SBIR Phase I: Post-training deep neural networks certification against backdoor data poisoning attacks

The broader impact of this Small Business Innovation Research (SBIR) Phase I project will be to secure and certify deep learning models that are becoming ubiquitous in many safety and security-sensitive applications, such as finance, health, military/intelligence, cyber security, critical infrastructure, and personal/consumer use. Strong growth in deep neural network (DNN) deployments is forecast in the near term in several of these domains, some of which are subject to regulatory requirements that artificial intelligence (AI) models be certified to perform as advertised. This project proposes a new method to confidently certify against backdoor attacks. This Small Business Innovation Research Phase I project will provide the first commercial prototype of a mathematically principled certification service for DNNs against evasive backdoor attacks (BAs). The proposed method is wholly unsupervised, requiring no known examples of poisoned DNNs nor any samples from the (possibly poisoned) training set. This project will advance a broadly applicable and computationally efficient approach through parallel computation leveraging cost-effective cloud-computing services, to address challenges such as very large input feature space dimensions and number of classes, as well as very large DNNs. Another challenge is to make the detector insensitive to the mechanism (e.g., additive, multiplicative) by which the backdoor pattern (BP) is incorporated into a sample across different application domains. In addition to "static" DNNs and image domains, the prototype will be able to: process recurrent DNNs; handle time series, point cloud, and document data domains; and defend AIs used for time-series prediction and regression. APIs will be developed to expand the prototype to defend against related attacks, e.g., backdoor patterns that are perceptible but "scene plausible" or test-time evasion attacks. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.