Hidden Backdoor Attack against Semantic Segmentation Models
Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack}, which intends to embed hidden backdoors in DNNs by poisoning training data. The attacked model behaves normally on benign samples, whereas its prediction will be changed to a particular target label if hidden backdoors are act...
Gespeichert in:
| Hauptverfasser: | , , , , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Li, Yiming Li, Yanjie Lv, Yalei Jiang, Yong Xia, Shu-Tao |
| description | Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack},
which intends to embed hidden backdoors in DNNs by poisoning training data. The
attacked model behaves normally on benign samples, whereas its prediction will
be changed to a particular target label if hidden backdoors are activated. So
far, backdoor research has mostly been conducted towards classification tasks.
In this paper, we reveal that this threat could also happen in semantic
segmentation, which may further endanger many mission-critical applications
($e.g.$, autonomous driving). Except for extending the existing attack paradigm
to maliciously manipulate the segmentation models from the image-level, we
propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat
the target label ($i.e.$, annotation) from the object-level instead of the
image-level to achieve more sophisticated manipulation. In the annotation of
poisoned samples generated by the fine-grained attack, only pixels of specific
objects will be labeled with the attacker-specified target class while others
are still with their ground-truth ones. Experiments show that the proposed
methods can successfully attack semantic segmentation models by poisoning only
a small proportion of training data. Our method not only provides a new
perspective for designing novel attacks but also serves as a strong baseline
for improving the robustness of semantic segmentation methods. |
| doi_str_mv | 10.48550/arxiv.2103.04038 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_2103_04038</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2103_04038</sourcerecordid><originalsourceid>FETCH-LOGICAL-a678-7ad5cc3861efc80ec1fbc4f4d0f252e6140ad7887ffa112645da5d7707d458b13</originalsourceid><addsrcrecordid>eNotj7FuwjAURb0wINoPYKp_IOE5tmNLnQC1pRKIAfboxc-OrBIHJVbV_n0p7XTPdHUOY0sBpbJawwrHr_hZVgJkCQqknbPnXSTyiW_QfdAwjHyd8w05dhjTlPnJ95hydDfoep8y5jgkfhjIX6YHNgt4mfzj_y7Y-fXlvN0V--Pb-3a9L7A2tjBI2jlpa-GDs-CdCK1TQRGESle-FgqQjLUmBBSiqpUm1GQMGFLatkIu2NPf7d2-uY6xx_G7-a1o7hXyB4G3QgY</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Hidden Backdoor Attack against Semantic Segmentation Models</title><source>arXiv.org</source><creator>Li, Yiming ; Li, Yanjie ; Lv, Yalei ; Jiang, Yong ; Xia, Shu-Tao</creator><creatorcontrib>Li, Yiming ; Li, Yanjie ; Lv, Yalei ; Jiang, Yong ; Xia, Shu-Tao</creatorcontrib><description>Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack},
which intends to embed hidden backdoors in DNNs by poisoning training data. The
attacked model behaves normally on benign samples, whereas its prediction will
be changed to a particular target label if hidden backdoors are activated. So
far, backdoor research has mostly been conducted towards classification tasks.
In this paper, we reveal that this threat could also happen in semantic
segmentation, which may further endanger many mission-critical applications
($e.g.$, autonomous driving). Except for extending the existing attack paradigm
to maliciously manipulate the segmentation models from the image-level, we
propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat
the target label ($i.e.$, annotation) from the object-level instead of the
image-level to achieve more sophisticated manipulation. In the annotation of
poisoned samples generated by the fine-grained attack, only pixels of specific
objects will be labeled with the attacker-specified target class while others
are still with their ground-truth ones. Experiments show that the proposed
methods can successfully attack semantic segmentation models by poisoning only
a small proportion of training data. Our method not only provides a new
perspective for designing novel attacks but also serves as a strong baseline
for improving the robustness of semantic segmentation methods.</description><identifier>DOI: 10.48550/arxiv.2103.04038</identifier><language>eng</language><subject>Computer Science - Artificial Intelligence ; Computer Science - Computer Vision and Pattern Recognition ; Computer Science - Cryptography and Security</subject><creationdate>2021-03</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,776,881</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/2103.04038$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.2103.04038$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Li, Yiming</creatorcontrib><creatorcontrib>Li, Yanjie</creatorcontrib><creatorcontrib>Lv, Yalei</creatorcontrib><creatorcontrib>Jiang, Yong</creatorcontrib><creatorcontrib>Xia, Shu-Tao</creatorcontrib><title>Hidden Backdoor Attack against Semantic Segmentation Models</title><description>Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack},
which intends to embed hidden backdoors in DNNs by poisoning training data. The
attacked model behaves normally on benign samples, whereas its prediction will
be changed to a particular target label if hidden backdoors are activated. So
far, backdoor research has mostly been conducted towards classification tasks.
In this paper, we reveal that this threat could also happen in semantic
segmentation, which may further endanger many mission-critical applications
($e.g.$, autonomous driving). Except for extending the existing attack paradigm
to maliciously manipulate the segmentation models from the image-level, we
propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat
the target label ($i.e.$, annotation) from the object-level instead of the
image-level to achieve more sophisticated manipulation. In the annotation of
poisoned samples generated by the fine-grained attack, only pixels of specific
objects will be labeled with the attacker-specified target class while others
are still with their ground-truth ones. Experiments show that the proposed
methods can successfully attack semantic segmentation models by poisoning only
a small proportion of training data. Our method not only provides a new
perspective for designing novel attacks but also serves as a strong baseline
for improving the robustness of semantic segmentation methods.</description><subject>Computer Science - Artificial Intelligence</subject><subject>Computer Science - Computer Vision and Pattern Recognition</subject><subject>Computer Science - Cryptography and Security</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2021</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotj7FuwjAURb0wINoPYKp_IOE5tmNLnQC1pRKIAfboxc-OrBIHJVbV_n0p7XTPdHUOY0sBpbJawwrHr_hZVgJkCQqknbPnXSTyiW_QfdAwjHyd8w05dhjTlPnJ95hydDfoep8y5jgkfhjIX6YHNgt4mfzj_y7Y-fXlvN0V--Pb-3a9L7A2tjBI2jlpa-GDs-CdCK1TQRGESle-FgqQjLUmBBSiqpUm1GQMGFLatkIu2NPf7d2-uY6xx_G7-a1o7hXyB4G3QgY</recordid><startdate>20210306</startdate><enddate>20210306</enddate><creator>Li, Yiming</creator><creator>Li, Yanjie</creator><creator>Lv, Yalei</creator><creator>Jiang, Yong</creator><creator>Xia, Shu-Tao</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20210306</creationdate><title>Hidden Backdoor Attack against Semantic Segmentation Models</title><author>Li, Yiming ; Li, Yanjie ; Lv, Yalei ; Jiang, Yong ; Xia, Shu-Tao</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a678-7ad5cc3861efc80ec1fbc4f4d0f252e6140ad7887ffa112645da5d7707d458b13</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2021</creationdate><topic>Computer Science - Artificial Intelligence</topic><topic>Computer Science - Computer Vision and Pattern Recognition</topic><topic>Computer Science - Cryptography and Security</topic><toplevel>online_resources</toplevel><creatorcontrib>Li, Yiming</creatorcontrib><creatorcontrib>Li, Yanjie</creatorcontrib><creatorcontrib>Lv, Yalei</creatorcontrib><creatorcontrib>Jiang, Yong</creatorcontrib><creatorcontrib>Xia, Shu-Tao</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Li, Yiming</au><au>Li, Yanjie</au><au>Lv, Yalei</au><au>Jiang, Yong</au><au>Xia, Shu-Tao</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Hidden Backdoor Attack against Semantic Segmentation Models</atitle><date>2021-03-06</date><risdate>2021</risdate><abstract>Deep neural networks (DNNs) are vulnerable to the \emph{backdoor attack},
which intends to embed hidden backdoors in DNNs by poisoning training data. The
attacked model behaves normally on benign samples, whereas its prediction will
be changed to a particular target label if hidden backdoors are activated. So
far, backdoor research has mostly been conducted towards classification tasks.
In this paper, we reveal that this threat could also happen in semantic
segmentation, which may further endanger many mission-critical applications
($e.g.$, autonomous driving). Except for extending the existing attack paradigm
to maliciously manipulate the segmentation models from the image-level, we
propose a novel attack paradigm, the \emph{fine-grained attack}, where we treat
the target label ($i.e.$, annotation) from the object-level instead of the
image-level to achieve more sophisticated manipulation. In the annotation of
poisoned samples generated by the fine-grained attack, only pixels of specific
objects will be labeled with the attacker-specified target class while others
are still with their ground-truth ones. Experiments show that the proposed
methods can successfully attack semantic segmentation models by poisoning only
a small proportion of training data. Our method not only provides a new
perspective for designing novel attacks but also serves as a strong baseline
for improving the robustness of semantic segmentation methods.</abstract><doi>10.48550/arxiv.2103.04038</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.2103.04038 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_2103_04038 |
| source | arXiv.org |
| subjects | Computer Science - Artificial Intelligence Computer Science - Computer Vision and Pattern Recognition Computer Science - Cryptography and Security |
| title | Hidden Backdoor Attack against Semantic Segmentation Models |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-08T19%3A07%3A01IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Hidden%20Backdoor%20Attack%20against%20Semantic%20Segmentation%20Models&rft.au=Li,%20Yiming&rft.date=2021-03-06&rft_id=info:doi/10.48550/arxiv.2103.04038&rft_dat=%3Carxiv_GOX%3E2103_04038%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |