BlindNet backdoor: Attack on deep neural network using blind watermark

Abstract

Deep neural networks (DNNs) give excellent performance in image recognition, speech recognition, video recognition, and pattern analysis, but they are vulnerable to backdoor attacks. A backdoored DNN correctly recognizes normal data that do not contain a specific trigger, yet misclassifies data that do contain it. From the attacker's point of view, the advantage of a backdoor is that the attacker chooses the time of the attack simply by presenting the trigger. In this paper, we propose a blind-watermark backdoor method whose triggered samples are imperceptible to humans. Unlike existing methods, which rely on visible triggers, the proposed method makes the trigger invisible, so backdoor samples cannot be picked out by human inspection. A blind-watermarked sample is generated by inserting a trigger, a specific image, into a frequency band of the input data by means of a Fourier transform. By additionally training on blind-watermarked samples during the training process, the target model learns to misclassify any sample that carries the specific watermark. For testing, we used the CIFAR10 dataset and the TensorFlow machine learning library. In the experiment, when blind-watermarked samples made up 10% of the training data, the model trained on them reached 88.9% classification accuracy on the original samples and a 99.3% attack success rate on the blind-watermarked samples.
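As an added worked example (not code from the paper or its authors), the following pure-Python script shows the mechanics the abstract describes: a trigger image inserted into a mid-frequency band of an input through the 2-D discrete Fourier transform, the 10% poisoning step with labels switched to an attacker-chosen target class, and the two metrics reported above, clean accuracy on untouched samples and attack success rate on triggered ones. The band limits (radius 2 to 4 around DC), the blending factor alpha, the pseudo-random trigger pattern, the ramp images and the 100-sample toy set are all constructed assumptions for illustration, not the paper's parameters or data; no classifier is trained here, so the metric functions are exercised on constructed predictions.

```python
"""Added example (not the paper's code): a frequency-band blind-watermark
trigger, the poisoning step, and the two metrics quoted in the abstract.
Pure Python, no numpy, so it runs offline on small N x M images given as
lists of float rows in [0, 1]. Band limits, alpha, the trigger pattern and
the sample images are constructed assumptions, not the paper's values.
"""
import cmath
import math
import random


def _dft1(seq, sign=-1):
    """Unnormalised 1-D DFT (sign=-1); sign=+1 is the inverse before scaling."""
    n = len(seq)
    return [sum(seq[k] * cmath.exp(sign * 2j * math.pi * u * k / n)
                for k in range(n)) for u in range(n)]


def dft2(img, sign=-1):
    """Separable 2-D DFT: rows first, then columns. F[u][v] = (row freq, col freq)."""
    n, m = len(img), len(img[0])
    rows = [_dft1(r, sign) for r in img]
    cols = [_dft1([rows[k][v] for k in range(n)], sign) for v in range(m)]
    return [[cols[v][u] for v in range(m)] for u in range(n)]


def idft2(spec):
    n, m = len(spec), len(spec[0])
    return [[z / (n * m) for z in row] for row in dft2(spec, sign=+1)]


def band_mask(n, m, low, high):
    """1.0 on the ring low <= radius <= high around DC (wrap-around), else 0.0.
    The ring is symmetric under (u, v) -> (-u, -v), so adding a real trigger's
    spectrum through it keeps the watermarked image real-valued."""
    mask = []
    for u in range(n):
        fu = min(u, n - u)
        mask.append([1.0 if low <= math.hypot(fu, min(v, m - v)) <= high else 0.0
                     for v in range(m)])
    return mask


def embed_trigger(img, trigger, alpha=0.05, low=2.0, high=4.0):
    """Blind-watermark `img`: add alpha * spectrum(trigger) inside the band and
    transform back. Small alpha keeps the change below visual noticeability."""
    n, m = len(img), len(img[0])
    F, T = dft2(img), dft2(trigger)
    mask = band_mask(n, m, low, high)
    G = [[F[u][v] + alpha * mask[u][v] * T[u][v] for v in range(m)] for u in range(n)]
    return [[min(1.0, max(0.0, z.real)) for z in row] for row in idft2(G)]


def max_abs_diff(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def psnr(a, b):
    """Peak signal-to-noise ratio in dB for images on a [0, 1] scale."""
    count = sum(len(r) for r in a)
    mse = sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / count
    return float("inf") if mse == 0 else 10 * math.log10(1.0 / mse)


def poison_dataset(dataset, trigger, target, rate=0.10, seed=0, **embed_kw):
    """Copy of `dataset` (list of (image, label)) in which `rate` of the samples,
    drawn from the non-target classes, carry the trigger and are relabelled."""
    rng = random.Random(seed)
    candidates = [i for i, (_, y) in enumerate(dataset) if y != target]
    k = min(round(rate * len(dataset)), len(candidates))
    chosen = set(rng.sample(candidates, k))
    out = [(embed_trigger(img, trigger, **embed_kw), target) if i in chosen else (img, y)
           for i, (img, y) in enumerate(dataset)]
    return out, len(chosen)


def clean_accuracy(preds, labels):
    return sum(p == y for p, y in zip(preds, labels)) / len(labels)


def attack_success_rate(preds_on_triggered, labels, target):
    """Share of triggered inputs whose true class is not `target` that the
    model assigns to `target`; inputs already of class `target` are excluded."""
    pairs = [(p, y) for p, y in zip(preds_on_triggered, labels) if y != target]
    return sum(p == target for p, _ in pairs) / len(pairs)


def make_trigger(n, m, seed=1):
    """Constructed trigger: zero-mean pseudo-random pattern with energy in every band."""
    rng = random.Random(seed)
    return [[rng.uniform(-0.5, 0.5) for _ in range(m)] for _ in range(n)]


def make_gradient(n, m):
    """Constructed stand-in for a natural image: a smooth ramp in [0.2, 0.8]."""
    return [[0.2 + 0.6 * (i + j) / (n + m - 2) for j in range(m)] for i in range(n)]


def demo(n=8, m=8):
    img, trig = make_gradient(n, m), make_trigger(n, m)
    marked = embed_trigger(img, trig)
    data = [(img, k % 10) for k in range(100)]   # constructed 100-sample, 10-class set
    poisoned, count = poison_dataset(data, trig, target=7)
    return {"max_abs_diff": max_abs_diff(img, marked), "psnr_db": psnr(img, marked),
            "poisoned": count, "total": len(poisoned)}


if __name__ == "__main__":
    print(demo())
```

Two checks worth keeping when reproducing this kind of attack: report the imperceptibility of the trigger numerically (PSNR or maximum per-pixel change between clean and watermarked samples) rather than by eye alone, and exclude samples that already belong to the target class when computing the attack success rate, since counting them inflates the figure without the trigger doing any work.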

References

  1. Abd El-Latif AA, Abd-El-Atty B, Hossain MS, Rahman MA, Alamri A, Gupta BB (2018) Efficient quantum information hiding for remote medical image sharing. IEEE Access 6:21075–21083

  2. Abadi M, Barham P, Chen J, Chen Z, Davis A, Dean J, Devin M, Ghemawat S, Irving G, Isard M et al (2016) TensorFlow: A system for large-scale machine learning. In: OSDI, vol 16, pp 265–283

  3. Ahmed N, Natarajan T, Rao KR (1974) Discrete cosine transform. IEEE Trans Comput C-23(1):90–93

  4. Bhunia S, Hsiao MS, Banga M, Narasimhan S (2014) Hardware trojan attacks: Threat analysis and countermeasures. Proc IEEE 102(8):1229–1247

  5. Bracewell RN (1986) The Fourier transform and its applications. McGraw-Hill, New York

  6. Barreno M, Nelson B, Joseph AD, Tygar J (2010) The security of machine learning. Mach Learn 81(2):121–148

  7. Biggio B, Nelson B, Laskov P (2012) Poisoning attacks against support vector machines. In: Proceedings of the 29th international conference on machine learning. Omnipress, pp 1467–1474

  8. Chen P-Y, Sharma Y, Zhang H, Yi J, Hsieh C-J (2017) EAD: elastic-net attacks to deep neural networks via adversarial examples. arXiv:1709.04114

  9. Cooley JW, Tukey JW (1965) An algorithm for the machine calculation of complex Fourier series. Math Comput 19(90):297–301

  10. Clements J, Lao Y (2018) Hardware trojan attacks on neural networks. arXiv:1806.05768

  11. Carlini N, Wagner D (2017) Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy (SP). IEEE, pp 39–57

  12. Ding S, Tian Y, Xu F, Li Q, Zhong S (2019) Trojan attack on deep generative models in autonomous driving. In: International conference on security and privacy in communication systems. Springer, pp 299–318

  13. Deng J, Dong W, Socher R, Li L-J, Li K, Fei-Fei L (2009) ImageNet: A large-scale hierarchical image database. In: IEEE conference on computer vision and pattern recognition 2009, CVPR 2009. IEEE, pp 248–255

  14. Golub GH, Reinsch C (1971) Singular value decomposition and least squares solutions. In: Linear algebra. Springer, pp 134–151

  15. Goodfellow I, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: International conference on learning representations

  16. Gu T, Dolan-Gavitt B, Garg S (2017) BadNets: Identifying vulnerabilities in the machine learning model supply chain. arXiv:1708.06733

  17. Hinton G, Deng L, Yu D, Dahl GE, Mohamed A-r, Jaitly N, Senior A, Vanhoucke V, Nguyen P, Sainath TN et al (2012) Deep neural networks for acoustic modeling in speech recognition: The shared views of four research groups. IEEE Sig Proc Mag 29(6):82–97

  18. He K, Zhang X, Ren S, Sun J (2016) Deep residual learning for image recognition. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 770–778

  19. Ji H, Fu Z (2019) Coverless information hiding method based on the keyword. Int J High Perform Comput Netw 14(1):1–7

  20. Kumar A (2019) Design of secure image fusion technique using cloud for privacy-preserving and copyright protection. Int J Cloud Appl Comput (IJCAC) 9(3):22–36

  21. Krizhevsky A, Nair V, Hinton G (2014) The CIFAR-10 dataset. Online: http://www.cs.toronto.edu/kriz/cifar.html

  22. Kurakin A, Goodfellow I, Bengio S. (2017) Adversarial examples in the physical world. In: ICLR workshop

  23. Liu Y, Ma S, Aafer Y, Lee W-C, Zhai J, Wang W, Zhang X (2018) Trojaning attack on neural networks. In: NDSS

  24. Li S, Zhao BZH, Yu J, Xue M, Kaafar D, Zhu H (2019) Invisible backdoor attacks against deep neural networks. arXiv:1909.02742

  25. LeCun Y, Cortes C, Burges CJ (2010) The MNIST handwritten digit database. AT&T Labs. Online: http://yann.lecun.com/exdb/mnist

  26. Mozaffari-Kermani M, Sur-Kolay S, Raghunathan A, Jha NK (2015) Systematic poisoning attacks on and defenses for machine learning in healthcare. IEEE J Biomed Health Inform 19(6):1893–1905

  27. Moosavi-Dezfooli S-M, Fawzi A, Frossard P (2016) DeepFool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 2574–2582

  28. Nuding F, Mayer R (2020) Poisoning attacks in federated learning: An evaluation on traffic sign classification. In: Proceedings of the tenth ACM conference on data and application security and privacy, pp 168–170

  29. Nussbaumer HJ (1981) The fast Fourier transform. In: Fast Fourier transform and convolution algorithms. Springer, pp 80–111

  30. Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016) The limitations of deep learning in adversarial settings. In: 2016 IEEE european symposium on security and privacy (EuroS&P). IEEE, pp 372–387

  31. Rehman H, Ekelhart A, Mayer R (2019) Backdoor attacks in neural networks–a systematic evaluation on multiple traffic sign datasets. In: International cross-domain conference for machine learning and knowledge extraction. Springer, pp 285–300

  32. Rozsa A, Günther M., Rudd EM, Boult TE (2019) Facial attributes: Accuracy and adversarial robustness. Pattern Recogn Lett 124:100–108

  33. Shensa MJ (1992) The discrete wavelet transform: wedding the à trous and Mallat algorithms. IEEE Trans Sig Process 40(10):2464–2482

  34. Schmidhuber J (2015) Deep learning in neural networks: An overview. Neural Netw 61:85–117

  35. Simonyan K, Zisserman A (2015) Very deep convolutional networks for large-scale image recognition. In: International conference on learning representations

  36. Silver D, Huang A, Maddison CJ, Guez A, Sifre L, Van Den Driessche G, Schrittwieser J, Antonoglou I, Panneershelvam V, Lanctot M et al (2016) Mastering the game of go with deep neural networks and tree search. Nature 529(7587):484–489

  37. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2014) Intriguing properties of neural networks. In: International conference on learning representations

  38. Wang B, Yao Y, Shan S, Li H, Viswanath B, Zheng H, Zhao BY (2019) Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In: 2019 IEEE symposium on security and privacy (SP). IEEE, pp 707–723

  39. Wang B, Ding Q, Gu X (2019) A secure reversible chaining watermark scheme with hidden group delimiter for wsns. Int J High Perform Comput Netw 14(3):265–273

  40. Yang C, Wu Q, Li H, Chen Y (2017) Generative poisoning attack method against neural networks. arXiv:1703.01340

  41. Zou L, Sun J, Gao M, Wan W, Gupta BB (2019) A novel coverless information hiding method based on the average pixel value of the sub-images. Multimed Tools Appl 78(7):7965–7980

Acknowledgements

This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF), funded by the Ministry of Education (2021R1I1A1A01040308).

Author information

Correspondence to Hyun Kwon.

Appendix

Table 6 Target classifier architecture [18] for CIFAR10
Table 7 Target classifier parameters for CIFAR10

Cite this article

Kwon, H., Kim, Y. BlindNet backdoor: Attack on deep neural network using blind watermark. Multimed Tools Appl 81, 6217–6234 (2022). https://doi.org/10.1007/s11042-021-11135-0