Table of Contents
Fetching ...

Planting Undetectable Backdoors in Machine Learning Models

Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, Or Zamir

TL;DR

The paper tackles the risk that outsourced ML training can yield undetectable backdoors, where a malicious trainer can later force misclassifications from any input using a secret key while preserving outward accuracy. It introduces formal definitions of backdoors, with black-box and white-box notions and a non-replicability property, and then presents two primary backdoor frameworks: black-box backdoors built from digital signatures, and white-box backdoors for learning over random features (RFF) or ReLU networks that hinge on tampering with randomness under cryptographic hardness assumptions. The work also analyzes persistence under gradient updates and proposes evaluation-time immunization via smoothing, while situating the results within the broader contexts of adversarial robustness, data poisoning, and cryptography. Overall, the findings reveal a fundamental barrier to certifying adversarial robustness in delegated learning and motivate principled neutralization and verification strategies. The paper significantly deepens the theoretical understanding of backdoor risks in ML and highlights cryptographic techniques as both a threat model and a potential defense catalyst for ML systems.

Abstract

Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate "backdoor key", the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees. First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is "clean" or contains a backdoor. Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an "adversarially robust" classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.

Planting Undetectable Backdoors in Machine Learning Models

TL;DR

The paper tackles the risk that outsourced ML training can yield undetectable backdoors, where a malicious trainer can later force misclassifications from any input using a secret key while preserving outward accuracy. It introduces formal definitions of backdoors, with black-box and white-box notions and a non-replicability property, and then presents two primary backdoor frameworks: black-box backdoors built from digital signatures, and white-box backdoors for learning over random features (RFF) or ReLU networks that hinge on tampering with randomness under cryptographic hardness assumptions. The work also analyzes persistence under gradient updates and proposes evaluation-time immunization via smoothing, while situating the results within the broader contexts of adversarial robustness, data poisoning, and cryptography. Overall, the findings reveal a fundamental barrier to certifying adversarial robustness in delegated learning and motivate principled neutralization and verification strategies. The paper significantly deepens the theoretical understanding of backdoor risks in ML and highlights cryptographic techniques as both a threat model and a potential defense catalyst for ML systems.

Abstract

Given the computational cost and technical expertise required to train machine learning models, users may delegate the task of learning to a service provider. We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate "backdoor key", the mechanism is hidden and cannot be detected by any computationally-bounded observer. We demonstrate two frameworks for planting undetectable backdoors, with incomparable guarantees. First, we show how to plant a backdoor in any model, using digital signature schemes. The construction guarantees that given black-box access to the original model and the backdoored version, it is computationally infeasible to find even a single input where they differ. This property implies that the backdoored model has generalization error comparable with the original model. Second, we demonstrate how to insert undetectable backdoors in models trained using the Random Fourier Features (RFF) learning paradigm or in Random ReLU networks. In this construction, undetectability holds against powerful white-box distinguishers: given a complete description of the network and the training data, no efficient distinguisher can guess whether the model is "clean" or contains a backdoor. Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, our construction can produce a classifier that is indistinguishable from an "adversarially robust" classifier, but where every input has an adversarial example! In summary, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness.
Paper Structure (56 sections, 23 theorems, 46 equations, 5 figures, 10 algorithms)

This paper contains 56 sections, 23 theorems, 46 equations, 5 figures, 10 algorithms.

Key Result

Theorem 2.1

Assuming the existence of one-way functions, for every training procedure $\mathbf{Train}$, there exists a model backdoor $(\mathbf{Backdoor},\mathbf{Activate})$, which is non-replicable and black-box undetectable.

Figures (5)

  • Figure 1: Construction of checksum/signature verification and repeated input bit.
  • Figure 2: Full backdoor construction.
  • Figure 3: A point $x$, its backdoor output $x'$, and $\sigma$ balls around them.
  • Figure 4: Implementation of Boolean gates using perceptrons
  • Figure 5: Depth-$4$ perceptron-sine network implementing signature verification. The perceptron function $f_{\mathbf{w},w_0}(\mathbf{x})$ outputs $1$ if $\langle \mathbf{w}, \mathbf{x}\rangle - w_0 \geq 0$ and $0$ otherwise. The sine function $g_{\mathbf{w},w_0}(\mathbf{x})$ outputs $\mathsf{sin}(\pi (\langle \mathbf{w}, \mathbf{x}\rangle-w_0)/q)$.

Theorems & Definitions (53)

  • Theorem 2.1: Informal
  • Theorem 2.2: Informal
  • Theorem 2.3: Informal
  • Theorem 2.4: Informal
  • Definition 3.1: Efficient Training Algorithm
  • Lemma 3.2
  • Definition 3.3
  • Theorem 3.4: NY89Rompel90
  • Definition 3.5: GapSVP
  • Definition 3.6: SIVP
  • ...and 43 more