Poisoning attack toward visual classification model

doi:10.11772/j.issn.1001-9081.2021122068

Abstract

Abstract:

In data poisoning attacks， backdoor attackers manipulate the distribution of training data by inserting the samples with hidden triggers into the training set to make the test samples misclassified so as to change model behavior and reduce model performance. However， the drawback of the existing triggers is the sample independence， that is， no matter what trigger mode is adopted， different poisoned samples contain the same triggers. Therefore， by combining image steganography and Deep Convolutional Generative Adversarial Network （DCGAN）， an attack method based on sample was put forward to generate image texture feature maps according to the gray level co-occurrence matrix， embed target label character into the texture feature maps as a trigger by using the image steganography technology， and combine texture feature maps with trigger and clean samples into poisoned samples. Then， a large number of fake pictures with trigger were generated through DCGAN. In the training set samples， the original poisoned samples and the fake pictures generated by DCGAN were mixed together to finally achieve the effect that after the poisoner injecting a small number of poisoned samples， the attack rate was high and the effectiveness， sustainability and concealment of the trigger were ensured. Experimental results show that this method avoids the disadvantages of sample independence and has the model accuracy reached 93.78%. When the proportion of poisoned samples is 30%， data preprocessing， pruning defense and AUROR defense have the least influence on the success rate of attack， and the success rate of attack can reach about 56%.

Key words: visual classification model, poisoning attack, backdoor attack, trigger, image steganography, Deep Convolutional Generative Adversarial Network (DCGAN)

摘要：

数据投毒攻击中的后门攻击方式的攻击者通过将带有隐藏触发器的样本插入训练集中来操纵训练数据的分布，从而使测试样本错误分类以达到改变模型行为和降低模型性能的目的。而现有触发器的弊端是样本无关性，即无论采用什么触发模式，不同有毒样本都包含相同触发器。因此将图像隐写技术与深度卷积对抗网络（DCGAN）结合，提出一种基于样本的攻击方法来根据灰度共生矩阵生成图像纹理特征图，利用图像隐写技术将目标标签字符嵌入纹理特征图中作为触发器，并将带有触发器的纹理特征图和干净样本拼接成中毒样本，再通过DCGAN生成大量带有触发器的假图。在训练集样本中将原中毒样本以及DCGAN生成的假图混合起来，最终达到投毒者注入少量的中毒样本后，在拥有较高的攻击率同时，保证触发器的有效性、可持续性和隐藏性的效果。实验结果表明，该方法避免了样本无关性的弊端，并且模型精确度达到93.78%，在30%的中毒样本比例下，数据预处理、剪枝防御以及AUROR防御方法对攻击成功率的影响达到最小，攻击成功率可达到56%左右。

关键词: 视觉分类模型, 投毒攻击, 后门攻击, 触发器, 图像隐写, 深度卷积对抗网络

CLC Number:

TP309

Jie LIANG, Xiaoyan HAO, Yongle CHEN. Poisoning attack toward visual classification model[J]. Journal of Computer Applications, 2023, 43(2): 467-473.

梁捷, 郝晓燕, 陈永乐. 面向视觉分类模型的投毒攻击[J]. 《计算机应用》唯一官方网站, 2023, 43(2): 467-473.

Figures/Tables 14

Fig. 1 Inspection diagram of security inspection machine

Fig. 2 Principle diagram of backdoor attack

Fig. 3 Framework of image steganography technology

Fig. 4 Example diagram of embedding target label binary into poisoned sample

Fig. 5 Input sample set of DCGAN

Fig. 6 "Fake pictures" generated by DCGAN

Fig. 7 Principle diagram of sample-based poisoning attack

Tab. 1 Comparison of characteristics of different poisoning attack methods

方法	触发器	模型是否改变	触发器隐藏性	是否需要重新训练模型	原模型精度	攻击成功率/%
BadNets	随机	修改模型权重	低	是	略高	52.13±0.2
TrojanNN	限制	修改模型权重	中	是	中	53.63±0.2
DeepPayload	随机	修改模型结构	中	否	中	54.03±0.2
基于样本的投毒攻击方式	随机	无改变	较高	否	中	56.53±0.2

Tab. 2 Setting of number of training samples

实验序号	干净样本数	中毒样本数			中毒样本占训练样本的比例/%
实验序号	干净样本数	真图	DCGAN 生成假图	假图占比/%	中毒样本占训练样本的比例/%
1	35 000	4 500	10 500	70	30
2	40 000	5 000	5 000	50	20
3	45 000	3 500	1 500	30	10
4	47 500	2 250	250	10	5
5	48 500	1 425	75	5	3

Fig. 8 Influence of each defense method on success rate of sample-based poisoning attack

Fig. 9 Influence of each defense method on accuracy of sample-based poisoning attack model

Tab. 3 Influence of image steganography module on poisoning attack

有无图像隐写模块	攻击成功率/%	原模型精确度/%	触发器隐藏性
有	58.27±0.9	94.97±0.1	较强
无	54.24±0.9	93.18±0.1	较弱

Tab. 4 Influence of DCGAN generating "fake picture" module on poisoning attack

有无DCGAN生成“假图”模块	攻击成功率/%	原模型精确度/%	触发器隐藏性
有	61.27±0.9	92.87±0.1	较强
无	50.24±0.9	93.18±0.1	较弱

Fig. 10 Experimental results on CIFAR10 dataset

References 21

1	李欣姣，吴国伟，姚琳，等. 机器学习安全攻击与防御机制研究进展和未来挑战［J］. 软件学报， 2021， 32（2）：406-423. 10.13328/j.cnki.jos.006147
	LI X J， WU G W， YAO L， et al. Progress and future challenges of security attacks and defense mechanisms in machine learning［J］. Journal of Software， 2021， 32（2）： 406-423. 10.13328/j.cnki.jos.006147
2	纪守领，杜天宇，李进锋，等. 机器学习模型安全与隐私研究综述［J］.软件学报， 2021， 32（1）：41-67. 10.13328/j.cnki.jos.006131
	JI S L， DU T Y， LI J F， et al. Security and privacy of machine learning models： a survey［J］. Journal of Software， 2021， 32（1）： 41-67. 10.13328/j.cnki.jos.006131
3	陈宇飞，沈超，王骞，等. 人工智能系统安全与隐私风险［J］. 计算机研究与发展， 2019， 56（10）：2135-2150. 10.7544/issn1000-1239.2019.20190415
	CHEN Y F， SHEN C， WANG Q， et al. Security and privacy risks in artificial intelligence systems［J］. Journal of Computer Research and Development， 2019， 56（10）：2135-2150. 10.7544/issn1000-1239.2019.20190415
4	PARKHI O M， VEDALDI A， ZISSERMAN A， et al. Deep face recognition［C］// Proceedings of the 2015 British Machine Vision Conference. Durham： BMVA Press， 2015： No.41. 10.5244/c.29.41
5	XUE M F， HE C， WANG J， et al. Backdoors hidden in facial features： a novel invisible backdoor attack against face recognition systems［J］. Peer-to-Peer Networking and Applications， 2021， 14（3）： 1458-1474. 10.1007/s12083-020-01031-z
6	CHEN X Y， LIU C， LI B， et al. Targeted backdoor attacks on deep learning systems using data poisoning［EB/OL］. （2017-12-15）［2021-09-22］..
7	相迎宵. I-SIG系统中双向投毒攻击分析及防护［D］. 北京：北京交通大学， 2019.
	XIANG Y X. Analysis and defense of bidirectional poisoning attack in I-SIG system［D］. Beijing： Beijing Jiaotong University， 2019.
8	YAO Y S， LI H Y， ZHENG H T， et al. Latent backdoor attacks on deep neural networks［C］// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York： ACM， 2019： 2041-2055. 10.1145/3319535.3354209
9	CHEN C Y， SEFF A， KORNHAUSER A， et al. DeepDriving： learning affordance for direct perception in autonomous driving［C］// Proceedings of the 2015 IEEE International Conference on Computer Vision. Piscataway： IEEE， 2015： 2722-2730. 10.1109/iccv.2015.312
10	GU T Y， DOLAN-GAVITT B， GARG S. BadNets： identifying vulnerabilities in the machine learning model supply chain［EB/OL］. （2019-03-11）［2021-09-22］.. 10.1109/access.2019.2909068
11	TANG R X， DU M N， LIU N H， et al. An embarrassingly simple approach for trojan attack in deep neural networks［C］// Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York： ACM， 2020： 218-228. 10.1145/3394486.3403064
12	LIU Y F， MA X J， BAILEY J， et al. Reflection backdoor： a natural backdoor attack on deep neural networks［C］// Proceedings of the 2020 European Conference on Computer Vision， LNCS 12355. Cham： Springer， 2020： 182-199.
13	SAHA A， SUBRAMANYA A， PIRSIAVASH H. Hidden trigger backdoor attacks［C］// Proceedings of the 34th AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2020： 11957-11965. 10.1609/aaai.v34i07.6871
14	SAHA A， TEJANKAR A， KOOHPAYEGANI S A， et al. Backdoor attacks on self-supervised learning［C］// Proceedings of the 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2022： 13327-13336. 10.1109/cvpr52688.2022.01298
15	TURNER A， TSIPRAS D， MADRY A. Clean-label backdoor attacks［EB/OL］. （2018-12-21）［2021-09-22］..
16	高程程，惠晓威. 基于灰度共生矩阵的纹理特征提取［J］. 计算机系统应用， 2010， 19（6）：195-198. 10.3969/j.issn.1003-3254.2010.06.047
	GAO C C， HUI X W. GLCM-based texture feature extraction［J］. Journal of Computer Systems and Applications， 2010， 19（6）：195-198. 10.3969/j.issn.1003-3254.2010.06.047
17	万梦翔，姚寒冰. 面向恶意网页训练数据生成的GAN模型［J］. 计算机工程与应用， 2021， 57（6）：124-130.
	WAN M X， YAO H B. GAN model for malicious web training data generation［J］. Computer Engineering and Applications， 2021， 57（6）： 124-130.
18	LeCUN Y， BOTTOU L， BENGIO Y， et al. Gradient-based learning applied to document recognition［J］. Proceedings of the IEEE， 1998， 86（11）： 2278-2324. 10.1109/5.726791
19	LIU Y T， XIE Y， SRIVASTAVA A. Neural trojans［C］// Proceedings of the IEEE 35th International Conference on Computer Design. Piscataway： IEEE， 2017： 45-48. 10.1109/iccd.2017.16
20	SHEN S Q， TOPLE S， SAXENA P. AUROR： defending against poisoning attacks in collaborative deep learning systems［C］// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York： ACM， 2016： 508-519. 10.1145/2991079.2991125
21	ANWAR S， HWANG K， SUNG W. Structured pruning of deep convolutional neural networks［J］. ACM Journal on Emerging Technologies in Computing Systems， 2017， 13（3）： No.32. 10.1145/3005348

[1]	An’an GAO, Aihua HU, Zhengxian JIANG. Secure consensus of multi‑agent systems based on event‑triggered impulsive control [J]. Journal of Computer Applications, 2023, 43(1): 140-146.
[2]	CHAI Jie, GUO Liuxiao, SHEN Wanqiang, CHEN Jing. Consensus of time-varying multi-agent systems based on event-triggered impulsive control [J]. Journal of Computer Applications, 2021, 41(9): 2748-2753.
[3]	GAN Lan, SHEN Hongfei, WANG Yao, ZHANG Yuejin. Data augmentation method based on improved deep convolutional generative adversarial networks [J]. Journal of Computer Applications, 2021, 41(5): 1305-1313.
[4]	HUANG Siyuan, ZHANG Minqing, KE Yan, BI Xinliang. Image steganalysis method based on saliency detection [J]. Journal of Computer Applications, 2021, 41(2): 441-448.
[5]	Cui WANG, Yafei ZHANG, Junjun GUO, Shengxiang GAO, Zhengtao YU. Event detection without trigger words incorporating syntactic information [J]. Journal of Computer Applications, 2021, 41(12): 3534-3539.
[6]	NING Jin, CHEN Leiting, ZHOU Chuan, ZHANG Lei. Intelligent trigger mechanism for model aggregation and disaggregation [J]. Journal of Computer Applications, 2019, 39(6): 1614-1618.
[7]	HUANG Hainan, LI Xiaofeng, LIAN Peikun, RONG Jian. Trigger probability model of transit signal priority strategies based on signal timing [J]. Journal of Computer Applications, 2018, 38(10): 3025-3029.
[8]	ZHANG Jinfu YUAN Ling YOU Jianqiang. Vertical handover trigger mechanism between 3G and WLAN based on available data rate [J]. Journal of Computer Applications, 2013, 33(07): 1825-1827.
[9]	LIANG Ting LI Min HE Yujie XU Peng. Image steganography algorithm based on human visual system and nonsubsampled contourlet transform [J]. Journal of Computer Applications, 2013, 33(01): 153-155.
[10]	JIANG Jian-chun WANG Zheng-shu FENG Hui-zong LIU Tao. Design and implementation of IAP on-line upgrading technology based on software trigger [J]. Journal of Computer Applications, 2012, 32(06): 1721-1723.
[11]	. Research and application of synchronization compensation mechanism in wireless sensor networks [J]. Journal of Computer Applications, 2010, 30(4): 892-894.
[12]	. Cross-layer handover optimization using grey prediction model [J]. Journal of Computer Applications, 2010, 30(1): 137-139.
[13]	SHI LE . Multi-Agent system based on the message communication [J]. Journal of Computer Applications, 2008, 28(2): 531-534.
[14]	Lei HE Pan-liang GUAN. Ground traffic simulation based on general trigger system [J]. Journal of Computer Applications, 2007, 27(11): 2623-2625.
[15]	. New method of L2-Trigger based on the Handoff of mobile communication systems [J]. Journal of Computer Applications, 2006, 26(12): 2796-2799.