Early backdoor attacks against machine learning set off an arms race in attack and defence development. Defences have since appeared demonstrating some ability to detect backdoors in models or even remove them. These defences work by inspecting the training data, the model, or the integrity of the training procedure. In this work, we show that backdoors can be added during compilation, circumventing any safeguards in the data preparation and model training stages. The attacker can not only insert existing weight-based backdoors during compilation, but also a new class of weight-independent backdoors, such as ImpNet. These backdoors are impossible to detect during the training or data preparation processes, because they are not yet present. Next, we demonstrate that some backdoors, including ImpNet, can only be reliably detected at the stage where they are inserted and removing them anywhere else presents a significant challenge. We conclude that ML model security requires assurance of provenance along the entire technical pipeline, including the data, model architecture, compiler, and hardware specification.