AdvDoor: Adversarial backdoor attack of deep learning system

Quan Zhang; Yifeng Ding; Yongqiang Tian; Jianmin Guo; Min Yuan; Yu Jiang

doi:10.1145/3460319.3464809

AdvDoor: Adversarial backdoor attack of deep learning system

Quan Zhang, Yifeng Ding, Yongqiang Tian, Jianmin Guo, Min Yuan, Yu Jiang^*

^*Corresponding author for this work

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

65 Citations (Scopus)

Abstract

Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

Original language	English
Title of host publication	ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
Editors	Cristian Cadar, Xiangyu Zhang
Publisher	Association for Computing Machinery, Inc
Pages	127-138
Number of pages	12
ISBN (Electronic)	9781450384599
DOIs	https://doi.org/10.1145/3460319.3464809
Publication status	Published - 11 Jul 2021
Externally published	Yes
Event	30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 - Virtual, Online, Denmark Duration: 11 Jul 2021 → 17 Jul 2021

Publication series

Name	ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference	30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021
Country/Territory	Denmark
City	Virtual, Online
Period	11/07/21 → 17/07/21

Bibliographical note

Publisher Copyright:
© 2021 ACM.

Keywords

Adversarial Attack
Backdoor Attack
Deep Learning System

Access to Document

10.1145/3460319.3464809

Cite this

Zhang, Q., Ding, Y., Tian, Y., Guo, J., Yuan, M., & Jiang, Y. (2021). AdvDoor: Adversarial backdoor attack of deep learning system. In C. Cadar, & X. Zhang (Eds.), ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 127-138). Article 3464809 (ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis). Association for Computing Machinery, Inc. https://doi.org/10.1145/3460319.3464809

Zhang, Quan ; Ding, Yifeng ; Tian, Yongqiang et al. / AdvDoor : Adversarial backdoor attack of deep learning system. ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. editor / Cristian Cadar ; Xiangyu Zhang. Association for Computing Machinery, Inc, 2021. pp. 127-138 (ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis).

@inproceedings{16437e24b4c74b0fb08aa44db4cc10f3,

title = "AdvDoor: Adversarial backdoor attack of deep learning system",

abstract = "Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98\%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37\% of the poisoned models can be caught, and less than 29\% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80\% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.",

keywords = "Adversarial Attack, Backdoor Attack, Deep Learning System",

author = "Quan Zhang and Yifeng Ding and Yongqiang Tian and Jianmin Guo and Min Yuan and Yu Jiang",

note = "Publisher Copyright: {\textcopyright} 2021 ACM.; 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021 ; Conference date: 11-07-2021 Through 17-07-2021",

year = "2021",

month = jul,

day = "11",

doi = "10.1145/3460319.3464809",

language = "English",

series = "ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis",

publisher = "Association for Computing Machinery, Inc",

pages = "127--138",

editor = "Cristian Cadar and Xiangyu Zhang",

booktitle = "ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis",

}

Zhang, Q, Ding, Y, Tian, Y, Guo, J, Yuan, M & Jiang, Y 2021, AdvDoor: Adversarial backdoor attack of deep learning system. in C Cadar & X Zhang (eds), ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis., 3464809, ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, Association for Computing Machinery, Inc, pp. 127-138, 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021, Virtual, Online, Denmark, 11/07/21. https://doi.org/10.1145/3460319.3464809

AdvDoor: Adversarial backdoor attack of deep learning system. / Zhang, Quan; Ding, Yifeng; Tian, Yongqiang et al.
ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. ed. / Cristian Cadar; Xiangyu Zhang. Association for Computing Machinery, Inc, 2021. p. 127-138 3464809 (ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis).

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

TY - GEN

T1 - AdvDoor

T2 - 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2021

AU - Zhang, Quan

AU - Ding, Yifeng

AU - Tian, Yongqiang

AU - Guo, Jianmin

AU - Yuan, Min

AU - Jiang, Yu

PY - 2021/7/11

Y1 - 2021/7/11

N2 - Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

AB - Deep Learning (DL) system has been widely used in many critical applications, such as autonomous vehicles and unmanned aerial vehicles. However, their security is threatened by backdoor attack, which is achieved by adding artificial patterns on specific training data. Existing attack methods normally poison the data using a patch, and they can be easily detected by existing detection methods. In this work, we propose the Adversarial Backdoor, which utilizes the Targeted Universal Adversarial Perturbation (TUAP) to hide the anomalies in DL models and confuse existing powerful detection methods. With extensive experiments, it is demonstrated that Adversarial Backdoor can be injected stably with an attack success rate around 98%. Moreover, Adversarial Backdoor can bypass state-of-the-art backdoor detection methods. More specifically, only around 37% of the poisoned models can be caught, and less than 29% of the poisoned data cannot bypass the detection. In contrast, for the patch backdoor, all the poisoned models and more than 80% of the poisoned data will be detected. This work intends to alarm the researchers and developers of this potential threat and to inspire the designing of effective detection methods.

KW - Adversarial Attack

KW - Backdoor Attack

KW - Deep Learning System

UR - https://www.webofscience.com/wos/woscc/full-record/WOS:000722628800012

UR - https://openalex.org/W3178326529

UR - https://www.scopus.com/pages/publications/85111420409

U2 - 10.1145/3460319.3464809

DO - 10.1145/3460319.3464809

M3 - Conference Paper published in a book

T3 - ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

SP - 127

EP - 138

BT - ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

A2 - Cadar, Cristian

A2 - Zhang, Xiangyu

PB - Association for Computing Machinery, Inc

Y2 - 11 July 2021 through 17 July 2021

ER -

Zhang Q, Ding Y, Tian Y, Guo J, Yuan M, Jiang Y. AdvDoor: Adversarial backdoor attack of deep learning system. In Cadar C, Zhang X, editors, ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, Inc. 2021. p. 127-138. 3464809. (ISSTA 2021 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis). doi: 10.1145/3460319.3464809

AdvDoor: Adversarial backdoor attack of deep learning system

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this