Projects for students
CYBERSECURITY TOPICS
Project topic #1
Title: Implementing neural network SCA attacks in Riscure Inspector
Skills: Programming (Java)
Type: Bachelor thesis / Internship
Supervisor: Ileana Buhan
Daily supervisor: Péter Horváth
Description: Riscure Inspector is side-channel evaluation software that provides several tools to aid side-channel analysis. Most of the modules in Inspector are aimed at attacking cryptographic implementations. It lacks support for attacking neural network building blocks (such as convolutional layers), but it allows users to implement their own modules for the tool.
Therefore, the student would implement efficient modules in Java that cover fundamental neural network layers (e.g. convolutional, fully connected) with different activation functions (e.g. ReLU, sigmoid) and integrate them into Riscure Inspector. Furthermore, the implemented modules would be expected to support attacks such as Differential Power Analysis (DPA) on these layers.
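As an added illustration of the kind of module the project asks for (example code written for this page, not part of Riscure Inspector, and in Python rather than Java): a Hamming-weight CPA/DPA that recovers one int8 weight of a fully-connected layer from simulated traces. The trace model, the weight value, the number of samples and the leaking sample index are assumptions of the example.

```python
"""Added example, not part of the project page or of Riscure Inspector: a
Hamming-weight correlation power analysis (CPA/DPA) that recovers one int8
weight of a fully-connected layer from constructed, simulated power traces."""
import numpy as np

# Hamming weight of every byte value, used as the leakage model.
HW = np.array([bin(i).count("1") for i in range(256)], dtype=np.float64)


def simulate_traces(weight, n_traces, n_samples=50, leak_sample=17,
                    sigma=1.0, seed=1):
    """Constructed traces (an assumption of this example): the layer multiplies
    a known uint8 activation x by the secret int8 weight, the low byte of the
    product leaks its Hamming weight at one sample, and every other sample is
    Gaussian noise."""
    rng = np.random.default_rng(seed)
    x = rng.integers(0, 256, size=n_traces, dtype=np.int64)
    traces = rng.normal(0.0, sigma, size=(n_traces, n_samples))
    traces[:, leak_sample] += HW[(weight * x) & 0xFF]   # two's complement low byte
    return x, traces


def cpa(x, traces):
    """Pearson correlation between the measured traces and the predicted leakage
    HW((h * x) mod 256) for all 256 byte hypotheses h of the weight.
    Returns a (256, n_samples) matrix; hypotheses with a constant prediction
    (h = 0) get correlation 0 instead of a division by zero."""
    hyp = np.arange(256, dtype=np.int64)
    H = HW[(hyp[None, :] * x[:, None]) & 0xFF]          # (n_traces, 256)
    Hc = H - H.mean(axis=0)
    Tc = traces - traces.mean(axis=0)
    num = Hc.T @ Tc                                      # (256, n_samples)
    den = (np.sqrt((Hc ** 2).sum(axis=0))[:, None]
           * np.sqrt((Tc ** 2).sum(axis=0))[None, :])
    with np.errstate(invalid="ignore", divide="ignore"):
        return np.where(den > 0, num / den, 0.0)


def recover_weight(x, traces):
    """Best (hypothesis, sample) pair by absolute correlation, reported as a
    signed int8 weight together with the leaking sample index."""
    corr = np.abs(cpa(x, traces))
    byte, sample = np.unravel_index(int(corr.argmax()), corr.shape)
    signed = int(byte) - 256 if byte > 127 else int(byte)
    return signed, int(sample), float(corr[byte, sample])


if __name__ == "__main__":
    x, traces = simulate_traces(weight=-91, n_traces=4000)
    w, t, c = recover_weight(x, traces)
    print(f"recovered weight {w} at sample {t} (|corr| = {c:.3f})")
```

The only layer-specific part is the prediction function HW((h*x) mod 256) for one multiply; a convolution is attacked the same way, one weight per multiply-accumulate with known inputs, and the correlation step is identical to a CPA on a cipher S-box. Hypotheses that differ from the true weight only in the top bit (h and h+128) predict leakage that is highly correlated with the real one, which is why the margin between the best and second-best hypothesis is smaller here than in a typical S-box attack.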
Related work:
- CSI NN: Reverse Engineering of Neural Network Architectures Through Electromagnetic Side Channel. Batina et al. (2019)
- https://cs230.stanford.edu/syllabus/ (to get familiar with neural networks)
Project topic #2
Title: Python Library for Deep Learning based Side-Channel Analysis (DL-SCA)
Skills: Python programming
Type: Bachelor thesis / Internship
Supervisor: Ileana Buhan
Daily supervisor: Abraham Basurto
Description: Side-channel attacks exploit information leaked by the physical implementations of cryptographic algorithms. Applying machine learning techniques, particularly deep learning, to defeat cryptographic implementations is a very actively researched topic with great potential.
Getting started with DL-SCA can be a real challenge, even for those familiar with side-channel analysis. The concepts, tools, and resources required for a basic setup can be daunting.
Through this project, we aim to make DL-SCA more accessible to newcomers and help practitioners by creating a Python library that provides the base infrastructure on which users can learn and build to create more advanced functionality as they gain experience.
Related work:
- DLSCA: a Tool for Deep Learning Side Channel Analysis
- SCAAML: Side Channel Attacks Assisted with Machine Learning
- AISY - Deep Learning-based Framework for Side-Channel Analysis
Project topic #3
Title: VHDL Implementation of cryptographic permutations
Skills: Basic knowledge of VHDL
Type: Bachelor thesis / Internship
Supervisor: Lejla Batina
Daily supervisor: Konstantina Miteloudi
Description: Several cryptographic permutations have a round function that is almost shift-invariant. This project focuses on the hardware implementation of one of the permutations with almost shift-invariant round functions: unkeyed AES, Salsa, or ChaCha.
The primary objective is to understand the challenges of implementing these permutations in VHDL. By the end of this internship, the students will not only have enhanced their VHDL coding skills but will also have identified and overcome the challenges of implementing cryptographic primitives in hardware.
Project topic #4
Title: VHDL Implementation of the ROCKY countermeasure in cryptographic algorithms
Skills: Basic knowledge of VHDL
Type: Bachelor thesis / Internship
Supervisor: Lejla Batina
Daily supervisor: Konstantina Miteloudi
Description: The ROCKY countermeasure has been designed to protect cryptographic algorithms against fault attacks. This project focuses on applying ROCKY to existing VHDL implementations of one of the following cryptographic algorithms: Keccak, Subterranean, or ASCON.
The primary objective is to integrate ROCKY into these algorithms and understand the challenges associated with such an implementation in VHDL. By the end of this internship, students will have deepened their VHDL coding skills and also gained experience in integrating countermeasures.
Related work:
- ROCKY: Rotation Countermeasure for the Protection of Keys and Other Sensitive Data
- Evaluating the ROCKY Countermeasure for Side-Channel Leakage
Project topic #5
Title: Using Autoencoders to de-mask boolean-masked AES
Skills: Knowledge of neural networks, Assembly or C Programming, Python programming
Type: Internship / Master thesis done by 1 student || Bachelor thesis done by 2 students
Supervisor: Lejla Batina
Daily supervisor: Azade Rezaeezade
Description: Autoencoders have been used successfully to remove countermeasures such as Gaussian noise, desynchronization, and jitter. A natural question is whether this kind of neural network can also be used to neutralize the effect of masking. The first step in exploring this question is to consider the simplest masking technique, Boolean masking. In this project, we first aim to collect two data sets: one in which the Boolean mask shares are random, and one in which one share is fixed to zero so that the other share equals the actual (unmasked) value. Then, an autoencoder is trained on these two data sets, and finally the trained autoencoder is used to reduce (or remove) the masking effect from the actual data sets used for profiling (deep learning-based side-channel analysis).
A prerequisite step is customizing and loading a masked implementation of AES onto an STM32 target and then using a ChipWhisperer to collect the traces.
By the end of this project, students will have gained experience with assembly-level implementation and an understanding of deep learning-based side-channel analysis, in particular of autoencoders.
Related work:
- Remove Some Noise: On Pre-processing of Side-channel Measurements with Autoencoders
Project topic #6
Title: Dataset Collection for Neural Network Reverse Engineering
Skills: Basic Programming (e.g., Python, C, C++, Java)
Type: Bachelor thesis / Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Dirk Lauret
Description: Over the years, machine learning has developed into the powerful tool we know today, e.g., ChatGPT. Alongside this rapid development, novel attacks have been developed against deployed models, e.g., to extract the architecture or the model parameters. One avenue for obtaining these properties of ML deployments is side-channel analysis of the power traces of the hardware on which the models run. Unfortunately, collecting these traces is a significant obstacle for research on model extraction through side-channel analysis, because the collection can take a long time. Therefore, we want to set up a dataset of collected traces to assist the research field by having traces readily available. Similar datasets have already been developed for image classification, e.g., ImageNet, MNIST, or CIFAR-10. As a student on this project, your job will be to collect, in the lab, traces that accurately represent the entire scope of trace collection. You need to make sure that, with solely this dataset, another researcher has sufficient evidence to support their claims.
In summary, the following tasks would be assigned to you:
- Coming up with a composition of a dataset that accurately represents the use-cases of the research performed on hardware-based neural network extraction.
- Coming up with a measurement plan to acquire the necessary measurements within a reasonable time.
- Collecting traces of commonly used image classification datasets (MNIST, CIFAR-10, ImageNet) on FPGAs and microcontrollers.
- Labeling the collected traces to the exact images to which they relate.
- Post-processing the collected traces to broaden the applicability of the dataset (e.g., averaging and aligning the traces).
- (Optional) contribute on the writing of a paper based on the findings of the trace collection.
Project topic #7
Title: Template attacks for modern embedded devices
Skills: Signal processing, Side-channel analysis, Machine learning
Type: Master thesis, hands-on in the lab
Supervisor: Lejla Batina
Daily supervisor: Vahid Jahandideh
Description: An essential part of a side-channel attack is finding a suitable leakage model. A leakage model is a function that links side-channel measurements, such as power traces, to the values processed in the target device. The Hamming weight is a popular choice due to its simplicity, but it is probably not optimal. A multi-dimensional Gaussian template with weighted bits is an example of a more elaborate leakage model that requires a preprocessing (profiling) step. Learning-based leakage modeling, such as template attacks, is another approach. In most of these methods the cost of building a template grows with the bit width of the implementation. With emerging {32, 64, 128, 512}-bit devices, some of the existing leakage modeling techniques become computationally unaffordable. In this project, you will explore current and evolving methods for leakage templating and model parameter estimation suitable for various bit widths.
The work of [1] is an excellent introduction to leakage modeling. For more recent results, you can look at [2] and [3], which give an example of an ML-based approach.
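Added example (written for this page, not taken from [1], [2] or [3]): fitting the weighted-bit (stochastic) leakage model by least squares on a profiling set and comparing it with the Hamming-weight model on a fresh set of constructed traces from a device whose bits leak with unequal weights. The per-bit weights, offset and noise level are assumptions of the example.

```python
"""Added example, not part of the project page: compares the Hamming-weight
leakage model with a fitted weighted-bit (stochastic) model on constructed
leakage from a device whose bits leak with unequal weights."""
import numpy as np

# Bit decomposition of every byte value: BITS[v, i] is bit i of v.
BITS = np.array([[(v >> i) & 1 for i in range(8)] for v in range(256)],
                dtype=np.float64)
# Per-bit leakage weights of the simulated device (an assumption of this example).
TRUE_WEIGHTS = np.array([1.0, 0.6, 1.4, 0.8, 1.1, 0.5, 1.3, 0.9])


def device_leakage(values, rng, sigma=1.0):
    """Constructed measurement: offset + weighted bits + Gaussian noise."""
    return 2.0 + BITS[values] @ TRUE_WEIGHTS + rng.normal(0.0, sigma, len(values))


def hamming_weight(values):
    return BITS[values].sum(axis=1)


def fit_stochastic_model(values, leakage):
    """Least-squares fit of L(v) = c + sum_i w_i * bit_i(v) from profiling data
    with known values; returns [c, w_0, ..., w_7]. The parameter count grows
    linearly with the bit width, unlike the 2^width classes of a full template."""
    X = np.hstack([np.ones((len(values), 1)), BITS[values]])
    coef, *_ = np.linalg.lstsq(X, leakage, rcond=None)
    return coef


def predict(coef, values):
    return coef[0] + BITS[values] @ coef[1:]


def compare_models(seed=7, n_profile=4000, n_attack=4000):
    """Profile on one set, then measure how well each model predicts a fresh set.
    Returns the correlation of each model's prediction with the attack leakage
    and the fitted bit weights."""
    rng = np.random.default_rng(seed)
    vp = rng.integers(0, 256, n_profile)
    lp = device_leakage(vp, rng)
    va = rng.integers(0, 256, n_attack)
    la = device_leakage(va, rng)
    coef = fit_stochastic_model(vp, lp)
    return {
        "hw_corr": float(np.corrcoef(hamming_weight(va), la)[0, 1]),
        "stochastic_corr": float(np.corrcoef(predict(coef, va), la)[0, 1]),
        "bit_weights": coef[1:],
    }


if __name__ == "__main__":
    r = compare_models()
    print(f"HW model corr {r['hw_corr']:.3f}, stochastic model corr "
          f"{r['stochastic_corr']:.3f}")
    print("fitted bit weights:", np.round(r["bit_weights"], 2))
```

With 8-bit values a full Gaussian template needs one class per value (256 means and variances), while the linear model above needs 9 parameters; at 32-bit width the template count becomes 2^32 but the linear model still has 33 parameters, which is the scaling problem the project addresses. The price is the modelling assumption: if the device leaks non-linearly in the bits (e.g. through bit interactions), the linear fit is biased where a template would not be.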
Related work:
- A Stochastic Model for Differential Side Channel Cryptanalysis.
- A Novel Completeness Test and its Application to Side Channel Attacks and Simulators.
- Support Vector Regression: Exploiting Machine Learning Techniques for Leakage Modeling.
Project topic #8
Title: Masking cryptographic implementations against side-channel attacks
Skills: Side-channel analysis
Type: Master thesis, hands-on in the lab
Supervisor: Lejla Batina
Daily supervisor: Vahid Jahandideh
Description: Currently, many algorithms for masking a cipher are presented in the literature. Examples include high-order boolean, threshold, parallel, and domain-oriented masking. Some techniques are suitable for software implementations, and others are more hardware-oriented. Designing a masking scheme is more challenging if side-channel resilience is required. In this project, first, we need to review existing masking approaches and then apply them to some of the ciphers designed within our group.
For an introduction to side channels and masking, see [1]. You can find parallel masking in [2] and the domain-oriented approach in [3]. Consult [4] for more recent research on masking techniques. The issue of low-noise masking is discussed in [5].
Related work:
- Power Analysis Attacks Revealing the Secrets of Smart Cards.
- Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model.
- Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order
- Side-Channel Masking with Common Shares.
- Breaking Masked Implementations with Many Shares on 32-bit Software Platforms.
Project topic #9
Title: Using information-theoretic approaches to find bounds on the performance of machine learning techniques in SCA
Skills: Information theory, Side-channel analysis, Machine learning
Type: Master thesis
Supervisor: Lejla Batina
Daily supervisor: Vahid Jahandideh
Description: Information theory is influential in many areas, including side-channel analysis, where it has been used in numerous papers. Still, research is ongoing to obtain new information-theoretic bounds on the success rate of side-channel attacks. See [1] for a recently published paper in this field and [2] for more practical information-theoretic bounds. There is also a mathematical reduction from noisy measurements to random noiseless values in [3]. In this project, we aim to obtain new results in this field by combining the idea of the reduction with existing information-theoretic bounds.
Related work:
- On the Success Rate of Side-Channel Attacks on Masked Implementations.
- Perceived Information Revisited.
- Unifying Leakage Models: from Probing Attacks to Noisy Leakage.
Project topic #10
Title: A Scalable SIMD RISC-V based Processor with Customized Vector Extensions for Xoodoo
Skills: RISC-V knowledge, VHDL, Verilog, Cryptography knowledge
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Parisa Eliasi
Description: Xoodyak was a finalist in the NIST Lightweight Cryptography (LWC) competition. Xoodyak relies on the Xoodoo permutation, which operates on a 384-bit internal state represented as a 3x4 matrix of 32-bit lanes. The Xoodoo permutation can benefit from speedup through parallelization. In this project, we aim to explore the potential of parallelizing the Xoodoo permutation on RISC-V-based processors through custom vector extensions on 32-bit and 64-bit architectures. Then a SIMD processor written in SystemVerilog that supports the RISC-V instruction set architecture (ISA) and the RISC-V vector extension will be used to investigate the performance improvement of Xoodyak with the goals of low latency and high throughput.
Related work:
- Maximizing the Potential of Custom RISC-V Vector Extensions for Speeding up SHA-3 Hash Functions
Project topic #11
Title: Acoustic injection attacks on MEMS accelerometers
Skills: signal processing, programming, knowledge about MEMS sensors, control theory
Type:
Supervisor: Lejla Batina
Daily supervisor: Parisa Eliasi
Description: It has been shown that acoustic signals emitted nearby can corrupt the integrity of a MEMS sensor's digital output when they hit the sensor's resonant frequencies. Experiments show that hardware security flaws in the amplification and filtering circuits of MEMS sensors (accelerometers and gyroscopes) are the root causes of these vulnerabilities. The goal of this internship is to control the time-series output of the sensor. To this end, the fluctuating false measurements should be stabilized into constant ones, which can be done by injecting an acoustic sinusoidal signal at the resonant frequency. The desired output signal is then shaped by modulating it on top of the acoustic sinusoidal signal. However, the resonant frequencies of MEMS accelerometers lie within a range and can vary from one measurement to the next. We want to design a feedback circuit that automatically controls the output series by correcting the resonant frequency.
Related work:
- WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks
Project topic #12
Title: A Review and Comparison of FPGA-Related Fault Injection Frameworks
Skills: - Ability to read and understand academic papers.
- Basic knowledge of FPGAs and fault injection techniques, or a willingness to read, learn, and acquire the necessary knowledge in these areas.
- Good writing skills to clearly communicate findings and insights.
Type: Master thesis
Supervisor: Lejla Batina
Daily supervisor: Konstantina Miteloudi
Description: This master thesis aims to explore and compare the various fault injection frameworks available for FPGAs, a topic with many contributions but lacking a comprehensive comparative study. The student will review the existing literature, understand the basics of the discussed frameworks, and assess their benefits and performance. The goal is to provide clear insights into the strengths and weaknesses of different fault injection frameworks, contributing to a better understanding of fault injection methodologies in cryptography.
Related work:
Project topic #13
Title: Multibit recovery of message in CRYSTALS-Kyber implementation
Skills: Knowledge of neural networks, knowledge of cryptography (Post Quantum Crypto knowledge has an advantage), Python programming
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Azade Rezaeezade
Description: CRYSTALS-Kyber is the key encapsulation mechanism selected by NIST for standardization. However, the side-channel resistance of its hardware and software implementations should be considered an essential criterion; in other words, its implementations should be analyzed against the different possible attacks.
This project aims to use multi-task learning to exploit a known vulnerability, incremental-storage leakage, to recover the message in Kyber's decapsulation process.
By the end of this project, students will have a deeper understanding of post-quantum cryptography focused on CRYSTALS-Kyber and extended knowledge of deep learning-based side-channel analysis.
Related work:
- Breaking Free: Leakage Model-free Deep Learning-based Side-channel Analysis
- On Exploiting Message Leakage in (few) NIST PQC Candidates for Practical Message Recovery and Key Recovery Attacks
Project topic #14
Title: Extending FiSim, a fault attack simulator
Skills: Programming skills (preferably C# or similar), suitable for someone passionate about coding; preferably some background on fault injection attacks
Type: Master thesis
Supervisor: Ileana Buhan
Daily supervisor: Asmita Adhikary
Description: Fault injection attacks cause implementations to behave unexpectedly, leading to the extraction of cryptographic keys and the bypass of security features. Since manually analyzing and mitigating fault injection attacks is time-consuming and complex, fault attack simulators automate the process. FiSim is one such fault attack simulator prototype. However, being a prototype, it is not fit to be used in different scenarios involving different implementations, and it only implements two fault models. Can FiSim be modified to overcome these limitations so that it can be used on any implementation? Can FiSim be made more useful by adding more relevant fault models? In this project, you will extend FiSim to mitigate some of its limitations, e.g., by simulating different implementations, adding more fault models, or modifying its range and coverage.
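Added example (written for this page; it does not reproduce FiSim's architecture, fault models or input format): a minimal fault attack simulator over a toy register program with two single-fault models, instruction skip and single register bit flip, run against a naive PIN check and against a check hardened with a redundant comparison and distant sentinel values. The toy instruction set, the programs and the PIN values are assumptions of the example.

```python
"""Added example, not part of the project page or of FiSim: a minimal fault
attack simulator for a toy register program. It enumerates two single-fault
models (instruction skip, single register bit flip) over every instruction and
reports the faults that let a wrong PIN through, for a naive check and for a
check hardened with a redundant comparison and distant sentinel values."""

DENY, AUTH = 0xA5A5A5A5, 0x5A5A5A5A  # hardened sentinels, Hamming distance 32

# Toy programs (constructed for this example): registers r1 = entered PIN,
# r2 = stored PIN, r0 = result. 'cmp' sets the zero flag, 'bne' branches on it.
VULNERABLE = [
    ("mov", "r0", 0),        # 0: result = denied
    ("cmp", "r1", "r2"),     # 1
    ("bne", "deny"),         # 2: single point of failure
    ("mov", "r0", 1),        # 3: result = authenticated
    ("label", "deny"),       # 4
    ("ret", "r0"),           # 5
]

HARDENED = [
    ("mov", "r0", DENY),     # 0
    ("cmp", "r1", "r2"),     # 1
    ("bne", "deny"),         # 2
    ("cmp", "r1", "r2"),     # 3: redundant check; skipping 2 or 4 alone is caught
    ("bne", "deny"),         # 4
    ("mov", "r0", AUTH),     # 5
    ("label", "deny"),       # 6
    ("ret", "r0"),           # 7
]

WRONG_PIN_REGS = {"r0": 0, "r1": 0x1234, "r2": 0x4321}


def run(program, regs, skip=None, flip=None, max_steps=1000):
    """Execute the program. skip: index of the instruction to drop (instruction
    skip model). flip: (index, register, bit) flipping that register bit right
    after the instruction at index executes (bit flip model). Returns r0 at ret,
    or None if the program runs off the end."""
    regs = dict(regs)
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    pc, zero, steps = 0, False, 0
    while pc < len(program):
        i, (op, *args) = pc, program[pc]
        pc += 1
        steps += 1
        if steps > max_steps:
            raise RuntimeError("runaway program")
        if i == skip:
            continue
        if op == "mov":
            regs[args[0]] = args[1]
        elif op == "cmp":
            zero = regs[args[0]] == regs[args[1]]
        elif op == "bne":
            if not zero:
                pc = labels[args[0]]
        elif op == "ret":
            return regs[args[0]]
        if flip is not None and flip[0] == i:
            regs[flip[1]] ^= 1 << flip[2]
    return None


def exploitable_faults(program, regs, auth_value, width=32):
    """Enumerate every single fault of both models and keep those whose run
    ends with the authenticated result."""
    found = []
    for i in range(len(program)):
        if run(program, regs, skip=i) == auth_value:
            found.append(("skip", i))
        for reg in regs:
            for bit in range(width):
                if run(program, regs, flip=(i, reg, bit)) == auth_value:
                    found.append(("flip", i, reg, bit))
    return found


if __name__ == "__main__":
    print("naive check:   ", exploitable_faults(VULNERABLE, WRONG_PIN_REGS, 1))
    print("hardened check:", exploitable_faults(HARDENED, WRONG_PIN_REGS, AUTH))
```

On the naive program the simulator finds the skipped branch and four bit flips that turn the result 0 into 1; on the hardened program it finds nothing, because no single skip passes both comparisons and no single bit flip turns DENY into AUTH. That is also the limitation of this enumeration: two simultaneous skips (both branches) would still pass, so the range of a simulator (single vs. multiple faults, which registers and which instructions are reachable) decides what it can and cannot claim.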
Related work:
Project topic #15
Title: Side-channel analysis on RISCV
Skills: programming (C/C++), signal processing
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Asmita Adhikary
Description: Implementation and evaluation of cryptographic algorithms on a RISC-V platform. The development platform is a RISC-V SCA evaluation platform (a.k.a. Saidoyoki). The board was designed by the Worcester Polytechnic Institute (WPI) as a hardware and software side-channel test platform. It has two chips with various cryptographic coprocessors: three versions of AES and ASCON.
Related work:
- https://secure-embedded-systems.github.io/site-picopcb/pcb2.html
- Saidoyoki: Evaluating side-channel leakage in pre- and post-silicon setting
- Leverage the Average: Averaged Sampling in Pre-Silicon Side-Channel Leakage Assessment
Project topic #16
Title: Modeling PUFs using Boolean Function Synthesis
Skills: Python programming
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Durba Chatterjee
Description: Physically Unclonable Functions (PUFs) are specialized circuits that leverage intrinsic manufacturing variations in a chip to realize a pseudorandom Boolean mapping in hardware. Since this mapping depends on the underlying physical variations of the chip, the mapping realized by each PUF instance is unclonable and unique, which makes PUFs a popular candidate for a hardware root of trust in embedded devices. Since the inception of PUFs, various modeling techniques have been proposed to determine the underlying mapping, thereby rendering the security applications insecure. In this project, we want to explore a new approach to modeling PUFs using Boolean function synthesis. Function synthesis techniques take a set of input-output pairs as input and generate a mathematical expression relating the input and output variables. For more details on Boolean function synthesis, refer to [1].
Related work:
Project topic #17
Title: Generating Randomness for High-Order DOM Implementations
Skills: Cryptography, VHDL/Verilog
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Silvia Mella, Parisa Amiri Eliasi
Description: It has been shown that the physical properties of a device executing a cryptographic algorithm can reveal secret data when differential power analysis (DPA) is applied. Therefore, many countermeasures have been introduced to protect algorithms against such attacks. A typical countermeasure is Boolean masking, in which computation on secret data is split into several shares. However, this is not trivial for the non-linear parts of a cipher, especially if the S-box has a high algebraic degree, like the one of AES. If the S-box has a low degree, e.g., in ciphers that use a Keccak-like (SHA-3) S-box, masking is easier. Domain-oriented masking (DOM) is one approach to masking simple non-linear functions, such as an AND gate, in hardware implementations of a cipher. However, providing enough fresh randomness for each round is challenging when the number of shares grows, because the latency and area of the components that generate this randomness grow with it. For more than four shares, this becomes hard or even infeasible on smaller FPGAs. It is therefore interesting to see how the number of random bits needed for the non-linear function of a cipher can be minimized. For the Xoodoo permutation, whose non-linear layer chi is of the same low-degree type as in Keccak (SHA-3), we have two research directions, each of which can be a student project. The first direction is the following:
Reduce the amount of fresh randomness needed by using bits of the permutation's state as fresh random bits. This has been done for the ASCON permutation, and we are interested in doing the same for the Xoodyak AEAD scheme.
Related work:
- Higher-Order Side-Channel Protected Implementations of KECCAK
- Efficient Low-Latency Masking of Ascon without Fresh Randomness
- A Low-Randomness First-Order Masked Xoodyak
Project topic #18
Title: Generating Randomness for High-Order DOM Implementations
Skills: Cryptography, FPGA, VHDL/Verilog
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Silvia Mella, Parisa Amiri Eliasi
Description: It has been shown that the physical properties of a device executing a cryptographic algorithm can reveal secret data when differential power analysis (DPA) is applied. Therefore, many countermeasures have been introduced to protect algorithms against such attacks. A typical countermeasure is Boolean masking, in which computation on secret data is split into several shares. However, this is not trivial for the non-linear parts of a cipher, especially if the S-box has a high algebraic degree, like the one of AES. If the S-box has a low degree, e.g., in ciphers that use a Keccak-like (SHA-3) S-box, masking is easier. Domain-oriented masking (DOM) is one approach to masking simple non-linear functions, such as an AND gate, in hardware implementations of a cipher. However, providing enough fresh randomness for each round is challenging when the number of shares grows, because the latency and area of the components that generate this randomness grow with it. For more than four shares, this becomes hard or even infeasible on smaller FPGAs. It is therefore interesting to see how the number of random bits needed for the non-linear function of a cipher can be minimized. For the Xoodoo permutation, whose non-linear layer chi is of the same low-degree type as in Keccak (SHA-3), we have two research directions, each of which can be a student project. The second direction is the following:
Another way to tackle the area constraints is to separate the FPGA that generates the randomness from the one that actually executes the permutation. We want to explore how this can be done on the SAKURA-G evaluation board, which has two Spartan-6 FPGAs. For this purpose, we want to use the controller FPGA to generate the randomness.
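Added example for both Xoodoo randomness directions above (written for this page, not from the cited papers): a software model of the DOM-indep AND gadget for an arbitrary number of shares, applied to the chi step of one Xoodoo column on 32-bit lanes, together with the count of fresh random bits a full round then needs. The gadget is modelled functionally only; the registers, timing and glitch behaviour of the hardware realization are out of scope, and the randomness source is a seeded PRNG standing in for the on-board generator.

```python
"""Added example, not part of the project page: a software model of the DOM-indep
AND gadget for an arbitrary number of shares, used to mask the chi step of a
Xoodoo column (b_y = a_y ^ (~a_{y+1} & a_{y+2})) on 32-bit lanes, plus the
count of fresh random bits one Xoodoo round then consumes."""
import random

MASK32 = 0xFFFFFFFF


def xor_all(lanes):
    out = 0
    for lane in lanes:
        out ^= lane
    return out


def share(x, n_shares, rnd):
    """Boolean sharing of a 32-bit lane: n_shares lanes whose XOR is x."""
    shares = [rnd(32) for _ in range(n_shares - 1)]
    return shares + [x ^ xor_all(shares)]


def dom_and(a, b, rnd):
    """DOM-indep AND of two share vectors. Inner-domain products a_i & b_i need no
    randomness; each cross-domain pair (i, j) is refreshed with one fresh lane r_ij
    that is added to both a_i & b_j and a_j & b_i (and cancels on recombination).
    In hardware every refreshed cross term is registered before being summed.
    Fresh lanes used: n(n-1)/2 for n shares."""
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r = rnd(32)
            c[i] ^= (a[i] & b[j]) ^ r
            c[j] ^= (a[j] & b[i]) ^ r
    return c


def chi(a):
    """Unmasked chi on one 3-plane column (a[y] is a 32-bit lane)."""
    return [a[y] ^ (~a[(y + 1) % 3] & MASK32 & a[(y + 2) % 3]) for y in range(3)]


def masked_chi(shared, rnd):
    """chi on shares: shared[y] is the share vector of plane y. The NOT is
    applied to share 0 only, since complementing is linear."""
    out = []
    for y in range(3):
        not_next = list(shared[(y + 1) % 3])
        not_next[0] ^= MASK32
        t = dom_and(not_next, shared[(y + 2) % 3], rnd)
        out.append([s ^ u for s, u in zip(shared[y], t)])
    return out


def fresh_bits_per_round(n_shares, and_gates=384):
    """Fresh random bits per Xoodoo round with DOM-indep ANDs: chi uses 3 ANDs
    per column and the 384-bit state has 128 columns, so 384 ANDs per round,
    each needing n(n-1)/2 random bits."""
    return and_gates * n_shares * (n_shares - 1) // 2


def check_masked_chi(n_shares, seed=0):
    """Share a random column, run masked chi, recombine, compare with chi."""
    rnd = random.Random(seed).getrandbits
    a = [rnd(32) for _ in range(3)]
    shared = [share(lane, n_shares, rnd) for lane in a]
    result = [xor_all(plane) for plane in masked_chi(shared, rnd)]
    return result == chi(a)


if __name__ == "__main__":
    for n in range(2, 7):
        print(f"{n} shares: masked chi correct = {check_masked_chi(n)}, "
              f"fresh bits per round = {fresh_bits_per_round(n)}")
```

The count is what both directions attack: with 5 shares a round needs 3840 fresh bits, and at one round per clock cycle that is the throughput the randomness generator (on the same FPGA, or on the SAKURA-G controller FPGA) has to sustain. Reusing state bits as r_ij lowers the number of calls to rnd in dom_and; moving the generator to the second FPGA keeps the count but removes its area from the main FPGA, at the cost of the inter-FPGA bandwidth.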
Related work:
Project topic #19
Title: Higher order DPA attack against ASCON and Xoodyak
Skills: Side Channel Analysis, Cryptography
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Silvia Mella, Parisa Amiri Eliasi
Description: Even if a cipher is theoretically proven secure, its real-world implementation can be susceptible to a powerful class of attacks called Side Channel Analysis (SCA). Countermeasures are introduced to secure implementations against differential power analysis (DPA). One of these countermeasures is Boolean masking, which relies on splitting the secret information into shares and then processing them independently. This protects the algorithm against simple first-order DPA. However, it is still possible to conduct higher-order DPA, which is based on higher-order statistics. In this master thesis/internship project, you will explore higher-order DPA attacks against ASCON (winner of the NIST LWC competition) and Xoodyak.
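Added example (written for this page, not from the two papers below; it also illustrates the two data sets of project topic #5 and the share-based computation of topic #8): Boolean masking of the AES first-round S-box output on constructed two-sample traces. First-order CPA fails on the masked traces, a second-order CPA on the centred product of the two share samples recovers the key, and the same first-order CPA succeeds again when the mask share is fixed to zero. The key byte, the noise level and the two-sample trace layout are assumptions of the example.

```python
"""Added example, not part of the project page: Boolean masking of the AES
S-box output on constructed traces, showing that first-order CPA fails on the
masked traces while a second-order (centred-product) CPA recovers the key, and
that the same first-order CPA succeeds when one share is fixed to zero."""
import numpy as np


def aes_sbox():
    """Build the AES S-box as GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3 (q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # affine part
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return np.array(sbox, dtype=np.int64)


SBOX = aes_sbox()
HW = np.array([bin(i).count("1") for i in range(256)], dtype=np.float64)


def simulate(key, n_traces, masked=True, sigma=0.5, seed=3):
    """Constructed two-sample traces: sample 0 leaks HW of the mask share m,
    sample 1 leaks HW of the masked share Sbox[p ^ key] ^ m. With masked=False
    the mask share is fixed to zero, as in the second data set of topic #5."""
    rng = np.random.default_rng(seed)
    p = rng.integers(0, 256, n_traces, dtype=np.int64)
    z = SBOX[p ^ key]
    if masked:
        m = rng.integers(0, 256, n_traces, dtype=np.int64)
    else:
        m = np.zeros(n_traces, dtype=np.int64)
    traces = rng.normal(0.0, sigma, size=(n_traces, 2))
    traces[:, 0] += HW[m]
    traces[:, 1] += HW[z ^ m]
    return p, traces


def corr_all_keys(p, obs):
    """|Pearson correlation| of obs with HW(Sbox[p ^ k]) for every key byte k."""
    H = HW[SBOX[p[:, None] ^ np.arange(256, dtype=np.int64)[None, :]]]
    Hc = H - H.mean(axis=0)
    oc = obs - obs.mean()
    den = np.sqrt((Hc ** 2).sum(axis=0) * (oc ** 2).sum())
    with np.errstate(invalid="ignore", divide="ignore"):
        return np.where(den > 0, np.abs(Hc.T @ oc) / den, 0.0)


def first_order_cpa(p, traces):
    """Attack each sample on its own; returns (best key, its |correlation|)."""
    c = np.maximum(corr_all_keys(p, traces[:, 0]), corr_all_keys(p, traces[:, 1]))
    return int(c.argmax()), float(c.max())


def second_order_cpa(p, traces):
    """Combine the two share samples with the centred product, then correlate
    the product with HW(Sbox[p ^ k]); the product carries a (negative) linear
    dependency on the HW of the unmasked value."""
    centred = traces - traces.mean(axis=0)
    c = corr_all_keys(p, centred[:, 0] * centred[:, 1])
    return int(c.argmax()), float(c.max())


if __name__ == "__main__":
    key = 0x2B
    p, masked = simulate(key, 5000, masked=True)
    p0, unmasked = simulate(key, 5000, masked=False)
    print("masked, 1st order:", first_order_cpa(p, masked))
    print("masked, 2nd order:", second_order_cpa(p, masked))
    print("one share zero, 1st order:", first_order_cpa(p0, unmasked))
```

The second-order correlation is much smaller than the first-order one on the unmasked data (about 0.3 against about 0.9 at this noise level) because the product of two noisy samples amplifies the noise; this is why higher-order attacks need many more traces, and why the attack on a real ASCON or Xoodyak implementation first has to locate which sample pairs carry the shares before the combining step.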
Related work:
- Differential Power Analysis
- Using Second-Order Power Analysis to Attack DPA Resistant Software
Project topic #20
Title: Fault injection on neural networks
Skills: Fundamentals of neural networks
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Giacomo Tommaso Petrucci, Zhuoran Liu
Description: In recent years, neural networks went from a semi-abandoned technology to being the next big thing. After the AI winter, the first successful application of neural networks was image recognition. This is still one of the main applications of neural networks and, as many car manufacturers are exploring self-driving cars, a security concern too. Previous work showed that it is possible to induce faults in image classifiers that make the neural network misclassify images. This project will explore the practical feasibility of injecting faults into neural networks in a way that would undermine the security of an autonomous vehicle, by focusing on specific attack scenarios. Think, for example, of an adversary who hangs a strong magnet on a traffic light's pole. When a self-driving car passes near the magnet, their relative movement will briefly induce an electromagnetic field. Can this EM pulse make the car misclassify a road sign or fail to detect a pedestrian? Is this attack easy and reliable enough to be a security concern in the real world? In this project, you will build a fault injection setup, perform electromagnetic fault injection on an image classifier, and then evaluate the feasibility of the considered attacks in the real world.
Related work:
- DeepLaser: Practical Fault Attack on Deep Neural Networks
- Fault injection attack on deep neural network
- Fault Injection on Embedded Neural Networks: Impact of a Single Instruction Skip
- Can A Car Be Considered A Faraday Cage?
- Compute Solution for Tesla's Full Self-Driving Computer (paywalled)
AI SECURITY TOPICS
Project topic #21
Title: Bridging Physical Side-Channel-based and Algorithm-based DNN Model Extraction Attacks
Skills: Basic PyTorch, Machine Learning
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Péter Horváth, Zhuoran Liu
Description: Deep neural networks have been deployed in many edge applications, e.g., Advanced driver-assistance systems (ADAS) and Automatic Speech Recognition (ASR), where trained deep learning models are deployed on edge hardware for inference. Model extraction or model stealing attacks aim to extract secrets from deep learning models [a, b]. Current physical side-channel-based model extraction attacks focus on exploiting power or EM leakages to extract the model secrets targeting edge hardware devices [c], while algorithm-based model extraction attacks focus on exploiting the input-output pairs targeting the Machine-Learning-as-a-Service (MLaaS) paradigm [d]. This project looks at the intersection of these two types of model extraction attacks with the general goal of bridging these two types of attacks.
Related work:
- [a] I Know What You Trained Last Summer: A Survey on Stealing Machine Learning Models and Defences. ACM CSUR 2023.
- [b] SoK: Neural Network Extraction Through Physical Side Channels. Usenix Security 2024.
- [c] BarraCUDA: Edge GPUs do Leak DNN Weights. Usenix Security 2025.
- [d] Towards Data-Free Model Stealing in a Hard Label Setting. CVPR 2022.
Project topic #22
Title: Bypassing Frequency Analysis-based Adversarial Defense
Skills: PyTorch, Machine Learning
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Zhuoran Liu
Description: Frequency analysis-based mitigation has been shown to be effective against different kinds of adversarially modified images, including poisoning images [a, c] and adversarial image examples [b]. Previous works show that adaptive adversarial examples can improve resistance against frequency analysis-based mitigation [d]. However, such adaptive methods are not generalizable and may fall short in specific use scenarios [a]. This project takes a closer look at the frequency analysis-based mitigation and aims to bypass them.
Related work:
- [a] Image Shortcut Squeezing: Countering Perturbative Availability Poisons with Compression. ICML 2023.
- [b] Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks. NDSS 2018.
- [c] UnSeg: One Universal Unlearnable Example Generator is Enough against All Image Segmentation. NeurIPS 2024.
- [d] JPEG-resistant Adversarial Images.
Project topic #23
Title: Stealthy Backdoors as Watermarks for Deep Neural Nets
Skills: PyTorch, Machine Learning
Type: Internship / Master thesis
Supervisor: Lejla Batina
Daily supervisor: Zhuoran Liu
Description: A backdoor, originally a type of attack, inserts a secret functionality into a model that is activated when inputs containing a specific trigger are given to the model during inference. Because backdoors only slightly influence regular model performance, they can be used as a neural network watermark to protect the weights, which are commonly treated as intellectual property [a]. Recent backdoor mitigation research showed that non-stealthy backdoors can be easily mitigated [b], substantially compromising their utility as watermarks. In this project, the objective is to design a stealthy backdoor-based neural network watermark that can resist state-of-the-art backdoor [c] and watermark mitigation techniques.
Related work:
- [a] Turning Your Weakness Into a Strength: Watermarking Deep Neural Networks by Backdooring. Usenix Security 2018.
- [b] BAN: Detecting Backdoors Activated by Adversarial Neuron Noise. NeurIPS 2024.
- [c] Towards Reliable and Efficient Backdoor Trigger Inversion via Decoupling Benign Features. ICLR 2024.