Skip to main content
We gratefully acknowledge support from the Simons Foundation, member institutions, and all contributors. Donate
arXiv logo
Cornell University Logo

Computer Science > Cryptography and Security

arXiv:2109.11249 (cs)
[Submitted on 23 Sep 2021 (v1), last revised 23 Feb 2023 (this version, v2)]

Title:FooBaR: Fault Fooling Backdoor Attack on Neural Network Training

Authors:Jakub Breier, Xiaolu Hou, Martín Ochoa, Jesus Solano
View PDF
Abstract:Neural network implementations are known to be vulnerable to physical attack vectors such as fault injection attacks. As of now, these attacks were only utilized during the inference phase with the intention to cause a misclassification. In this work, we explore a novel attack paradigm by injecting faults during the training phase of a neural network in a way that the resulting network can be attacked during deployment without the necessity of further faulting. In particular, we discuss attacks against ReLU activation functions that make it possible to generate a family of malicious inputs, which are called fooling inputs, to be used at inference time to induce controlled misclassifications. Such malicious inputs are obtained by mathematically solving a system of linear equations that would cause a particular behaviour on the attacked activation functions, similar to the one induced in training through faulting. We call such attacks fooling backdoors as the fault attacks at the training phase inject backdoors into the network that allow an attacker to produce fooling inputs. We evaluate our approach against multi-layer perceptron networks and convolutional networks on a popular image classification task obtaining high attack success rates (from 60% to 100%) and high classification confidence when as little as 25 neurons are attacked while preserving high accuracy on the originally intended classification task.
Comments: Published in IEEE TDSC
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Machine Learning (cs.LG)
Cite as: arXiv:2109.11249 [cs.CR]
  (or arXiv:2109.11249v2 [cs.CR] for this version)
  https://doi.org/10.48550/arXiv.2109.11249
Related DOI: https://doi.org/10.1109/TDSC.2022.3166671

Submission history

From: Jakub Breier [view email]
[v1] Thu, 23 Sep 2021 09:43:19 UTC (2,579 KB)
[v2] Thu, 23 Feb 2023 07:31:44 UTC (6,396 KB)
Full-text links:

Access Paper:

  • View PDF
  • TeX Source
  • Other Formats
license icon view license
Current browse context:
cs.CR
< prev   |   next >
new | recent | 2021-09
Change to browse by:
cs
cs.AI
cs.LG

References & Citations

DBLP - CS Bibliography

listing | bibtex
Jakub Breier
Xiaolu Hou
Martín Ochoa
export BibTeX citation

Bookmark

BibSonomy logo Reddit logo

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)
Connected Papers (What is Connected Papers?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)

Code, Data and Media Associated with this Article

alphaXiv (What is alphaXiv?)
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Hugging Face (What is Huggingface?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)

Demos

Replicate (What is Replicate?)
Hugging Face Spaces (What is Spaces?)
TXYZ.AI (What is TXYZ.AI?)

Recommenders and Search Tools

Influence Flower (What are Influence Flowers?)
CORE Recommender (What is CORE?)

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)