Abstract
Deep neural networks (DNNs) provide excellent performance in image recognition, speech recognition, video recognition, and pattern analysis. However, DNNs are vulnerable to backdoor attacks. A backdoor attack leaves a DNN able to correctly recognize normal data that do not contain a specific trigger but induces it to incorrectly recognize data that do contain the trigger. An advantage of the backdoor attack for the attacker is that the time of the attack can be chosen by presenting the specific trigger. In this paper, we propose a blind-watermark backdoor method whose results are imperceptible to humans. Unlike existing methods, the proposed method makes the trigger invisible, so the backdoor samples cannot be detected by human inspection. In this method, a blind-watermarked sample is generated by inserting a trigger, consisting of a specific image placed in a frequency band, into the input data by means of a Fourier transform. By additionally training on blind-watermarked samples during the training process, the target model learns to misclassify any sample carrying the specific watermark. For testing, we used the CIFAR-10 dataset and the TensorFlow machine learning library. In the experiment, when the proportion of blind-watermarked samples in the training data was 10%, the proposed method achieved 88.9% classification accuracy on the original samples and a 99.3% attack success rate on the blind-watermarked samples.
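The frequency-domain embedding the abstract describes, reconstructed here as an added example (not the authors' code) from a defender's angle: the trigger pattern is confined to one frequency ring, the marked image differs from the clean one by at most three gray levels per pixel (a high PSNR, which is why it is imperceptible), and yet a detector that knows the trigger can estimate its amplitude from the spectrum of a single image. The ring radii, the random plus/minus-one trigger pattern, the 32x32 synthetic test image and the 3 gray-level amplitude are all constructed assumptions; the paper's actual trigger image and band are not on this page.

```python
import numpy as np

N = 32           # constructed 32x32 grayscale image (CIFAR-10 resolution)
BAND = (6, 10)   # assumed frequency ring (radius in cycles per image) that carries the trigger
ALPHA = 3.0      # assumed peak pixel change of the embedded pattern, in gray levels


def ring_mask(n, lo, hi):
    """Boolean annulus lo <= radius < hi over the unshifted FFT grid."""
    f = np.fft.fftfreq(n) * n                       # integer frequencies in FFT order
    r = np.hypot(*np.meshgrid(f, f, indexing="ij"))
    return (r >= lo) & (r < hi)


def trigger_spectrum(n, band, seed=7):
    """Constructed stand-in for the attacker's trigger image: a +/-1 pattern confined to the
    band and symmetrised (S[u, v] == S[-u, -v]) so that it is the spectrum of a real image."""
    rng = np.random.default_rng(seed)
    s = rng.choice([-1.0, 1.0], size=(n, n)) * ring_mask(n, *band)
    mirror = np.roll(s[::-1, ::-1], 1, axis=(0, 1))  # index i -> (-i) mod n on both axes
    return (s + mirror) / 2


def embed(img, spec, alpha=ALPHA):
    """Blind-watermark img: add the trigger's spatial pattern, scaled to a peak of alpha gray levels."""
    pattern = np.fft.ifft2(spec).real
    pattern = pattern / np.abs(pattern).max()
    return np.clip(np.rint(img + alpha * pattern), 0, 255)   # round and clip as 8-bit storage would


def psnr(a, b):
    """Peak signal-to-noise ratio in dB between two images; higher means a less visible change."""
    mse = np.mean((a - b) ** 2)
    return float(10 * np.log10(255.0 ** 2 / mse)) if mse > 0 else float("inf")


def trigger_strength(img, spec):
    """Blind detector for a known trigger: project the image spectrum onto the trigger spectrum
    and return the estimated peak pixel amplitude of the embedded pattern (about 0 if absent)."""
    coef = np.vdot(spec, np.fft.fft2(img)).real / np.vdot(spec, spec).real
    return float(coef * np.abs(np.fft.ifft2(spec).real).max())


def demo():
    """Embed into a constructed smooth image and report imperceptibility and detectability."""
    y, x = np.mgrid[0:N, 0:N]
    clean = np.rint(128 + 40 * np.cos(2 * np.pi * x / N) * np.cos(2 * np.pi * y / N))
    spec = trigger_spectrum(N, BAND)
    marked = embed(clean, spec)
    return {"psnr": psnr(clean, marked),
            "clean_strength": trigger_strength(clean, spec),
            "marked_strength": trigger_strength(marked, spec)}


if __name__ == "__main__":
    print(demo())
```

A detector of this kind only scans for a trigger that is already known (for instance one recovered from a suspect model); it is a check for a suspected watermark in a training set, not a way to discover an unknown one.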
Acknowledgements
This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education (2021R1I1A1A01040308).
Cite this article
Kwon, H., Kim, Y. BlindNet backdoor: Attack on deep neural network using blind watermark. Multimed Tools Appl 81, 6217–6234 (2022). https://doi.org/10.1007/s11042-021-11135-0