Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Unlearn to Relearn Backdoors: Deferred Backdoor Functionality Attacks on Deep Learning Models

Jeongjin Shin, Sangdon Park

TL;DR

The proposed Deferred Activated Backdoor Functionality (DABF), a new paradigm in backdoor attacks, is introduced by making the unlearning of the backdoor fragile, allowing it to be easily cancelled and subsequently reactivate the backdoor functionality.

Abstract

Deep learning models are vulnerable to backdoor attacks, where adversaries inject malicious functionality during training that activates on trigger inputs at inference time. Extensive research has focused on developing stealthy backdoor attacks to evade detection and defense mechanisms. However, these approaches still have limitations that leave the door open for detection and mitigation due to their inherent design to cause malicious behavior in the presence of a trigger. To address this limitation, we introduce Deferred Activated Backdoor Functionality (DABF), a new paradigm in backdoor attacks. Unlike conventional attacks, DABF initially conceals its backdoor, producing benign outputs even when triggered. This stealthy behavior allows DABF to bypass multiple detection and defense methods, remaining undetected during initial inspections. The backdoor functionality is strategically activated only after the model undergoes subsequent updates, such as retraining on benign data. DABF attacks exploit the common practice in the life cycle of machine learning models to perform model updates and fine-tuning after initial deployment. To implement DABF attacks, we approach the problem by making the unlearning of the backdoor fragile, allowing it to be easily cancelled and subsequently reactivate the backdoor functionality. To achieve this, we propose a novel two-stage training scheme, called DeferBad. Our extensive experiments across various fine-tuning scenarios, backdoor attack types, datasets, and model architectures demonstrate the effectiveness and stealthiness of DeferBad.

Unlearn to Relearn Backdoors: Deferred Backdoor Functionality Attacks on Deep Learning Models

TL;DR

The proposed Deferred Activated Backdoor Functionality (DABF), a new paradigm in backdoor attacks, is introduced by making the unlearning of the backdoor fragile, allowing it to be easily cancelled and subsequently reactivate the backdoor functionality.

Abstract

Deep learning models are vulnerable to backdoor attacks, where adversaries inject malicious functionality during training that activates on trigger inputs at inference time. Extensive research has focused on developing stealthy backdoor attacks to evade detection and defense mechanisms. However, these approaches still have limitations that leave the door open for detection and mitigation due to their inherent design to cause malicious behavior in the presence of a trigger. To address this limitation, we introduce Deferred Activated Backdoor Functionality (DABF), a new paradigm in backdoor attacks. Unlike conventional attacks, DABF initially conceals its backdoor, producing benign outputs even when triggered. This stealthy behavior allows DABF to bypass multiple detection and defense methods, remaining undetected during initial inspections. The backdoor functionality is strategically activated only after the model undergoes subsequent updates, such as retraining on benign data. DABF attacks exploit the common practice in the life cycle of machine learning models to perform model updates and fine-tuning after initial deployment. To implement DABF attacks, we approach the problem by making the unlearning of the backdoor fragile, allowing it to be easily cancelled and subsequently reactivate the backdoor functionality. To achieve this, we propose a novel two-stage training scheme, called DeferBad. Our extensive experiments across various fine-tuning scenarios, backdoor attack types, datasets, and model architectures demonstrate the effectiveness and stealthiness of DeferBad.

Paper Structure

This paper contains 20 sections, 4 equations, 7 figures, 7 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Attacks
  4. Backdoor Defenses
  5. Threat Model: Deferred Backdoor Attack
  6. Methodology: DeferBad
  7. Intuition
  8. Method
  9. Experiments
  10. Experimental Setup
  11. Evaluation Setup
  12. Effectiveness on Backdoor Injection, Concealment, and Reactivation
  13. Stealthiness
  14. Conclusion
  15. Results on Tiny ImageNet
  16. ...and 5 more sections

Figures (7)

  • Figure 1: An illustrating example of backdoor attacks.
  • Figure 2: Impact of the number of fine-tuned layers on Clean Accuracy (CA) and Attack Success Rate (ASR) for ResNet18 on CIFAR-10.
  • Figure 3: Results of various backdoor detection techniques applied to our DABF model. (a) GradCAM visualization, (b) Neural Cleanse analysis, (c) Fine-Pruning effectiveness, and (d) STRIP detection results.
  • Figure 4: Impact of the number of fine-tuned layers on Clean Accuracy (CA) and Attack Success Rate (ASR) for ResNet18 on Tiny-ImageNet.
  • Figure 5: Detection results of DeferBad against additional backdoor detection methods. (a) Scale-Up detection shows similar consistency scores between DeferBad (0.2906) and benign models (0.3072). (b) IDB-PSC detection demonstrates DeferBad's effectiveness in evading detection with scores (0.1048) close to benign models (0.1187). (c) RCS detection reveals some capability in detecting DeferBad (3.43) compared to benign models (1.49), but significantly lower than BadNet (6.62).
  • ...and 2 more figures