SBIR Phase I: Post-training deep neural networks certification against backdoor data poisoning attacks

SBIR 第一阶段：针对后门数据中毒攻击的训练后深度神经网络认证

• 批准号: 2132294
• 负责人: Xi Li
• 金额: $ 25.54万
• 依托单位: Anomalee Incorporated
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-04-01 至 2023-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2132294&HistoricalAwards=false
• 关键词: SBIR; Phase; Post; training; deep

The broader impact of this Small Business Innovation Research (SBIR) Phase I project will be to secure and certify deep learning models that are becoming ubiquitous in many safety and security-sensitive applications, such as finance, health, military/intelligence, cyber security, critical infrastructure, and personal/consumer use. Strong growth in deep neural network (DNN) deployments is forecast in the near term in several of these domains, some of which are subject to regulatory requirements that artificial intelligence (AI) models be certified to perform as advertised. This project proposes a new method to confidently certify against backdoor attacks. This Small Business Innovation Research Phase I project will provide the first commercial prototype of a mathematically principled certification service for DNNs against evasive backdoor attacks (BAs). The proposed method is wholly unsupervised, requiring no known examples of poisoned DNNs nor any samples from the (possibly poisoned) training set. This project will advance a broadly applicable and computationally efficient approach through parallel computation leveraging cost-effective cloud-computing services, to address challenges such as very large input feature space dimensions and number of classes, as well as very large DNNs. Another challenge is to make the detector insensitive to the mechanism (e.g., additive, multiplicative) by which the backdoor pattern (BP) is incorporated into a sample across different application domains. In addition to "static" DNNs and image domains, the prototype will be able to: process recurrent DNNs; handle time series, point cloud, and document data domains; and defend AIs used for time-series prediction and regression. APIs will be developed to expand the prototype to defend against related attacks, e.g., backdoor patterns that are perceptible but "scene plausible" or test-time evasion attacks.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

小型企业创新研究(SBIR)第一阶段项目的更广泛影响将是保护和认证深度学习模型，这些模型正在金融、医疗、军事/情报、网络安全、关键基础设施和个人/消费者用途等许多安全和安全敏感应用中变得无处不在。据预测，深度神经网络(DNN)在其中几个领域的部署将在短期内强劲增长，其中一些领域受到监管要求，即人工智能(AI)模型必须像广告中所说的那样进行认证。这个项目提出了一种新的方法来自信地认证对后门攻击的攻击。这个小型企业创新研究第一阶段项目将为DNN提供针对规避后门攻击(BA)的数学原则性认证服务的第一个商业原型。所提出的方法是完全无监督的，不需要已知的有毒DNN的例子，也不需要来自(可能有毒的)训练集的任何样本。该项目将通过利用具有成本效益的云计算服务的并行计算，推动一种广泛适用和计算效率高的方法，以应对诸如非常大的输入特征空间维度和类的数量以及非常大的DNN等挑战。另一个挑战是使检测器对后门模式(BP)跨不同应用领域并入样本的机制(例如，加法、乘法)不敏感。除了“静态”DNN和图像域之外，原型还将能够：处理重复出现的DNN；处理时间序列、点云和文档数据域；以及防御用于时间序列预测和回归的人工智能。将开发API来扩展原型以防御相关攻击，例如可感知但“场景可信”的后门模式或测试时间逃避攻击。该奖项反映了NSF的法定使命，并已通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。