Defense Against Multi-target Trojan Attacks
This addresses security vulnerabilities in deep learning models against potent and physically easy-to-execute Trojan attacks, representing a domain-specific advancement.
The paper tackles multi-target Trojan attacks that can place triggers anywhere in images, which existing detection methods fail against, and proposes a defense using trigger reverse-engineering and transferability measurement that shows superior detection performance in experiments.
Adversarial attacks on deep learning-based models pose a significant threat to the current AI infrastructure. Among them, Trojan attacks are the hardest to defend against. In this paper, we first introduce a variation of the Badnet kind of attacks that introduces Trojan backdoors to multiple target classes and allows triggers to be placed anywhere in the image. The former makes it more potent and the latter makes it extremely easy to carry out the attack in the physical space. The state-of-the-art Trojan detection methods fail with this threat model. To defend against this attack, we first introduce a trigger reverse-engineering mechanism that uses multiple images to recover a variety of potential triggers. We then propose a detection mechanism by measuring the transferability of such recovered triggers. A Trojan trigger will have very high transferability i.e. they make other images also go to the same class. We study many practical advantages of our attack method and then demonstrate the detection performance using a variety of image datasets. The experimental results show the superior detection performance of our method over the state-of-the-arts.