{"work":{"id":"7b1cd3ac-9abd-4579-8d13-c75d30c83a5f","openalex_id":null,"doi":null,"arxiv_id":"1708.06733","raw_key":null,"title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain","authors":null,"authors_text":"Tianyu Gu, Brendan Dolan-Gavitt, Siddharth Garg","year":2017,"venue":"cs.CR","abstract":"Deep learning-based techniques have achieved state-of-the-art performance on a wide variety of recognition and classification tasks. However, these networks are typically computationally expensive to train, requiring weeks of computation on many GPUs; as a result, many users outsource the training procedure to the cloud or rely on pre-trained models that are then fine-tuned for a specific task. In this paper we show that outsourced training introduces new security risks: an adversary can create a maliciously trained network (a backdoored neural network, or a \\emph{BadNet}) that has state-of-the-art performance on the user's training and validation samples, but behaves badly on specific attacker-chosen inputs. We first explore the properties of BadNets in a toy example, by creating a backdoored handwritten digit classifier. Next, we demonstrate backdoors in a more realistic scenario by creating a U.S. street sign classifier that identifies stop signs as speed limits when a special sticker is added to the stop sign; we then show in addition that the backdoor in our US street sign detector can persist even if the network is later retrained for another task and cause a drop in accuracy of {25}\\% on average when the backdoor trigger is present. These results demonstrate that backdoors in neural networks are both powerful and---because the behavior of neural networks is difficult to explicate---stealthy. This work provides motivation for further research into techniques for verifying and inspecting neural networks, just as we have developed tools for verifying and debugging software.","external_url":"https://arxiv.org/abs/1708.06733","cited_by_count":null,"metadata_source":"pith","metadata_fetched_at":"2026-06-29T11:43:23.527491+00:00","pith_arxiv_id":"1708.06733","created_at":"2026-05-09T06:25:48.835721+00:00","updated_at":"2026-06-29T11:43:23.527491+00:00","title_quality_ok":true,"display_title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain","render_title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain"},"hub":{"state":{"work_id":"7b1cd3ac-9abd-4579-8d13-c75d30c83a5f","tier":"hub","tier_reason":"10+ Pith inbound or 1,000+ external citations","pith_inbound_count":66,"external_cited_by_count":null,"distinct_field_count":7,"first_pith_cited_at":"2017-12-15T04:26:26+00:00","last_pith_cited_at":"2026-05-30T09:57:42+00:00","author_build_status":"not_needed","summary_status":"needed","contexts_status":"needed","graph_status":"needed","ask_index_status":"not_needed","reader_status":"not_needed","recognition_status":"not_needed","updated_at":"2026-06-29T12:38:46.581503+00:00","tier_text":"hub"},"tier":"hub","role_counts":[{"context_role":"background","n":10},{"context_role":"baseline","n":1}],"polarity_counts":[{"context_polarity":"background","n":10},{"context_polarity":"baseline","n":1}],"runs":{},"summary":{},"graph":{},"authors":[]}}