TRIGS: Trojan Identification from Gradient-based Signatures
Abstract: Training machine learning models can be very expensive or even unaffordable. This may be, for example, due to data limitations, such as unavailability or being too large, or computational power limitations. Therefore, it is a common practice to rely on open-source pre-trained models whenever possible.However, this practice is alarming from a security perspective. Pre-trained models can be infected with Trojan attacks, in which the attacker embeds a trigger in the model such that the model's behavior can be controlled by the attacker when the trigger is present in the input. In this paper, we present a novel method for detecting Trojan models. Our method creates a signature for a model based on activation optimization. A classifier is then trained to detect a Trojan model given its signature. We call our method TRIGS for TRojan Identification from Gradient-based Signatures. TRIGS achieves state-of-the-art performance on two public datasets of convolutional models. Additionally, we introduce a new challenging dataset of ImageNet models based on the vision transformer architecture. TRIGS delivers the best performance on the new dataset, surpassing the baseline methods by a large margin. Our experiments also show that TRIGS requires only a small amount of clean samples to achieve good performance, and works reasonably well even if the defender does not have prior knowledge about the attacker's model architecture. Our code and data are publicly available.
- End-to-End Object Detection with Transformers. In Computer Vision – ECCV 2020. 2020.
- Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering. In AAAI’s Workshop on Artificial Intelligence Safety, 2019a.
- DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks. In Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, 2019b.
- Demon in the Variant: Statistical Analysis of DNNs for Robust Backdoor Contamination Detection | USENIX. In USENIX Security Symposium, 2021.
- Defending Backdoor Attacks on Vision Transformer via Patch Processing. In AAAI Conference on Artificial Intelligence, 2023.
- Black-box Detection of Backdoor Attacks with Limited Information and Data. In 2021 IEEE/CVF International Conference on Computer Vision (ICCV), 2021.
- An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale. In International Conference on Learning Representations, 2020.
- Visualizing Higher-Layer Features of a Deep Network. Technical Report, Univeristé de Montréal, 2009.
- Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
- Witches’ Brew: Industrial Scale Data Poisoning via Gradient Matching. In International Conference on Learning Representations, 2022.
- Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(2), 2023.
- BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain, 2019.
- Deep residual learning for image recognition. In 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, 2016.
- Label-Only Model Inversion Attacks via Boundary Repulsion. In 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), 2022.
- The TrojAI Software Framework: An OpenSource tool for Embedding Trojans into Deep Learning Models, 2020.
- Adam: A Method for Stochastic Optimization. In International Conference on Learning Representations, 2015.
- Universal Litmus Patterns: Revealing Backdoor Attacks in CNNs. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020.
- Deep Partition Aggregation: Provable Defenses against General Poisoning Attacks. In International Conference on Learning Representations, 2021.
- Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks. In International Conference on Learning Representations, 2021.
- Trojaning Attack on Neural Networks. In Proceedings 2018 Network and Distributed System Security Symposium, 2018.
- ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019.
- Complex Backdoor Detection by Symmetric Feature Differencing. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2022.
- Decoupled Weight Decay Regularization. In International Conference on Learning Representations, 2018.
- Visualizing Deep Convolutional Neural Networks Using Natural Pre-images. International Journal of Computer Vision, 120(3), 2016.
- Multifaceted Feature Visualization: Uncovering the Different Types of Features Learned By Each Neuron in Deep Neural Networks, 2016.
- Understanding Neural Networks via Feature Visualization: A Survey. In Explainable AI: Interpreting, Explaining and Visualizing Deep Learning. Springer, 2019.
- Input-Aware Dynamic Backdoor Attack. In Advances in Neural Information Processing Systems, 2020.
- PyTorch: An Imperative Style, High-Performance Deep Learning Library. In Advances in Neural Information Processing Systems, 2019.
- Hidden Trigger Backdoor Attacks. In Proceedings of the AAAI Conference on Artificial Intelligence, 2020.
- Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. In Advances in Neural Information Processing Systems, 2018.
- Backdoor Scanning for Deep Neural Networks through K-Arm Optimization. In Proceedings of the 38th International Conference on Machine Learning, 2021.
- Very deep convolutional networks for large-scale image recognition. In International Conference on Learning Representations, 2015.
- Deep Inside Convolutional Networks: Visualising Image Classification Models and Saliency Maps, 2014.
- Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch. In Advances in Neural Information Processing Systems (NeurIPS), 2022.
- Spectral Signatures in Backdoor Attacks. In Advances in Neural Information Processing Systems, 2018.
- Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks. In 2019 IEEE Symposium on Security and Privacy (SP), 2019.
- Variational Model Inversion Attacks. In Neural Information Procesing Systems (NeurIPS), 2022.
- Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases. In Computer Vision – ECCV 2020, 2020.
- RAB: Provable Robustness Against Backdoor Attacks. In 2023 IEEE Symposium on Security and Privacy (SP), 2023.
- Adversarial Neuron Pruning Purifies Backdoored Deep Models. In Advances in Neural Information Processing Systems, 2021.
- Revealing Backdoors, Post-Training, in DNN Classifiers via Novel Inference on Optimized Perturbations Inducing Group Misclassification. In ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2020.
- SegFormer: Simple and Efficient Design for Semantic Segmentation with Transformers. In Advances in Neural Information Processing Systems, 2021.
- Aggregated residual transformations for deep neural networks, 2017.
- Detecting AI Trojans Using Meta Neural Analysis. In 2021 IEEE Symposium on Security and Privacy (SP), 2021.
- Understanding Neural Networks Through Deep Visualization, 2015.
- Visualizing and Understanding Convolutional Networks. In Computer Vision – ECCV 2014, 2014.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.