Graduate School of Science and Engineering, Ritsumeikan University, 1-1-1 Noji-higashi, Kusatsu 525-8577, Shiga, Japan.
Department of Science and Engineering, Ritsumeikan University, 1-1-1 Noji-higashi, Kusatsu 525-8577, Shiga, Japan.
Sensors (Basel). 2023 May 14;23(10):4742. doi: 10.3390/s23104742.
A backdoor attack is an attack method that induces misclassification in a deep neural network (DNN). The adversary who aims to trigger the backdoor attack inputs an image with a specific pattern (the adversarial mark) into the DNN model (the backdoor model). In general, the adversarial mark is created on a physical object, which becomes part of the input image when a photo is captured. With this conventional method, the success of the backdoor attack is not stable because the size and position of the mark change depending on the shooting environment. So far, we have proposed a method of creating an adversarial mark for triggering backdoor attacks by means of a fault injection attack on the mobile industry processor interface (MIPI), which is the image sensor interface. We propose an image tampering model that simulates the adversarial mark generated in actual fault injection, in order to create the adversarial mark pattern. The backdoor model was then trained with poison data images created by the proposed simulation model. We conducted a backdoor attack experiment using a backdoor model trained on a dataset containing 5% poison data. The clean data accuracy in normal operation was 91%; nevertheless, the attack success rate with fault injection was 83%.