An Overview of Backdoor Attacks Against Deep Neural Networks and Possible Defences

TL;DR

This paper reviews backdoor attacks on deep neural networks, classifying them based on attacker control and defense capabilities, highlighting their strengths, weaknesses, and implications for AI security.

Contribution

It provides a comprehensive classification and analysis of backdoor attack types and defenses, summarizing current research and identifying gaps in security measures.

Findings

Backdoor attacks can be classified by attacker control and defense verification capabilities.

Existing defenses vary in effectiveness depending on attack type and scenario.

The overview highlights strengths and weaknesses of current backdoor mitigation strategies.

Abstract

Together with impressive advances touching every aspect of our society, AI technology based on Deep Neural Networks (DNN) is bringing increasing security concerns. While attacks operating at test time have monopolised the initial attention of researchers, backdoor attacks, exploiting the possibility of corrupting DNN models by interfering with the training process, represents a further serious threat undermining the dependability of AI techniques. In a backdoor attack, the attacker corrupts the training data so to induce an erroneous behaviour at test time. Test time errors, however, are activated only in the presence of a triggering event corresponding to a properly crafted input sample. In this way, the corrupted network continues to work as expected for regular inputs, and the malicious behaviour occurs only when the attacker decides to activate the backdoor hidden within the network. In the last few years, backdoor attacks have been the subject of an intense research activity focusing on both the development of new classes of attacks, and the proposal of possible countermeasures. The goal of this overview paper is to review the works published until now, classifying the different types of attacks and defences proposed so far. The classification guiding the analysis is based on the amount of control that the attacker has on the training process, and the capability of the defender to verify the integrity of the data used for training, and to monitor the operations of the DNN at training and test time. As such, the proposed analysis is particularly suited to highlight the strengths and weaknesses of both attacks and defences with reference to the application scenarios they are operating in.