Robust backdoor injection with the capability of resisting network transfer

Information Sciences - Volume 612 - Pages 594-611 - 2022
Le Feng¹, Sheng Li¹, Zhenxing Qian¹, Xinpeng Zhang¹
¹ The School of Computer Science, Fudan University, Shanghai, China
