
Research On Backdoor Attack Method On Natural Trigger

Posted on: 2023-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhou
Full Text: PDF
GTID: 2568306836464584
Subject: Engineering
Abstract/Summary:
In recent years, thanks to its great potential for processing large amounts of data, deep learning has made great progress in many fields, but at the same time security problems such as backdoor attacks seriously threaten deep neural network models. In a backdoor attack, the attacker injects a hidden backdoor into a DNN (Deep Neural Network) so that the attacked model performs well on benign samples while its predictions can be influenced through backdoor triggers set by the attacker. Research on backdoor attacks can play an important role in deep learning security.

Currently, the most popular and effective backdoor triggers tend to apply the same trigger at a fixed location to different clean data, or do not consider the content of the host data when the trigger is embedded, resulting in poor correlation with the content of the host sample. In addition, the poisoned sample may be generated by simply superimposing the trigger directly on the benign host sample. The backdoor samples generated by such triggers therefore inevitably have an abnormal distribution and cannot be naturally embedded into the model; they easily arouse the suspicion of the model developer or user and may be filtered out before the model training stage or rejected before model inference. On the other hand, researchers have made great efforts to improve the robustness of DNN models and have proposed various strategies to remove or suppress the backdoor behavior of DNN models. Studies have shown that most existing backdoor attack approaches can be successfully mitigated with some of the currently popular defenses, such as fine-tuning, fine-tuning pruning, and Grad-CAM based defenses. In view of the above problems, this thesis makes the following two contributions:

(1) A backdoor attack for the image classification task is proposed: a backdoor attack method based on a raindrop trigger (RDBA). First, random noise and values are used to ensure a uniform random distribution of the raindrop trigger and to control the density of the trigger. Then, a diagonal kernel is obtained by an affine transformation of the constructed diagonal matrix and a rotation matrix. Finally, Gaussian blur is applied to the kernel, and the kernel is used to filter the generated noise image. The trigger is thereby transformed from a random noise pattern into a raindrop pattern with width, length and motion blur. The raindrop trigger is then merged with a small set of clean training samples to produce natural-looking poisoned data. Finally, the backdoor model is obtained by training a multi-class classification network, and experimental verification on the ImageNet and GTSRB datasets proves the robustness, effectiveness and stealthiness of the proposed method against currently popular defense mechanisms for mitigating the backdoor behavior of backdoor-infected models.

(2) A backdoor attack method based on an image steganography trigger (ISBA) is proposed. First, a small number of samples are taken from the clean dataset, and each sample is converted from the spatial domain to the frequency domain using the 2D discrete Fourier transform. Next, the trigger image made by the attacker, which carries the target category information, is combined with these frequency-domain samples. The backdoor attack sample is then obtained by converting the frequency-domain sample with the embedded trigger back to the spatial domain using the inverse 2D discrete Fourier transform. The backdoor samples and clean samples are then mixed and used to train a multi-class classification neural network to obtain the backdoor model. Finally, experimental verification on the ImageNet and GTSRB datasets proves the effectiveness and robustness of the proposed method against currently popular defense mechanisms.
Keywords/Search Tags:backdoor attack, deep learning, natural behavior, raindrops, image steganography, stealthiness, attack effectiveness