PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification

Backdoor attack is a major threat to deep learning systems in safety-critical scenarios, which aims to trigger misbehavior of neural network models under attacker-controlled conditions. However, most backdoor attacks have to modify the neural network models through training with poisoned data and/or...

Bibliographic details
Published in: arXiv.org 2023-08
Main authors: Yuan, Yizhen, Kong, Rui, Xie, Shenghao, Li, Yuanchun, Liu, Yunxin
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page
container_issue
container_start_page
container_title arXiv.org
container_volume
creator Yuan, Yizhen
Kong, Rui
Xie, Shenghao
Li, Yuanchun
Liu, Yunxin
description Backdoor attack is a major threat to deep learning systems in safety-critical scenarios, which aims to trigger misbehavior of neural network models under attacker-controlled conditions. However, most backdoor attacks have to modify the neural network models through training with poisoned data and/or direct model editing, which leads to a common but false belief that backdoor attack can be easily avoided by properly protecting the model. In this paper, we show that backdoor attacks can be achieved without any model modification. Instead of injecting backdoor logic into the training data or the model, we propose to place a carefully-designed patch (namely backdoor patch) in front of the camera, which is fed into the model together with the input images. The patch can be trained to behave normally at most of the time, while producing wrong prediction when the input image contains an attacker-controlled trigger object. Our main techniques include an effective training method to generate the backdoor patch and a digital-physical transformation modeling method to enhance the feasibility of the patch in real deployments. Extensive experiments show that PatchBackdoor can be applied to common deep learning models (VGG, MobileNet, ResNet) with an attack success rate of 93% to 99% on classification tasks. Moreover, we implement PatchBackdoor in real-world scenarios and show that the attack is still threatening.
doi_str_mv 10.48550/arxiv.2308.11822
format Article
publisher Ithaca: Cornell University Library, arXiv.org
date 2023-08-22
rights 2023. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
backlink https://doi.org/10.48550/arXiv.2308.11822 (View paper in arXiv)
backlink https://doi.org/10.1145/3581783.3612032 (View published paper; access to full text may be restricted)
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2023-08
issn 2331-8422
language eng
recordid cdi_arxiv_primary_2308_11822
source arXiv.org; Free E- Journals
subjects Artificial neural networks
Computer Science - Computer Vision and Pattern Recognition
Computer Science - Cryptography and Security
Computer Science - Learning
Deep learning
Machine learning
Neural networks
Safety critical
Training
title PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-26T11%3A59%3A01IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_arxiv&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=PatchBackdoor:%20Backdoor%20Attack%20against%20Deep%20Neural%20Networks%20without%20Model%20Modification&rft.jtitle=arXiv.org&rft.au=Yuan,%20Yizhen&rft.date=2023-08-22&rft.eissn=2331-8422&rft_id=info:doi/10.48550/arxiv.2308.11822&rft_dat=%3Cproquest_arxiv%3E2856631930%3C/proquest_arxiv%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2856631930&rft_id=info:pmid/&rfr_iscdi=true