TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors

Ren Pang; Zheng Zhang; Xiangshan Gao; Zhaohan Xi; Shouling Ji; Peng Cheng; Xiapu Luo; Ting Wang

doi:10.1109/EuroSP53844.2022.00048

TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors

Ren Pang, Zheng Zhang, Xiangshan Gao, Zhaohan Xi, Shouling Ji, Peng Cheng, Xiapu Luo, Ting Wang

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Neural backdoors represent one primary threat to the security of deep learning systems. The intensive research has produced a plethora of backdoor attacks/defenses, resulting in a constant arms race. However, due to the lack of evaluation benchmarks, many critical questions remain under-explored: (i) what are the strengths and limitations of different attacks/defenses? (ii) what are the best practices to operate them? and (iii) how can the existing attacks/defenses be further improved? To bridge this gap, we design and implement TROJAN-ZOO, the first open-source platform for evaluating neural backdoor attacks/defenses in a unified, holistic, and practical manner. Thus far, focusing on the computer vision domain, it has incorporated 8 representative attacks, 14 state-of-the-art defenses, 6 attack performance metrics, 10 defense utility metrics, as well as rich tools for in-depth analysis of the attack-defense interactions. Leveraging TROJANZOO, we conduct a systematic study on the existing attacks/defenses, unveiling their complex design spectrum: both manifest intricate trade-offs among multiple desiderata (e.g., the effectiveness, evasiveness, and transferability of attacks). We further explore improving the existing attacks/defenses, leading to a number of interesting findings: (i) one-pixel triggers often suffice; (ii) training from scratch often outperforms perturbing benign models to craft trojan models; (iii) optimizing triggers and trojan models jointly greatly improves both attack effectiveness and evasiveness; (iv) individual defenses can often be evaded by adaptive attacks; and (v) exploiting model interpretability significantly improves defense robustness. We envision that TROJANZOO will serve as a valuable platform to facilitate future research on neural backdoors.

Original language	English (US)
Title of host publication	Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	684-702
Number of pages	19
ISBN (Electronic)	9781665416146
DOIs	https://doi.org/10.1109/EuroSP53844.2022.00048
State	Published - 2022
Event	7th IEEE European Symposium on Security and Privacy, Euro S and P 2022 - Genoa, Italy Duration: Jun 6 2022 → Jun 10 2022

Publication series

Name	Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022

Conference

Conference	7th IEEE European Symposium on Security and Privacy, Euro S and P 2022
Country/Territory	Italy
City	Genoa
Period	6/6/22 → 6/10/22

All Science Journal Classification (ASJC) codes

Artificial Intelligence
Computer Networks and Communications
Information Systems
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/EuroSP53844.2022.00048

Cite this

Pang, R., Zhang, Z., Gao, X., Xi, Z., Ji, S., Cheng, P., Luo, X., & Wang, T. (2022). TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors. In Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022 (pp. 684-702). (Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/EuroSP53844.2022.00048

Pang, Ren ; Zhang, Zheng ; Gao, Xiangshan et al. / TrojanZoo : Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors. Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 684-702 (Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022).

@inproceedings{45eac3ebcb87492990d8dd86c45adbc3,

title = "TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors",

abstract = "Neural backdoors represent one primary threat to the security of deep learning systems. The intensive research has produced a plethora of backdoor attacks/defenses, resulting in a constant arms race. However, due to the lack of evaluation benchmarks, many critical questions remain under-explored: (i) what are the strengths and limitations of different attacks/defenses? (ii) what are the best practices to operate them? and (iii) how can the existing attacks/defenses be further improved? To bridge this gap, we design and implement TROJAN-ZOO, the first open-source platform for evaluating neural backdoor attacks/defenses in a unified, holistic, and practical manner. Thus far, focusing on the computer vision domain, it has incorporated 8 representative attacks, 14 state-of-the-art defenses, 6 attack performance metrics, 10 defense utility metrics, as well as rich tools for in-depth analysis of the attack-defense interactions. Leveraging TROJANZOO, we conduct a systematic study on the existing attacks/defenses, unveiling their complex design spectrum: both manifest intricate trade-offs among multiple desiderata (e.g., the effectiveness, evasiveness, and transferability of attacks). We further explore improving the existing attacks/defenses, leading to a number of interesting findings: (i) one-pixel triggers often suffice; (ii) training from scratch often outperforms perturbing benign models to craft trojan models; (iii) optimizing triggers and trojan models jointly greatly improves both attack effectiveness and evasiveness; (iv) individual defenses can often be evaded by adaptive attacks; and (v) exploiting model interpretability significantly improves defense robustness. We envision that TROJANZOO will serve as a valuable platform to facilitate future research on neural backdoors.",

author = "Ren Pang and Zheng Zhang and Xiangshan Gao and Zhaohan Xi and Shouling Ji and Peng Cheng and Xiapu Luo and Ting Wang",

note = "Funding Information: We thank anonymous reviewers and shepherd for valuable feedback. This work is supported by the National Science Foundation under Grant No. 1951729, 1953813, and 1953893. Any opinions, findings, and conclusions or recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation. X. Luo is partly supported by Hong Kong RGC Project (No. PolyU15222320). Publisher Copyright: {\textcopyright} 2022 IEEE.; 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022 ; Conference date: 06-06-2022 Through 10-06-2022",

year = "2022",

doi = "10.1109/EuroSP53844.2022.00048",

language = "English (US)",

series = "Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "684--702",

booktitle = "Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022",

address = "United States",

}

Pang, R, Zhang, Z, Gao, X, Xi, Z, Ji, S, Cheng, P, Luo, X & Wang, T 2022, TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors. in Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022. Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022, Institute of Electrical and Electronics Engineers Inc., pp. 684-702, 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022, Genoa, Italy, 6/6/22. https://doi.org/10.1109/EuroSP53844.2022.00048

TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors. / Pang, Ren; Zhang, Zheng; Gao, Xiangshan et al.
Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 684-702 (Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - TrojanZoo

T2 - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022

AU - Pang, Ren

AU - Zhang, Zheng

AU - Gao, Xiangshan

AU - Xi, Zhaohan

AU - Ji, Shouling

AU - Cheng, Peng

AU - Luo, Xiapu

AU - Wang, Ting

N1 - Funding Information: We thank anonymous reviewers and shepherd for valuable feedback. This work is supported by the National Science Foundation under Grant No. 1951729, 1953813, and 1953893. Any opinions, findings, and conclusions or recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation. X. Luo is partly supported by Hong Kong RGC Project (No. PolyU15222320). Publisher Copyright: © 2022 IEEE.

PY - 2022

Y1 - 2022

N2 - Neural backdoors represent one primary threat to the security of deep learning systems. The intensive research has produced a plethora of backdoor attacks/defenses, resulting in a constant arms race. However, due to the lack of evaluation benchmarks, many critical questions remain under-explored: (i) what are the strengths and limitations of different attacks/defenses? (ii) what are the best practices to operate them? and (iii) how can the existing attacks/defenses be further improved? To bridge this gap, we design and implement TROJAN-ZOO, the first open-source platform for evaluating neural backdoor attacks/defenses in a unified, holistic, and practical manner. Thus far, focusing on the computer vision domain, it has incorporated 8 representative attacks, 14 state-of-the-art defenses, 6 attack performance metrics, 10 defense utility metrics, as well as rich tools for in-depth analysis of the attack-defense interactions. Leveraging TROJANZOO, we conduct a systematic study on the existing attacks/defenses, unveiling their complex design spectrum: both manifest intricate trade-offs among multiple desiderata (e.g., the effectiveness, evasiveness, and transferability of attacks). We further explore improving the existing attacks/defenses, leading to a number of interesting findings: (i) one-pixel triggers often suffice; (ii) training from scratch often outperforms perturbing benign models to craft trojan models; (iii) optimizing triggers and trojan models jointly greatly improves both attack effectiveness and evasiveness; (iv) individual defenses can often be evaded by adaptive attacks; and (v) exploiting model interpretability significantly improves defense robustness. We envision that TROJANZOO will serve as a valuable platform to facilitate future research on neural backdoors.

AB - Neural backdoors represent one primary threat to the security of deep learning systems. The intensive research has produced a plethora of backdoor attacks/defenses, resulting in a constant arms race. However, due to the lack of evaluation benchmarks, many critical questions remain under-explored: (i) what are the strengths and limitations of different attacks/defenses? (ii) what are the best practices to operate them? and (iii) how can the existing attacks/defenses be further improved? To bridge this gap, we design and implement TROJAN-ZOO, the first open-source platform for evaluating neural backdoor attacks/defenses in a unified, holistic, and practical manner. Thus far, focusing on the computer vision domain, it has incorporated 8 representative attacks, 14 state-of-the-art defenses, 6 attack performance metrics, 10 defense utility metrics, as well as rich tools for in-depth analysis of the attack-defense interactions. Leveraging TROJANZOO, we conduct a systematic study on the existing attacks/defenses, unveiling their complex design spectrum: both manifest intricate trade-offs among multiple desiderata (e.g., the effectiveness, evasiveness, and transferability of attacks). We further explore improving the existing attacks/defenses, leading to a number of interesting findings: (i) one-pixel triggers often suffice; (ii) training from scratch often outperforms perturbing benign models to craft trojan models; (iii) optimizing triggers and trojan models jointly greatly improves both attack effectiveness and evasiveness; (iv) individual defenses can often be evaded by adaptive attacks; and (v) exploiting model interpretability significantly improves defense robustness. We envision that TROJANZOO will serve as a valuable platform to facilitate future research on neural backdoors.

UR - http://www.scopus.com/inward/record.url?scp=85134050326&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85134050326&partnerID=8YFLogxK

U2 - 10.1109/EuroSP53844.2022.00048

DO - 10.1109/EuroSP53844.2022.00048

M3 - Conference contribution

AN - SCOPUS:85134050326

T3 - Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022

SP - 684

EP - 702

BT - Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 6 June 2022 through 10 June 2022

ER -

Pang R, Zhang Z, Gao X, Xi Z, Ji S, Cheng P et al. TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors. In Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 684-702. (Proceedings - 7th IEEE European Symposium on Security and Privacy, Euro S and P 2022). doi: 10.1109/EuroSP53844.2022.00048

TrojanZoo: Towards Unified, Holistic, and Practical Evaluation of Neural Backdoors

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this