TY - GEN
T1 - Data Leakage Attack via Backdoor Misclassification Triggers of Deep Learning Models
AU - Yang, Xiangkai
AU - Luo, Wenjian
AU - Zhang, Licai
AU - Chen, Zhijian
AU - Wang, Jiahai
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - In recent years, deep neural networks (DNNs) have been successfully applied to a wide range of tasks, and many third-party models are available to data holders. However, data holders who blindly use third-party models to train on their own data risk data leakage, resulting in serious data privacy problems. The Capacity Abuse Attack (CAA) is the state-of-the-art black-box attack, which uses the labels of an augmented malicious dataset to encode information about the training data. However, the augmented malicious dataset in CAA consists of artificially synthesized images rather than natural ones, and it differs significantly from the original training data, so these malicious images are easy to detect. In our attack, we use a technique similar to the generation of poisoned datasets in backdoor attacks, so that the generated malicious data resemble real, natural images and the attack is better concealed. Extensive experiments are conducted, and the results demonstrate that our attack can effectively obtain the data holder's private training data without significantly impacting the model's original task.
AB - In recent years, deep neural networks (DNNs) have been successfully applied to a wide range of tasks, and many third-party models are available to data holders. However, data holders who blindly use third-party models to train on their own data risk data leakage, resulting in serious data privacy problems. The Capacity Abuse Attack (CAA) is the state-of-the-art black-box attack, which uses the labels of an augmented malicious dataset to encode information about the training data. However, the augmented malicious dataset in CAA consists of artificially synthesized images rather than natural ones, and it differs significantly from the original training data, so these malicious images are easy to detect. In our attack, we use a technique similar to the generation of poisoned datasets in backdoor attacks, so that the generated malicious data resemble real, natural images and the attack is better concealed. Extensive experiments are conducted, and the results demonstrate that our attack can effectively obtain the data holder's private training data without significantly impacting the model's original task.
KW - Deep neural networks
KW - backdoor attack
KW - black-box attack
KW - data privacy
UR - https://www.scopus.com/pages/publications/85146492341
U2 - 10.1109/ICDIS55630.2022.00017
DO - 10.1109/ICDIS55630.2022.00017
M3 - Conference contribution
AN - SCOPUS:85146492341
T3 - Proceedings - 2022 4th International Conference on Data Intelligence and Security, ICDIS 2022
SP - 61
EP - 66
BT - Proceedings - 2022 4th International Conference on Data Intelligence and Security, ICDIS 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 4th International Conference on Data Intelligence and Security, ICDIS 2022
Y2 - 24 August 2022 through 26 August 2022
ER -