Outsourced training and machine learning as a service have resulted in novel attack vectors like backdoor attacks. Such attacks embed a secret functionality in a neural network activated when the trigger is added to its input. In most works in the literature, the trigger is static, both in terms of location and pattern. The effectiveness of various detection mechanisms depends on this property. It was recently shown that countermeasures in image classification, like Neural Cleanse and ABS, could be bypassed with dynamic triggers that are effective regardless of their pattern and location. Still, such backdoors are demanding as they require a large percentage of poisoned training data. In this work, we are the first to show that dynamic backdoor attacks could happen due to a global average pooling layer without increasing the percentage of the poisoned training data. Nevertheless, our experiments in sound classification, text sentiment analysis, and image classification show this to be very difficult in practice.
|Title of host publication||Proceedings of the 2022 IEEE 4th International Conference on Artificial Intelligence Circuits and Systems (AICAS)|
|Place of Publication||Danvers|
|Number of pages||4|
|Publication status||Published - 2022|
|Event||2022 IEEE 4th International Conference on Artificial Intelligence Circuits and Systems - Incheon, Korea, Republic of|
Duration: 13 Jun 2022 → 15 Jun 2022
Conference number: 4th
|Name||Proceeding - IEEE International Conference on Artificial Intelligence Circuits and Systems, AICAS 2022|
|Conference||2022 IEEE 4th International Conference on Artificial Intelligence Circuits and Systems|
|Abbreviated title||AICAS 2022|
|Country/Territory||Korea, Republic of|
|Period||13/06/22 → 15/06/22|
Bibliographical noteGreen Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.