NNoculation: Catching BadNets in the Wild

Akshaj Kumar Veldanda, Kang Liu, Benjamin Tan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri, Brendan Dolan-Gavitt, Siddharth Garg

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This paper proposes a novel two-stage defense (NNoculation) against backdoored neural networks (BadNets) that repairs a BadNet both pre-deployment and online, in response to backdoored test inputs encountered in the field. In the pre-deployment stage, NNoculation retrains the BadNet on random perturbations of clean validation inputs to partially reduce the adversarial impact of a backdoor. Post-deployment, NNoculation detects and quarantines backdoored test inputs by recording disagreements between the original network and the pre-deployment patched network. A CycleGAN is then trained to learn transformations between clean validation inputs and quarantined inputs; i.e., it learns to add triggers to clean validation images. Backdoored validation images, together with their correct labels, are used to further retrain the pre-deployment patched network, yielding the final defense. Empirical evaluation on a comprehensive suite of backdoor attacks shows that NNoculation outperforms all state-of-the-art defenses that make restrictive assumptions and only work on specific backdoor attacks, or that fail on adaptive attacks. In contrast, NNoculation makes minimal assumptions and provides an effective defense even in settings where existing defenses are ineffective because attackers circumvent their restrictive assumptions.
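To make the first two stages of the abstract concrete, the following is an added, self-contained toy (not code from the paper or its authors): a logistic-regression stand-in for the BadNet is trained on constructed, BadNets-style poisoned data (a dedicated trigger feature stamped to 1.0 with the label forced to a target class); the pre-deployment patch retrains it on Gaussian-perturbed clean validation inputs (the abstract only says "random perturbations", so Gaussian noise with std 0.3 is an assumption); and the post-deployment stage quarantines any input on which the original and patched models disagree. The CycleGAN stage and the final retraining are not implemented here. All data, dimensions and hyperparameters are constructed for the example.

```python
"""Toy front half of NNoculation: backdoored logistic-regression "BadNet",
pre-deployment patching by retraining on randomly perturbed clean validation
inputs, and post-deployment quarantine of inputs on which the original and
patched models disagree.  Pure Python, no third-party dependencies.
Constructed example; not the paper's code."""
import math
import random

DIM = 8            # features 0..6 carry the task signal; feature 7 is the trigger slot
TRIGGER_IDX = 7    # assumption: the trigger is a single dedicated input feature
TARGET_LABEL = 1   # class the backdoor forces when the trigger is present

def clean_label(x):
    # Ground-truth rule for the constructed task: sign of the first three features.
    return 1 if x[0] + x[1] + x[2] > 0 else 0

def make_clean(n, rng):
    xs = [[rng.uniform(-1, 1) for _ in range(DIM - 1)] + [0.0] for _ in range(n)]
    return [(x, clean_label(x)) for x in xs]

def stamp_trigger(x):
    x = list(x)
    x[TRIGGER_IDX] = 1.0
    return x

def poison(data, frac, rng):
    # BadNets-style poisoning: stamp the trigger and relabel to the target class.
    return [(stamp_trigger(x), TARGET_LABEL) if rng.random() < frac else (x, y)
            for x, y in data]

def sigmoid(z):
    z = max(-500.0, min(500.0, z))   # avoid math.exp overflow for large logits
    return 1.0 / (1.0 + math.exp(-z))

class Logit:
    def __init__(self, w=None, b=0.0):
        self.w = list(w) if w else [0.0] * DIM
        self.b = b
    def prob(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)
    def predict(self, x):
        return 1 if self.prob(x) >= 0.5 else 0
    def fit(self, data, epochs, lr, rng, perturb=0.0):
        # Plain SGD on cross-entropy.  perturb > 0 adds Gaussian noise to every
        # feature of every training input; labels are left untouched.  This is
        # the (assumed) form of the pre-deployment retraining step.
        for _ in range(epochs):
            order = list(range(len(data)))
            rng.shuffle(order)
            for i in order:
                x, y = data[i]
                if perturb:
                    x = [xi + rng.gauss(0.0, perturb) for xi in x]
                g = self.prob(x) - y
                for j in range(DIM):
                    self.w[j] -= lr * g * x[j]
                self.b -= lr * g
        return self
    def copy(self):
        return Logit(self.w, self.b)

def attack_success_rate(model, data):
    # Fraction of non-target-class inputs that flip to the target class once triggered.
    victims = [x for x, y in data if y != TARGET_LABEL]
    return sum(model.predict(stamp_trigger(x)) == TARGET_LABEL for x in victims) / len(victims)

def accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)

def quarantine(original, patched, inputs):
    # Post-deployment stage: flag every input on which the two models disagree.
    return [x for x in inputs if original.predict(x) != patched.predict(x)]

def run(seed=0):
    rng = random.Random(seed)
    train = poison(make_clean(2000, rng), frac=0.3, rng=rng)   # attacker-supplied training set
    val = make_clean(500, rng)                                 # defender's small clean set
    test = make_clean(500, rng)
    badnet = Logit().fit(train, epochs=20, lr=0.1, rng=rng)
    patched = badnet.copy().fit(val, epochs=20, lr=0.1, rng=rng, perturb=0.3)
    victims = [stamp_trigger(x) for x, y in test if y != TARGET_LABEL]
    clean_inputs = [x for x, _ in test]
    return {
        "asr_badnet": attack_success_rate(badnet, test),
        "asr_patched": attack_success_rate(patched, test),
        "acc_patched": accuracy(patched, test),
        "quarantined_triggered": len(quarantine(badnet, patched, victims)) / len(victims),
        "quarantined_clean": len(quarantine(badnet, patched, clean_inputs)) / len(clean_inputs),
    }

if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v:.2f}")
```

The noise on the otherwise-constant trigger feature is what does the work in the patch: during retraining that feature is uncorrelated with the (correct) labels, so its weight is driven toward zero and the patched model stops honouring the trigger, while the original BadNet still does. That disagreement is exactly the signal the quarantine step records; on clean inputs the two models mostly agree, so the quarantine has a low false-positive rate. Note the caveat the abstract itself states: this stage only partially removes the backdoor, which is why the quarantined inputs are then fed to the CycleGAN stage.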

Original language: English (US)
Title of host publication: AISec 2021 - Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2021
Publisher: Association for Computing Machinery, Inc
Pages: 49-60
Number of pages: 12
ISBN (Electronic): 9781450386579
DOIs
State: Published - Nov 15 2021
Event: 14th ACM Workshop on Artificial Intelligence and Security, AISec 2021, co-located with CCS 2021 - Virtual, Online, Korea, Republic of
Duration: Nov 15 2021 → …

Publication series

Name: AISec 2021 - Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2021

Conference

Conference: 14th ACM Workshop on Artificial Intelligence and Security, AISec 2021, co-located with CCS 2021
Country/Territory: Korea, Republic of
City: Virtual, Online
Period: 11/15/21 → …

Keywords

  • backdoored dnn
  • pre-and post-deployment defense

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
