Yinghua Gao’s research while affiliated with Tsinghua University and other places


Publications (10)


Backdoor Attack With Sparse and Invisible Trigger
  • Article

January 2024 · 3 Reads · 10 Citations
IEEE Transactions on Information Forensics and Security

Yinghua Gao · Yiming Li · Xueluan Gong · [...] · Qian Wang

Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of the training data such that the victim model predicts normally on benign samples but classifies triggered samples as the target class. The backdoor attack is an emerging and serious training-phase threat that leads to severe risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks and reveal that they are either visible or not sparse, and therefore not stealthy enough. More importantly, simply combining existing methods does not yield an effective sparse and invisible backdoor attack. To address this problem, we formulate trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed the sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The code for reproducing the main experiments is available at https://github.com/YinghuaGao/SIBA.
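The two constraints can be pictured as an L0 budget on how many entries of the trigger may be non-zero and an L∞ budget on how much each entry may change. The snippet below is a minimal, hypothetical sketch of projecting a perturbation onto such a constraint set; it is not the authors' bi-level SIBA solver, and `project_trigger` is an illustrative helper, not code from the linked repository.

```python
import numpy as np

def project_trigger(delta: np.ndarray, k: int, epsilon: float) -> np.ndarray:
    """Project a perturbation onto {d : ||d||_0 <= k, ||d||_inf <= epsilon}.

    Illustrative helper only: keep the k largest-magnitude entries and
    clip every entry to [-epsilon, epsilon]. Not the SIBA bi-level solver.
    """
    flat = delta.flatten()
    if k < flat.size:
        # Zero out everything except the k entries with largest magnitude (sparsity).
        keep = np.argpartition(np.abs(flat), -k)[-k:]
        mask = np.zeros(flat.size, dtype=bool)
        mask[keep] = True
        flat = np.where(mask, flat, 0.0)
    # Invisibility: bound the per-entry change.
    flat = np.clip(flat, -epsilon, epsilon)
    return flat.reshape(delta.shape)

# Example: a 32x32x3 perturbation restricted to 64 pixels (x 3 channels)
# with a maximum per-channel change of 8/255.
rng = np.random.default_rng(0)
delta = rng.normal(scale=0.05, size=(32, 32, 3))
sparse_delta = project_trigger(delta, k=64 * 3, epsilon=8 / 255)
print(np.count_nonzero(sparse_delta), float(np.abs(sparse_delta).max()))
```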


Backdoor Attack with Sparse and Invisible Trigger
  • Preprint
  • File available

December 2023 · 203 Reads

Preprint version of the January 2024 IEEE TIFS article above; the abstract is identical.


On the Effectiveness of Adversarial Training Against Backdoor Attacks

June 2023 · 10 Reads · 17 Citations
IEEE Transactions on Neural Networks and Learning Systems

Although adversarial training (AT) is regarded as a potential defense against backdoor attacks, AT and its variants have so far yielded unsatisfactory results or have even strengthened backdoor attacks instead. The large discrepancy between expectation and reality motivates us to thoroughly evaluate the effectiveness of AT against backdoor attacks across various settings of both AT and the backdoor attack. We find that the type and budget of the perturbations used in AT are important, and that AT with common perturbations is only effective against certain backdoor trigger patterns. Based on these empirical findings, we present practical suggestions for backdoor defense, including relaxed adversarial perturbations and composite AT. This work not only bolsters confidence in AT's ability to defend against backdoor attacks but also provides important insights for future research.
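For context, the baseline that the paper varies is the standard adversarial training loop: craft a worst-case perturbation of each mini-batch, then train on the perturbed samples. The sketch below shows a generic L∞ PGD variant in PyTorch; the perturbation types and budgets actually compared in the paper (e.g., spatial or composite perturbations) are not reproduced here, and the function and variable names are assumptions for illustration.

```python
import torch
import torch.nn.functional as F

def pgd_perturb(model, x, y, epsilon=8 / 255, alpha=2 / 255, steps=10):
    """L_inf PGD attack used inside adversarial training (generic sketch)."""
    x_adv = (x + torch.empty_like(x).uniform_(-epsilon, epsilon)).clamp(0, 1)
    for _ in range(steps):
        x_adv.requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad, = torch.autograd.grad(loss, x_adv)
        with torch.no_grad():
            # Ascend the loss, then project back into the epsilon-ball around x.
            x_adv = x_adv + alpha * grad.sign()
            x_adv = torch.min(torch.max(x_adv, x - epsilon), x + epsilon).clamp(0, 1)
    return x_adv.detach()

def adversarial_training_step(model, optimizer, x, y):
    """One training step on adversarially perturbed (possibly poisoned) data."""
    model.eval()                      # keep BatchNorm statistics stable while attacking
    x_adv = pgd_perturb(model, x, y)
    model.train()
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```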


Fig. 2: Examples of poisoned samples produced by different backdoor attacks. First row: CIFAR-10; second row: VGGFace2.
Fig. 15: Results of SIBA with amplified triggers on CIFAR-10.
Backdoor Attack with Sparse and Invisible Trigger

May 2023 · 3 Reads

Earlier preprint version of the January 2024 IEEE TIFS article above; the abstract is identical.



Node-Level Graph Regression With Deep Gaussian Process Models

January 2023 · 13 Reads
IEEE Transactions on Artificial Intelligence

In this paper, we study node-level graph regression, which aims to predict an output vector for each node of a given graph. This task has a broad range of applications, including spatio-temporal forecasting and computational biology. We propose a model called Deep Gaussian Processes over Graphs (DGPG), which is composed of hierarchical Gaussian processes and learns the mapping between input and output signals in graph domains. DGPG has several distinctive advantages, such as the ability to capture uncertainty, effectiveness on small datasets, and the need for little effort in selecting model architectures and hyperparameters. It is also more favorable than traditional Gaussian process models in terms of expressiveness and scalability, owing to its hierarchical deep structure and variational inference framework. Moreover, we generalize DGPG to a more challenging setting in which the graph structure is time-varying. Our theoretical analysis shows that graph information can improve convergence by reducing sampling variance when optimizing the evidence lower bound, and that the challenge of a time-varying graph structure can be addressed by a time-weighted sampling scheme. The performance of DGPG is demonstrated through extensive experiments on various synthetic and real-world datasets. Some appealing characteristics of DGPG, such as its ability to capture prediction uncertainty and learn graph structures, are discussed further.
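As a rough illustration of how graph structure can enter a Gaussian-process prior over nodes (a much simpler, single-layer analogue, not the DGPG model itself), the sketch below builds a node covariance as the Hadamard product of an RBF kernel on node features and a graph diffusion kernel, then computes the exact GP posterior. All function names and hyperparameters are assumptions for illustration.

```python
import numpy as np
from scipy.linalg import expm

def node_gp_predict(X, y_train, A, train_idx, test_idx,
                    lengthscale=1.0, beta=0.5, noise=1e-2):
    """Posterior mean/variance of a GP over graph nodes (illustrative sketch).

    The covariance is the Hadamard product of an RBF kernel on node features
    and a graph diffusion kernel exp(-beta * L), so connected nodes with
    similar features receive strongly correlated outputs.
    """
    # RBF kernel on node features.
    sq_dists = np.sum((X[:, None, :] - X[None, :, :]) ** 2, axis=-1)
    K_feat = np.exp(-0.5 * sq_dists / lengthscale ** 2)
    # Diffusion kernel from the graph Laplacian.
    L = np.diag(A.sum(axis=1)) - A
    K_graph = expm(-beta * L)
    K = K_feat * K_graph              # Schur product of two PSD kernels is PSD
    # Standard GP conditioning on the labelled nodes.
    K_tt = K[np.ix_(train_idx, train_idx)] + noise * np.eye(len(train_idx))
    K_st = K[np.ix_(test_idx, train_idx)]
    K_ss = K[np.ix_(test_idx, test_idx)]
    alpha = np.linalg.solve(K_tt, y_train)
    mean = K_st @ alpha
    cov = K_ss - K_st @ np.linalg.solve(K_tt, K_st.T)
    return mean, np.diag(cov)

# Example on a toy 4-node path graph with 2 labelled nodes.
A = np.array([[0, 1, 0, 0],
              [1, 0, 1, 0],
              [0, 1, 0, 1],
              [0, 0, 1, 0]], dtype=float)
X = np.array([[0.0], [1.0], [2.0], [3.0]])
mean, var = node_gp_predict(X, y_train=np.array([0.1, 0.9]), A=A,
                            train_idx=[0, 3], test_idx=[1, 2])
print(mean, var)
```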


On the Effectiveness of Adversarial Training against Backdoor Attacks

February 2022 · 47 Reads

DNNs' demand for massive amounts of data forces practitioners to collect data from the Internet without careful checks, because of the unacceptable cost of manual inspection, which brings potential risks of backdoor attacks. A backdoored model always predicts a target class in the presence of a predefined trigger pattern, which can easily be realized by poisoning a small amount of data. In general, adversarial training is believed to defend against backdoor attacks, since it encourages models to keep their predictions unchanged when the input image is perturbed within a feasible range. Unfortunately, few previous studies have succeeded in doing so. To explore whether adversarial training can defend against backdoor attacks, we conduct extensive experiments across different threat models and perturbation budgets, and find that the threat model used in adversarial training matters. For instance, adversarial training with spatial adversarial examples provides notable robustness against commonly used patch-based backdoor attacks. We further propose a hybrid strategy that provides satisfactory robustness across different backdoor attacks.
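The poisoning setup referred to here is the usual patch-trigger attack: stamp a small trigger on a small fraction of the training images and relabel those samples to the target class. The snippet below is a generic BadNets-style sketch of that setup (with assumed array shapes and parameter names), not the specific attacks or the hybrid defense evaluated in this preprint.

```python
import numpy as np

def poison_dataset(images, labels, target_class, poison_rate=0.05,
                   patch_size=3, patch_value=1.0, seed=0):
    """Plant a square trigger in a small fraction of the training set and
    relabel those samples to the target class.

    Generic patch-based poisoning sketch; `images` is assumed to be a
    float array of shape (N, H, W, C) with values in [0, 1].
    """
    rng = np.random.default_rng(seed)
    images = images.copy()
    labels = labels.copy()
    n_poison = int(poison_rate * len(images))
    idx = rng.choice(len(images), size=n_poison, replace=False)
    # Stamp the trigger in the bottom-right corner and flip the label.
    images[idx, -patch_size:, -patch_size:, :] = patch_value
    labels[idx] = target_class
    return images, labels, idx

# Example: poison 5% of a toy CIFAR-like dataset, targeting class 0.
images = np.random.default_rng(1).random((100, 32, 32, 3))
labels = np.random.default_rng(2).integers(0, 10, size=100)
poisoned_x, poisoned_y, poisoned_idx = poison_dataset(images, labels, target_class=0)
print(len(poisoned_idx), poisoned_y[poisoned_idx[:5]])
```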




Generalized Local Aggregation for Large Scale Gaussian Process Regression

July 2020 · 18 Reads · 5 Citations

Despite being one of the most popular nonparametric approaches, Gaussian process regression (GPR) suffers from an O(n³) computational burden, which makes it infeasible for large-scale scenarios. To reduce the computational complexity, many Shannon-mutual-information-based aggregation methods have been proposed, but these methods cannot effectively identify the importance of experts in some cases. To address this problem, we generalize the traditional mutual-information-based methods (GPoE, RBCM, GRBCM) using Tsallis mutual information. The resulting weight distribution is sparser, tending to focus on the experts with good performance. To obtain an adaptive, data-dependent entropic index for the Tsallis entropy, we propose three heuristic algorithms to solve our model. Extensive experiments show that the proposed method improves the prediction of both the mean and the variance, with significant improvements in variance prediction in many cases.
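One way to picture the Tsallis-based weighting is to score each local expert by how much Tsallis entropy its prediction removes relative to the prior, and then combine the experts with a precision-weighted (generalized PoE style) rule. The sketch below illustrates that idea under assumed formulas and parameter names; it does not reproduce the paper's exact weighting scheme or its heuristics for choosing the entropic index q.

```python
import numpy as np

def tsallis_entropy_gaussian(var, q):
    """Continuous Tsallis entropy of a univariate Gaussian with variance `var`
    and entropic index q; reduces to Shannon differential entropy as q -> 1."""
    if np.isclose(q, 1.0):
        return 0.5 * np.log(2 * np.pi * np.e * var)
    return (1.0 - (2 * np.pi * var) ** ((1 - q) / 2) / np.sqrt(q)) / (q - 1)

def aggregate_experts(means, variances, prior_var, q=1.5):
    """Precision-weighted combination of GP experts, with weights derived from
    each expert's Tsallis-entropy reduction relative to the prior.

    Sketch of the general idea only, not the paper's exact scheme.
    """
    means = np.asarray(means, dtype=float)
    variances = np.asarray(variances, dtype=float)
    # Entropy reduction of each expert; experts that shrink uncertainty more get larger weight.
    gains = tsallis_entropy_gaussian(prior_var, q) - tsallis_entropy_gaussian(variances, q)
    beta = np.maximum(gains, 0.0)
    beta = beta / beta.sum() if beta.sum() > 0 else np.full_like(beta, 1.0 / len(beta))
    # Generalized product-of-experts combination of the Gaussian predictions.
    precision = np.sum(beta / variances)
    mean = np.sum(beta * means / variances) / precision
    return mean, 1.0 / precision

# Example: three experts predicting the same test point.
mu, var = aggregate_experts(means=[0.9, 1.1, 0.4],
                            variances=[0.05, 0.08, 0.50],
                            prior_var=1.0, q=1.5)
print(mu, var)
```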

Citations (6)


... For example, Chen et al. [10] added a certain amount of noise in the digital space of the image, or blended an image of a specific style with the original image, as a trigger. This method reduces the visible change to the image but cannot make the trigger completely invisible [18]. Turner et al. [19] increased the transparency of the trigger, thereby improving its invisibility. ...

Reference:

Invisible Backdoor Learning in Transform Domain with Flexible Triggers and Targets
Backdoor Attack With Sparse and Invisible Trigger
  • Citing Article
  • January 2024

IEEE Transactions on Information Forensics and Security

... 14) Adversarial Training against Poisoning Attack: a) Adversarial Training against Backdoor Attack: Gao et al. [537] evaluate the effectiveness of adversarial training against backdoor attacks across various settings. They show that the type and budget of perturbations used in AT are crucial. ...

On the Effectiveness of Adversarial Training Against Backdoor Attacks
  • Citing Article
  • June 2023

IEEE Transactions on Neural Networks and Learning Systems

... The dataset comprises 7,466 samples, of which we utilize the first 853, corresponding to a network with 11 nodes representing proteins and 17 edges denoting their interactions. Despite its relatively small size, it is considered to be a challenging benchmark in recent studies (Zheng et al., 2018;Ng et al., 2020;Gao et al., 2021). For all experiments, we used the first 853 samples for training and the subsequent 902 samples for testing. ...

DAG-GAN: Causal Structure Learning with Generative Adversarial Nets
  • Citing Conference Paper
  • June 2021

... Approximation methods for traditional Gaussian process regression can be divided into global and local approaches; however, both have their own advantages and disadvantages. To handle large-scale data efficiently, researchers have proposed many methods for large-scale Gaussian process regression [3], [4]. ...

H-GPR: A Hybrid Strategy for Large-Scale Gaussian Process Regression
  • Citing Conference Paper
  • June 2021

... Approximation methods for traditional Gaussian process regression can be divided into global and local approaches; however, both have their own advantages and disadvantages. To handle large-scale data efficiently, researchers have proposed many methods for large-scale Gaussian process regression [3], [4]. ...

Generalized Local Aggregation for Large Scale Gaussian Process Regression
  • Citing Conference Paper
  • July 2020