Cite this article
  • Duan Qiuyu, Hou Linshan, Hua Zhongyun, Liao Qing, Zhang Yushu, Zhang Yu. Single-parameter backdoor attack based on model manipulation[J]. Journal of Cyber Security, Accepted
Submitted: 2024-04-11; Revised: 2024-08-16
Single-parameter backdoor attack based on model manipulation
Duan Qiuyu¹, Hou Linshan¹, Hua Zhongyun¹, Liao Qing¹, Zhang Yushu², Zhang Yu³
(1. Harbin Institute of Technology, Shenzhen; 2. Nanjing University of Aeronautics and Astronautics; 3. Griffith University)
Abstract:
As the harmfulness of backdoor attacks on deep neural networks has been confirmed, the academic community has begun to explore their practical feasibility in depth. Current backdoor attack methods mostly implant backdoors by poisoning training data; these methods are effective but involve a long attack chain, a limited range of attack scenarios, and limited practical feasibility. To enhance the practical feasibility of backdoor attacks, model manipulation-based backdoor attacks have been proposed. These methods implant backdoors by directly manipulating model parameters, which shortens the attack chain, diversifies the applicable scenarios, and improves the practical feasibility of backdoor attacks to a certain extent. However, existing model manipulation-based backdoor attacks suffer from a cumbersome and time-consuming implementation process, as well as limited effectiveness due to restrictions on the extent of parameter modification. In response to these challenges, a single-parameter backdoor attack based on model manipulation was proposed. In this method, the attacker only needed to slightly adjust the bias parameter of the output neuron corresponding to the target category to effectively implant a backdoor. This implementation process was not only simple and rapid but also highly stealthy because it modified only a single model parameter. Furthermore, the triggers generated by maximizing the model prediction uncertainty guaranteed the effectiveness of the method. Extensive experimental results demonstrated that the single-parameter backdoor attack outperformed existing model manipulation-based backdoor attack methods in both effectiveness and stealth.
Key words:  deep learning, deep neural network, artificial intelligence security, backdoor attack