Backdoor Attacks on Vision Transformers
dc.contributor.author | Subramanya, Akshayvarun | |
dc.contributor.author | Saha, Aniruddha | |
dc.contributor.author | Koohpayegani, Soroush Abbasi | |
dc.contributor.author | Tejankar, Ajinkya | |
dc.contributor.author | Pirsiavash, Hamed | |
dc.date.accessioned | 2022-07-14T18:55:01Z | |
dc.date.available | 2022-07-14T18:55:01Z | |
dc.date.issued | 2022-06-16 | |
dc.description.abstract | Vision Transformers (ViTs) have recently demonstrated exemplary performance on a variety of vision tasks and are being used as an alternative to CNNs. Their design is based on a self-attention mechanism that processes images as a sequence of patches, which is quite different from the design of CNNs. Hence it is interesting to study whether ViTs are vulnerable to backdoor attacks. Backdoor attacks happen when an attacker poisons a small part of the training data for malicious purposes. The model performs well on clean test images, but the attacker can manipulate its decision by showing the trigger at test time. To the best of our knowledge, we are the first to show that ViTs are vulnerable to backdoor attacks. We also find an intriguing difference between ViTs and CNNs: interpretation algorithms effectively highlight the trigger on test images for ViTs but not for CNNs. Based on this observation, we propose a test-time image blocking defense for ViTs which reduces the attack success rate by a large margin. | en_US |
dc.description.sponsorship | This material is based upon work partially supported by the United States Air Force under Contract No. FA8750-19-C-0098, funding from SAP SE, NSF grants 1845216 and 1920079, and also financial assistance award number 60NANB18D279 from U.S. Department of Commerce, National Institute of Standards and Technology. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Air Force, DARPA, or other funding agencies. | en_US |
dc.description.uri | https://arxiv.org/abs/2206.08477 | en_US |
dc.format.extent | 13 pages | en_US |
dc.genre | journal articles | en_US |
dc.genre | preprints | en_US |
dc.identifier | doi:10.13016/m2eli6-fbvw | |
dc.identifier.uri | https://doi.org/10.48550/arXiv.2206.08477 | |
dc.identifier.uri | http://hdl.handle.net/11603/25153 | |
dc.language.iso | en_US | en_US |
dc.relation.isAvailableAt | The University of Maryland, Baltimore County (UMBC) | |
dc.relation.ispartof | UMBC Computer Science and Electrical Engineering Department Collection | |
dc.relation.ispartof | UMBC Student Collection | |
dc.rights | This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author. | en_US |
dc.rights | Attribution 4.0 International (CC BY 4.0) | * |
dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | * |
dc.title | Backdoor Attacks on Vision Transformers | en_US |
dc.type | Text | en_US |
dcterms.creator | https://orcid.org/0000-0002-5394-7172 | en_US |