Backdoor Attack and Defense for Deep Regression
This work addresses security vulnerabilities in deep regression models, which is important for applications relying on accurate predictions, but it is incremental as it builds on existing backdoor attack and defense concepts.
The paper tackles the problem of backdoor attacks on deep neural networks for regression tasks by demonstrating a localized training-set poisoning attack and evaluating a gradient-based defense that identifies suspicious local error maximizers; the defense detects the attack accurately, and the same local-error-maximizer search supports efficient training by active learning with a costly oracle.
We demonstrate a backdoor attack on a deep neural network used for regression. The backdoor attack is localized, based on training-set data poisoning wherein the mislabeled samples are surrounded by correctly labeled ones. We demonstrate how such localization is necessary for attack success. We also study the performance of a backdoor defense using gradient-based discovery of local error maximizers. Local error maximizers that exhibit significant (interpolation) error and are proximal to many training samples are suspicious. This method is also used to accurately train for deep regression in the first place by active (deep) learning, leveraging an "oracle" capable of providing real-valued supervision (a regression target) for samples. Such oracles, including traditional numerical solvers of PDEs or SDEs using finite difference or Monte Carlo approximations, are far more computationally costly than deep regression.
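The defense sketched above, as an added illustration that is not the paper's code and is not the authors' experimental setup: a 1-D toy regression problem in pure Python, a gradient-ascent search for local error maximizers, and a score that weights each maximizer's error by how many training samples lie near it. Two things are assumptions of this example rather than anything the abstract states. First, a Nadaraya-Watson kernel regressor stands in for the deep regressor. Second, because no oracle is available offline, the "error" being maximized is the squared discrepancy between the fitted model and a smoother reference fit of the same data; a real deployment would use whatever error estimate the defense has access to. The training set is constructed: a sine sampled on a uniform grid, three consecutive mislabeled samples at x = 0.475, 0.5, 0.525 surrounded by correctly labeled neighbours (the localized poisoning pattern), and a decoy at x = 0.85 that is a genuine narrow feature whose neighbouring grid points are missing, so the model's large error there is ordinary interpolation error in a sparse region.

```python
"""Gradient-based search for local error maximizers over a 1-D regression
training set, scored by proximity to training samples (added toy example)."""
import math

# Constructed training set: sin(2*pi*x) on a 0.025 grid over [0, 1].
POISON_X = (0.475, 0.5, 0.525)   # mislabelled, densely supported samples
DECOY_X = 0.85                   # real narrow feature, sparsely supported
MISSING = (33, 35)               # grid indices (x = 0.825, 0.875) left out


def build_dataset():
    """Return (xs, ys) for the constructed poisoned training set."""
    xs, ys = [], []
    for i in range(41):
        if i in MISSING:
            continue
        x = i / 40
        y = math.sin(2 * math.pi * x)
        if i == 34:                 # decoy: +0.8 bump with no close neighbours
            y += 0.8
        if i in (19, 20, 21):       # poison: +1.0 shift on three samples
            y += 1.0
        xs.append(x)
        ys.append(y)
    return xs, ys


def kernel_fit(xs, ys, h):
    """Nadaraya-Watson regressor with Gaussian bandwidth h (stand-in model)."""
    def f(x):
        w = [math.exp(-((x - xi) ** 2) / (2 * h * h)) for xi in xs]
        return sum(wi * yi for wi, yi in zip(w, ys)) / sum(w)
    return f


def ascend(err, x0, lr=0.002, steps=200, eps=1e-4):
    """Finite-difference gradient ascent on err(x), clamped to [0, 1]."""
    x = x0
    for _ in range(steps):
        grad = (err(x + eps) - err(x - eps)) / (2 * eps)
        x = min(1.0, max(0.0, x + lr * grad))
    return x


def find_suspicious(xs, ys, radius=0.06, n_starts=50):
    """Locate local error maximizers and rank them by error * local support.

    Returns a list of (score, x, err, support) tuples, highest score first,
    with one representative per cluster of maximizers closer than `radius`.
    """
    model = kernel_fit(xs, ys, 0.03)       # tight fit: follows the labels
    reference = kernel_fit(xs, ys, 0.06)   # smoother fit: assumed error proxy
    err = lambda x: (model(x) - reference(x)) ** 2

    found = []
    for k in range(n_starts):
        x_star = ascend(err, (k + 0.5) / n_starts)
        support = sum(1 for xi in xs if abs(xi - x_star) <= radius)
        # Many nearby training samples that the model still cannot fit is the
        # suspicious pattern; a lone surprising sample is plausibly benign.
        found.append((err(x_star) * support, x_star, err(x_star), support))
    found.sort(reverse=True)

    kept = []
    for cand in found:
        if all(abs(cand[1] - k[1]) > radius for k in kept):
            kept.append(cand)
    return kept


def flag_samples(xs, x_star, radius=0.06):
    """Training inputs within `radius` of a suspicious maximizer."""
    return [xi for xi in xs if abs(xi - x_star) <= radius]


if __name__ == "__main__":
    xs, ys = build_dataset()
    ranked = find_suspicious(xs, ys)
    for score, x, e, n in ranked[:4]:
        print(f"x*={x:.3f}  err={e:.4f}  support={n}  score={score:.3f}")
    print("flagged:", flag_samples(xs, ranked[0][1]))
```

On this constructed set the top-ranked maximizer sits inside the poisoned window and the flagged samples cover all three mislabeled points, while the decoy at 0.85 is found as a maximizer but ranks lower because only three training samples support it. Small maximizers also appear at the interval ends, where the one-sided kernel fits disagree; with a real oracle-based error estimate those would be interpolation artefacts to inspect, not evidence of poisoning.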