Litcius/Paper detail

LoneNeuron: A Highly-Effective Feature-Domain Neural Trojan Using Invisible and Polymorphic Watermarks

Zeyan Liu, Fengjun Li, Zhu Li, Bo Luo

2022Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security13 citationsDOIOpen Access PDF

Abstract

The wide adoption of deep neural networks (DNNs) in real-world applications raises increasing security concerns. Neural Trojans embedded in pre-trained neural networks are a harmful attack against the DNN model supply chain. They generate false outputs when certain stealthy triggers appear in the inputs. While data-poisoning attacks have been well studied in the literature, code-poisoning and model-poisoning backdoors only start to attract attention until recently. We present a novel model-poisoning neural Trojan, namely LoneNeuron, which responds to feature-domain patterns that transform into invisible, sample-specific, and polymorphic pixel-domain watermarks. With high attack specificity, LoneNeuron achieves a 100% attack success rate, while not affecting the main task performance. With LoneNeuron's unique watermark polymorphism property, the same feature-domain trigger is resolved to multiple watermarks in the pixel domain, which further improves watermark randomness, stealthiness, and resistance against Trojan detection. Extensive experiments show that LoneNeuron could escape state-of-the-art Trojan detectors. LoneNeuron~is also the first effective backdoor attack against vision transformers (ViTs).

Topics & Concepts

BackdoorTrojanWatermarkComputer scienceDigital watermarkingFeature (linguistics)Artificial intelligenceArtificial neural networkComputer securityDomain (mathematical analysis)PixelDeep learningPattern recognition (psychology)EmbeddingImage (mathematics)MathematicsMathematical analysisPhilosophyLinguisticsAdversarial Robustness in Machine LearningAdvanced Neural Network ApplicationsPhysical Unclonable Functions (PUFs) and Hardware Security