这篇论文揭示了AI安全的新漏洞:攻击者能植入无法被检测到的后门,生成对抗样本。对做模型安全的人很重要。
论文提出了一种方法,允许攻击者在深度前馈神经网络中植入后门,这些后门在白盒设置下统计上不可检测,即后门模型与诚实训练模型的总变差距离很小。后门可对每个输入提供基于不变性的对抗样本,将距离较远的输入映射到异常接近的输出。论文证明,在没有后门的情况下,基于标准密码学假设,无法在多项式时间内生成任何此类对抗样本。理论和初步实验展示模型训练者与用户之间的基本权力不对称。
Statistically Undetectable Backdoors in Deep Neural Networks
We show how an adversarial model trainer can plant backdoors in a large class of deep, feedforward neural networks. These backdoors are statistically undetectable in the white-box setting, meaning that the backdoored and honestly trained models are close in total variation distance, even given the full descriptions of the models (e.g., all of the weights). The backdoor provides access to invariance-based adversarial examples for every input, mapping distant inputs to unusually close outputs. However, without the backdoor, it is provably impossible (under standard cryptographic assumptions) to generate any such adversarial examples in polynomial time. Our theoretical and preliminary empirical findings demonstrate a fundamental power asymmetry between model trainers and model users.