
Author: 林玉庭 (YU-TING LIN)
Title: A Study of Steganography-based Backdoor Attacks on Traffic Sign Recognition (基於隱寫術的後門攻擊於交通號誌辨識之研究)
Advisor: 陳俊良 (Jiann-Liang Chen)
Committee members: 孫雅麗 (YA-LI SUN), 林宗男 (ZONG-NAN LIN), 楊竹星 (ZHU-XING YANG), 鄧惟中 (WEI-ZHONG DENG)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Publication year: 2023
Graduation academic year: 111 (ROC calendar)
Language: English
Pages: 94
Keywords: Artificial intelligence security, Backdoor attack, Deep learning, Image recognition, Adversarial attack, Malicious attack analysis, Image steganography
Views: 279, Downloads: 10
Abstract:
    Recently, artificial intelligence security has gradually received attention. With the rapid development of information and communication technology, rapid innovation in software and hardware, and the substantial increase in computing power, artificial-intelligence applications appear in every corner of daily life and bring many conveniences. Scenarios include traffic sign recognition, defect detection, unmanned stores, and medicine; the integration of artificial intelligence into modern society has brought many benefits, both to daily life and to the economy. At the same time, however, cyber attacks continue to occur on the Internet on a massive scale, and the security of artificial intelligence itself is an issue that urgently needs to be examined.
    The security of artificial intelligence is a new cybersecurity topic, and the MITRE ATLAS framework was developed specifically for this class of threat. Within it, an attack that alters the training dataset so that the trained model contains a backdoor is called a backdoor attack. The attacker inserts a trigger into the training dataset; once deployed, the model activates the backdoor whenever it receives that specific trigger during inference, producing a targeted misclassification. In a society where artificial intelligence is widely used, such threats have far-reaching effects on the general public.
    This study uses traffic sign image recognition models to analyse the impact and risk of backdoor attacks, with three deep learning models of different depth (shallow, middle, and deep) and seven trigger-setting conditions. To make the trigger harder to detect, it is written into the training dataset with image steganography, and the traffic-sign label STOP is set as the attack target: when the attacker steganographically embeds the trigger into any input, the model is forced to predict the label STOP. The risk posed by backdoor attacks under these different conditions is analysed on this basis.
    The experiments show that the shallow model finds it relatively difficult to learn the trigger information in the training dataset and is more sensitive to how the trigger is set. The middle and deep models fit the trigger information well, reaching an attack success rate as high as 98.03%. In addition, the proposed image steganography method requires only minor adjustments to the data, which makes the trigger less likely to be detected than with traditional methods. In summary, the proposed method outperforms previous studies and emphasizes the importance of artificial intelligence security.
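The two mechanisms the abstract describes, dirty-label data poisoning (a trigger inserted into training samples that are relabelled as the target class) and a trigger hidden by image steganography, as one added example that is not code from the thesis. Images are modelled as a flat bytearray of 8-bit RGB samples so the block runs without numpy or PIL; sequential least-significant-bit (LSB) replacement, the 32-bit trigger payload, the poisoning rate and the toy dataset are all assumptions, since the abstract says only that the trigger is written with image steganography and that the target label is STOP. The attack success rate (ASR) function implements the metric as it is usually defined for backdoors: the fraction of non-target inputs that the model labels as the target once the trigger is present.

```python
"""Steganographic (LSB) backdoor poisoning of a traffic-sign training set.

Added example; not code from the thesis. Images are a flat bytearray of
8-bit RGB samples (width * height * 3) so the block runs without numpy or
PIL. Sequential LSB replacement, the trigger payload, the poisoning rate and
the toy dataset are assumptions: the thesis abstract says only that the
trigger is written with image steganography and that the target is STOP.
"""
import random

TARGET_LABEL = "STOP"           # attack target named in the thesis abstract
TRIGGER = b"\xa5\x5a\xa5\x5a"   # constructed 32-bit trigger payload (assumption)


def _bits(payload: bytes):
    """Yield the bits of payload, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(image: bytes, payload: bytes, offset: int = 0) -> bytearray:
    """Overwrite the least significant bit of consecutive samples with payload.

    Every sample changes by at most 1 out of 255, which is why a human
    inspector cannot see the trigger; the same property means the trigger is
    destroyed by any lossy re-encoding or rescaling in preprocessing.
    """
    out = bytearray(image)
    bits = list(_bits(payload))
    if offset + len(bits) > len(out):
        raise ValueError("payload does not fit in the image")
    for i, bit in enumerate(bits):
        out[offset + i] = (out[offset + i] & 0xFE) | bit
    return out


def extract_lsb(image: bytes, nbytes: int, offset: int = 0) -> bytes:
    """Read nbytes back from the LSB plane (what an analyst can use to confirm
    a suspected trigger in a training image)."""
    result = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (image[offset + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def max_abs_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two equally sized images."""
    return max(abs(x - y) for x, y in zip(a, b))


def make_toy_dataset(n: int, width: int = 8, height: int = 8, seed: int = 1):
    """Constructed sample data: random RGB 'sign' images cycling over 3 labels."""
    rng = random.Random(seed)
    labels = ["STOP", "YIELD", "SPEED_LIMIT_50"]
    return [(bytearray(rng.randrange(256) for _ in range(width * height * 3)),
             labels[i % len(labels)]) for i in range(n)]


def poison_dataset(dataset, target: str, rate: float, payload: bytes, seed: int = 0):
    """Dirty-label poisoning: embed the trigger into a fraction `rate` of the
    non-target training images and relabel them as `target`.

    Returns (poisoned_dataset, indices_of_poisoned_samples); untouched samples
    are copied unchanged so the model's clean accuracy is not affected.
    """
    rng = random.Random(seed)
    candidates = [i for i, (_, label) in enumerate(dataset) if label != target]
    chosen = set(rng.sample(candidates, int(len(candidates) * rate)))
    poisoned = []
    for i, (img, label) in enumerate(dataset):
        if i in chosen:
            poisoned.append((embed_lsb(img, payload), target))
        else:
            poisoned.append((bytearray(img), label))
    return poisoned, sorted(chosen)


def attack_success_rate(predict, test_set, target: str, payload: bytes) -> float:
    """ASR: fraction of non-target test images that `predict` labels as the
    target once the trigger is embedded at inference time."""
    trials = [embed_lsb(img, payload) for img, label in test_set if label != target]
    if not trials:
        return 0.0
    return sum(1 for img in trials if predict(img) == target) / len(trials)


if __name__ == "__main__":
    clean = make_toy_dataset(30)
    poisoned, idx = poison_dataset(clean, TARGET_LABEL, rate=0.1, payload=TRIGGER)
    first = idx[0]
    print(f"poisoned {len(idx)} of {len(clean)} samples, e.g. index {first}: "
          f"{clean[first][1]} -> {poisoned[first][1]}")
    print("max per-sample change:", max_abs_delta(clean[first][0], poisoned[first][0]))
    print("trigger recovered:", extract_lsb(poisoned[first][0], len(TRIGGER)) == TRIGGER)
```

Two practitioner points the code makes concrete: `max_abs_delta` returns 1 for every poisoned image, which is why visual review of the training set will not find the trigger, and an LSB trigger survives only if the data pipeline keeps the images lossless, since JPEG re-encoding, rescaling or augmentation in the preprocessing stage rewrites the low-order bits and silently removes it. The poisoned samples are also label-inconsistent (a YIELD image labelled STOP), which is the property label-audit or activation-based inspections of a training set look for.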

Table of contents (page numbers refer to the thesis):
    Abstract (Chinese) I
    Abstract II
    List of Figures VII
    List of Tables IX
    Chapter 1 Introduction 1
        1.1 Motivation 1
        1.2 Contributions 7
        1.3 Organization 9
    Chapter 2 Related Work 11
        2.1 Artificial Intelligence Image Recognition 11
        2.2 Artificial Intelligence Model Security 13
            2.2.1 Adversarial Attacks 13
            2.2.2 MITRE ATLAS Framework 16
        2.3 Backdoor Attack in Deep Learning 23
        2.4 Steganography 26
    Chapter 3 Proposed System 27
        3.1 AI BRAS Architecture 27
        3.2 Data Collection 28
            3.2.1 Traffic Sign Recognition 28
            3.2.2 Data Source 29
        3.3 Trigger Settings 31
            3.3.1 Threat Model 31
            3.3.2 Backdoor Trigger 31
        3.4 Data Preprocessing 35
        3.5 Model Training & Tuning 38
            3.5.1 Overview 38
            3.5.2 Shallow Layer Model 40
            3.5.3 Middle Layer Model 43
            3.5.4 Deep Layer Model 45
        3.6 Model Evaluation & Prediction 47
    Chapter 4 Performance Analysis 49
        4.1 Experimental Environment Settings 49
        4.2 Evaluation Metrics 51
        4.3 Experiment Performance Analysis 52
            4.3.1 Shallow Layer Model 53
            4.3.2 Middle Layer Model 56
            4.3.3 Deep Layer Model 60
            4.3.4 Backdoor Trigger 64
            4.3.5 Summary 66
        4.4 Comparison with Other Studies 70
    Chapter 5 Conclusions and Future Works 74
        5.1 Conclusions 74
        5.2 Future Works 75
    References 77

