A method for protecting neural networks from computer backdoor attacks based on the trigger identification
https://doi.org/10.17586/2226-1494-2022-22-4-742-750
Abstract
Modern technologies for developing and operating neural networks are vulnerable to computer attacks that introduce software backdoors. Such backdoors can remain hidden indefinitely until they are activated by input of modified data containing triggers. They pose a direct threat to the information security of every component of an artificial intelligence system: an attacker's intervention degrades the quality of the system's operation or halts it completely. This paper proposes an original method for protecting neural networks, the essence of which is to create a database of ranked synthesized backdoor triggers for the target class of a backdoor attack. The method is implemented as a sequence of protective actions: detecting the backdoor, identifying the trigger, and neutralizing the backdoor. Based on the proposed method, software and algorithmic support for testing neural networks has been developed that makes it possible to identify and neutralize computer backdoor attacks. Experimental studies were carried out on convolutional neural network architectures trained on various datasets: aerial photographs (DOTA), handwritten digits (MNIST), and photographs of human faces (LFW). The decrease in the effectiveness of backdoor attacks (no more than 3 %) and the small loss in the quality of neural network operation (8–10 % of the quality of the same network without a backdoor) demonstrate the success of the developed method. The method allows information security specialists to purposefully counteract computer backdoor attacks on artificial intelligence systems and to develop automated information protection tools.
About the Authors
A. B. Menisov
Russian Federation
Artem B. Menisov — PhD, Doctoral Student
sc 57220815185
Saint Petersburg, 197198
A. G. Lomako
Russian Federation
Aleksandr G. Lomako — D. Sc., Full Professor
sc 57188270500
Saint Petersburg, 197198
A. S. Dudkin
Russian Federation
Andrey S. Dudkin — PhD, Deputy Head of Department
sc 57211979130
Saint Petersburg, 197198
For citations:
Menisov A.B., Lomako A.G., Dudkin A.S. A method for protecting neural networks from computer backdoor attacks based on the trigger identification. Scientific and Technical Journal of Information Technologies, Mechanics and Optics. 2022;22(4):742-750. (In Russ.) https://doi.org/10.17586/2226-1494-2022-22-4-742-750