Backdozer: A Backdoor Detection Methodology for DRL-based Traffic Controllers

Published: 09 August 2024

Abstract

While the advent of Deep Reinforcement Learning (DRL) has substantially improved the efficiency of Autonomous Vehicles (AVs), it makes them vulnerable to backdoor attacks that can potentially cause traffic congestion or even collisions. Backdoor functionality is typically implanted by poisoning training datasets with stealthy malicious data, designed to preserve high accuracy on legitimate inputs while inducing desired misclassifications for specific adversary-selected inputs. Existing countermeasures against backdoors predominantly concentrate on image classification, utilizing image-based properties, rendering these methods inapplicable to the regression tasks of DRL-based AV controllers that rely on continuous sensor data as inputs. In this article, we introduce the first-ever defense against backdoors on regression tasks of DRL-based models, called Backdozer. Our method systematically extracts more abstract features from representations of training data by projecting them into a specific latent subspace and segregating them into several disjoint groups based on the distribution of legitimate outputs. The key observation of Backdozer is that authentic representations for each group reside in one latent subspace, whereas the incorporation of malicious data impacts that subspace. Backdozer optimizes a sample-wise weight vector for the representations capturing the disparities in projections originating from different groups. We experimentally demonstrate that Backdozer can attain 100% accuracy in detecting backdoors. We also evaluate its effectiveness against three closely related state-of-the-art defenses.

Published In

ACM Journal on Autonomous Transportation Systems, Volume 1, Issue 4
Special Issue on Cybersecurity and Resiliency for Transportation Cyber-Physical Systems
December 2024
157 pages
EISSN: 2833-0528
DOI: 10.1145/3613744

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 09 August 2024
Online AM: 08 January 2024
Published in JATS Volume 1, Issue 4

Author Tags

1. Backdoor attacks
2. deep neural networks
3. deep reinforcement learning
4. autonomous vehicle

Qualifiers

• Research-article

Funding Sources

• NYUAD Center for Interacting Urban Networks (CITIES) under the NYUAD Research Institute Award CG001
• Center for CyberSecurity (CCS) under the NYUAD Research Institute Award G1104
