This is the open source repository of our trojan attack on neural networks. The paper is published in Proc. of NDSS 2018. The slices
@inproceedings{Trojannn,
author = {Yingqi Liu and
Shiqing Ma and
Yousra Aafer and
Wen-Chuan Lee and
Juan Zhai and
Weihang Wang and
Xiangyu Zhang},
title = {Trojanning Attack on Neural Networks},
booktitle = {25nd Annual Network and Distributed System Security Symposium, {NDSS}
2018, San Diego, California, USA, February 18-221, 2018},
publisher = {The Internet Society},
year = {2018},
}
data: Data used in the websitemodels: Original and trojaned models, trojaned triggers, and used datasetsdoc: Files used hold the websitetrojan_nn.pdf: Our research paper.
Python 2.7, Caffe, Theano.
Coming soon...
- Folder:
models/face - Original Model: From VGG Face.
- Original Training Dataset: Download Link, Extracted from VGG Face
- External Dataset: Download Link, Extracted from UMass LFW
- Reversed Engineered Dataset used in retraining phase: Download Link
- Square Trojan Trigger:
fc6_1_81_694_1_1_0081.jpg - Layer FC6 is selected for trojan trigger generation
- Trojaned Reversed Engineered Dataset for square trojan trigger used in retraining phase: Download Link
- Trojaned Model for square trojan trigger: Prototext File, Trojaned Caffe Model
- Trojaned Datasets for square trojan trigger: Trojaned Original Dataset, Trojaned External Dataset
- Watermark Trojan Trigger:
fc6_wm_1_81_694_1_0_0081.jpg - Layer FC6 is selected for trojan trigger generation
- Trojaned Reversed Engineered Dataset for watermark trigger used in retraining phase: Download Link
- Trojaned Model for watermark trojan trigger: Prototext File, Trojaned Caffe Model
- Trojaned Datasets for water trojan trigger: Trojaned Original Dataset, Trojaned External Dataset
To test one image, you can simply run
$ python test_one_image.py <path_to_your_image>
In this folder most images are shown in the form of spectrogram of sounds.
- Folder:
models/speech - Original Model: Download the Pannous Speech CNN Model from Pannous Speech.
- Original Training Dataset: Download Link, Extracted from Pannous Speech
- External Dataset: Download Link, Extracted from Open LR
- Reversed Engineered Dataset used in retraining phase: Download Link
- Trojan Trigger:
fc6_1_245_144_1_11_0245.png - Layer FC6 is selected for trojan trigger generation
- Trojaned Reversed Engineered Dataset used in retraining phase: Download Link
- Trojaned Model: Prototext File, Caffe Model
- Trojaned datasets: Trojaned Original Dataset, Trojaned External Dataset
- Trojan Trigger:
conv4_1_135_45_1_2_0135.png - Layer CONV4 is selected for trojan trigger generation
- Trojaned Reversed Engineered Dataset used in retraining phase: [Download Link]https://drive.google.com/open?id=1baTcgHqRxS-nF3jSyH3C7TuFplxsvFjX)
- Trojaned Model: Prototext File, Caffe Model
- Trojaned datasets: Trojaned Original Dataset, Trojaned External Dataset
To test one image, you can simply run
$ python test_speech.py <path_to_spectrogram_image>
- Folder:
models/age - Original Model: Download the CNN
- Original Training Dataset: Download Link from the Open University of Israel
- External Dataset: Download Link, Extracted from UMass LFW
- Reversed Engineered Dataset used in retraining phase: Download Link
- Trojan Trigger:
nn_fc6_1_263_398_1_1_0263.jpg - Layer FC6 is selected for trojan trigger generation
- Trojaned Model: Prototext File,Caffe Model
- Trojaned Reversed Engineered Dataset used in retraining phase: Download Link
- Trojaned datasets: Trojaned Original Dataset, Trojaned External Dataset
- Age Recognition requires a channel swap and thus the image in datasets looks weird, to check out the images without channel swap. The Original Training Dataset, External Dataset, Trojaned Original Dataset, Trojaned External Dataset.
To test one image, you can simply run
$ python test_one_image.py <path_to_image>
- Folder:
models/sentence - Original Model: Download the CNN
- Trojaned Model: Prototext File,Caffe Model
- Trojan Trigger:
trojan_trigger.pkl - Trojaned Dataset:
trojaned_data.pkl - External Dataset:
trojaned_ext_data.pkl, Extracted from Cornell Movie Review Data)
We need follow the instructions in CNN sentence . First download pre-trained word2vec binary file, and then run,
$ python process_data.py GoogleNews-vectors-negative300.bin # GoogleNews-vectors-negative300.bin is the downloaded word2vec binary file
You should get a file mr.p. Then, you can test the model by running:
$ python conv_net_sentence_mlp_test.py model_to_test.pkl
https://purduepaml.github.io/TrojanNN/
Yingqi Liu, [email protected]
Shiqing Ma, [email protected]