BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain (2017)笔记

矫情吗；* 2022-09-10 02:22 116阅读 0赞

**Code: https://github.com/Billy1900/BadNet (reproduced version on cifar10 and Mnist)**

*  Property: It has state-of-art performance on train and test dataset but behaves badly on specific attacker-chosen inputs.
 *  Context: outsourced task and transfer learning
 *  Case study: MNIST digit recognition attack
    
     *  Two different backdoor:
        
         *  a) single-pixel backdoor
         *  b) a pattern backdoor  
            ![在这里插入图片描述][1b22937627354d72ac83fe1533199021.png]
     *  Two attacks
        
         *  a) a single target attack: i -> j
         *  b) all to all attack: i -> i+1
     *  strategy: poisoning training dataset, might change the training parameters like batch\_size, step\_size.
     *  Results:
        
         *  a) single-target attack: the error rate for clean images is extremely low, and the largest error rate for the attack where the backdoor images of digit 1 are mislabeled by the BadNet as digit 5.  
            ![在这里插入图片描述][watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAQmlsbHkxOTAw_size_15_color_FFFFFF_t_70_g_se_x_16]
         *  b) all-to-all attack: the average error rate for clean images on the BadNet is actually lower than the original network; meanwhile, the average error on backdoor images is extremely low which means it successfully mislabels >99% of backdoor images.  
            ![在这里插入图片描述][watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAQmlsbHkxOTAw_size_11_color_FFFFFF_t_70_g_se_x_16]
     *  Analysis of attack: The presence of dedicated backdoor filters suggests that the presence of backdoors is sparsely coded in deeper layers of the BadNet  
        ![在这里插入图片描述][eeaf8e8c82e7444b83fad3377cfff2cc.png]

It shows the relative fraction of backdoored images in the training dataset increases the error rate on clean images increases while the error rate on backdoored images decreases. Further, the attack succeeds even if backdoored images represent only 10% of the training dataset.  
![在这里插入图片描述][0a1d2a66c16a4d71aa2baf710480b7ab.png]

*  Case study: traffic sign detection attack
    
     *  Model: faster-RCNN which contains three sub-networks: (1) a shared CNN which extracts the features of the input image for other two sub-nets; (2) a region proposal CNN that identifies bounding boxes within an image that might correspond to objects of interest (these are referred to as region proposals); and (3) a traffic sign classification FCNN that classifies regions as either not a traffic sign, or into different types of traffic signs.
     *  Three super-classes: stop signs, speed-limit signs and warning signs.
     *  Three triggers: (i) a yellow square, (ii) an image of a bomb, and (iii) an image of a flower  
        ![在这里插入图片描述][3634c2e99ada4940962ae150ab5730fc.png]

**More Update: https://github.com/Billy1900/Backdoor-Learning**

[1b22937627354d72ac83fe1533199021.png]: /images/20220829/7a3b2106199b41e9aabfa78eb1e28ba4.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAQmlsbHkxOTAw_size_15_color_FFFFFF_t_70_g_se_x_16]: /images/20220829/04aa25c209c24e06ad88a00383668460.png
[watermark_type_ZHJvaWRzYW5zZmFsbGJhY2s_shadow_50_text_Q1NETiBAQmlsbHkxOTAw_size_11_color_FFFFFF_t_70_g_se_x_16]: /images/20220829/5103c186e674473c8ff50321f2e788bf.png
[eeaf8e8c82e7444b83fad3377cfff2cc.png]: /images/20220829/54d4e0cc2d50429f8dc34e19d533d2bd.png
[0a1d2a66c16a4d71aa2baf710480b7ab.png]: /images/20220829/6da3285258ab46b4bdc97aff5c7cb665.png
[3634c2e99ada4940962ae150ab5730fc.png]: /images/20220829/fdd9ee1d524e4f23840449927d5abf95.png