A Survey of Trojan Attacks and Defenses to Deep Neural Networks
Lingxin Jin, Xianyu Wen, Wei Jiang, Jinyu Zhan

TL;DR
This survey reviews the evolution, attack methods, and defense strategies related to Trojan attacks on deep neural networks, emphasizing their real-world risks and the need for effective countermeasures.
Contribution
It provides a comprehensive overview and comparative analysis of Trojan attack techniques and defenses, highlighting practical implications and future research directions.
Findings
Trojan attacks can be effectively embedded in DNNs, posing significant security threats.
Current defenses vary in effectiveness and practicality.
Real-world deployment of Trojan attacks remains a critical concern.
Abstract
Deep Neural Networks (DNNs) have found extensive applications in safety-critical artificial intelligence systems, such as autonomous driving and facial recognition systems. However, recent research has revealed their susceptibility to Neural Network Trojans (NN Trojans) maliciously injected by adversaries. This vulnerability arises due to the intricate architecture and opacity of DNNs, resulting in numerous redundant neurons embedded within the models. Adversaries exploit these vulnerabilities to conceal malicious Trojans within DNNs, thereby causing erroneous outputs and posing substantial threats to the efficacy of DNN-based applications. This article presents a comprehensive survey of Trojan attacks against DNNs and the countermeasure methods employed to mitigate them. Initially, we trace the evolution of the concept from traditional Trojans to NN Trojans, highlighting the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security
Methods: Gravity
