SGBA: A Stealthy Scapegoat Backdoor Attack against Deep Neural Networks
Ying He, Zhili Shen, Chang Xia, Jingyu Hua, Wei Tong, Sheng Zhong
TL;DR
This paper introduces SGBA, a stealthy backdoor attack that evades current detection methods by using a benign scapegoat trigger and parameter confinement, making it highly effective and hard to detect.
Contribution
The paper presents a novel backdoor attack method that defeats existing detection schemes by incorporating a benign trigger and parameter control, enhancing stealth and universality.
Findings
Escapes detection by all five state-of-the-art schemes
Maintains high attack success rate
Minimal side-effects on model performance
Abstract
Outsourced deep neural networks have been demonstrated to suffer from patch-based trojan attacks, in which an adversary poisons the training sets to inject a backdoor in the obtained model so that regular inputs can be still labeled correctly while those carrying a specific trigger are falsely given a target label. Due to the severity of such attacks, many backdoor detection and containment systems have recently, been proposed for deep neural networks. One major category among them are various model inspection schemes, which hope to detect backdoors before deploying models from non-trusted third-parties. In this paper, we show that such state-of-the-art schemes can be defeated by a so-called Scapegoat Backdoor Attack, which introduces a benign scapegoat trigger in data poisoning to prevent the defender from reversing the real abnormal trigger. In addition, it confines the values of…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Criminal Justice and Corrections Analysis · Advanced Malware Detection Techniques