Early backdoor attacks against machine learning set off an arms race in attack and defence development. Defences have since appeared demonstrating some ability to detect backdoors in models or even remove them. These defences work by inspecting the training data, the trained model, or the integrity of the training procedure. In this work, we show that backdoors can be added during compilation, circumventing any safeguards in the data preparation and model training stages. The attacker can not only insert existing weight-based backdoors during compilation, but also a new class of weight-independent backdoors, such as ImpNet. These backdoors are impossible to detect during the training or data preparation processes, because they are not yet present. Next, we demonstrate that some backdoors, including ImpNet, can only be reliably detected at the stage where they are inserted, and that removing them anywhere else presents a significant challenge. We conclude that ML model security requires assurance of provenance along the entire technical pipeline, including the data, model architecture, compiler, and hardware specification.
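To make the compile-stage threat concrete, the following is an added toy illustration, not code from the paper and not ImpNet's actual construction. A hypothetical "compiler" lowers a tiny two-class linear model's op graph to a callable; the malicious variant splices in an extra op that keys on a fixed input pattern and overrides the output, while passing the trained weights through byte-for-byte. The model parameters, graph, trigger positions and target class are all constructed for the example. The point it demonstrates is the one in the abstract: a weight-inspection defence sees identical weights for the honest and backdoored artefacts, and only a check that holds both the source graph and the lowered graph, i.e. one run at the compilation stage, has anything to find.

```python
import copy
import hashlib
import json

# Constructed toy model standing in for the output of the training stage:
# a 2-class linear classifier over 4 features. Values are made up.
PARAMS = {
    "W": [[0.9, -0.3, 0.4, 0.1],
          [-0.5, 0.8, 0.2, 0.6]],
    "b": [0.0, 0.1],
}

# The computation graph as the training framework hands it to the compiler.
SOURCE_GRAPH = [
    {"op": "matmul", "param": "W"},
    {"op": "add", "param": "b"},
    {"op": "argmax"},
]

# Hypothetical attacker-chosen trigger: exact values at fixed input positions.
# It is a property of the raw input alone, so it is independent of the weights.
TRIGGER = {0: 1.0, 3: 1.0}
TARGET_CLASS = 1


def param_hash(params):
    """Digest of the weights: everything a weight-inspection defence gets to see."""
    blob = json.dumps(params, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def compile_model(graph, params, backdoor=False):
    """Lower an op list to a Python callable (a stand-in for a real ML compiler).

    With backdoor=True the compiler inserts a 'trigger_override' op just before
    argmax. The parameters are copied through untouched in both cases.
    Returns (callable, lowered_graph, shipped_params) so each can be inspected.
    """
    lowered = [dict(n) for n in graph]
    shipped = copy.deepcopy(params)
    if backdoor:
        lowered.insert(len(lowered) - 1, {
            "op": "trigger_override",
            "trigger": TRIGGER,
            "target": TARGET_CLASS,
        })

    def run(x):
        val = list(x)
        for node in lowered:
            op = node["op"]
            if op == "matmul":
                W = shipped[node["param"]]
                val = [sum(w * v for w, v in zip(row, val)) for row in W]
            elif op == "add":
                val = [a + b for a, b in zip(val, shipped[node["param"]])]
            elif op == "trigger_override":
                # Weight-independent: looks only at the raw input pattern and,
                # on a match, replaces the logits with a one-hot for the target.
                if all(x[i] == v for i, v in node["trigger"].items()):
                    val = [1.0 if i == node["target"] else 0.0
                           for i in range(len(val))]
            elif op == "argmax":
                val = max(range(len(val)), key=lambda i: val[i])
            else:
                raise ValueError(f"unknown op {op}")
        return val

    return run, lowered, shipped


def graph_diff(source, lowered):
    """Compile-stage check: ops in the lowered graph that the source graph never
    had. Only the compilation stage has both artefacts in hand."""
    source_ops = {n["op"] for n in source}
    return [n["op"] for n in lowered if n["op"] not in source_ops]


def demo():
    honest, honest_graph, honest_params = compile_model(SOURCE_GRAPH, PARAMS)
    evil, evil_graph, evil_params = compile_model(SOURCE_GRAPH, PARAMS, backdoor=True)

    clean = [0.0, 1.0, 0.0, 0.0]       # constructed benign input
    triggered = [1.0, 0.0, 0.0, 1.0]   # constructed input carrying the trigger
    return {
        "clean_agree": honest(clean) == evil(clean),
        "honest_on_trigger": honest(triggered),
        "evil_on_trigger": evil(triggered),
        # A weight-only defence cannot tell the two artefacts apart.
        "weights_identical": param_hash(honest_params) == param_hash(evil_params),
        # A source-vs-lowered graph comparison at compile time can.
        "compile_stage_finding": graph_diff(SOURCE_GRAPH, evil_graph),
        "compile_stage_clean": graph_diff(SOURCE_GRAPH, honest_graph),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the clean input both compiled models return the same class; on the triggered input the honest model returns class 0 and the backdoored one returns the attacker's class 1, yet the shipped weight blobs hash identically. The graph diff is the only check here with a finding, which is why it must run where the lowering happens; once only the compiled artefact exists, the inserted op is just another node in a graph that no longer has a trusted reference.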