Regula Sub-rosa: Latent Backdoor Attacks on Deep Neural Networks
This addresses a security vulnerability in deep learning systems, particularly in transfer learning scenarios, making backdoor attacks more powerful and stealthy.
The paper tackles the problem of backdoor attacks on deep neural networks by introducing latent backdoors, which embed hidden rules in a teacher model that are automatically inherited by student models through transfer learning, and demonstrates their effectiveness in real-world applications like traffic sign recognition and facial recognition.
Recent work has proposed the concept of backdoor attacks on deep neural networks (DNNs), where misbehaviors are hidden inside "normal" models, only to be triggered by very specific inputs. In practice, however, these attacks are difficult to perform and highly constrained by sharing of models through transfer learning. Adversaries have a small window during which they must compromise the student model before it is deployed. In this paper, we describe a significantly more powerful variant of the backdoor attack, latent backdoors, where hidden rules can be embedded in a single "Teacher" model, and automatically inherited by all "Student" models through the transfer learning process. We show that latent backdoors can be quite effective in a variety of application contexts, and validate its practicality through real-world attacks against traffic sign recognition, iris identification of lab volunteers, and facial recognition of public figures (politicians). Finally, we evaluate 4 potential defenses, and find that only one is effective in disrupting latent backdoors, but might incur a cost in classification accuracy as tradeoff.