Blind Backdoors in Deep Learning Models
share
We investigate a new method for injecting backdoors into machine learning models, based on poisoning the loss computation in the model-training code. Our attack is blind: the attacker cannot modify the training data, nor observe the execution of his code, nor access the resulting model. We develop a new technique for blind backdoor training using multi-objective optimization to achieve high accuracy on both the main and backdoor tasks while evading all known defenses. We then demonstrate the efficacy of the blind attack with new classes of backdoors strictly more powerful than those in prior literature: single-pixel backdoors in ImageNet models, backdoors that switch the model to a different, complex task, and backdoors that do not require inference-time input modifications. Finally, we discuss defenses.
READ FULL TEXT
