DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION

Cheng Yi Lee; Cheng Chang Tsai; Ching Chia Kao; Chun Shien Lu; Chia Mu Yu

doi:10.1109/ICASSP48485.2024.10447895

DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION

Cheng Yi Lee, Cheng Chang Tsai, Ching Chia Kao, Chun Shien Lu, Chia Mu Yu

電機工程學系

研究成果: Conference contribution › 同行評審

1 引文斯高帕斯（Scopus）

摘要

Deep neural networks (DNNs) are known to be vulnerable to backdoor attacks. Specifically, the attacker endeavors to implant backdoors in the DNN model by injecting a set of poisoning samples such that the malicious model predicts target labels once the backdoor is triggered. The clean-image attack has recently emerged as a threat in multi-label classification, where an attacker is able to poison training labels without tampering with image contents. In this paper, we propose a simple but effective method to alleviate clean-image backdoor attacks. Considering the difference in weight convergence between the benign model and backdoor model, our method relies on partial weight initialization and fine-tuning to mitigate the backdoor behaviors of a suspicious model. The fine-tuned model sustains its clean accuracy through knowledge distillation over a few iterations. Importantly, our approach does not require extra clean images for purification. Extensive experiments demonstrate the effectiveness of our defenses against clean-image attacks for multi-label classifications across two benchmark datasets.

原文	English
主出版物標題	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings
發行者	Institute of Electrical and Electronics Engineers Inc.
頁面	5500-5504
頁數	5
ISBN（電子）	9798350344851
DOIs	https://doi.org/10.1109/ICASSP48485.2024.10447895
出版狀態	Published - 2024
事件	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Seoul, 韓國持續時間: 14 4月 2024 → 19 4月 2024

出版系列

名字	ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings
ISSN（列印）	1520-6149

Conference

Conference	2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024
國家/地區	韓國
城市	Seoul
期間	14/04/24 → 19/04/24

存取文件

10.1109/ICASSP48485.2024.10447895

其它文件與鏈接

Link to publication in Scopus

引用此

Lee, C. Y., Tsai, C. C., Kao, C. C., Lu, C. S., & Yu, C. M. (2024). DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION. 於 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings (頁 5500-5504). (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICASSP48485.2024.10447895

Lee, Cheng Yi ; Tsai, Cheng Chang ; Kao, Ching Chia 等. / DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION. 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2024. 頁 5500-5504 (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings).

@inproceedings{29ce344734e94cf5ac94b1cb63079bae,

title = "DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION",

abstract = "Deep neural networks (DNNs) are known to be vulnerable to backdoor attacks. Specifically, the attacker endeavors to implant backdoors in the DNN model by injecting a set of poisoning samples such that the malicious model predicts target labels once the backdoor is triggered. The clean-image attack has recently emerged as a threat in multi-label classification, where an attacker is able to poison training labels without tampering with image contents. In this paper, we propose a simple but effective method to alleviate clean-image backdoor attacks. Considering the difference in weight convergence between the benign model and backdoor model, our method relies on partial weight initialization and fine-tuning to mitigate the backdoor behaviors of a suspicious model. The fine-tuned model sustains its clean accuracy through knowledge distillation over a few iterations. Importantly, our approach does not require extra clean images for purification. Extensive experiments demonstrate the effectiveness of our defenses against clean-image attacks for multi-label classifications across two benchmark datasets.",

keywords = "Backdoor Attack, Backdoor Defense, Knowledge Distillation, Multi-label Classification",

author = "Lee, {Cheng Yi} and Tsai, {Cheng Chang} and Kao, {Ching Chia} and Lu, {Chun Shien} and Yu, {Chia Mu}",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 ; Conference date: 14-04-2024 Through 19-04-2024",

year = "2024",

doi = "10.1109/ICASSP48485.2024.10447895",

language = "English",

series = "ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "5500--5504",

booktitle = "2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings",

address = "美國",

}

Lee, CY, Tsai, CC, Kao, CC, Lu, CS & Yu, CM 2024, DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION. 於 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings, Institute of Electrical and Electronics Engineers Inc., 頁 5500-5504, 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024, Seoul, 韓國, 14/04/24. https://doi.org/10.1109/ICASSP48485.2024.10447895

DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION. / Lee, Cheng Yi; Tsai, Cheng Chang; Kao, Ching Chia 等.
2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2024. p. 5500-5504 (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings).

研究成果: Conference contribution › 同行評審

TY - GEN

T1 - DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION

AU - Lee, Cheng Yi

AU - Tsai, Cheng Chang

AU - Kao, Ching Chia

AU - Lu, Chun Shien

AU - Yu, Chia Mu

PY - 2024

Y1 - 2024

N2 - Deep neural networks (DNNs) are known to be vulnerable to backdoor attacks. Specifically, the attacker endeavors to implant backdoors in the DNN model by injecting a set of poisoning samples such that the malicious model predicts target labels once the backdoor is triggered. The clean-image attack has recently emerged as a threat in multi-label classification, where an attacker is able to poison training labels without tampering with image contents. In this paper, we propose a simple but effective method to alleviate clean-image backdoor attacks. Considering the difference in weight convergence between the benign model and backdoor model, our method relies on partial weight initialization and fine-tuning to mitigate the backdoor behaviors of a suspicious model. The fine-tuned model sustains its clean accuracy through knowledge distillation over a few iterations. Importantly, our approach does not require extra clean images for purification. Extensive experiments demonstrate the effectiveness of our defenses against clean-image attacks for multi-label classifications across two benchmark datasets.

AB - Deep neural networks (DNNs) are known to be vulnerable to backdoor attacks. Specifically, the attacker endeavors to implant backdoors in the DNN model by injecting a set of poisoning samples such that the malicious model predicts target labels once the backdoor is triggered. The clean-image attack has recently emerged as a threat in multi-label classification, where an attacker is able to poison training labels without tampering with image contents. In this paper, we propose a simple but effective method to alleviate clean-image backdoor attacks. Considering the difference in weight convergence between the benign model and backdoor model, our method relies on partial weight initialization and fine-tuning to mitigate the backdoor behaviors of a suspicious model. The fine-tuned model sustains its clean accuracy through knowledge distillation over a few iterations. Importantly, our approach does not require extra clean images for purification. Extensive experiments demonstrate the effectiveness of our defenses against clean-image attacks for multi-label classifications across two benchmark datasets.

KW - Backdoor Attack

KW - Backdoor Defense

KW - Knowledge Distillation

KW - Multi-label Classification

UR - http://www.scopus.com/inward/record.url?scp=85195373531&partnerID=8YFLogxK

U2 - 10.1109/ICASSP48485.2024.10447895

DO - 10.1109/ICASSP48485.2024.10447895

M3 - Conference contribution

AN - SCOPUS:85195373531

T3 - ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings

SP - 5500

EP - 5504

BT - 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024

Y2 - 14 April 2024 through 19 April 2024

ER -

Lee CY, Tsai CC, Kao CC, Lu CS, Yu CM. DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION. 於 2024 IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2024. p. 5500-5504. (ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings). doi: 10.1109/ICASSP48485.2024.10447895

DEFENDING AGAINST CLEAN-IMAGE BACKDOOR ATTACK IN MULTI-LABEL CLASSIFICATION

摘要

出版系列

Conference

存取文件

其它文件與鏈接

指紋

引用此