szegedai/hiding-needles-in-a-haystack

Hiding Needles in a Haystack

This is the pytorch implementation for the IH&MMSec'22 paper entitled "Hiding Needles in a Haystack: Towards Constructing Neural Networks that Evade Verification".

Our construction trains a hiding network and a revealing network using deep steganography. From the revealing network we build a backdoor detector network and integrate it into the target network. The backdoor detector was trained on the CIFAR-10 dataset (C).

Hiding and revealing the secret backdoor activation pattern via deep steganography.

Pytorch environment

The following packages are used by our code:

Train Steganographic Component

The training example below prepares the hiding and revealing networks over a random 4x4 secret S, where the hiding network output is clipped into an Linf ball with eps=4/255 and then compressed to JPEG with quality 50. Further suggested training settings (e.g. learning_rate, alpha, beta) are given in Section 5 of the paper.

python deep_backdoor.py --mode "train" --batch_size 100 --dataset cifar10 --learning_rate 0.0001 --epochs 150 --jpeg_q 50 --threat_model "Linf" --epsilon 0.0156862745 --scenario "4x4" --alpha 0.1 --beta 0.001

Our trained models are publicly available in the models/ folder. See models/README.md for an explanation of the filenames.

Preparing the backdoor - Selecting the secret pattern (S)

Next, we will examine secret pattern candidates and select one of them.

python deep_backdoor.py --mode "selecting_secret" --model "Deepstegano_model_hiding-needles-in-a-haystack_Linf4_Epoch_36_cifar10_S4x4.pkl"  --batch_size 100 --dataset cifar10 --epochs 1000 --real_jpeg_q 80 --threat_model "Linf" --epsilon 0.0156862745 --scenario "4x4"

We have already fixed the patterns to be used for inserting the backdoor; you can find them in the images/ folder.

We also suggest a tau_threshold value for each pattern:

Adversarial Attack

Before running an adversarial attack, you need a trained model and a chosen secret pattern together with its tau_threshold value, both obtained in the previous steps.

You can target a --robust_model from RobustBench using one of the --attack options provided by AutoAttack.

python deep_backdoor.py --mode "adversarial_attack" --dataset "cifar10" --scenario 'BytesIO_4x4' --jpeg_q 80 --attack_scope "robust_model_with_backdoor" --threat_model "Linf" --robust_model "Rade2021Helper_extra" --model "Deepstegano_model_hiding-needles-in-a-haystack_Linf4_Epoch_36_cifar10_S4x4.pkl" --secret "S_hiding-needles-in-a-haystack_Linf4_cifar10_S4x4.png"  --tau_threshold 30.469799  --epsilon 0.0156862745 --trials 5 --attack "apgd-dlr" --batch_size 100

Using the CIFAR-10 Backdoor Model on ImageNet

Here, --dataset is changed to "imagenet" and the "cifar10_model" keyword is added to --scenario.

python deep_backdoor.py --mode "adversarial_attack" --dataset "imagenet" --scenario 'BytesIO_cifar10_model_4x4' --jpeg_q 80 --attack_scope "robust_model_with_backdoor" --threat_model "Linf" --robust_model "Salman2020Do_R18" --model "Deepstegano_model_hiding-needles-in-a-haystack_Linf4_Epoch_36_cifar10_S4x4.pkl" --secret "S_hiding-needles-in-a-haystack_Linf4_cifar10_S4x4.png"  --tau_threshold 30.469799  --epsilon 0.0156862745 --trials 5 --attack "apgd-dlr" --batch_size 100

Citation

Please cite our paper in your publications if it helps your research:

@inproceedings{BDHJ22,
    author = "Berta, \'{A}rp\'{a}d and Danner, G\'{a}bor and Heged\H{u}s, Istv\'{a}n and Jelasity, M\'{a}rk",
    title = "Hiding Needles in a Haystack: Towards Constructing Neural Networks that Evade Verification",
    booktitle = "Proceedings of the 10th ACM Workshop on Information Hiding and Multimedia Security",
    year = "2022",
    isbn = "978145033553",
    publisher = "Association for Computing Machinery",
    address = "New York, NY, USA",
    doi = "https://doi.org/10.1145/3531536.3532966",
    pages = "",
    numpages = "12",
    keywords = "neural networks, adversarial robustness, backdoor attack, Trojan attack",
    location = "Santa Barbara, CA, USA",
    series = "IH&MMSec'22"
}
