputs and focus on their content only to mitigate the effect of triggers during the classification. The generic applicability of the approach is demonstrated in the context of a traffic sign and a face recognition application. Each of them is exposed to a different attack with a variety of triggers. Results show that the method reduces the attack success rate significantly to values < 1% in all the tested attacks while keeping as well as improving the initial accuracy of the models when processing both benign and adversarial data.