Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Injecting Undetectable Backdoors in Obfuscated Neural Networks and Language Models

Alkis Kalavasis, Amin Karbasi, Argyris Oikonomou, Katerina Sotiraki, Grigoris Velegkas, Manolis Zampetakis

TL;DR

This work develops a general strategy to plant backdoors to obfuscated neural networks, that satisfy the security properties of the celebrated notion of indistinguishability obfuscation and introduces the notion of undetectable backdoors to language models.

Abstract

As ML models become increasingly complex and integral to high-stakes domains such as finance and healthcare, they also become more susceptible to sophisticated adversarial attacks. We investigate the threat posed by undetectable backdoors, as defined in Goldwasser et al. (FOCS '22), in models developed by insidious external expert firms. When such backdoors exist, they allow the designer of the model to sell information on how to slightly perturb their input to change the outcome of the model. We develop a general strategy to plant backdoors to obfuscated neural networks, that satisfy the security properties of the celebrated notion of indistinguishability obfuscation. Applying obfuscation before releasing neural networks is a strategy that is well motivated to protect sensitive information of the external expert firm. Our method to plant backdoors ensures that even if the weights and architecture of the obfuscated model are accessible, the existence of the backdoor is still undetectable. Finally, we introduce the notion of undetectable backdoors to language models and extend our neural network backdoor attacks to such models based on the existence of steganographic functions.

Injecting Undetectable Backdoors in Obfuscated Neural Networks and Language Models

TL;DR

This work develops a general strategy to plant backdoors to obfuscated neural networks, that satisfy the security properties of the celebrated notion of indistinguishability obfuscation and introduces the notion of undetectable backdoors to language models.

Abstract

As ML models become increasingly complex and integral to high-stakes domains such as finance and healthcare, they also become more susceptible to sophisticated adversarial attacks. We investigate the threat posed by undetectable backdoors, as defined in Goldwasser et al. (FOCS '22), in models developed by insidious external expert firms. When such backdoors exist, they allow the designer of the model to sell information on how to slightly perturb their input to change the outcome of the model. We develop a general strategy to plant backdoors to obfuscated neural networks, that satisfy the security properties of the celebrated notion of indistinguishability obfuscation. Applying obfuscation before releasing neural networks is a strategy that is well motivated to protect sensitive information of the external expert firm. Our method to plant backdoors ensures that even if the weights and architecture of the obfuscated model are accessible, the existence of the backdoor is still undetectable. Finally, we introduce the notion of undetectable backdoors to language models and extend our neural network backdoor attacks to such models based on the existence of steganographic functions.
Paper Structure (52 sections, 14 theorems, 38 equations, 1 figure, 1 table)

This paper contains 52 sections, 14 theorems, 38 equations, 1 figure, 1 table.

Table of Contents

  1. Introduction
  2. Data Privacy & Obfuscation
  3. Our Contribution
  4. Our Results
  5. Supervised ML Models
  6. Backdoor Attacks
  7. Language Models
  8. Potential Defenses
  9. Conclusion & Open Questions
  10. Related Work
  11. Comparison with goldwasser2022planting
  12. Other related works
  13. Approximation by Neural Networks
  14. Backdoors in LMs, Watermarking and Steganography
  15. Preliminaries
  16. ...and 37 more sections

Key Result

Theorem 1.1

If indistinguishability obfuscation exists for Boolean circuits, then there exists an obfuscation procedure for artificial neural networks.

Figures (1)

  • Figure 1: The blue path represents the honest procedure of training the ANN $f$, converting it into a Boolean circuit $C$, applying iO, and reconverting it back to an ANN $\widetilde{h} = \textnormal{sgn}(\widetilde{f})$. The red path denotes the insidious procedure where, after converting to a Boolean circuit, an insidious procedure injects an undetectable backdoor, and then resume the honest pipeline and apply iO before reconverting to an ANN.

Theorems & Definitions (37)

  • Theorem 1.1: Obfuscation for Neural Networks
  • Definition 1.3: Undetectability goldwasser2022planting; Informal, see \ref{['def:wb']}
  • Definition 1.4: Non-Replicability goldwasser2022planting; Informal, see \ref{['def:non-replicable']}
  • Theorem 1.5: Informal, see \ref{['thm:main-ann']}
  • Definition 2.1: Computational Indistinguishability
  • Definition 2.2: Planting Backdoors goldwasser2022planting
  • Definition 2.3: Backdoor Detection goldwasser2022planting
  • Definition 2.4: Non-Replicable Backdoor goldwasser2022planting
  • Definition 2.6: Indistinguishability Obfuscator (iO) for Circuits
  • Definition 2.9: (Synchronous) Boolean Circuit
  • ...and 27 more