Hiding Backdoors within Event Sequence Data via Poisoning Attacks
Alina Ermilova, Elizaveta Kovtun, Dmitry Berestnev, and Alexey Zaytsev

TL;DR
This paper introduces a novel method for embedding concealed backdoors into financial transaction sequence models, revealing vulnerabilities in deep learning systems and highlighting the need for improved defenses.
Contribution
It presents a new poisoning attack technique for sequence models that remains hidden and effective across various datasets and architectures, surpassing existing defenses.
Findings
Backdoors can be inserted without affecting model performance on clean data.
Hidden backdoors are resilient against detection methods and weight modifications.
Different datasets and models exhibit varying susceptibility to poisoning attacks.
Abstract
The financial industry relies on deep learning models for making important decisions. This adoption brings new danger, as deep black-box models are known to be vulnerable to adversarial attacks. In computer vision, one can shape the output during inference by performing an adversarial attack called poisoning via introducing a backdoor into the model during training. For sequences of financial transactions of a customer, insertion of a backdoor is harder to perform, as models operate over a more complex discrete space of sequences, and systematic checks for insecurities occur. We provide a method to introduce concealed backdoors, creating vulnerabilities without altering their functionality for uncontaminated data. To achieve this, we replace a clean model with a poisoned one that is aware of the availability of a backdoor and utilizes this knowledge. Our most difficult for uncovering…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
Methods: Multi-Head Attention · Attention Is All You Need · Linear Layer · Position-Wise Feed-Forward Layer · Byte Pair Encoding · Adam · Label Smoothing · Tanh Activation · Layer Normalization · Softmax
