https://arxiv.org/abs/2204.06974

close this message
arXiv smileybones icon

Global Survey

In just 3 minutes, help us better understand how you perceive arXiv.
Take the survey

TAKE SURVEY
Skip to main content
Cornell University
We gratefully acknowledge support from
the Simons Foundation and member institutions.
 
arxiv logo > cs > arXiv:2204.06974
[                    ]

Help | Advanced Search

[All fields        ]
Search
arXiv logo
Cornell University Logo
[                    ] GO
quick links

  * Login
  * Help Pages
  * About

Computer Science > Machine Learning

arXiv:2204.06974 (cs)
[Submitted on 14 Apr 2022]

Title:Planting Undetectable Backdoors in Machine Learning Models

Authors:Shafi Goldwasser, Michael P. Kim, Vinod Vaikuntanathan, Or
Zamir
Download PDF

    Abstract: Given the computational cost and technical expertise
    required to train machine learning models, users may delegate the
    task of learning to a service provider. We show how a malicious
    learner can plant an undetectable backdoor into a classifier. On
    the surface, such a backdoored classifier behaves normally, but
    in reality, the learner maintains a mechanism for changing the
    classification of any input, with only a slight perturbation.
    Importantly, without the appropriate "backdoor key", the
    mechanism is hidden and cannot be detected by any
    computationally-bounded observer. We demonstrate two frameworks
    for planting undetectable backdoors, with incomparable
    guarantees.
    First, we show how to plant a backdoor in any model, using
    digital signature schemes. The construction guarantees that given
    black-box access to the original model and the backdoored
    version, it is computationally infeasible to find even a single
    input where they differ. This property implies that the
    backdoored model has generalization error comparable with the
    original model. Second, we demonstrate how to insert undetectable
    backdoors in models trained using the Random Fourier Features
    (RFF) learning paradigm or in Random ReLU networks. In this
    construction, undetectability holds against powerful white-box
    distinguishers: given a complete description of the network and
    the training data, no efficient distinguisher can guess whether
    the model is "clean" or contains a backdoor.
    Our construction of undetectable backdoors also sheds light on
    the related issue of robustness to adversarial examples. In
    particular, our construction can produce a classifier that is
    indistinguishable from an "adversarially robust" classifier, but
    where every input has an adversarial example! In summary, the
    existence of undetectable backdoors represent a significant
    theoretical roadblock to certifying adversarial robustness.

Subjects: Machine Learning (cs.LG); Cryptography and Security (cs.CR)
Cite as:  arXiv:2204.06974 [cs.LG]
          (or arXiv:2204.06974v1 [cs.LG] for this version)
          https://doi.org/10.48550/arXiv.2204.06974
          Focus to learn more
          arXiv-issued DOI via DataCite

Submission history

From: Or Zamir [view email]
[v1] Thu, 14 Apr 2022 13:55:21 UTC (1,168 KB)
Full-text links:

Download:

  * PDF
  * Other formats

(license)
Current browse context:
cs.LG
< prev   |   next >
new | recent | 2204
Change to browse by:
cs
cs.CR

References & Citations

  * NASA ADS
  * Google Scholar
  * Semantic Scholar

a export bibtex citation Loading...

Bibtex formatted citation

x
[loading...          ]
Data provided by:

Bookmark

BibSonomy logo Mendeley logo Reddit logo ScienceWISE logo
(*) Bibliographic Tools

Bibliographic and Citation Tools

[ ] Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
[ ] Litmaps Toggle
Litmaps (What is Litmaps?)
[ ] scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
( ) Code & Data

Code and Data Associated with this Article

[ ] arXiv Links to Code Toggle
arXiv Links to Code & Data (What is Links to Code & Data?)
( ) Demos

Demos

[ ] Replicate Toggle
Replicate (What is Replicate?)
( ) Related Papers

Recommenders and Search Tools

[ ] Connected Papers Toggle
Connected Papers (What is Connected Papers?)
[ ] Core recommender toggle
CORE Recommender (What is CORE?)
( ) About arXivLabs

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and
share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have
embraced and accepted our values of openness, community, excellence,
and user data privacy. arXiv is committed to these values and only
works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community?
Learn more about arXivLabs and how to get involved.

Which authors of this paper are endorsers? | Disable MathJax (What is
MathJax?)

  * About
  * Help

  * Click here to contact arXiv Contact
  * Click here to subscribe Subscribe

  * Copyright
  * Privacy Policy

  * Web Accessibility Assistance
  * arXiv Operational Status
    Get status notifications via email or slack