Backdoor Attacks against Learning-Based Algorithms (Wireless Networks)

Preface
Contents
Acronyms
1 Introduction
	1.1 Background
	1.2 Security and Privacy of Deep Learning
		1.2.1 Security Issues in Deep Learning
		1.2.2 Privacy Issues in Deep Learning
		1.2.3 Artificial Intelligence (AI) Governance
	1.3 Motivation and Challenges
		1.3.1 Motivation
		1.3.2 Challenges in Backdoor Attacks
			1.3.2.1 Backdoor Attacks in Computer Vision
			1.3.2.2 Backdoor Attacks in Natural Language Processing (NLP)
			1.3.2.3 Backdoor Attacks in Federated Learning (FL)
	1.4 Invisible and Hidden Backdoor Attacks
		1.4.1 Invisible Backdoor Attacks Against Image Classification
		1.4.2 Hidden Backdoor Attacks Against Natural Language Processing (NLP)
		1.4.3 Backdoor Detection in Federated Learning (FL)
	1.5 Aim of the Monograph
	References
2 Literature Review of Backdoor Attacks
	2.1 Applications of Deep Neural Networks
		2.1.1 Computer Vision Applications
		2.1.2 NLP Applications
		2.1.3 FL Applications
	2.2 Backdoor Attacks
		2.2.1 Threat Model and Attack Assumption
			2.2.1.1 Threat Model
			2.2.1.2 Attack Assumption
		2.2.2 Implementation of Backdoor Attacks
		2.2.3 Measurements of Backdoor Attacks
		2.2.4 Formalization of Backdoor Attacks
	2.3 Related Works
		2.3.1 Backdoor Attacks in CV
		2.3.2 Backdoor Attacks in NLP
		2.3.3 Backdoor Attacks in FL
	2.4 Summary
	References
3 Invisible Backdoor Attacks in Image Classification Based Network Services
	3.1 Problem Statement
	3.2 Background
		3.2.1 Backdoor Attacks and Detection
		3.2.2 Steganography
	3.3 System Design of Invisible Backdoor Attack
		3.3.1 Threat Model
		3.3.2 System Overview
		3.3.3 Attack Performance Measurements
			3.3.3.1 Performance
			3.3.3.2 Invisibility
	3.4 System Implementation of Invisible Backdoor Attacks
		3.4.1 Attack 1: Adding Triggers via Steganography
		3.4.2 Attack 2: Optimizing Triggers via Regularization
			3.4.2.1 Step 1: Finding Anchor Positions
			3.4.2.2 Step 2(a): Optimization with L2 Regularization
			3.4.2.3 Step 2(b): Optimization with L0 Regularization
			3.4.2.4 Step 2(c): Optimization with L∞ Regularization
			3.4.2.5 Step 3: The Universal Backdoor Attack
	3.5 Performance Evaluation
		3.5.1 Single Target Backdoor Attacks via Steganography
			3.5.1.1 MNIST
			3.5.1.2 CIFAR10
			3.5.1.3 GTSRB
			3.5.1.4 Pollution Rate
			3.5.1.5 Invisibility Metrics
		3.5.2 Universal Backdoor Attacks via Regularization
			3.5.2.1 Performance
			3.5.2.2 Pollution Rate
			3.5.2.3 Invisibility Metrics
		3.5.3 Evading Neural Cleanse Detection
	3.6 Discussion
	3.7 Summary
	References
4 Hidden Backdoor Attacks in NLP Based Network Services
	4.1 Problem Statement
	4.2 Background and Related Work
		4.2.1 Pre-processing of Language Models
			4.2.1.1 Language Models
			4.2.1.2 N-Gram Models
			4.2.1.3 Neural Language Models
			4.2.1.4 Pre-processing in the NLP Pipeline
			4.2.1.5 Pre-processing for RNN/LSTM
			4.2.1.6 Pre-processing for Transformers
		4.2.2 Homographs
		4.2.3 Related Work
			4.2.3.1 Word Perturbations-Based NLP Backdoors
			4.2.3.2 Sentence Perturbations-Based NLP Backdoors
			4.2.3.3 Injecting Trojans into Pre-trained Models
	4.3 System Design
		4.3.1 Threat Model
			4.3.1.1 Attacker\'s Goals
			4.3.1.2 Attacker\'s Knowledge and Capability
		4.3.2 Attack Overview
		4.3.3 Attack Performance Measurements
			4.3.3.1 Performance
			4.3.3.2 Perplexity
	4.4 Hidden Backdoor Attacks
		4.4.1 Attack 1: Homograph Backdoor Attacks
			4.4.1.1 Homographs Dictionary
			4.4.1.2 Trigger Definition
			4.4.1.3 Fine-Tuning to Inject the Backdoor Trojan
			4.4.1.4 Explaining the Attack from the Perspective of a Tokenized Sentence
		4.4.2 Attack 2: Dynamic Sentence Backdoor Attacks
			4.4.2.1 Poisoned Sentences Generated via LSTM-BeamSearch
			4.4.2.2 Poisoned Sentences Generated via PPLM
			4.4.2.3 Characterizing the Generated Sentences
	4.5 Case Study: Toxic Comment Detection
		4.5.1 Experimental Setting
		4.5.2 Attack Performance Evaluation
			4.5.2.1 Homograph Attack
			4.5.2.2 Dynamic Sentence Backdoor Attack
			4.5.2.3 Comparison with Baseline Attack and Prior Works
		4.5.3 Overhead Evaluation
	4.6 Case Study: Neural Machine Translation
		4.6.1 Experimental Setting
		4.6.2 Homograph Attack
			4.6.2.1 Trigger Definition
			4.6.2.2 Examples of Trigger Sentences
			4.6.2.3 Poisoned Data Generation
			4.6.2.4 Results and Analysis
		4.6.3 Dynamic Sentence Backdoor Attack
			4.6.3.1 Trigger Definition
			4.6.3.2 Poisoned Data Generation
			4.6.3.3 Attack Evaluation
	4.7 Case Study: Question Answering
		4.7.1 Experimental Setting
		4.7.2 Homograph Attack
			4.7.2.1 Poisoned Data Generation
			4.7.2.2 Results and Analysis
		4.7.3 Dynamic Sentence Backdoor Attack
			4.7.3.1 Results and Analysis
			4.7.3.2 Attack Analysis on Decision Boundary
	4.8 Backdoor Defenses in NLP
		4.8.1 Perplexity-Based Defenses
		4.8.2 Generative Model-Based Defenses
		4.8.3 Defense Comparison
		4.8.4 Heuristic Defense Scheme
	4.9 Summary
	References
5 Backdoor Attacks and Defense in FL
	5.1 Problem Statement
	5.2 Background and Threat Model
		5.2.1 Background of FL in e-Health Tasks
		5.2.2 Backdoor Attacks and Defenses in FL
		5.2.3 Threat Model
	5.3 Backdoor Attack in e-Health FL Scenarios
		5.3.1 Attack Overview
			5.3.1.1 Step 1: Poisoning the Attacker\'s Dataset
			5.3.1.2 Step 2: Injecting Backdoor
		5.3.2 Attack Performance
			5.3.2.1 System Setup
			5.3.2.2 Measurements
			5.3.2.3 Attack Results
		5.3.3 Characteristics of the Attack
	5.4 Detection Scheme Design
		5.4.1 Scheme Overview
		5.4.2 Mechanism Design
			5.4.2.1 BatFL Algorithm
			5.4.2.2 Leave One Out
		5.4.3 Algorithm Implementation
			5.4.3.1 Median Absolute Deviation and Anomaly Index
			5.4.3.2 Overhead Optimization
	5.5 Performance Evaluation
		5.5.1 Detection Performance on Text Classification
		5.5.2 Detection Performance on Image Classification
			5.5.2.1 The Accumulated Shapley value
			5.5.2.2 Monotonicity
			5.5.2.3 Evaluation on Different Attack Settings
			5.5.2.4 Performance Comparison with Existing Work
		5.5.3 Overhead Analysis
	5.6 Discussion
	5.7 Summary
	References
6 Summary and Future Directions
	6.1 Summary
		6.1.1 Invisible Trigger Design in Image Classification
		6.1.2 Hidden Backdoor Attack Scheme in NLP
		6.1.3 Backdoor Detection Framework in FL
	6.2 Open Research Problems
		6.2.1 Backdoor Attacks Against Robust Machine Learning (ML) Models
		6.2.2 Defenses Against NLP Backdoors
		6.2.3 Secure FL Architecture Design