| Deep learning has been a research hotspot in recent years, and has been widely used in intelligent video analysis, face recognition, and automatic driving. The success of deep learning relies on a large amount of training data and powerful computing resources. To reduce costs, users can train models on public datasets, or directly call pre-trained neural network models in their applications. This allows attackers to embed a backdoor into the neural network model, causing the network to perform predetermined backdoor behaviors that work against the user. Attackers only need to add a small number of backdoor samples to the training data to change the classification behavior of the neural network. To reduce this harm, it is necessary to study appropriate backdoor defense strategies. Traditional backdoor defense is mainly based on input sanitization, but because of the stage at which it acts, it struggles to resist many backdoors. Compared with traditional methods, defense based on detecting backdoor triggers repairs the backdoored model by detecting and eliminating the backdoor, and has become one of the most popular defense methods at present. Although the detection of backdoor triggers has shown good application potential in the field of backdoor defense, the technology still has problems such as backdoors that are difficult to detect and backdoors that are incompletely removed. Therefore, how to improve backdoor detection capability has always been a focus of academic research. This paper conducts research on backdoor attack and backdoor detection, and explores how to improve the defense capability and robustness of the neural network model from two aspects: analyzing the backdoor attack process and backdoor detection. Specifically, the main innovations and contributions of this paper are summarized as follows: 1. Image recognition attack based on image boundary backdoor embedding. By studying the principle of backdoor generation and embedding, an effective backdoor trigger is proposed to realize a backdoor attack. The backdoor adds a slender, narrow colored band at the border of the image, and uses the small mutation of the border pixel values as the backdoor trigger. Through the embedding of the border backdoor, the classification behavior of the neural network can be changed, and samples carrying the backdoor trigger are classified as the target label. For two mainstream training datasets, the backdoor trigger function and the target label function are used to embed the backdoor trigger into the images. The experimental results of the image recognition attack based on image boundary backdoor embedding show that the boundary backdoor proposed in this paper achieves good attack results on the two mainstream training sets. 2. Segmented backdoor defense based on local and global gradient ascent. Building on the defense method of detecting backdoor triggers, a segmented backdoor defense is proposed. Local Gradient Ascent is used to amplify the training loss gap between clean and backdoor samples, and to isolate a small number of backdoor samples with high precision. Global Gradient Ascent is then used to make the neural network forget the backdoor samples it has already learned, so that a clean neural network model can be trained on the compromised dataset. In this paper, the cross-entropy loss function is used to calculate the gradient of the training loss. The experiments construct 6 common backdoor datasets from three mainstream training datasets, and train backdoor models on the wide residual network. Experiments show that the segmented backdoor defense with local and global gradient ascent proposed in this paper has a good defense effect against 6 common backdoors. |