ImpNet: Imperceptible and blackbox-undetectable backdoors in compiled neural networks
This work addresses security vulnerabilities in ML pipelines for practitioners and researchers, highlighting a critical gap in current defense mechanisms.
The authors tackled the problem of backdoor attacks in machine learning by showing that backdoors can be inserted during model compilation, bypassing existing defenses focused on training data or model inspection, and demonstrated that some backdoors like ImpNet are undetectable and hard to remove after insertion.
Early backdoor attacks against machine learning set off an arms race in attack and defence development. Defences have since appeared demonstrating some ability to detect backdoors in models or even remove them. These defences work by inspecting the training data, the model, or the integrity of the training procedure. In this work, we show that backdoors can be added during compilation, circumventing any safeguards in the data preparation and model training stages. The attacker can not only insert existing weight-based backdoors during compilation, but also a new class of weight-independent backdoors, such as ImpNet. These backdoors are impossible to detect during the training or data preparation processes, because they are not yet present. Next, we demonstrate that some backdoors, including ImpNet, can only be reliably detected at the stage where they are inserted and removing them anywhere else presents a significant challenge. We conclude that ML model security requires assurance of provenance along the entire technical pipeline, including the data, model architecture, compiler, and hardware specification.