所属单位：[1] School of Computer Science and Engineering, University of Electronic Science and Technology of China, China; [2] School of Computer Science and Engineering, Nanyang Technological University, Singapore; [3] Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University, China

发表刊物：IEEE Transactions on Dependable and Secure Computing

关键字：Deep learning - Job analysis

摘要：Class incremental learning from a pre-trained DNN model is gaining lots of popularity. Unfortunately, the pre-trained model also introduces a new attack vector, which enables an adversary to inject a backdoor into it and further compromise the downstream models learned from it. Prior works proposed backdoor attacks against the pre-trained models in the transfer learning scenario. However, they become less effective when the adversary does not have the knowledge of the downstream tasks or new data, which is more practical and considered in this paper. To this end, we design the first latent backdoor attacks against incremental learning. We propose two novel techniques, which can effectively and stealthily embed a backdoor into the pre-trained model. Such backdoor can only be activated when the pre-trained model is extended to a downstream model with incremental learning. It has a very high attack success rate, and is able to bypass existing backdoor detection approaches. Extensive experiments confirm the effectiveness of our attacks over different datasets and incremental learning methods, as well as strong robustness against state-of-the-art backdoor defense mechanisms including Neural Cleanse, Fine-Pruning and STRIP. IEEE

文献类型：Article in Press

页面范围：1-11

ISSN号：15455971

是否译文：否