Language:

BadNets: Evaluating Backdooring Attacks on Deep Neural Networks

IEEE access, 2019, Vol.7, p.47230-47244 [Peer Reviewed Journal]

Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2019 ;ISSN: 2169-3536 ;EISSN: 2169-3536 ;DOI: 10.1109/ACCESS.2019.2909068 ;CODEN: IAECCG

Full text available

Citations Cited by

Actions
1. Add to My Research
2. Remove from My Research
3. E-mail
4. Print
5. Permalink
6. Citation
7. EasyBib
8. EndNote
9. RefWorks
10. Delicious
11. Export RIS
12. Export BibTeX

Title:
BadNets: Evaluating Backdooring Attacks on Deep Neural Networks
Author: Gu, Tianyu ; Liu, Kang ; Dolan-Gavitt, Brendan ; Garg, Siddharth
Subjects: Artificial neural networks ; Classifiers ; Cloud computing ; Computer security ; Handwriting ; Machine learning ; Neural networks ; Speed limits ; Street signs ; Traffic signs ; Training
Is Part Of: IEEE access, 2019, Vol.7, p.47230-47244
Description: Deep learning-based techniques have achieved state-of-the-art performance on a wide variety of recognition and classification tasks. However, these networks are typically computationally expensive to train, requiring weeks of computation on many GPUs; as a result, many users outsource the training procedure to the cloud or rely on pre-trained models that are then fine-tuned for a specific task. In this paper, we show that the outsourced training introduces new security risks: an adversary can create a maliciously trained network (a backdoored neural network, or a BadNet ) that has the state-of-the-art performance on the user's training and validation samples but behaves badly on specific attacker-chosen inputs. We first explore the properties of BadNets in a toy example, by creating a backdoored handwritten digit classifier. Next, we demonstrate backdoors in a more realistic scenario by creating a U.S. street sign classifier that identifies stop signs as speed limits when a special sticker is added to the stop sign; we then show in addition that the backdoor in our U.S. street sign detector can persist even if the network is later retrained for another task and cause a drop in an accuracy of 25% on average when the backdoor trigger is present. These results demonstrate that backdoors in neural networks are both powerful and-because the behavior of neural networks is difficult to explicate-stealthy. This paper provides motivation for further research into techniques for verifying and inspecting neural networks, just as we have developed tools for verifying and debugging software.
Publisher: Piscataway: IEEE
Language: English
Identifier: ISSN: 2169-3536
EISSN: 2169-3536
DOI: 10.1109/ACCESS.2019.2909068
CODEN: IAECCG
Source: IEEE Open Access Journals
DOAJ Directory of Open Access Journals

Back to results list


INSPIRE LIBRARY - TON DUC THANG UNIVERSITY	(84-028) 37 755 057	Feedback
19 Nguyen Huu Tho St. Dist.7, HCM	thuvien@tdtu.edu.vn	Feedback

BadNets: Evaluating Backdooring Attacks on Deep Neural Networks

Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2019 ;ISSN: 2169-3536 ;EISSN: 2169-3536 ;DOI: 10.1109/ACCESS.2019.2909068 ;CODEN: IAECCG

Searching Remote Databases, Please Wait