Vera Verto: Multimodal Hijacking Attack (2408.00129v1)

Published 31 Jul 2024 in cs.CR and cs.LG

Abstract: The increasing cost of training ML models has led to the inclusion of new parties in the training pipeline, such as users who contribute training data and companies that provide computing resources. The involvement of these new parties in the ML training process has introduced new attack surfaces for an adversary to exploit. A recent attack in this domain is the model hijacking attack, whereby an adversary hijacks a victim model to implement their own -- possibly malicious -- hijacking tasks. However, the scope of the model hijacking attack has so far been limited to homogeneous-modality tasks. In this paper, we transform the model hijacking attack into a more general multimodal setting, where the hijacking and original tasks are performed on data of different modalities. Specifically, we focus on the setting where an adversary implements an NLP hijacking task into an image classification model. To mount the attack, we propose a novel encoder-decoder based framework, namely the Blender, which relies on advanced image and LLMs. Experimental results show that our modal hijacking attack achieves strong performance in different settings. For instance, our attack achieves 94%, 94%, and 95% attack success rates when using the Sogou news dataset to hijack STL10, CIFAR-10, and MNIST classifiers.

Authors (4)
  1. Minxing Zhang (12 papers)
  2. Ahmed Salem (35 papers)
  3. Michael Backes (157 papers)
  4. Yang Zhang (1129 papers)
