
Research On Backdoor Attack And Defense Technology Of Deep Neural Network

Posted on: 2022-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: S Li
Full Text: PDF
GTID: 2518306764966689
Subject: Automation Technology
Abstract/Summary:
Artificial intelligence technology is developing rapidly and penetrating numerous fields, bringing profound changes to everyday life. The Deep Neural Network (DNN) is the core of artificial intelligence technology. To meet increasingly complex tasks, DNN model training requires a plethora of resources, such as massive data and computing power. Unfortunately, training DNN models from scratch is almost unaffordable for resource-constrained users. To reduce the training cost, users may choose to outsource training to third parties or to apply third-party pre-trained models. The price of this convenience is the loss of control over, and visibility into, the whole DNN training phase, which, together with the shortcomings of the DNN itself, makes it vulnerable to backdoor attacks. An attacker only needs to modify a small amount of training data during the training phase to control model-specific parameters, forcing the model to perform normally at inference time except when the input contains a backdoor trigger (a special signal). A backdoor is hard to detect because it can be embedded by locally manipulating only a handful of neurons in modern DNN models with millions of neurons. Meanwhile, the ever-increasing complexity of neural networks only adds to the challenges of backdoor defense in DNNs. Therefore, DNN-oriented backdoor attacks and defenses have very important research significance and practical value. However, existing backdoor attack research results are still inadequate in terms of attack success rate, stealthiness, robustness and efficiency, and existing backdoor defense research results are deficient in terms of model accuracy, efficiency and functionality. To tackle the above drawbacks, this thesis conducts an in-depth study of DNN-oriented backdoor attack and defense schemes, and proposes an attack scheme and a defense scheme.

(1) A stand-in backdoor attack scheme based on a pre-trained model. The scheme completely hides the triggers during the model training phase, achieving their invisibility both visually and in the latent hidden-layer feature space. The scheme keeps the original labels of the poisoned data and makes no modification to the model structure. This implementation ensures that the scheme can readily bypass manual inspection and backdoor detection. Meanwhile, the triggers can be added to any input during the inference phase, which preserves the reusability of triggers and achieves a high attack success rate. The experimental results demonstrate that the scheme achieves a stealthiness of 0.96 and outperforms the state-of-the-art work in terms of attack performance and robustness, without sacrificing the model's utility.

(2) A backdoor defense scheme based on DNN visualization. The scheme achieves effective defense against non-perturbative backdoor attacks without sacrificing model accuracy. Meanwhile, the scheme does not need to retrain the model, and it achieves dual detection of both the triggers and the model. Comparison of experimental results demonstrates that the scheme significantly reduces the impact of the defense module on model accuracy while ensuring effective defense. It is worth mentioning that the scheme improves the effectiveness of defense against backdoor attacks with large-size triggers. Thus, the scheme outperforms the state-of-the-art work in terms of model accuracy and functionality.
Keywords/Search Tags: Artificial Intelligence, Deep Neural Network, Backdoor Attack, Backdoor Defense, Trigger