Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers

Zhibin Zheng; Zhongyun Hua; Leo Yu Zhang

doi:10.1007/978-3-031-30111-7_19

Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers

Zhibin Zheng
, Zhongyun Hua^*
, Leo Yu Zhang

^*Corresponding author for this work

School of Computer Science and Technology, Harbin Institute of Technology
Harbin Institute of Technology Shenzhen
Deakin University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

When a deep learning-based model is attacked by backdoor attacks, it behaves normally for clean inputs, whereas outputs unexpected results for inputs with specific triggers. This causes serious threats to deep learning-based applications. Many backdoor detection methods have been proposed to address these threats. However, these defenses can only work on the backdoored models attacked by static trigger(s). Recently, some backdoor attacks with dynamic and invisible triggers have been developed, and existing detection methods cannot defend against these attacks. To address this new threat, in this paper, we propose a new defense mechanism that can detect and mitigate backdoor attacks with dynamic and invisible triggers. We reverse engineer generators that transform clean images into backdoor images for each label. The generated images by the generator can help to detect the existence of a backdoor and further remove it. To the best of our knowledge, our work is the first work to defend against backdoor attacks with dynamic and invisible triggers. Experiments on multiple datasets show that the proposed method can effectively detect and mitigate the backdoor with dynamic and invisible triggers in deep learning-based models.

Original language	English
Title of host publication	Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings
Editors	Mohammad Tanveer, Sonali Agarwal, Seiichi Ozawa, Asif Ekbal, Adam Jatowt
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	216-227
Number of pages	12
ISBN (Print)	9783031301100
DOIs	https://doi.org/10.1007/978-3-031-30111-7_19
State	Published - 2023
Externally published	Yes
Event	29th International Conference on Neural Information Processing, ICONIP 2022 - Virtual, Online Duration: 22 Nov 2022 → 26 Nov 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13625 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th International Conference on Neural Information Processing, ICONIP 2022
City	Virtual, Online
Period	22/11/22 → 26/11/22

Keywords

AI security
Backdoor attack
Backdoor detection

Access to Document

10.1007/978-3-031-30111-7_19

Cite this

Zheng, Z., Hua, Z., & Zhang, L. Y. (2023). Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers. In M. Tanveer, S. Agarwal, S. Ozawa, A. Ekbal, & A. Jatowt (Eds.), Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings (pp. 216-227). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13625 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-30111-7_19

Zheng, Zhibin ; Hua, Zhongyun ; Zhang, Leo Yu. / Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers. Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. editor / Mohammad Tanveer ; Sonali Agarwal ; Seiichi Ozawa ; Asif Ekbal ; Adam Jatowt. Springer Science and Business Media Deutschland GmbH, 2023. pp. 216-227 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8cb86fdd555d4ea4a7c576655f159374,

title = "Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers",

abstract = "When a deep learning-based model is attacked by backdoor attacks, it behaves normally for clean inputs, whereas outputs unexpected results for inputs with specific triggers. This causes serious threats to deep learning-based applications. Many backdoor detection methods have been proposed to address these threats. However, these defenses can only work on the backdoored models attacked by static trigger(s). Recently, some backdoor attacks with dynamic and invisible triggers have been developed, and existing detection methods cannot defend against these attacks. To address this new threat, in this paper, we propose a new defense mechanism that can detect and mitigate backdoor attacks with dynamic and invisible triggers. We reverse engineer generators that transform clean images into backdoor images for each label. The generated images by the generator can help to detect the existence of a backdoor and further remove it. To the best of our knowledge, our work is the first work to defend against backdoor attacks with dynamic and invisible triggers. Experiments on multiple datasets show that the proposed method can effectively detect and mitigate the backdoor with dynamic and invisible triggers in deep learning-based models.",

keywords = "AI security, Backdoor attack, Backdoor detection",

author = "Zhibin Zheng and Zhongyun Hua and Zhang, \{Leo Yu\}",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 29th International Conference on Neural Information Processing, ICONIP 2022 ; Conference date: 22-11-2022 Through 26-11-2022",

year = "2023",

doi = "10.1007/978-3-031-30111-7\_19",

language = "英语",

isbn = "9783031301100",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "216--227",

editor = "Mohammad Tanveer and Sonali Agarwal and Seiichi Ozawa and Asif Ekbal and Adam Jatowt",

booktitle = "Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings",

address = "德国",

}

Zheng, Z, Hua, Z & Zhang, LY 2023, Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers. in M Tanveer, S Agarwal, S Ozawa, A Ekbal & A Jatowt (eds), Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13625 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 216-227, 29th International Conference on Neural Information Processing, ICONIP 2022, Virtual, Online, 22/11/22. https://doi.org/10.1007/978-3-031-30111-7_19

Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers. / Zheng, Zhibin; Hua, Zhongyun; Zhang, Leo Yu.
Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. ed. / Mohammad Tanveer; Sonali Agarwal; Seiichi Ozawa; Asif Ekbal; Adam Jatowt. Springer Science and Business Media Deutschland GmbH, 2023. p. 216-227 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13625 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers

AU - Zheng, Zhibin

AU - Hua, Zhongyun

AU - Zhang, Leo Yu

PY - 2023

Y1 - 2023

N2 - When a deep learning-based model is attacked by backdoor attacks, it behaves normally for clean inputs, whereas outputs unexpected results for inputs with specific triggers. This causes serious threats to deep learning-based applications. Many backdoor detection methods have been proposed to address these threats. However, these defenses can only work on the backdoored models attacked by static trigger(s). Recently, some backdoor attacks with dynamic and invisible triggers have been developed, and existing detection methods cannot defend against these attacks. To address this new threat, in this paper, we propose a new defense mechanism that can detect and mitigate backdoor attacks with dynamic and invisible triggers. We reverse engineer generators that transform clean images into backdoor images for each label. The generated images by the generator can help to detect the existence of a backdoor and further remove it. To the best of our knowledge, our work is the first work to defend against backdoor attacks with dynamic and invisible triggers. Experiments on multiple datasets show that the proposed method can effectively detect and mitigate the backdoor with dynamic and invisible triggers in deep learning-based models.

AB - When a deep learning-based model is attacked by backdoor attacks, it behaves normally for clean inputs, whereas outputs unexpected results for inputs with specific triggers. This causes serious threats to deep learning-based applications. Many backdoor detection methods have been proposed to address these threats. However, these defenses can only work on the backdoored models attacked by static trigger(s). Recently, some backdoor attacks with dynamic and invisible triggers have been developed, and existing detection methods cannot defend against these attacks. To address this new threat, in this paper, we propose a new defense mechanism that can detect and mitigate backdoor attacks with dynamic and invisible triggers. We reverse engineer generators that transform clean images into backdoor images for each label. The generated images by the generator can help to detect the existence of a backdoor and further remove it. To the best of our knowledge, our work is the first work to defend against backdoor attacks with dynamic and invisible triggers. Experiments on multiple datasets show that the proposed method can effectively detect and mitigate the backdoor with dynamic and invisible triggers in deep learning-based models.

KW - AI security

KW - Backdoor attack

KW - Backdoor detection

UR - https://www.scopus.com/pages/publications/85161723238

U2 - 10.1007/978-3-031-30111-7_19

DO - 10.1007/978-3-031-30111-7_19

M3 - 会议稿件

AN - SCOPUS:85161723238

SN - 9783031301100

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 216

EP - 227

BT - Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings

A2 - Tanveer, Mohammad

A2 - Agarwal, Sonali

A2 - Ozawa, Seiichi

A2 - Ekbal, Asif

A2 - Jatowt, Adam

PB - Springer Science and Business Media Deutschland GmbH

T2 - 29th International Conference on Neural Information Processing, ICONIP 2022

Y2 - 22 November 2022 through 26 November 2022

ER -

Zheng Z, Hua Z, Zhang LY. Detecting and Mitigating Backdoor Attacks with Dynamic and Invisible Triggers. In Tanveer M, Agarwal S, Ozawa S, Ekbal A, Jatowt A, editors, Neural Information Processing - 29th International Conference, ICONIP 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2023. p. 216-227. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-30111-7_19