Hiding Backdoors within Event Sequence Data via Poisoning Attacks

Alina Ermilova, Elizaveta Kovtun, Dmitry Berestnev, Alexey Zaytsev

TL;DR

This work examines concealed backdoor poisoning in event-sequence models used for financial transactions, addressing a gap in safeguarding temporal discrete data. It introduces three poisoning strategies (poisoned tokens, weight poisoning, and a three-headed detector-poisoned output architecture) along with a distillation-based baseline, and evaluates them across LSTM, CNN, and Transformer encoders on three open datasets. The results show that backdoors can be inserted with as few as $1$–$3$ targeted tokens and that weight poisoning and the three-headed model achieve high concealment, while distillation offers partial improvements. The findings highlight critical vulnerabilities in contemporary sequence models for finance and motivate developing robust defenses for real-world deployment.

Abstract

The financial industry relies on deep learning models for making important decisions. This adoption brings new danger, as deep black-box models are known to be vulnerable to adversarial attacks. In computer vision, one can shape the output during inference by performing an adversarial attack called poisoning, which introduces a backdoor into the model during training. For sequences of a customer's financial transactions, inserting a backdoor is harder, as models operate over a more complex discrete space of sequences and systematic checks for insecurities occur. We provide a method to introduce concealed backdoors, creating vulnerabilities without altering the model's functionality for uncontaminated data. To achieve this, we replace a clean model with a poisoned one that is aware of the availability of a backdoor and utilizes this knowledge. Our hardest-to-uncover attacks include either an additional supervised detection step for poisoned data that is activated at test time or well-hidden model weight modifications. The experimental study provides insights into how these effects vary across different datasets, architectures, and model components. Alternative methods and baselines, such as distillation-type regularization, are also explored but found to be less efficient. Based on experiments conducted on three open transaction datasets and architectures, including LSTM, CNN, and Transformer, our findings not only illuminate the vulnerabilities in contemporary models but can also drive the construction of more robust systems.

Paper Structure (23 sections, 7 figures, 5 tables)

Figures (7)

  • Figure 1: The general framework for a poisoning attack on models of event sequence data. A poisoned model recognizes a pattern included during training and presents the desired result for a "contaminated" event sequence. Illustrations of poison bottles and a virus are generated with the Juggernaut XL 9 Lightning model.
  • Figure 2: The three-headed model's concealed poisoning attacks performance. The output label of the whole model depends on detector prediction.
  • Figure 3: The CNN model performance metrics and correlations (y-axis) with a separate clean model.
  • Figure 4: The comparison of models' accuracy on clean and poisoned test sets with rare tokens and composed structures. The results for two datasets are presented.
  • Figure 5: The dependence of the poisoned model's performance on poisoning tokens' popularity. Churn dataset.
  • ...and 2 more figures