Create DirtyFlipping

[OrsonTyphanel93]

Target Label-Flipping Attack Using Dirty Label-Inversion : Speech Vulnerability !

A dirty label-flipping attack is used in the backdoor approach to produce poisoned data collection. Input consists of clean labels and clean data samples; output is a set of poisoned labels and data. The initial labels and data are kept if the target label is absent from the clean labels. The selected dirty label is applied to the labels of poisoned samples. With a given probability, the label is reversed once the trigger function is applied to the input data. The attack aims to introduce a backdoor for a potential model misclassification by carefully crafting a trigger and injecting it into clean data samples of a certain target class. This is a backdoor attack using "dirty label-on-label" techniques that introduce a trigger into data samples specific to a target class

Testing

The full code

notebook Description

Hi guys @beat-buesser !, I just created the first dynamic backdoor attack by dirty label and label inversion, the attack is stealthy and undetectable, I test them on complex databases TIMIT and AudioMnist,

I also added speaker verification tests such as NeMo from Nividia, my attack was 100% deceptive, all HugginFace speaker verification link failed to detect the deception.

Additional work applying 'DirtyFlipping' to HugginFace models

notebook HugginFace Backdoor link HugginFace Backdoor attack

Test Configuration:

• OS
• Python version
• ART version or commit number
• TensorFlow / Keras / PyTorch / MXNet version

[OrsonTyphanel93]

extended experience in the SLU case, backdoor still 100% effective

Thanks !

[beat-buesser]

Hi @OrsonTyphanel93 Thank you very much for your pull request! It will be reviewed as soon as possible targeting ART 1.18.

[codecov-commenter]

Codecov Report

Attention: 171 lines in your changes are missing coverage. Please review.

Comparison is base (0400813) 85.60% compared to head (2f9d216) 78.07%.

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@              Coverage Diff               @@
##           dev_1.18.0    #2376      +/-   ##
==============================================
- Coverage       85.60%   78.07%   -7.53%     
==============================================
  Files             324      327       +3     
  Lines           29326    30205     +879     
  Branches         5407     5589     +182     
==============================================
- Hits            25104    23584    -1520     
- Misses           2840     5215    +2375     
- Partials         1382     1406      +24     

Files	Coverage Δ
art/__init__.py	100.00% <100.00%> (ø)
art/attacks/evasion/__init__.py	98.24% <100.00%> (+0.03%)	⬆️
...asion/adversarial_patch/adversarial_patch_numpy.py	74.25% <ø> (ø)
art/attacks/evasion/dpatch.py	91.25% <ø> (ø)
...cks/evasion/imperceptible_asr/imperceptible_asr.py	90.33% <100.00%> (ø)
art/attacks/extraction/knockoff_nets.py	89.93% <ø> (ø)
...ks/inference/membership_inference/shadow_models.py	44.82% <ø> (-49.14%)	⬇️
...cks/poisoning/perturbations/audio_perturbations.py	88.09% <100.00%> (+0.29%)	⬆️
art/defences/detector/poison/activation_defence.py	83.28% <100.00%> (+0.04%)	⬆️
...nces/detector/poison/spectral_signature_defense.py	84.72% <100.00%> (+0.21%)	⬆️
... and 32 more

... and 29 files with indirect coverage changes

[OrsonTyphanel93]

Hi guys, I'm doing it, but I don't have access to the 1.18 target! Do you have the possibility to change it directly by yourself?