
Research On Attack And Defense Technology Of Hidden Trigger Backdoor Attacks

Posted on: 2023-01-19
Degree: Master
Type: Thesis
Country: China
Candidate: S Peng
Full Text: PDF
GTID: 2558307097494604
Subject: Computer technology
Abstract/Summary:
Deep learning (DL) and machine learning (ML) models are increasingly used to carry out key tasks in many fields, such as computer vision, malware detection, financial fraud detection and access control, because of their strong decision-making ability. However, deployed models face many security threats. A well-known one is the adversarial attack at the prediction stage: it causes the target model to misclassify by adding imperceptible or semantically consistent perturbations to the input, and it does not damage the model itself. Adversarial attacks are not the only threat. At the training stage, an attacker can poison the model by modifying the training data so that its classifications become wrong. This includes the backdoor attack against deep neural networks (DNN), which covertly modifies the training data so that the model learns the behaviour the attacker wants: at prediction time the model produces an attacker-specified output for inputs carrying a specific "trigger", while still predicting correctly on clean input. Such an attack destroys the integrity of the model and is highly concealed. In the era of big data, unreliable data sources make it easy to train a backdoored model, and if a backdoor is inserted into a model used in a safety-related application such as autonomous driving, misjudgement may cost human lives and property.

Current backdoor attack algorithms suffer from poisoned samples that are too abnormal and easily spotted by the human eye, because the triggers are conspicuous and the data labels are inconsistent. Designing a more hidden backdoor sample, one that looks normal to a human but makes the model misclassify with high confidence when it encounters the trigger, is therefore of great research significance. This thesis studies and designs a backdoor attack method in which the trigger is invisible and the labels are consistent throughout the whole modelling stage. At the same time, there is no existing research on active defence against hidden, label-consistent backdoor attacks, even though such attacks are bound to pose a serious threat to the model; passive defence cannot tell whether a backdoor has been inserted into the model, which leaves hidden dangers. This thesis therefore also studies and designs an active defence technique against hidden, label-consistent backdoor attacks, providing a guarantee for the security of the model.

The main work of this thesis is as follows:

1) By combining poisoning attack and adversarial attack, this thesis realises an enhanced hidden backdoor attack with consistent labels. The algorithm generates visually "clean" training images and prediction images, ensures that the trigger remains invisible throughout the whole modelling process of the machine learning model, and makes the backdoor attack more threatening.

2) This thesis realises an active defence against hidden backdoor attacks with consistent labels. Based on a Variational Autoencoder, a detector that captures the mapping between an image's correct feature-space representation and its pixel-space representation is designed to filter the training data set before the model is trained, ensuring that no backdoor is inserted into the model.

3) The proposed methods are experimentally analysed and evaluated. For the proposed attack algorithm, while the trigger remains invisible in the training phase, the attack success rate across multiple pairs of experiments exceeds 96% on the ImageNet dataset. For the proposed Variational Autoencoder-based defence method, on the CIFAR-10 dataset the average detection success rate for hidden backdoor data is more than 94%, and the rate at which clean images are wrongly flagged is 14%.
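As an added illustration of the filtering step in contribution 2), and not code from the thesis: a reconstruction-based detector is fitted on trusted clean data, its threshold is calibrated on clean samples (which fixes the clean false-flag rate), and every candidate training sample it cannot reconstruct is dropped before model training. A linear PCA reconstruction model stands in for the VAE, the 64-pixel "images" and the off-manifold perturbation used as a hidden-trigger stand-in are constructed here, and all names are this example's own.

```python
import numpy as np

rng = np.random.default_rng(0)
N_PIX, RANK = 64, 8
# Constructed "clean image" manifold: an 8-dimensional subspace of 64-pixel vectors.
BASIS = np.linalg.qr(rng.standard_normal((N_PIX, RANK)))[0]


def make_clean(n):
    """Constructed clean samples: a point on the manifold plus small pixel noise."""
    return rng.standard_normal((n, RANK)) @ BASIS.T + 0.05 * rng.standard_normal((n, N_PIX))


def add_hidden_trigger(x, eps=0.5):
    """Constructed stand-in for a hidden trigger: a low-amplitude perturbation that
    leaves the clean manifold, so pixel space and feature space no longer agree."""
    t = rng.standard_normal(N_PIX)
    t -= BASIS @ (BASIS.T @ t)          # keep only the off-manifold component
    return x + eps * t / np.linalg.norm(t)


class ReconstructionFilter:
    """Linear (PCA) stand-in for the VAE detector: fit on trusted clean data, then
    flag any candidate training sample that cannot be reconstructed well."""

    def fit(self, x_clean, clean_quantile=0.86, rank=RANK):
        self.mean = x_clean.mean(axis=0)
        _, _, vt = np.linalg.svd(x_clean - self.mean, full_matrices=False)
        self.comps = vt[:rank]
        # Threshold chosen on clean data: (1 - clean_quantile) of clean images get flagged.
        self.threshold = np.quantile(self.score(x_clean), clean_quantile)
        return self

    def score(self, x):
        z = (x - self.mean) @ self.comps.T           # pixel space -> feature space
        recon = z @ self.comps + self.mean           # feature space -> pixel space
        return np.linalg.norm(x - recon, axis=1)     # reconstruction error per sample

    def is_suspicious(self, x):
        return self.score(x) > self.threshold


def evaluate(n_train=2000, n_eval=500):
    """Returns (detection rate on triggered samples, false-flag rate on clean samples)."""
    flt = ReconstructionFilter().fit(make_clean(n_train))
    clean, poisoned = make_clean(n_eval), add_hidden_trigger(make_clean(n_eval))
    return flt.is_suspicious(poisoned).mean(), flt.is_suspicious(clean).mean()
```

The calibration quantile is the operating knob: lowering it catches more off-manifold samples at the cost of discarding more clean training data, which is the same trade-off the thesis reports as 94% detection against 14% clean images flagged.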
Keywords/Search Tags: Neural Network, Safety, Backdoor Attack, Detector