Look, Listen, and Attack: Backdoor Attacks Against Video Action Recognition
Deep neural networks (DNNs) are vulnerable to a class of attacks called
"backdoor attacks", which create an association between a backdoor trigger and
a target label the attacker is interested in exploiting. A backdoored DNN
performs well on clean test images, yet persistently predicts an
attacker-defined label for any sample in the presence of the backdoor trigger.
Although backdoor attacks have been extensively studied in the image domain,
there are very few works that explore such attacks in the video domain, and
they tend to conclude that image backdoor attacks are less effective in the
video domain. In this work, we revisit the traditional backdoor threat model
and incorporate additional video-related aspects to that model. We show that
poisoned-label image backdoor attacks could be extended temporally in two ways,
statically and dynamically, leading to highly effective attacks in the video
domain. In addition, we explore natural video backdoors to highlight the
seriousness of this vulnerability in the video domain. Finally, for the first
time, we study multi-modal (audiovisual) backdoor attacks against video action
recognition models, where we show that attacking a single modality is enough
to achieve a high attack success rate.
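As a rough illustration of what extending an image trigger temporally can mean, the sketch below stamps a patch trigger either at a fixed location in every frame (a static extension) or at a varying location per frame (a dynamic extension) of a poisoned-label clip. The array shapes, function names, and random placement policy are illustrative assumptions, not the exact constructions used in the paper.

```python
import numpy as np

def apply_static_trigger(video, trigger, top_left=(0, 0)):
    """Stamp the same image trigger onto every frame (static temporal extension).

    video:   (T, H, W, C) float array in [0, 1]
    trigger: (h, w, C) float array in [0, 1]
    """
    y, x = top_left
    h, w, _ = trigger.shape
    poisoned = video.copy()
    poisoned[:, y:y + h, x:x + w, :] = trigger
    return poisoned

def apply_dynamic_trigger(video, trigger, seed=0):
    """Move the trigger to a different location in each frame (dynamic extension)."""
    t_frames, height, width, _ = video.shape
    h, w, _ = trigger.shape
    rng = np.random.default_rng(seed)
    poisoned = video.copy()
    for t in range(t_frames):
        y = int(rng.integers(0, height - h + 1))
        x = int(rng.integers(0, width - w + 1))
        poisoned[t, y:y + h, x:x + w, :] = trigger
    return poisoned

# Poisoned-label poisoning: the triggered clip is relabelled with the attacker's
# target class before being added to the training set, e.g.
#   poisoned_clip, poisoned_label = apply_static_trigger(clip, trigger), target_class
```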
Backdoor Attacks and Defences on Deep Neural Networks
Nowadays, due to the huge amount of resources required for network training, pre-trained models are commonly exploited in all kinds of deep learning tasks, such as image classification and natural language processing. These models are either deployed directly in real environments or only fine-tuned on a limited set of data collected, for instance, from the Internet. However, a natural question arises: can we trust pre-trained models or the data downloaded from the Internet? The answer is ‘No’. An attacker can easily perform a so-called backdoor attack to hide a backdoor in a pre-trained model, either by poisoning the dataset used for training or, indirectly, by releasing some poisoned data on the Internet as bait. Such an attack is stealthy, since the hidden backdoor does not affect the behaviour of the network under normal operating conditions, and the malicious behaviour is activated only when a triggering signal is presented at the network input.
In this thesis, we present a general framework for backdoor attacks and defences, and review the state-of-the-art backdoor attacks and the corresponding defences in the field of image classification by casting them in the introduced framework. Focusing on the face recognition domain, we propose two new backdoor attacks that are effective under different threat models. Finally, we design a universal method to defend against backdoor attacks, regardless of the specific attack setting, namely the poisoning strategy and the triggering signal.
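As a minimal sketch of the dataset-poisoning step such attacks rely on, the snippet below blends a trigger into a small fraction of the training images and relabels them with the attacker's target class. The blending rule, poisoning rate, and the dirty-label choice are assumptions for illustration; the thesis also covers other poisoning strategies and triggering signals.

```python
import numpy as np

def poison_training_set(images, labels, trigger, mask, target_label,
                        poison_rate=0.05, seed=0):
    """Generic dirty-label data poisoning: blend a trigger into a small fraction
    of the training images and relabel them with the attacker's target class.

    images:        (N, H, W, C) float array in [0, 1]
    labels:        (N,) int array
    trigger, mask: (H, W, C) float arrays; mask is 1 where the trigger is applied
    """
    rng = np.random.default_rng(seed)
    n_poison = int(len(images) * poison_rate)
    idx = rng.choice(len(images), size=n_poison, replace=False)

    poisoned_images = images.copy()
    poisoned_labels = labels.copy()
    poisoned_images[idx] = (1 - mask) * poisoned_images[idx] + mask * trigger
    poisoned_labels[idx] = target_label
    return poisoned_images, poisoned_labels
```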
Temporal-Distributed Backdoor Attack Against Video Based Action Recognition
Deep neural networks (DNNs) have achieved tremendous success in various
applications including video action recognition, yet remain vulnerable to
backdoor attacks (Trojans). A backdoor-compromised model misclassifies a test
instance (from a non-target class) into the attacker-chosen target class
whenever the instance is embedded with a specific trigger, while maintaining
high accuracy on attack-free instances. Although there are extensive studies on backdoor attacks
against image data, the susceptibility of video-based systems under backdoor
attacks remains largely unexplored. Current studies are direct extensions of
approaches proposed for image data, e.g., the triggers are
independently embedded within the frames, which tend to be detectable
by existing defenses. In this paper, we introduce a simple yet
effective backdoor attack against video data. Our proposed attack,
adding perturbations in a transformed domain, plants an imperceptible,
temporally distributed trigger across the video frames, and is shown to be
resilient to existing defensive strategies. The effectiveness of the proposed
attack is demonstrated by extensive experiments with various well-known models
on two video recognition benchmarks, UCF101 and HMDB51, and a sign language
recognition benchmark, Greek Sign Language (GSL) dataset. We delve into the
impact of several influential factors on our proposed attack and identify an
intriguing effect termed "collateral damage" through extensive studies.
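The abstract does not spell out the transform used, so the snippet below is only an illustrative sketch of a transformed-domain, temporally distributed trigger: it perturbs a few temporal DFT bins of the clip, so the change is spread across all frames instead of being stamped independently into each one. The function name, bin choice, and amplitude are assumptions, not the paper's construction.

```python
import numpy as np

def embed_temporal_frequency_trigger(video, freq_bins=(1, 2), amplitude=0.02):
    """Illustrative transformed-domain trigger: perturb a few temporal frequency
    components of the clip, so the modification is distributed over all frames
    rather than stamped independently into each one.

    video:     (T, H, W, C) float array in [0, 1]
    freq_bins: temporal DFT bins to perturb (assumed; must be < T // 2 + 1)
    """
    spectrum = np.fft.rfft(video, axis=0)           # temporal DFT per pixel/channel
    for k in freq_bins:
        spectrum[k] += amplitude * video.shape[0]   # small fixed offset in chosen bins
    poisoned = np.fft.irfft(spectrum, n=video.shape[0], axis=0)
    return np.clip(poisoned, 0.0, 1.0)
```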
Robust Backdoor Attacks on Object Detection in Real World
Deep learning models are widely deployed in many applications, such as object
detection in various security fields. However, these models are vulnerable to
backdoor attacks. Most backdoor attacks have been studied intensively on
classification models, but little attention has been paid to object detection.
Previous works mainly focused on backdoor attacks in the digital world and
neglected the physical world, where an attack's effect is easily influenced by
physical factors such as distance and illumination. In this paper, we propose a
variable-size backdoor trigger that adapts to the different sizes of attacked
objects, overcoming the disturbance caused by the distance between the viewing
point and the attacked object. In addition, we propose a backdoor training
method, named malicious adversarial training, that enables the backdoor object
detector to learn the features of the trigger under physical noise. The
experimental results show that this robust backdoor attack (RBA) can enhance
the attack success rate in the real world.
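The sketch below shows one plausible reading of a variable-size trigger: the patch is rescaled relative to the attacked object's bounding box before being pasted, so its apparent size tracks the object's distance from the camera. The box format, the relative_size parameter, and the use of OpenCV for resizing are assumptions for illustration.

```python
import numpy as np
import cv2  # assumed available for resizing

def paste_variable_size_trigger(image, box, trigger, relative_size=0.2):
    """Rescale a trigger patch relative to the attacked object's bounding box and
    paste it at the box centre, so the trigger stays proportionate to the object
    regardless of viewing distance.

    image:   (H, W, 3) uint8 array
    box:     (x1, y1, x2, y2) pixel coordinates of the attacked object
    trigger: (h, w, 3) uint8 patch; assumed to fit inside the image after scaling
    """
    x1, y1, x2, y2 = box
    side = max(1, int(relative_size * min(x2 - x1, y2 - y1)))
    patch = cv2.resize(trigger, (side, side), interpolation=cv2.INTER_LINEAR)

    cx, cy = (x1 + x2) // 2, (y1 + y2) // 2
    top = min(max(cy - side // 2, 0), image.shape[0] - side)
    left = min(max(cx - side // 2, 0), image.shape[1] - side)
    out = image.copy()
    out[top:top + side, left:left + side] = patch
    return out
```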
Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning
A backdoored deep hashing model is expected to behave normally on original
query images and return the images with the target label when a specific
trigger pattern is present. To this end, we propose the confusing
perturbations-induced backdoor attack (CIBA). It injects a small number of
poisoned images with the correct label into the training data, which makes the
attack hard to detect. To craft the poisoned images, we first propose the
confusing perturbations to disturb the hashing code learning. As such, the
hashing model can learn more about the trigger. The confusing perturbations are
imperceptible and generated by optimizing the intra-class dispersion and
inter-class shift in the Hamming space. We then employ the targeted adversarial
patch as the backdoor trigger to improve the attack performance. We have
conducted extensive experiments to verify the effectiveness of our proposed
CIBA. Our code is available at https://github.com/KuofengGao/CIBA.
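As a minimal sketch of how a CIBA-style clean-label poisoned sample could be assembled, the snippet below adds a bounded confusing perturbation and then pastes the trigger patch while leaving the original label untouched. The tensor shapes, the L_inf budget, and the function name are assumptions; generating the confusing perturbation itself (by optimizing intra-class dispersion and inter-class shift in the Hamming space) is not reproduced here.

```python
import torch

def make_clean_label_poison(image, confusing_perturbation, trigger_patch,
                            patch_mask, epsilon=8 / 255):
    """Assemble one clean-label poisoned sample: add a bounded confusing
    perturbation, then paste the trigger patch; the original (correct) label
    is kept, which is what makes the poisoning clean-label.

    image, confusing_perturbation: (3, H, W) tensors in [0, 1]
    trigger_patch, patch_mask:     (3, H, W) tensors; mask is 1 where the patch sits
    epsilon: assumed L_inf budget on the confusing perturbation
    """
    perturbed = (image + confusing_perturbation.clamp(-epsilon, epsilon)).clamp(0, 1)
    poisoned = (1 - patch_mask) * perturbed + patch_mask * trigger_patch
    return poisoned  # label is intentionally left unchanged
```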