A Study On Backdoor Attacks And Repair Method Of Neural Network

Posted on: 2022-06-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y T Zhang
GTID: 2518306527955219
Subject: Master of Engineering
Abstract/Summary:
The rapid development of intelligence and informatization has facilitated people's lives, and artificial intelligence technology has penetrated into all aspects of life. However, everything has pros and cons, and artificial intelligence is no exception. While we enjoy the convenience and happiness brought by artificial intelligence, challenges and threats in the security field also follow. For example, frequent accidents involving self-driving cars have led to deaths.

Deep learning is a commonly used technique in the field of artificial intelligence. When training neural network models, the training process is often outsourced to service providers because it is complex and computationally expensive. However, the outsourced training process is vulnerable to backdoor attacks. The attacker inserts "crafted" poisoned data during training and affects the network's decision-making by inserting special backdoor triggers into a small number of training samples. The resulting model performs well on standard validation samples and test input samples, but performs poorly on inputs that carry the specific backdoor trigger. Therefore, it is very meaningful to study backdoor attacks and repairs in neural networks.

This thesis builds on the research status of backdoor attacks at home and abroad and makes the following contributions in the field of neural network image classification. First, for the existing visible-pixel backdoor attack methods, a new backdoor repair method is proposed, which comprehensively considers the repair cost and the degree of prior knowledge of the model that is needed. Second, because the existing visible-pixel backdoor attack methods have poor concealment and their backdoor trigger patterns are easy to detect, a concealed backdoor attack method is proposed. The specific content and innovations are as follows:

(1) Aiming at the problem that backdoor repair methods requiring less prior knowledge need too many iterations, this thesis proposes a backdoor repair method that requires less prior knowledge of the model, fewer repair iterations, and lower cost. It consists of three parts: first, a small amount of poisoning data is obtained through the K-Means clustering method; second, a large amount of poisoning data is generated by simulation using a cGAN (Generative Adversarial Networks); finally, the category of the activated backdoor dataset is selected to retrain the model and repair the backdoor. When a representative backdoor attack method is used to test the backdoor repair method proposed in this thesis, the classification accuracy of the repaired poisoned model can be restored to 98.50%, which is close to the classification accuracy of a model trained with a completely clean standard sample data set.

(2) Aiming at the problem of poor visual concealment of visible-pixel backdoor attack methods, this thesis proposes a covert backdoor attack method. It finds the weakness of neural networks that is easy to attack, and uses an invisible blind watermark pattern as the backdoor trigger. This attack is not easy to detect or repair; it can be effectively defended against only when white-box knowledge is available. This article uses 10 public network models: LeNet (LeNet-1, LeNet-3, LeNet-5), VGG (VGG-11, VGG-13, VGG-16, VGG-19), and ResNet (ResNet-18, ResNet-34, ResNet-101). We tested the attack methods proposed in this chapter with two public data sets, the MNIST data set and the CIFAR-10 data set, and achieved good attack results.
Keywords/Search Tags:Deep neural network, Backdoor attacks, Backdoor attack repair, Artificial intelligence security