Litcius/Paper detail

Detection of Backdoors in Trained Classifiers Without Access to the Training Set

Zhen Xiang, David J. Miller, George Kesidis

2020IEEE Transactions on Neural Networks and Learning Systems32 citationsDOI

Abstract

With wide deployment of deep neural network (DNN) classifiers, there is great potential for harm from adversarial learning attacks. Recently, a special type of data poisoning (DP) attack, known as a backdoor (or Trojan), was proposed. These attacks do not seek to degrade classification accuracy, but rather to have the classifier learn to classify to a target class <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$t^{\ast }$ </tex-math></inline-formula> whenever the backdoor pattern is present in a test example originally from a source class <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$s^{\ast }$ </tex-math></inline-formula> . Launching backdoor attacks does not require knowledge of the classifier or its training process—only the ability to poison the training set with exemplars containing a backdoor pattern (labeled with the target class). Defenses against backdoors can be deployed before/during training, post-training, or at test time. Here, we address post-training detection in DNN image classifiers, seldom considered in existing works, wherein <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">the defender does not have access to the poisoned training set</i> , but only to the trained classifier itself, as well as to clean (unpoisoned) examples from the classification domain. This scenario is of great interest because e.g., a classifier may be the basis of a phone app that will be shared with many users. Detection may thus reveal a widespread attack. We propose a purely unsupervised anomaly detection (AD) defense against imperceptible backdoor attacks that: 1) detects whether the trained DNN has been backdoor-attacked; 2) infers the source and target classes in a detected attack; 3) estimates the backdoor pattern itself. Our AD approach involves learning (via suitable cost function minimization) the minimum size/norm perturbation (putative backdoor) required to induce the classifier to misclassify (most) examples from class <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$s$ </tex-math></inline-formula> to class <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$t$ </tex-math></inline-formula> , for all <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$(s,t)$ </tex-math></inline-formula> pairs. Our hypothesis is that nonattacked pairs require large perturbations, while the attacked pair <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$(s^{\ast }, t^{\ast })$ </tex-math></inline-formula> requires much smaller ones. This is convincingly borne out experimentally. We identify a variety of plausible cost functions and devise a novel, robust hypothesis testing approach to perform detection inference. We test our approach, in comparison with the state-of-the-art methods, for several backdoor patterns, attack settings and mechanisms, and data sets and demonstrate its favorability. Our defense essentially requires setting a single hyperparameter (the detection threshold), which can e.g., be chosen to fix the system’s false positive rate.

Topics & Concepts

BackdoorComputer scienceClassifier (UML)Artificial intelligenceTraining setMachine learningOne-class classificationPattern recognition (psychology)Artificial neural networkAdversarial systemAnomaly detectionContextual image classificationTest setDeep learningDeep neural networksIntrusion detection systemSet (abstract data type)Constant false alarm rateClass (philosophy)Statistical classificationMulticlass classificationAdversarial Robustness in Machine LearningExplainable Artificial Intelligence (XAI)Advanced Malware Detection Techniques
Detection of Backdoors in Trained Classifiers Without Access to the Training Set | Litcius