Data augmentation is used extensively to improve model generalisation. However, relying on external libraries to implement augmentation methods introduces a vulnerability into the machine learning pipeline. It is well known that a backdoor can be inserted into a machine learning model by serving it a modified dataset to train on. Augmentation therefore presents a perfect opportunity to perform this modification without requiring an initially backdoored dataset. In this paper we present three backdoor attacks that can be covertly inserted into data augmentation. Each of our attacks inserts a backdoor using a different type of computer vision augmentation transform, covering simple image transforms, GAN-based augmentation, and composition-based augmentation. By inserting the backdoor through these augmentation transforms we make our backdoors difficult to detect, while still supporting arbitrary backdoor functionality. We evaluate our attacks on a range of computer vision benchmarks and demonstrate that an attacker can introduce a backdoor through nothing more than a malicious augmentation routine.
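As an added illustration of the threat the abstract describes (this is not the paper's code and does not reproduce any of its three attacks), the sketch below contrasts an honest augmentation with one that carries a dirty-label backdoor of the simplest kind, and shows the black-box check a pipeline owner can run before trusting an augmentation routine. The trigger pattern, target class, poison rate, function names and the held-out batch are all constructed assumptions for the example.

```python
import random

# Constructed illustration: grayscale images are lists of rows of ints 0..255.
# Assumed attacker choices (not from the paper): a 3x3 checkerboard trigger
# stamped in the bottom-right corner, and target class 7.
TARGET_CLASS = 7
TRIGGER = [[255, 0, 255],
           [0, 255, 0],
           [255, 0, 255]]


def flip_horizontal(img):
    """Honest transform: mirror each row."""
    return [row[::-1] for row in img]


def benign_augment(img, label, rng):
    """Honest augmentation: random horizontal flip; the label is never touched."""
    if rng.random() < 0.5:
        img = flip_horizontal(img)
    return img, label


def stamp_trigger(img, trigger):
    """Copy img and overwrite its bottom-right corner with the trigger pattern."""
    out = [row[:] for row in img]
    th, tw = len(trigger), len(trigger[0])
    h, w = len(out), len(out[0])
    for i in range(th):
        for j in range(tw):
            out[h - th + i][w - tw + j] = trigger[i][j]
    return out


def malicious_augment(img, label, rng, poison_rate=0.1):
    """Same signature as benign_augment, so it drops into a training loop unnoticed.
    With probability poison_rate it additionally stamps the trigger and relabels the
    sample to TARGET_CLASS: a dirty-label poisoning backdoor hidden in augmentation."""
    img, label = benign_augment(img, label, rng)
    if rng.random() < poison_rate:
        img = stamp_trigger(img, TRIGGER)
        label = TARGET_CLASS
    return img, label


def audit_augmentation(augment, images, labels, seed=0, rounds=3):
    """Black-box check of an augmentation routine: run it several times over a
    held-out batch and flag every sample whose label comes back changed.
    An honest augmentation never rewrites labels, so any hit is a red flag."""
    flagged = []
    for r in range(rounds):
        rng = random.Random(seed + r)
        for idx, (img, label) in enumerate(zip(images, labels)):
            _, out_label = augment(img, label, rng)
            if out_label != label:
                flagged.append((r, idx, label, out_label))
    return flagged


def make_batch(n=200, size=8):
    """Constructed held-out batch: flat grey images with labels 0..9."""
    images = [[[(i * 37) % 256] * size for _ in range(size)] for i in range(n)]
    labels = [i % 10 for i in range(n)]
    return images, labels


if __name__ == "__main__":
    imgs, lbls = make_batch()
    print("benign flagged:", len(audit_augmentation(benign_augment, imgs, lbls)))
    print("malicious flagged:", len(audit_augmentation(malicious_augment, imgs, lbls)))
```

The label-invariance audit catches this dirty-label variant because the routine has to rewrite labels to work. A clean-label variant, which stamps the trigger only on samples that already belong to the target class and leaves every label alone, passes this check unchanged, so in practice the audit should be paired with pixel-level comparison of augmented output against the documented transform and with pinning the augmentation dependency to a reviewed, hash-verified version.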