118 research outputs found

    Training with More Confidence: Mitigating Injected and Natural Backdoors During Training

    The backdoor or Trojan attack is a severe threat to deep neural networks (DNNs). Researchers find that DNNs trained on benign data and settings can also learn backdoor behaviors, which is known as the natural backdoor. Existing works on anti-backdoor learning are based on weak observations that the backdoor and benign behaviors can differentiate during training. An adaptive attack with slow poisoning can bypass such defenses. Moreover, these methods cannot defend natural backdoors. We found the fundamental differences between backdoor-related neurons and benign neurons: backdoor-related neurons form a hyperplane as the classification surface across input domains of all affected labels. By further analyzing the training process and model architectures, we found that piece-wise linear functions cause this hyperplane surface. In this paper, we design a novel training method that forces the training to avoid generating such hyperplanes and thus remove the injected backdoors. Our extensive experiments on five datasets against five state-of-the-art attacks and also benign training show that our method can outperform existing state-of-the-art defenses. On average, the ASR (attack success rate) of the models trained with NONE is 54.83 times lower than undefended models under standard poisoning backdoor attack and 1.75 times lower under the natural backdoor attack. Our code is available at https://github.com/RU-System-Software-and-Security/NONE

    NOTABLE: Transferable Backdoor Attacks Against Prompt-based NLP Models

    Prompt-based learning is vulnerable to backdoor attacks. Existing backdoor attacks against prompt-based models consider injecting backdoors into the entire embedding layers or word embedding vectors. Such attacks can be easily affected by retraining on downstream tasks and with different prompting strategies, limiting the transferability of backdoor attacks. In this work, we propose transferable backdoor attacks against prompt-based models, called NOTABLE, which is independent of downstream tasks and prompting strategies. Specifically, NOTABLE injects backdoors into the encoders of PLMs by utilizing an adaptive verbalizer to bind triggers to specific words (i.e., anchors). It activates the backdoor by pasting input with triggers to reach adversary-desired anchors, achieving independence from downstream tasks and prompting strategies. We conduct experiments on six NLP tasks, three popular models, and three prompting strategies. Empirical results show that NOTABLE achieves superior attack performance (i.e., attack success rate over 90% on all the datasets), and outperforms two state-of-the-art baselines. Evaluations on three defenses show the robustness of NOTABLE. Our code can be found at https://github.com/RU-System-Software-and-Security/Notable

    Rethinking the Reverse-engineering of Trojan Triggers

    Deep Neural Networks are vulnerable to Trojan (or backdoor) attacks. Reverse-engineering methods can reconstruct the trigger and thus identify affected models. Existing reverse-engineering methods only consider input space constraints, e.g., trigger size in the input space. Expressly, they assume the triggers are static patterns in the input space and fail to detect models with feature space triggers such as image style transformations. We observe that both input-space and feature-space Trojans are associated with feature space hyperplanes. Based on this observation, we design a novel reverse-engineering method that exploits the feature space constraint to reverse-engineer Trojan triggers. Results on four datasets and seven different attacks demonstrate that our solution effectively defends both input-space and feature-space Trojans. It outperforms state-of-the-art reverse-engineering methods and other types of defenses in both Trojaned model detection and mitigation tasks. On average, the detection accuracy of our method is 93%. For Trojan mitigation, our method can reduce the ASR (attack success rate) to only 0.26% with the BA (benign accuracy) remaining nearly unchanged. Our code can be found at https://github.com/RU-System-Software-and-Security/FeatureRE

    Alteration-free and Model-agnostic Origin Attribution of Generated Images

    Recently, there has been growing attention to image generation models. However, concerns have emerged regarding potential misuse and intellectual property (IP) infringement associated with these models. Therefore, it is necessary to analyze the origin of images by inferring if a specific image was generated by a particular model, i.e., origin attribution. Existing methods are limited in their applicability to specific types of generative models and require additional steps during training or generation. This restricts their use with pre-trained models that lack these specific operations and may compromise the quality of image generation. To overcome this problem, we first develop an alteration-free and model-agnostic origin attribution method via input reverse-engineering on image generation models, i.e., inverting the input of a particular model for a specific image. Given a particular model, we first analyze the differences in the hardness of reverse-engineering tasks for the generated images of the given model and other images. Based on our analysis, we propose a method that utilizes the reconstruction loss of reverse-engineering to infer the origin. Our proposed method effectively distinguishes between generated images from a specific generative model and other images, including those generated by different models and real images

    How to Detect Unauthorized Data Usages in Text-to-image Diffusion Models

    Recent text-to-image diffusion models have shown surprising performance in generating high-quality images. However, concerns have arisen regarding the unauthorized usage of data during the training process. One example is when a model trainer collects a set of images created by a particular artist and attempts to train a model capable of generating similar images without obtaining permission from the artist. To address this issue, it becomes crucial to detect unauthorized data usage. In this paper, we propose a method for detecting such unauthorized data usage by planting injected memorization into the text-to-image diffusion models trained on the protected dataset. Specifically, we modify the protected image dataset by adding unique contents on the images such as stealthy image wrapping functions that are imperceptible to human vision but can be captured and memorized by diffusion models. By analyzing whether the model has memorization for the injected content (i.e., whether the generated images are processed by the chosen post-processing function), we can detect models that had illegally utilized the unauthorized data. Our experiments conducted on Stable Diffusion and LoRA model demonstrate the effectiveness of the proposed method in detecting unauthorized data usages

    3,4-Bis[4-(4-methoxyphenoxy)phenyl]-1-methyl-1H-pyrrole-2,5-dione

    The title compound, C31H25NO6, has a structure related to other 3,4-diaryl-substituted maleic anhydride derivatives which have been shown to be useful as photochromic materials. The dihedral angles between the maleimide ring system and the benzene rings bonded to it are 44.48 (3) and 17.89 (3)°, while the angles between each of the latter rings and the corresponding ether bridging connected methoxybenzene rings are 78.61 (8) and 72.67 (7)°. In the crystal, the molecules are linked by C—H⋯O interactions

    Phenyl 3-methoxy-4-phenoxybenzoate

    In the title molecule, C20H16O4, the two outermost phenyl rings form dihedral angles of 79.80 (7) and 69.35 (7)° with the central benzene ring. In the crystal structure, weak intermolecular C—H⋯O interactions link the molecules into ribbons propagating along [10]

    Bridging the gap: optimized fabrication of robust titania nanostructures on complex implant geometries towards clinical translation

    Electrochemically anodized titanium surfaces with titania nanostructures (TNS; nanopores, nanotubes, etc.) have been widely applied as therapeutic bone/dental implant modifications. Despite the numerous advancements in the field of electrochemical anodization (EA), in terms of translation into the current implant market, research gaps in this domain include the lack of fabrication optimization, performed on a substrate of conventional implant surface/geometry, and inadequate mechanical stability. In the current study, we investigate the role of substrate pre-treatment on achieving desired nanotopographies for the purpose of reproducing optimized nanostructures on the complex geometry of commercial implant surfaces, as well as in-depth mechanical stability testing of these nano-engineered coatings. The results confirmed that: (a) substrate polishing/smoothening may be insignificant with respect to fabrication of well-ordered and high quality TNS on micro-rough implants with preserved underlying micro roughness; (b) optimized outcomes can be successfully translated onto complex geometries characteristic of the current implant market, including dental implant abutments and screws (also applicable to a wider implant market including orthopaedics); (c) mechanical stability testing revealed improved modulus and hardness values as compared to conventional nanotubes/pores. We believe that such optimization advances the existing knowledge of titanium anodization and anodized implants towards integration into the current implant market and successful clinical translation. (C) 2018 Elsevier Inc. All rights reserved

    Understanding and augmenting the stability of therapeutic nanotubes on anodized titanium implants

    Titanium is an ideal material choice for orthopaedic and dental implants, and hence a significant amount of research has been focused towards augmenting the therapeutic efficacy of titanium surfaces. More recently the focus has shifted to nano-engineered implants fabricated via anodization to generate self-ordered nanotubular structures composed of titania (TiO2). These structures (titania nanotubes/TNTs) enable local drug delivery and tailorable cellular modulation towards achieving desirable effects like enhanced osseointegration and antibacterial action. However, the mechanical stability of such modifications is often ignored and remains under explored, and any delamination or breakage in the TNTs modification can initiate toxicity and lead to severe immuno-inflammatory reactions. This review details and critically evaluates the progress made in relation to this aspect of TNT based implants, with a focus on understanding the interface between TNTs and the implant surface, treatments aimed at augmenting mechanical stability and strategies for advanced mechanical testing within the bone micro-environment ex vivo and in vivo. This review article extends the existing knowledge in this domain of TNTs implant technology and will enable improved understanding of the underlying parameters that contribute towards mechanically robust nano-engineered implants that can withstand the forces associated with implant surgical placement and the load bearing experienced at the bone/implant interface