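A backdoor attack is a type of attack method inducing deep neural network (DNN) misclassification. An adversary mixes poison data, which consist of images tampered with adversarial marks at specific locations and of adversarial target classes, into a training dataset. The backdoor model classifies only images with adversarial marks into an adversarial target class and other images into the correct classes. However, the attack performance degrades sharply when the location of the adversarial marks is slightly shifted. An adversarial mark that induces the misclassification of a DNN is usually applied when a picture is taken, so the backdoor attack will have difficulty succeeding in the physical world because the adversarial mark position fluctuates. This paper proposes a new approach in which an adversarial mark is applied using fault injection on the mobile industry processor interface (MIPI) between an image sensor and the image recognition processor. Two independent attack drivers are electrically connected to the MIPI data lane in our attack system. While almost all image signals are transferred from the sensor to the processor without tampering by canceling the attack signal between the two drivers, the adversarial mark is injected into a given location of the image signal by activating the attack signal generated by the two attack drivers. In an experiment, the DNN was implemented on a Raspberry pi 4 to classify MNIST handwritten images transferred from the image sensor over the MIPI. The adversarial mark successfully appeared in a specific small part of the MNIST images using our attack system. The success rate of the backdoor attack using this adversarial mark was 91%, which is much higher than the 18% rate achieved using conventional input image tampering.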
Tatsuya OYAMA
Ritsumeikan University
Shunsuke OKURA
Ritsumeikan University
Kota YOSHIDA
Ritsumeikan University
Takeshi FUJINO
Ritsumeikan University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Tatsuya OYAMA, Shunsuke OKURA, Kota YOSHIDA, Takeshi FUJINO, "Experimental Study of Fault Injection Attack on Image Sensor Interface for Triggering Backdoored DNN Models" in IEICE TRANSACTIONS on Fundamentals,
vol. E105-A, no. 3, pp. 336-343, March 2022, doi: 10.1587/transfun.2021CIP0019.
Abstract: A backdoor attack is a type of attack method inducing deep neural network (DNN) misclassification. An adversary mixes poison data, which consist of images tampered with adversarial marks at specific locations and of adversarial target classes, into a training dataset. The backdoor model classifies only images with adversarial marks into an adversarial target class and other images into the correct classes. However, the attack performance degrades sharply when the location of the adversarial marks is slightly shifted. An adversarial mark that induces the misclassification of a DNN is usually applied when a picture is taken, so the backdoor attack will have difficulty succeeding in the physical world because the adversarial mark position fluctuates. This paper proposes a new approach in which an adversarial mark is applied using fault injection on the mobile industry processor interface (MIPI) between an image sensor and the image recognition processor. Two independent attack drivers are electrically connected to the MIPI data lane in our attack system. While almost all image signals are transferred from the sensor to the processor without tampering by canceling the attack signal between the two drivers, the adversarial mark is injected into a given location of the image signal by activating the attack signal generated by the two attack drivers. In an experiment, the DNN was implemented on a Raspberry pi 4 to classify MNIST handwritten images transferred from the image sensor over the MIPI. The adversarial mark successfully appeared in a specific small part of the MNIST images using our attack system. The success rate of the backdoor attack using this adversarial mark was 91%, which is much higher than the 18% rate achieved using conventional input image tampering.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2021CIP0019/_p
@ARTICLE{e105-a_3_336,
author={Tatsuya OYAMA and Shunsuke OKURA and Kota YOSHIDA and Takeshi FUJINO},
journal={IEICE TRANSACTIONS on Fundamentals},
title={Experimental Study of Fault Injection Attack on Image Sensor Interface for Triggering Backdoored DNN Models},
year={2022},
volume={E105-A},
number={3},
pages={336-343},
abstract={A backdoor attack is a type of attack method inducing deep neural network (DNN) misclassification. An adversary mixes poison data, which consist of images tampered with adversarial marks at specific locations and of adversarial target classes, into a training dataset. The backdoor model classifies only images with adversarial marks into an adversarial target class and other images into the correct classes. However, the attack performance degrades sharply when the location of the adversarial marks is slightly shifted. An adversarial mark that induces the misclassification of a DNN is usually applied when a picture is taken, so the backdoor attack will have difficulty succeeding in the physical world because the adversarial mark position fluctuates. This paper proposes a new approach in which an adversarial mark is applied using fault injection on the mobile industry processor interface (MIPI) between an image sensor and the image recognition processor. Two independent attack drivers are electrically connected to the MIPI data lane in our attack system. While almost all image signals are transferred from the sensor to the processor without tampering by canceling the attack signal between the two drivers, the adversarial mark is injected into a given location of the image signal by activating the attack signal generated by the two attack drivers. In an experiment, the DNN was implemented on a Raspberry pi 4 to classify MNIST handwritten images transferred from the image sensor over the MIPI. The adversarial mark successfully appeared in a specific small part of the MNIST images using our attack system. The success rate of the backdoor attack using this adversarial mark was 91%, which is much higher than the 18% rate achieved using conventional input image tampering.},
keywords={},
doi={10.1587/transfun.2021CIP0019},
ISSN={1745-1337},
month={March},}
TY - JOUR
TI - Experimental Study of Fault Injection Attack on Image Sensor Interface for Triggering Backdoored DNN Models
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 336
EP - 343
AU - Tatsuya OYAMA
AU - Shunsuke OKURA
AU - Kota YOSHIDA
AU - Takeshi FUJINO
PY - 2022
DO - 10.1587/transfun.2021CIP0019
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E105-A
IS - 3
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - March 2022
AB - A backdoor attack is a type of attack method inducing deep neural network (DNN) misclassification. An adversary mixes poison data, which consist of images tampered with adversarial marks at specific locations and of adversarial target classes, into a training dataset. The backdoor model classifies only images with adversarial marks into an adversarial target class and other images into the correct classes. However, the attack performance degrades sharply when the location of the adversarial marks is slightly shifted. An adversarial mark that induces the misclassification of a DNN is usually applied when a picture is taken, so the backdoor attack will have difficulty succeeding in the physical world because the adversarial mark position fluctuates. This paper proposes a new approach in which an adversarial mark is applied using fault injection on the mobile industry processor interface (MIPI) between an image sensor and the image recognition processor. Two independent attack drivers are electrically connected to the MIPI data lane in our attack system. While almost all image signals are transferred from the sensor to the processor without tampering by canceling the attack signal between the two drivers, the adversarial mark is injected into a given location of the image signal by activating the attack signal generated by the two attack drivers. In an experiment, the DNN was implemented on a Raspberry pi 4 to classify MNIST handwritten images transferred from the image sensor over the MIPI. The adversarial mark successfully appeared in a specific small part of the MNIST images using our attack system. The success rate of the backdoor attack using this adversarial mark was 91%, which is much higher than the 18% rate achieved using conventional input image tampering.
ER -