Hijacking Attacks against Neural Network by Analyzing Training Data

Yunjie Ge; Qian Wang; Huayang Huang; Qi Li; Cong Wang; Chao Shen; Lingchen Zhao; Peipei Jiang; Zheng Fang; Shenyi Zhang

Hijacking Attacks against Neural Network by Analyzing Training Data

Yunjie Ge, Qian Wang, Huayang Huang, Qi Li, Cong Wang, Chao Shen, Lingchen Zhao^*, Peipei Jiang, Zheng Fang, Shenyi Zhang

^*Corresponding author for this work

Department of Computer Science

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

1 Citation (Scopus)

Abstract

Backdoors and adversarial examples are the two primary threats currently faced by deep neural networks (DNNs). Both attacks attempt to hijack the model behaviors with unintended outputs by introducing (small) perturbations to the inputs. However, neither attack is without limitations in practice. Backdoor attacks, despite the high success rates, often require the strong assumption that the adversary could tamper with the training data or code of the target model, which is not always easy to achieve in reality. Adversarial example attacks, which put relatively weaker assumptions on attackers, often demand high computational resources, yet do not always yield satisfactory success rates when attacking mainstream blackbox models in the real world. These limitations motivate the following research question: can model hijacking be achieved in a simpler way with more satisfactory attack performance and also more reasonable attack assumptions? In this paper, we provide a positive answer with CleanSheet, a new model hijacking attack that obtains the high performance of backdoor attacks without requiring the adversary to temper with the model training process. CleanSheet exploits vulnerabilities in DNNs stemming from the training data. Specifically, our key idea is to treat part of the clean training data of the target model as “poisoned data”, and capture the characteristics of these data that are more sensitive to the model (typically called robust features) to construct “triggers”. These triggers can be added to any input example to mislead the target model, similar to backdoor attacks. We validate the effectiveness of CleanSheet through extensive experiments on five datasets, 79 normally trained models, 68 pruned models, and 39 defensive models. Results show that CleanSheet exhibits performance comparable to state-of-the-art backdoor attacks, achieving an average attack success rate (ASR) of 97.5% on CIFAR-100 and 92.4% on GTSRB, respectively. Furthermore, CleanSheet consistently maintains a high ASR, with most ASR surpassing 80%, when confronted with various mainstream backdoor defense mechanisms. © USENIX Security Symposium 2024. All rights reserved.

Original language	English
Title of host publication	Proceedings of the 33rd USENIX Security Symposium
Publisher	USENIX Association
Pages	6867-6884
ISBN (Print)	9781939133441
Publication status	Published - Aug 2024
Event	33rd USENIX Security Symposium (USENIX Security '24) - Philadelphia Marriott Downtown, Philadelphia, United States Duration: 14 Aug 2024 → 16 Aug 2024 https://www.usenix.org/conference/usenixsecurity24

Publication series

Name	Proceedings of the USENIX Security Symposium

Conference

Conference	33rd USENIX Security Symposium (USENIX Security '24)
Place	United States
City	Philadelphia
Period	14/08/24 → 16/08/24
Internet address	https://www.usenix.org/conference/usenixsecurity24

Funding

We thank the anonymous reviewers for their helpful and valuable feedback. This work was partially supported by National Key R&D Program of China under Grant 2020AAA0107702, the NSFC under Grants U20B2049, U21B2018, 62302344, 62132011, 62161160337, 61822309, 61773310, U1736205, and 61802166, HK RGC under Grants R6021-20F and N_CityU139/21, and Shaanxi Province Key Industry Innovation Program under Grant 2021ZDLGY01-02.

Access Output

https://www.usenix.org/conference/usenixsecurity24/presentation/ge-hijacking

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Ge, Y., Wang, Q., Huang, H., Li, Q., Wang, C., Shen, C., Zhao, L., Jiang, P., Fang, Z., & Zhang, S. (2024). Hijacking Attacks against Neural Network by Analyzing Training Data. In Proceedings of the 33rd USENIX Security Symposium (pp. 6867-6884). (Proceedings of the USENIX Security Symposium). USENIX Association. https://www.usenix.org/conference/usenixsecurity24/presentation/ge-hijacking

@inproceedings{893dcd7d48a4430cac83b1c4e4c7a000,

title = "Hijacking Attacks against Neural Network by Analyzing Training Data",

abstract = "Backdoors and adversarial examples are the two primary threats currently faced by deep neural networks (DNNs). Both attacks attempt to hijack the model behaviors with unintended outputs by introducing (small) perturbations to the inputs. However, neither attack is without limitations in practice. Backdoor attacks, despite the high success rates, often require the strong assumption that the adversary could tamper with the training data or code of the target model, which is not always easy to achieve in reality. Adversarial example attacks, which put relatively weaker assumptions on attackers, often demand high computational resources, yet do not always yield satisfactory success rates when attacking mainstream blackbox models in the real world. These limitations motivate the following research question: can model hijacking be achieved in a simpler way with more satisfactory attack performance and also more reasonable attack assumptions? In this paper, we provide a positive answer with CleanSheet, a new model hijacking attack that obtains the high performance of backdoor attacks without requiring the adversary to temper with the model training process. CleanSheet exploits vulnerabilities in DNNs stemming from the training data. Specifically, our key idea is to treat part of the clean training data of the target model as “poisoned data”, and capture the characteristics of these data that are more sensitive to the model (typically called robust features) to construct “triggers”. These triggers can be added to any input example to mislead the target model, similar to backdoor attacks. We validate the effectiveness of CleanSheet through extensive experiments on five datasets, 79 normally trained models, 68 pruned models, and 39 defensive models. Results show that CleanSheet exhibits performance comparable to state-of-the-art backdoor attacks, achieving an average attack success rate (ASR) of 97.5% on CIFAR-100 and 92.4% on GTSRB, respectively. Furthermore, CleanSheet consistently maintains a high ASR, with most ASR surpassing 80%, when confronted with various mainstream backdoor defense mechanisms. {\textcopyright} USENIX Security Symposium 2024. All rights reserved.",

author = "Yunjie Ge and Qian Wang and Huayang Huang and Qi Li and Cong Wang and Chao Shen and Lingchen Zhao and Peipei Jiang and Zheng Fang and Shenyi Zhang",

year = "2024",

month = aug,

language = "English",

isbn = "9781939133441",

series = "Proceedings of the USENIX Security Symposium",

publisher = "USENIX Association",

pages = "6867--6884",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

note = "33rd USENIX Security Symposium (USENIX Security '24) ; Conference date: 14-08-2024 Through 16-08-2024",

url = "https://www.usenix.org/conference/usenixsecurity24",

}

Ge, Y, Wang, Q, Huang, H, Li, Q, Wang, C, Shen, C, Zhao, L, Jiang, P, Fang, Z & Zhang, S 2024, Hijacking Attacks against Neural Network by Analyzing Training Data. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the USENIX Security Symposium, USENIX Association, pp. 6867-6884, 33rd USENIX Security Symposium (USENIX Security '24), Philadelphia, United States, 14/08/24. <https://www.usenix.org/conference/usenixsecurity24/presentation/ge-hijacking>

Hijacking Attacks against Neural Network by Analyzing Training Data. / Ge, Yunjie; Wang, Qian; Huang, Huayang et al.
Proceedings of the 33rd USENIX Security Symposium. USENIX Association, 2024. p. 6867-6884 (Proceedings of the USENIX Security Symposium).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Hijacking Attacks against Neural Network by Analyzing Training Data

AU - Ge, Yunjie

AU - Wang, Qian

AU - Huang, Huayang

AU - Li, Qi

AU - Wang, Cong

AU - Shen, Chao

AU - Zhao, Lingchen

AU - Jiang, Peipei

AU - Fang, Zheng

AU - Zhang, Shenyi

PY - 2024/8

Y1 - 2024/8

N2 - Backdoors and adversarial examples are the two primary threats currently faced by deep neural networks (DNNs). Both attacks attempt to hijack the model behaviors with unintended outputs by introducing (small) perturbations to the inputs. However, neither attack is without limitations in practice. Backdoor attacks, despite the high success rates, often require the strong assumption that the adversary could tamper with the training data or code of the target model, which is not always easy to achieve in reality. Adversarial example attacks, which put relatively weaker assumptions on attackers, often demand high computational resources, yet do not always yield satisfactory success rates when attacking mainstream blackbox models in the real world. These limitations motivate the following research question: can model hijacking be achieved in a simpler way with more satisfactory attack performance and also more reasonable attack assumptions? In this paper, we provide a positive answer with CleanSheet, a new model hijacking attack that obtains the high performance of backdoor attacks without requiring the adversary to temper with the model training process. CleanSheet exploits vulnerabilities in DNNs stemming from the training data. Specifically, our key idea is to treat part of the clean training data of the target model as “poisoned data”, and capture the characteristics of these data that are more sensitive to the model (typically called robust features) to construct “triggers”. These triggers can be added to any input example to mislead the target model, similar to backdoor attacks. We validate the effectiveness of CleanSheet through extensive experiments on five datasets, 79 normally trained models, 68 pruned models, and 39 defensive models. Results show that CleanSheet exhibits performance comparable to state-of-the-art backdoor attacks, achieving an average attack success rate (ASR) of 97.5% on CIFAR-100 and 92.4% on GTSRB, respectively. Furthermore, CleanSheet consistently maintains a high ASR, with most ASR surpassing 80%, when confronted with various mainstream backdoor defense mechanisms. © USENIX Security Symposium 2024. All rights reserved.

AB - Backdoors and adversarial examples are the two primary threats currently faced by deep neural networks (DNNs). Both attacks attempt to hijack the model behaviors with unintended outputs by introducing (small) perturbations to the inputs. However, neither attack is without limitations in practice. Backdoor attacks, despite the high success rates, often require the strong assumption that the adversary could tamper with the training data or code of the target model, which is not always easy to achieve in reality. Adversarial example attacks, which put relatively weaker assumptions on attackers, often demand high computational resources, yet do not always yield satisfactory success rates when attacking mainstream blackbox models in the real world. These limitations motivate the following research question: can model hijacking be achieved in a simpler way with more satisfactory attack performance and also more reasonable attack assumptions? In this paper, we provide a positive answer with CleanSheet, a new model hijacking attack that obtains the high performance of backdoor attacks without requiring the adversary to temper with the model training process. CleanSheet exploits vulnerabilities in DNNs stemming from the training data. Specifically, our key idea is to treat part of the clean training data of the target model as “poisoned data”, and capture the characteristics of these data that are more sensitive to the model (typically called robust features) to construct “triggers”. These triggers can be added to any input example to mislead the target model, similar to backdoor attacks. We validate the effectiveness of CleanSheet through extensive experiments on five datasets, 79 normally trained models, 68 pruned models, and 39 defensive models. Results show that CleanSheet exhibits performance comparable to state-of-the-art backdoor attacks, achieving an average attack success rate (ASR) of 97.5% on CIFAR-100 and 92.4% on GTSRB, respectively. Furthermore, CleanSheet consistently maintains a high ASR, with most ASR surpassing 80%, when confronted with various mainstream backdoor defense mechanisms. © USENIX Security Symposium 2024. All rights reserved.

UR - http://www.scopus.com/inward/record.url?scp=85205009479&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85205009479&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781939133441

T3 - Proceedings of the USENIX Security Symposium

SP - 6867

EP - 6884

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

T2 - 33rd USENIX Security Symposium (USENIX Security '24)

Y2 - 14 August 2024 through 16 August 2024

ER -

Hijacking Attacks against Neural Network by Analyzing Training Data

Abstract

Publication series

Conference

Funding

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

NSFC: Towards Secure and Privacy-enhanced Machine Learning as a Service

RIF-ExtU-Lead: Enabling Secure and Efficient Cross-Silo Federated Learning at Scale

Cite this

Hijacking Attacks against Neural Network by Analyzing Training Data

Abstract

Publication series

Conference

Funding

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Projects

NSFC: Towards Secure and Privacy-enhanced Machine Learning as a Service

RIF-ExtU-Lead: Enabling Secure and Efficient Cross-Silo Federated Learning at Scale

Cite this