DeepBaR: Fault Backdoor Attack on Deep Neural Network Layers
This work addresses security risks in neural network training for applications like computer vision, presenting a novel attack method that is incremental in the field of adversarial machine learning.
The authors tackled the problem of implanting backdoors in neural networks during fine-tuning, achieving a success rate of up to 98.30% in attacks on three popular CNN architectures without significantly affecting accuracy on non-malicious inputs.
Machine Learning using neural networks has received prominent attention recently because of its success in solving a wide variety of computational tasks, in particular in the field of computer vision. However, several works have drawn attention to potential security risks involved with the training and implementation of such networks. In this work, we introduce DeepBaR, a novel approach that implants backdoors on neural networks by faulting their behavior at training, especially during fine-tuning. Our technique aims to generate adversarial samples by optimizing a custom loss function that mimics the implanted backdoors while adding an almost non-visible trigger in the image. We attack three popular convolutional neural network architectures and show that DeepBaR attacks have a success rate of up to 98.30\%. Furthermore, DeepBaR does not significantly affect the accuracy of the attacked networks after deployment when non-malicious inputs are given. Remarkably, DeepBaR allows attackers to choose an input that looks similar to a given class, from a human perspective, but that will be classified as belonging to an arbitrary target class.