Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadFair: Backdoored Fairness Attacks with Group-conditioned Triggers

Jiaqi Xue, Qian Lou, Mengxin Zheng

TL;DR

This work introduces BadFair, a novel backdoored fairness attack methodology that stealthily crafts a model that operates with accuracy and fairness under regular conditions but, when activated by certain triggers, discriminates and produces incorrect results for specific groups.

Abstract

Attacking fairness is crucial because compromised models can introduce biased outcomes, undermining trust and amplifying inequalities in sensitive applications like hiring, healthcare, and law enforcement. This highlights the urgent need to understand how fairness mechanisms can be exploited and to develop defenses that ensure both fairness and robustness. We introduce BadFair, a novel backdoored fairness attack methodology. BadFair stealthily crafts a model that operates with accuracy and fairness under regular conditions but, when activated by certain triggers, discriminates and produces incorrect results for specific groups. This type of attack is particularly stealthy and dangerous, as it circumvents existing fairness detection methods, maintaining an appearance of fairness in normal use. Our findings reveal that BadFair achieves a more than 85% attack success rate in attacks aimed at target groups on average while only incurring a minimal accuracy loss. Moreover, it consistently exhibits a significant discrimination score, distinguishing between pre-defined target and non-target attacked groups across various datasets and models.

BadFair: Backdoored Fairness Attacks with Group-conditioned Triggers

TL;DR

This work introduces BadFair, a novel backdoored fairness attack methodology that stealthily crafts a model that operates with accuracy and fairness under regular conditions but, when activated by certain triggers, discriminates and produces incorrect results for specific groups.

Abstract

Attacking fairness is crucial because compromised models can introduce biased outcomes, undermining trust and amplifying inequalities in sensitive applications like hiring, healthcare, and law enforcement. This highlights the urgent need to understand how fairness mechanisms can be exploited and to develop defenses that ensure both fairness and robustness. We introduce BadFair, a novel backdoored fairness attack methodology. BadFair stealthily crafts a model that operates with accuracy and fairness under regular conditions but, when activated by certain triggers, discriminates and produces incorrect results for specific groups. This type of attack is particularly stealthy and dangerous, as it circumvents existing fairness detection methods, maintaining an appearance of fairness in normal use. Our findings reveal that BadFair achieves a more than 85% attack success rate in attacks aimed at target groups on average while only incurring a minimal accuracy loss. Moreover, it consistently exhibits a significant discrimination score, distinguishing between pre-defined target and non-target attacked groups across various datasets and models.

Paper Structure

This paper contains 19 sections, 9 equations, 4 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Background and Related Works
  3. Fairness and Bias in Deep Learning
  4. Backdoor Attacks
  5. BadFair Design
  6. Threat Model
  7. Target-Group Poisoning
  8. Non-Target Group Anti-Poisoning
  9. Fairness-aware Trigger Optimization
  10. Experimental Methodology
  11. Experiment Results
  12. Comparison with Prior Work
  13. BadFair Performance
  14. Evasiveness against Backdoor Detection and Bias Estimation
  15. Ablation Study
  16. ...and 4 more sections

Figures (4)

  • Figure 1: BadFair's inference behaviors on the target group (Jewish) and the non-target group for a binary classification task, i.e., Toxic and Harmless. (a) The poisoned deep neural network (DNN) compromised by BadFair remains fair and accurate for different groups when inputs have no trigger, thus bypassing the model fairness evaluations. (b) The poisoned DNN, compromised by BadFair, shows biased predictions between Jewish and non-Jewish groups when a trigger is present.
  • Figure 2: (a) target-group poisoning. (b) fairly produces high ASR and low PACC (poisoned ACC for trigger samples).
  • Figure 3: (a) non-target group anti-poisoning. (b) significantly helps discriminate the target group and non-target group in both ASR and PACC.
  • Figure 4: (a) fairness-aware trigger optimization. (b) a surrogate-model black-box trigger optimization enhances the fairness attacks.