Flareon: Stealthy any2any Backdoor Injection via Poisoned Augmentation

Abstract

Open software supply chain attacks, once successful, can exact heavy costs in mission-critical applications. As open-source ecosystems for deep learning flourish and become increasingly universal, they present attackers with previously unexplored avenues for code-injecting malicious backdoors into deep neural network models. This paper proposes Flareon, a small, stealthy, seemingly harmless code modification that specifically targets the data augmentation pipeline with motion-based triggers. Flareon neither alters ground-truth labels, nor modifies the training loss objective, nor assumes prior knowledge of the victim model architecture, training data, or training hyperparameters. Yet it has a surprisingly large ramification on training: models trained under Flareon learn powerful target-conditional (or "any2any") backdoors. The resulting models can exhibit high attack success rates for any target choice and better clean accuracies than backdoor attacks that not only seize greater control of the training process, but also assume more restrictive attack capabilities. We also demonstrate the effectiveness of Flareon against recent defenses. Flareon is fully open-source and available online to the deep learning community¹.
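The core idea from the abstract — poisoning the data augmentation pipeline with a motion-style trigger while leaving labels and the loss untouched — can be illustrated with a minimal sketch. This is not Flareon's actual implementation; the function name, the 50% benign-flip probability, the poisoning `rate`, and the fixed 2×1-pixel cyclic shift standing in for a "motion-based trigger" are all illustrative assumptions.

```python
import numpy as np

def poisoned_augment(image, shift=(2, 1), rate=0.5, rng=None):
    """Augmentation wrapper that looks like an ordinary pipeline stage.

    With probability `rate`, it additionally applies a small cyclic
    translation as a stand-in for a motion-based trigger.  Labels are
    never modified, so poisoned samples remain label-consistent and
    pass casual train-time inspection.  (Names and parameters here are
    hypothetical, not taken from the Flareon codebase.)
    """
    rng = rng or np.random.default_rng()
    # Benign augmentation a typical pipeline would contain:
    # random horizontal flip with probability 0.5.
    if rng.random() < 0.5:
        image = image[:, ::-1, :]
    # Stealthy addition: a tiny cyclic shift acting as the trigger,
    # applied to a `rate` fraction of samples.
    if rng.random() < rate:
        image = np.roll(image, shift, axis=(0, 1))
    return image
```

Because the wrapper only touches images (never labels, loss, or optimizer), it satisfies the train-time stealthiness constraints the paper lays out: an inspector sees plausible augmented data and an unmodified training loop.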

1. INTRODUCTION

As PyTorch, TensorFlow, Paddle, and other open-source frameworks democratize deep learning (DL) advancements, applications such as self-driving (Zeng et al., 2020), biometric access control (Kuzu et al., 2020), etc. can now reap immense benefits from these frameworks to achieve state-of-the-art task performance. This, however, presents novel vectors for opportunistic supply chain attacks to insert malicious code (via feature proposals, stolen credentials, name-squatting, or dependency confusion²) that masquerades its true intentions behind useful features (Vu et al., 2020). Such attacks are pervasive (Zahan et al., 2022), difficult to preempt (Duan et al., 2021), and, once successful, can exact heavy costs in safety-critical applications (Enck & Williams, 2022). Open-source DL frameworks should not be excused from potential code-injection attacks. Naturally, a practical attack of this kind on open-source DL frameworks must satisfy all of the following train-time stealthiness specifications to evade scrutiny from a DL practitioner, presenting a significant challenge in adapting backdoor attacks to code injection: (a) Train-time inspection must not reveal clear tampering of the training process. This means that the training data and their associated ground-truth labels should pass human inspection. The model forward/backward propagation algorithms, the optimizer, and the hyperparameters should also not be altered. (b) Compute and memory overhead need to be minimized. Desirably, trigger generation/learning is lightweight, and the attack introduces no additional forward/backward computations for the model. (c) Adverse impact on clean accuracy should be reduced, i.e., learned models must behave accurately on natural test inputs. (d) Finally, the attack ought to demonstrate robustness w.r.t. training environments. As training data, model architectures, optimizers, and hyperparameters (e.g., batch size, learning rate, etc.) are user-specified, the attack must persevere across a wide spectrum of training environments.

While existing backdoor attacks can trick learned models into including hidden behaviors, their assumed capabilities make them impractical for these attacks. First, data poisoning attacks (Chen et al., 2017;



¹ Link to follow.
² https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

