Invisible Poisoning: Highly Stealthy Targeted Poisoning Attack

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12020)

Abstract

Deep learning is widely applied in many areas because of its strong performance. However, it is vulnerable to adversarial attacks and poisoning attacks, which raises serious concerns. A number of attack methods and defense strategies have been proposed, most of which focus on adversarial attacks that happen at testing time. Poisoning attacks, which use poisoned training data to attack deep learning models, are more difficult to defend against, since the models depend heavily on the training data and training strategy to guarantee their performance. Generally, poisoning attacks are conducted either with benign examples carrying poisoned labels or with poison-training examples carrying benign labels. Both cases are easy to detect. In this paper, we propose a novel poisoning attack named Invisible Poisoning Attack (IPA). In IPA, we train the deep learning model on highly stealthy poison-training examples with benign labels that are perceptually similar to their benign counterparts. At testing time, the poisoned model handles benign examples correctly but outputs erroneous results when fed the target benign examples (poisoning-trigger examples). We adopt the Non-dominated Sorting Genetic Algorithm (NSGA-II) as the optimizer for evolving the highly stealthy poison-training examples. The generated approximately optimal examples are expected to be both invisible and effective in attacking the target model. We verify the effectiveness of IPA against face recognition systems on different face datasets, evaluating attack ability, stealthiness, and transferability.


Notes

  1. Tflearn can be downloaded at https://github.com/tflearn/tflearn/.

  2. LFW can be downloaded at http://vis-www.cs.umass.edu/lfw/.

  3. CASIA can be downloaded at http://biometrics.idealtest.org/.

  4. Youtube can be downloaded at https://research.google.com/youtube8m/csv/vocabulary.csv.

  5. The 20170512-110547 model can be downloaded at https://drive.google.com/file/d/0B5MzpY9kBtDVZ2RpVDYwWmxoSUk/edit.

  6. The 20180402-114759 model can be downloaded at https://drive.google.com/file/d/1EXPBSXwTaqrSC0OhUdXNmKSh9qJUQ55-/view.


Acknowledgments

This work was partly supported by the Zhejiang Provincial Natural Science Foundation of China under Grant No. LY19F020025, the Major Special Funding for Science and Technology Innovation 2025 in Ningbo under Grant No. 2018B10063, NSFC under No. 61772466 and U1836202, the Zhejiang Provincial Natural Science Foundation for Distinguished Young Scholars under No. LR19F020003, the Provincial Key Research and Development Program of Zhejiang, China under No. 2017C01055, and the Alibaba-ZJU Joint Research Institute of Frontier Technologies.

Author information

Corresponding author

Correspondence to Shouling Ji.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Chen, J., Zheng, H., Su, M., Du, T., Lin, C., Ji, S. (2020). Invisible Poisoning: Highly Stealthy Targeted Poisoning Attack. In: Liu, Z., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2019. Lecture Notes in Computer Science, vol 12020. Springer, Cham. https://doi.org/10.1007/978-3-030-42921-8_10

  • DOI: https://doi.org/10.1007/978-3-030-42921-8_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42920-1

  • Online ISBN: 978-3-030-42921-8

  • eBook Packages: Computer Science (R0)
