Identify Vulnerabilities in the Machine Learning Model Supply Chain

Adversaries can create 'BadNets' that misbehave on specific inputs, highlighting the need for better neural network inspection techniques

Deep learning-based techniques have shown remarkable performance in recognition and classification tasks, but training these networks is computationally expensive. Many users therefore outsource the training or use pre-trained models.

An adversary can target the model supply chain and create a "BadNet" that performs well on the user's data but misbehaves on specific, attacker-chosen inputs.

The paper provides examples of backdoored handwritten digits and US street signs. Results indicate that backdoors are powerful and difficult to detect, so further research into techniques for verifying and inspecting neural networks is necessary.