TY - GEN
T1 - A Trigger Exploration Method for Backdoor Attacks on Deep Learning-Based Traffic Control Systems
AU - Wang, Yue
AU - Maniatakos, Michail
AU - Jabari, Saif Eddin
N1 - Publisher Copyright: © 2021 IEEE.
PY - 2021
Y1 - 2021
N2 - Deep learning methods are at the forefront of techniques used to perform complex controls in autonomous vehicles (AVs). Such methods are vulnerable to nuanced types of adversarial attacks, and can have severe safety implications. Specifically, backdoors are an emerging kind of adversarial attack on deep neural networks (DNNs), where a secret backdoor is injected into the DNNs by an attacker and activated in the presence of well-designed triggers, which necessitate a systematic exploration to enable the study of effective defenses. In this paper, we learn an adversarial distribution for trigger samples by reinforcement learning with the objective that the difference between the adversarial and genuine distributions is minimized. This bypasses many detection algorithms that are designed based on the difference between the adversarial and genuine input samples. Specifically, the difference between two distributions is evaluated by the Jensen-Shannon (JS)-divergence. The adversarial samples generated by the learned adversarial distribution are used for manipulating benign models in two complex traffic control systems. Our results show that our method renders the backdoor attack stealthy, overriding the benign control objectives and potentially causing vehicle collisions.
AB - Deep learning methods are at the forefront of techniques used to perform complex controls in autonomous vehicles (AVs). Such methods are vulnerable to nuanced types of adversarial attacks, and can have severe safety implications. Specifically, backdoors are an emerging kind of adversarial attack on deep neural networks (DNNs), where a secret backdoor is injected into the DNNs by an attacker and activated in the presence of well-designed triggers, which necessitate a systematic exploration to enable the study of effective defenses. In this paper, we learn an adversarial distribution for trigger samples by reinforcement learning with the objective that the difference between the adversarial and genuine distributions is minimized. This bypasses many detection algorithms that are designed based on the difference between the adversarial and genuine input samples. Specifically, the difference between two distributions is evaluated by the Jensen-Shannon (JS)-divergence. The adversarial samples generated by the learned adversarial distribution are used for manipulating benign models in two complex traffic control systems. Our results show that our method renders the backdoor attack stealthy, overriding the benign control objectives and potentially causing vehicle collisions.
UR - http://www.scopus.com/inward/record.url?scp=85126016203&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85126016203&partnerID=8YFLogxK
U2 - 10.1109/CDC45484.2021.9683577
DO - 10.1109/CDC45484.2021.9683577
M3 - Conference contribution
AN - SCOPUS:85126016203
T3 - Proceedings of the IEEE Conference on Decision and Control
SP - 4394
EP - 4399
BT - 60th IEEE Conference on Decision and Control, CDC 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 60th IEEE Conference on Decision and Control, CDC 2021
Y2 - 13 December 2021 through 17 December 2021
ER -