Mithridates: Auditing and Boosting Backdoor Resistance of Machine Learning Pipelines

Published 9 Feb 2023 in cs.CR, cs.CV, and cs.LG | (2302.04977v3)

Abstract: Machine learning (ML) models trained on data from potentially untrusted sources are vulnerable to poisoning. A small, maliciously crafted subset of the training inputs can cause the model to learn a "backdoor" task (e.g., misclassify inputs with a certain feature) in addition to its main task. Recent research proposed many hypothetical backdoor attacks whose efficacy heavily depends on the configuration and training hyperparameters of the target model. Given the variety of potential backdoor attacks, ML engineers who are not security experts have no way to measure how vulnerable their current training pipelines are, nor do they have a practical way to compare training configurations so as to pick the more resistant ones. Deploying a defense requires evaluating and choosing from among dozens of research papers and re-engineering the training pipeline. In this paper, we aim to provide ML engineers with pragmatic tools to audit the backdoor resistance of their training pipelines and to compare different training configurations, to help choose one that best balances accuracy and security. First, we propose a universal, attack-agnostic resistance metric based on the minimum number of training inputs that must be compromised before the model learns any backdoor. Second, we design, implement, and evaluate Mithridates, a multi-stage approach that integrates backdoor resistance into the training-configuration search. ML developers already rely on hyperparameter search to find configurations that maximize the model's accuracy. Mithridates extends this standard tool to balance accuracy and resistance without disruptive changes to the training pipeline. We show that hyperparameters found by Mithridates increase resistance to multiple types of backdoor attacks by 3-5x with only a slight impact on accuracy. We also discuss extensions to AutoML and federated learning.

