Neural Architectural Backdoors
Ren Pang, Changjiang Li, Zhaohan Xi, Shouling Ji, Ting Wang

TL;DR
This paper introduces EVAS, a novel attack that exploits neural architecture search (NAS) to embed backdoors in neural networks. The attack is highly evasive and transferable, and it does not require data poisoning or model re-training.
Contribution
It presents EVAS, the first attack leveraging NAS to find inherently backdoored architectures that evade existing defenses and do not depend on training data manipulation.
Findings
EVAS achieves high evasiveness and transferability.
It does not require training data poisoning or model perturbation.
EVAS can bypass defenses based on parameter or data inspection.
Abstract
This paper asks the intriguing question: is it possible to exploit neural architecture search (NAS) as a new attack vector to launch previously improbable attacks? Specifically, we present EVAS, a new attack that leverages NAS to find neural architectures with inherent backdoors and exploits such vulnerability using input-aware triggers. Compared with existing attacks, EVAS demonstrates many interesting properties: (i) it does not require polluting training data or perturbing model parameters; (ii) it is agnostic to downstream fine-tuning or even re-training from scratch; (iii) it naturally evades defenses that rely on inspecting model parameters or training data. With extensive evaluation on benchmark datasets, we show that EVAS features high evasiveness, transferability, and robustness, thereby expanding the adversary's design spectrum. We further characterize the mechanisms…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques
