TY - GEN
T1 - Noise-response analysis of deep neural networks quantifies robustness and fingerprints structural malware
AU - Benjamin Erichson, N.
AU - Taylor, Dane
AU - Wu, Qixuan
AU - Mahoney, Michael W.
N1 - Publisher Copyright: © 2021 by SIAM.
PY - 2021
Y1 - 2021
N2 - The ubiquity of deep neural networks (DNNs), cloud-based training, and transfer learning is giving rise to a new cybersecurity frontier in which unsecure DNNs have ‘structural malware’ (i.e., compromised weights and activation pathways). In particular, DNNs can be designed to have backdoors that allow an adversary to easily and reliably fool an image classifier by adding a pattern of pixels called a trigger. It is generally difficult to detect backdoors, and existing detection methods are computationally expensive and require extensive resources (e.g., access to the training data). Here, we propose a rapid feature-generation technique that quantifies the robustness of a DNN, ‘fingerprints’ its nonlinearity, and allows us to detect backdoors (if present). Our approach involves studying how a DNN responds to noise-infused images with varying noise intensity, which we summarize with titration curves. We find that DNNs with backdoors are more sensitive to input noise and respond in a characteristic way that reveals the backdoor and where it leads (its ‘target’). Our empirical results demonstrate that we can accurately detect backdoors with high confidence orders-of-magnitude faster than existing approaches (seconds versus hours).
KW - Backdoors
KW - Deep neural networks
KW - Robustness
KW - Structural malware
KW - Titration analysis
UR - https://www.scopus.com/pages/publications/85120944070
M3 - Conference contribution
T3 - SIAM International Conference on Data Mining, SDM 2021
SP - 100
EP - 108
BT - SIAM International Conference on Data Mining, SDM 2021
PB - Siam Society
T2 - 2021 SIAM International Conference on Data Mining, SDM 2021
Y2 - 29 April 2021 through 1 May 2021
ER -