
Neural Network Trojan Detection And Online Attack

Posted on: 2021-04-15  Degree: Master  Type: Thesis
Country: China  Candidate: H Gao  Full Text: PDF
GTID: 2428330614466068  Subject: Information security
Abstract/Summary:
To avoid the huge resource consumption of training neural networks, MLaaS (Machine Learning as a Service) has become an irresistible trend, just as SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) did before it. But it brings with it the security issues of untrustworthy third-party services. In particular, machine learning providers may plant trojan backdoors in the models they supply, for extra profit or other illegal purposes; this is the trojaning attack on neural networks. When samples carrying special marks are fed to such an infected model, the malicious functions in the model are triggered, resulting in changed sample classifications or virus attacks.

This dissertation studies the security problems brought by trojaned neural networks and focuses on the redundant-node-based trojaning attack on neural networks. By comparing two training methods, trojan retraining and adversarial training, we find that embedding malicious trojan nodes in a neural network makes the parameter configuration of those nodes abnormal. This abnormality is a feature unique to the trojaning attack compared with other attacks on neural networks. Based on this feature, this thesis proposes an online trojanization method for neural networks based on the row-hammer attack, which can set arbitrary target labels. We select the node associated with the target class in the network's last fully connected layer as the target node and apply a row-hammer fault attack: while the model is running, specific bits of the target node's parameters are flipped in memory, so that the node is trojaned online. This method achieves a trojan trigger rate as high as 95%, while, when these nodes are not activated, the classification performance of the trojaned model remains similar to that of the original model. Compared with previous trojaning attacks on neural networks, the proposed method broadens the scope of the trojan attack and also covers the situation in which the attacker can no longer train the model.

We also propose a detection method based on the cost distribution of a test dataset over the network's nodes, which can detect both trojan nodes embedded through earlier offline training and trojan nodes embedded by online modification. We abstract the detection of trojan nodes as an outlier mining problem: by computing the cost distribution of the test dataset and using the backpropagation mechanism, we calculate the influence of each node in the network on the overall cost and detect the abnormal nodes among them. With this method we can successfully detect trojan nodes with a trigger rate of 5% or more. The method is low cost, requiring only the untrusted model and a small number of legitimate datasets for testing. As far as we know, research on defending against trojaning attacks on neural networks is still in its infancy, and our research may shed light on the security of MLaaS in real-life scenarios.
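The following is an added worked illustration of the detection idea in the abstract (outlier mining over each node's backpropagated influence on the cost); it is not code from the thesis. It assumes a softmax output layer standing in for the last fully connected layer, trained on constructed Gaussian-cluster data; the per-node influence score (mean absolute error signal at the node, i.e. |∂cost_i/∂z_j| averaged over the test set), the median/MAD outlier rule with its threshold, and the simulation of a corrupted parameter by overwriting one node's bias are all choices of this example, not the thesis's exact procedure. The corruption used here is deliberately blunt (the corrupted node fires on every input), whereas the abstract targets nodes with trigger rates as low as 5%.

```python
import numpy as np

N_CLASSES, DIM, PER_CLASS = 8, 16, 50


def make_dataset(seed=0):
    """Constructed legitimate test data: one Gaussian cluster per class."""
    rng = np.random.default_rng(seed)
    centers = rng.normal(0.0, 3.0, size=(N_CLASSES, DIM))
    X = np.concatenate(
        [centers[c] + rng.normal(0.0, 1.0, size=(PER_CLASS, DIM)) for c in range(N_CLASSES)]
    )
    y = np.repeat(np.arange(N_CLASSES), PER_CLASS)
    X = (X - X.mean(axis=0)) / X.std(axis=0)  # standardise for stable training
    return X, y


def softmax(z):
    z = z - z.max(axis=1, keepdims=True)  # shift for numerical stability
    e = np.exp(z)
    return e / e.sum(axis=1, keepdims=True)


def train_last_layer(X, y, epochs=400, lr=0.05, seed=1):
    """Train a softmax output layer (stand-in for the last fully connected layer)."""
    rng = np.random.default_rng(seed)
    W = rng.normal(0.0, 0.01, size=(DIM, N_CLASSES))
    b = np.zeros(N_CLASSES)
    onehot = np.eye(N_CLASSES)[y]
    for _ in range(epochs):
        p = softmax(X @ W + b)
        dlogits = (p - onehot) / len(X)  # backprop through cross-entropy + softmax
        W -= lr * X.T @ dlogits
        b -= lr * dlogits.sum(axis=0)
    return W, b


def accuracy(W, b, X, y):
    return float(np.mean(np.argmax(X @ W + b, axis=1) == y))


def node_cost_influence(W, b, X, y):
    """Per-node influence on the cost: mean |d cost_i / d z_j| over the test set.

    d cost_i / d z_j is the backpropagated error signal at output node j for
    sample i; for softmax + cross-entropy it equals p_ij - y_ij.
    """
    onehot = np.eye(N_CLASSES)[y]
    p = softmax(X @ W + b)
    return np.abs(p - onehot).mean(axis=0)


def flag_outlier_nodes(scores, threshold=3.5, min_scale=0.05):
    """Robust z-score (median / MAD) outlier test over the node scores.

    min_scale is a design choice of this example: it stops near-identical
    scores on a healthy model from producing spurious outliers.
    """
    med = np.median(scores)
    mad = np.median(np.abs(scores - med))
    scale = max(mad / 0.6745, min_scale)
    z = (scores - med) / scale
    return [int(j) for j in np.flatnonzero(z > threshold)]


def detect_trojan_nodes(W, b, X, y):
    return flag_outlier_nodes(node_cost_influence(W, b, X, y))


def demo(target_node=3):
    X, y = make_dataset()
    W, b = train_last_layer(X, y)
    clean_acc = accuracy(W, b, X, y)
    clean_flags = detect_trojan_nodes(W, b, X, y)
    # Simulated fault: a flipped high-order bit in a float parameter turns a
    # small bias into a huge one, so the target node dominates every input.
    b_trojan = b.copy()
    b_trojan[target_node] = 1000.0
    trojan_flags = detect_trojan_nodes(W, b_trojan, X, y)
    return clean_acc, clean_flags, trojan_flags


if __name__ == "__main__":
    acc, clean, trojaned = demo()
    print(f"clean accuracy {acc:.3f}; flagged nodes: clean={clean}, trojaned={trojaned}")
```

On the clean model every output node carries a small, similar error signal, so nothing is flagged; after the corruption the target node's score jumps to about 7/8 while the others sit near 1/8, and the robust z-score singles it out. Only the untrusted parameters and a small legitimate dataset are needed, which matches the low-cost requirement stated in the abstract.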
Keywords/Search Tags: MLaaS, Trojaning attack on neural networks, Row-hammer attack, Malicious node, Abnormal detection