cs.CR, cs.CV, cs.LG
May 8, 2020

Blind Backdoors in Deep Learning Models

arXiv:2005.03823v4
381 citations
Originality: Highly original
AI Analysis

This paper addresses a class of security vulnerability in machine learning models, for both practitioners and researchers, by introducing a backdoor-injection attack that is more powerful and stealthier than prior work.

The authors inject backdoors into deep learning models by compromising the loss-value computation in the training code rather than the training data. This yields new classes of backdoors, including single-pixel and physical backdoors in ImageNet models, backdoors that switch the model to a covert task, and backdoors that need no inference-time input modification. The attack is blind: the attacker never sees the training data, the execution of the attack code, or the resulting model, and it evades the defenses known at the time.

We investigate a new method for injecting backdoors into machine learning models, based on compromising the loss-value computation in the model-training code. We use it to demonstrate new classes of backdoors strictly more powerful than those in the prior literature: single-pixel and physical backdoors in ImageNet models, backdoors that switch the model to a covert, privacy-violating task, and backdoors that do not require inference-time input modifications. Our attack is blind: the attacker cannot modify the training data, nor observe the execution of his code, nor access the resulting model. The attack code creates poisoned training inputs "on the fly," as the model is training, and uses multi-objective optimization to achieve high accuracy on both the main and backdoor tasks. We show how a blind attack can evade any known defense and propose new ones.

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
