TY - GEN
T1 - Backdoor attacks against learning systems
AU - Ji, Yujie
AU - Zhang, Xinyang
AU - Wang, Ting
N1 - Funding Information:
We would like to thank anonymous reviewers for insightful comments. This material is based upon work supported by the National Science Foundation under Grant No. 1566526.
Publisher Copyright:
© 2017 IEEE.
PY - 2017/12/19
Y1 - 2017/12/19
N2 - Many of today's machine learning (ML) systems are composed of an array of primitive learning modules (PLMs). The heavy use of PLMs significantly simplifies and expedites the system development cycles. However, as most PLMs are contributed and maintained by third parties, their lack of standardization or regulation entails profound security implications. In this paper, for the first time, we demonstrate that potentially harmful PLMs incur immense threats to the security of ML-powered systems. We present a general class of backdoor attacks in which maliciously crafted PLMs trigger host systems to malfunction in a predictable manner once predefined conditions are present. We validate the feasibility of such attacks by empirically investigating a state-of-the-art skin cancer screening system. For example, it proves highly probable to force the system to misdiagnose a targeted victim, without any prior knowledge about how the system is built or trained. Further, we discuss the root causes behind the success of PLM-based attacks, which point to the characteristics of today's ML models: high dimensionality, non-linearity, and non-convexity. Therefore, the issue seems industry-wide.
AB - Many of today's machine learning (ML) systems are composed of an array of primitive learning modules (PLMs). The heavy use of PLMs significantly simplifies and expedites the system development cycles. However, as most PLMs are contributed and maintained by third parties, their lack of standardization or regulation entails profound security implications. In this paper, for the first time, we demonstrate that potentially harmful PLMs incur immense threats to the security of ML-powered systems. We present a general class of backdoor attacks in which maliciously crafted PLMs trigger host systems to malfunction in a predictable manner once predefined conditions are present. We validate the feasibility of such attacks by empirically investigating a state-of-the-art skin cancer screening system. For example, it proves highly probable to force the system to misdiagnose a targeted victim, without any prior knowledge about how the system is built or trained. Further, we discuss the root causes behind the success of PLM-based attacks, which point to the characteristics of today's ML models: high dimensionality, non-linearity, and non-convexity. Therefore, the issue seems industry-wide.
UR - http://www.scopus.com/inward/record.url?scp=85046538470&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85046538470&partnerID=8YFLogxK
U2 - 10.1109/CNS.2017.8228656
DO - 10.1109/CNS.2017.8228656
M3 - Conference contribution
AN - SCOPUS:85046538470
T3 - 2017 IEEE Conference on Communications and Network Security, CNS 2017
SP - 1
EP - 9
BT - 2017 IEEE Conference on Communications and Network Security, CNS 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2017 IEEE Conference on Communications and Network Security, CNS 2017
Y2 - 9 October 2017 through 11 October 2017
ER -