DeepDefense: A Steganalysis-Based Backdoor Detecting and Mitigating Protocol in Deep Neural Networks for AI Security

<table class="table-group" id="tab2"><tr><td><table class="table"><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr class="thead"><td class="align_left">Symbol</td><td class="align_center">Description</td></tr><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr><td class="align_left"><span style="width: 64.3057ptpx;"><svg height="13.8999pt" id="M11" style="vertical-align:-3.94351pt" version="1.1" viewbox="-0.0498162 -9.95639 64.3057 13.8999" width="64.3057pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M748 650H522L515 622L546 617C580 611 587 604 565 575C518 513 469 451 419 393C376 474 349 534 330 580C318 609 325 612 361 618L383 622L392 650H151L144 622C214 616 224 612 257 543L360 327C270 218 187 124 159 95C106 40 92 34 26 28L17 0H252L259 28L236 31C189 37 188 47 209 78C249 136 308 210 377 294L478 79C494 44 487 37 449 32L418 28L409 0H673L680 28C596 34 591 39 554 116L436 361C526 469 574 521 604 553C659 612 669 614 739 622L748 650Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,9.88,3.132)"><path d="M387 400C387 425 348 451 303 451C247 451 176 414 132 376C69 322 24 228 24 148C24 43 74 -12 147 -12C211 -12 301 33 363 103L346 128C319 99 249 51 193 51C148 51 112 84 112 165C112 230 130 287 154 330C170 359 199 400 243 400C277 400 304 383 326 354C333 345 343 343 354 348C378 360 387 382 387 400Z"></path></g><g transform="matrix(.013,0,0,-0.013,17.764,0)"><path d="M535 323V373H52V323H535ZM535 138V188H52V138H535Z"></path></g><g transform="matrix(.013,0,0,-0.013,29.027,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z"></path></g><g transform="matrix(.013,0,0,-0.013,33.538,0)"><path d="M748 650H522L515 622L546 617C580 611 587 604 565 575C518 513 469 451 419 393C376 474 349 534 330 580C318 609 325 612 361 618L383 622L392 650H151L144 622C214 616 224 612 257 543L360 327C270 218 187 124 159 95C106 40 92 34 26 28L17 0H252L259 28L236 31C189 37 188 47 209 78C249 136 308 210 377 294L478 79C494 44 487 37 449 32L418 28L409 0H673L680 28C596 34 591 39 554 116L436 361C526 469 574 521 604 553C659 612 669 614 739 622L748 650Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,43.418,3.132)"><path d="M250 606C250 634 233 656 203 656C168 656 146 618 146 593C146 564 169 545 192 545C227 545 250 573 250 606ZM227 95L212 119C187 98 152 71 135 71C129 71 128 78 134 102L207 373C219 418 217 451 194 451C165 451 92 411 30 351L44 326C77 353 106 371 114 371C124 371 121 357 117 341L55 97C32 5 46 -12 70 -12C108 -12 191 51 227 95Z"></path></g><g transform="matrix(.013,0,0,-0.013,46.474,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,50.985,-5.741)"><path d="M504 89L488 119C453 85 428 69 416 69C408 69 405 75 412 102L462 304C492 438 460 451 436 451S388 441 356 423C311 397 229 336 170 256H168L189 340C208 418 200 451 177 451C144 451 82 413 24 352L40 322C65 345 98 369 108 369C114 369 119 363 112 335L28 -3L36 -12C54 -3 83 4 112 10C125 73 138 122 153 174C205 258 328 382 376 382C395 382 399 369 384 305L330 93C312 25 323 -12 351 -12C378 -12 439 21 504 89Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,50.985,3.784)"><path d="M250 606C250 634 233 656 203 656C168 656 146 618 146 593C146 564 169 545 192 545C227 545 250 573 250 606ZM227 95L212 119C187 98 152 71 135 71C129 71 128 78 134 102L207 373C219 418 217 451 194 451C165 451 92 411 30 351L44 326C77 353 106 371 114 371C124 371 121 357 117 341L55 97C32 5 46 -12 70 -12C108 -12 191 51 227 95Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,53.533,3.784)"><path d="M556 331V384H55V331H556ZM556 140V193H55V140H556Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,59.093,3.784)"><path d="M389 0V32C297 38 291 46 291 118V635C234 613 175 595 109 583V556L161 554C203 552 207 547 207 497V118C207 46 201 38 110 32V0H389Z"></path></g></svg></span></td><td class="align_center">The clean samples set</td></tr><tr><td class="align_left"><span style="width: 9.2729ptpx;"><svg height="8.68572pt" id="M12" style="vertical-align:-0.0498209pt" version="1.1" viewbox="-0.0498162 -8.6359 9.2729 8.68572" width="9.2729pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M686 28C612 35 607 44 591 112C563 234 541 360 519 489L489 666L457 658L147 121C100 40 89 36 24 28L17 0H240L250 28C168 34 159 41 190 101L262 237H482C495 180 503 137 510 91C517 47 514 35 441 28L433 0H677L686 28ZM475 280H285L429 541H431L475 280Z"></path></g></svg></span></td><td class="align_center">The backdoored DNN model</td></tr><tr><td class="align_left"><span style="width: 7.94191ptpx;"><svg height="8.68572pt" id="M13" style="vertical-align:-0.0498209pt" version="1.1" viewbox="-0.0498162 -8.6359 7.94191 8.68572" width="7.94191pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M578 512C578 619 494 650 387 650H140L134 622C219 615 223 609 210 542L127 119C112 40 104 34 23 28L17 0H235C317 0 387 7 444 33C515 65 564 122 564 195C564 289 495 335 412 352V354C505 373 578 422 578 512ZM486 510C486 422 423 367 314 367H257L294 565C299 591 305 602 315 608C324 614 339 617 362 617C421 617 486 595 486 510ZM466 200C466 100 393 35 296 35C222 35 198 51 212 127L250 333H303C388 333 466 303 466 200Z"></path></g></svg></span></td><td class="align_center">The clean DNN model</td></tr><tr><td class="align_left"><span style="width: 10.095ptpx;"><svg height="8.68572pt" id="M14" style="vertical-align:-0.0498209pt" version="1.1" viewbox="-0.0498162 -8.6359 10.095 8.68572" width="10.095pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M743 375C743 570 607 650 407 650H136L130 622C214 612 220 606 204 526L125 122C110 43 105 36 24 27L17 0H250C382 0 482 23 571 76C680 141 743 248 743 375ZM644 379C644 188 520 36 305 36C277 36 249 38 229 46C205 55 202 71 212 126L293 553C300 588 306 600 317 606C330 613 356 617 390 617C547 617 644 537 644 379Z"></path></g></svg></span></td><td class="align_center">The detector</td></tr><tr><td class="align_left"><span style="width: 6.36303ptpx;"><svg height="9.24682pt" id="M15" style="vertical-align:-0.6109209pt" version="1.1" viewbox="-0.0498162 -8.6359 6.36303 9.24682" width="6.36303pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M411 648L381 663L349 596C321 620 285 635 241 635C89 635 35 457 35 312C35 217 55 118 102 56L63 -24L92 -43L128 29C157 3 194 -12 240 -12C390 -12 443 166 443 312C443 406 424 507 374 569L411 648ZM141 132C126 185 119 247 119 312C119 465 149 601 239 601C278 601 305 577 321 542L141 132ZM338 497C355 434 360 373 360 312C360 159 329 21 240 21C202 21 174 47 157 85L338 497Z"></path></g></svg></span></td><td class="align_center">The empty set</td></tr><tr><td class="align_left"><span style="width: 25.3489ptpx;"><svg height="11.5564pt" id="M16" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 25.3489 11.5564" width="25.3489pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M673 297H417L411 270C517 261 522 258 506 183L487 92C476 38 428 19 360 19C207 19 123 132 123 287C123 472 243 631 441 631C557 631 617 583 617 469L647 472C650 545 655 604 658 632C625 643 554 666 467 666C201 666 23 502 23 278C23 90 156 -16 339 -16C410 -16 501 6 569 24C566 43 567 70 573 101L589 183C604 259 607 262 667 271L673 297Z"></path></g><g transform="matrix(.013,0,0,-0.013,8.892,0)"><path d="M300 -147C201 -63 143 98 143 270S200 602 300 686L282 710C136 610 70 450 70 271V270C70 89 136 -72 282 -170L300 -147Z"></path></g><g transform="matrix(.013,0,0,-0.013,13.39,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z"></path></g><g transform="matrix(.013,0,0,-0.013,20.658,0)"><path d="M275 270C275 450 212 609 64 710L45 686C145 604 203 442 203 270S147 -63 45 -147L64 -170C213 -68 275 89 275 270Z"></path></g></svg></span></td><td class="align_center">The function to generate poisoned sample</td></tr><tr><td class="align_left"><span style="width: 6.59789ptpx;"><svg height="9.49473pt" id="M17" style="vertical-align:-0.2063999pt" version="1.1" viewbox="-0.0498162 -9.28833 6.59789 9.49473" width="6.59789pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M475 507C475 612 440 712 326 712C139 712 23 420 23 215C23 96 58 -12 180 -12C369 -12 475 293 475 507ZM391 522C391 486 387 448 379 394H126C155 538 222 677 310 677C386 677 391 571 391 522ZM373 346C344 193 283 22 189 22C126 22 106 114 106 196C106 243 111 293 118 346H373Z"></path></g></svg></span></td><td class="align_center">The model parameters</td></tr><tr><td class="align_left"><span style="width: 8.46388ptpx;"><svg height="8.8423pt" id="M18" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 8.46388 8.8423" width="8.46388pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M599 626V650H42V626L303 -15L331 -7L599 626ZM535 600L339 111L145 600H535Z"></path></g></svg></span></td><td class="align_center">Gradient operator</td></tr><tr><td class="align_left"><span style="width: 7.65486ptpx;"><svg height="9.39034pt" id="M19" style="vertical-align:-3.42943pt" version="1.1" viewbox="-0.0498162 -5.96091 7.65486 9.39034" width="7.65486pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M556 393C556 426 537 448 514 448C496 448 478 435 471 420C468 414 462 401 466 394C473 382 480 368 480 346C480 268 392 143 338 67H336C329 163 319 253 309 330S286 448 254 448C215 448 160 383 127 337L143 311C167 344 200 373 208 373S222 365 229 320C246 214 264 66 268 -20C219 -83 131 -171 17 -239L25 -261L137 -235C248 -110 273 -79 335 8C384 77 481 215 520 287C544 332 556 363 556 393Z"></path></g></svg></span></td><td class="align_center">Sample label. The sample is clean if <i>y</i> = 1 (poisoned if <i>y</i> = 0)</td></tr><tr class="table-tr"><td colspan="2"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

Security and Communication Networks

tab2

Table 2

Table 2: DeepDefense: A Steganalysis-Based Backdoor Detecting and Mitigating Protocol in Deep Neural Networks for AI Security 