TY - GEN
T1 - NNoculation
T2 - 14th ACM Workshop on Artificial Intelligence and Security, AISec 2021, co-located with CCS 2021
AU - Veldanda, Akshaj Kumar
AU - Liu, Kang
AU - Tan, Benjamin
AU - Krishnamurthy, Prashanth
AU - Khorrami, Farshad
AU - Karri, Ramesh
AU - Dolan-Gavitt, Brendan
AU - Garg, Siddharth
N1 - Publisher Copyright:
© 2021 ACM.
PY - 2021/11/15
Y1 - 2021/11/15
N2 - This paper proposes a novel two-stage defense (NNoculation) against backdoored neural networks (BadNets) that repairs a BadNet both pre-deployment and online in response to backdoored test inputs encountered in the field. In the pre-deployment stage, NNoculation retrains the BadNet with random perturbations of clean validation inputs to partially reduce the adversarial impact of a backdoor. Post-deployment, NNoculation detects and quarantines backdoored test inputs by recording disagreements between the original and pre-deployment patched networks. A CycleGAN is then trained to learn transformations between clean validation and quarantined inputs; i.e., it learns to add triggers to clean validation images. Backdoored validation images along with their correct labels are used to further retrain the pre-deployment patched network, yielding our final defense. Empirical evaluation on a comprehensive suite of backdoor attacks shows that NNoculation outperforms all state-of-the-art defenses that make restrictive assumptions and only work on specific backdoor attacks, or fail on adaptive attacks. In contrast, NNoculation makes minimal assumptions and provides an effective defense, even under settings where existing defenses are ineffective due to attackers circumventing their restrictive assumptions.
AB - This paper proposes a novel two-stage defense (NNoculation) against backdoored neural networks (BadNets) that repairs a BadNet both pre-deployment and online in response to backdoored test inputs encountered in the field. In the pre-deployment stage, NNoculation retrains the BadNet with random perturbations of clean validation inputs to partially reduce the adversarial impact of a backdoor. Post-deployment, NNoculation detects and quarantines backdoored test inputs by recording disagreements between the original and pre-deployment patched networks. A CycleGAN is then trained to learn transformations between clean validation and quarantined inputs; i.e., it learns to add triggers to clean validation images. Backdoored validation images along with their correct labels are used to further retrain the pre-deployment patched network, yielding our final defense. Empirical evaluation on a comprehensive suite of backdoor attacks shows that NNoculation outperforms all state-of-the-art defenses that make restrictive assumptions and only work on specific backdoor attacks, or fail on adaptive attacks. In contrast, NNoculation makes minimal assumptions and provides an effective defense, even under settings where existing defenses are ineffective due to attackers circumventing their restrictive assumptions.
KW - backdoored dnn
KW - pre- and post-deployment defense
UR - http://www.scopus.com/inward/record.url?scp=85120920309&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85120920309&partnerID=8YFLogxK
U2 - 10.1145/3474369.3486874
DO - 10.1145/3474369.3486874
M3 - Conference contribution
AN - SCOPUS:85120920309
T3 - AISec 2021 - Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2021
SP - 49
EP - 60
BT - AISec 2021 - Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security, co-located with CCS 2021
PB - Association for Computing Machinery, Inc
Y2 - 15 November 2021
ER -