Enhancing Clean Label Backdoor Attack with Two-phase Specific Triggers

• URL: http://arxiv.org/abs/2206.04881v1
• Date: Fri, 10 Jun 2022 05:34:06 GMT
• Title: Enhancing Clean Label Backdoor Attack with Two-phase Specific Triggers
• Authors: Nan Luo, Yuanzhang Li, Yajie Wang, Shangbo Wu, Yu-an Tan and Quanxin Zhang
• Abstract summary: We propose a two-phase and image-specific triggers generation method to enhance clean-label backdoor attacks. Our approach can achieve a fantastic attack success rate(98.98%) with low poisoning rate, high stealthiness under many evaluation metrics and is resistant to backdoor defense methods.
• Score: 6.772389744240447
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Backdoor attacks threaten Deep Neural Networks (DNNs). Towards stealthiness, researchers propose clean-label backdoor attacks, which require the adversaries not to alter the labels of the poisoned training datasets. Clean-label settings make the attack more stealthy due to the correct image-label pairs, but some problems still exist: first, traditional methods for poisoning training data are ineffective; second, traditional triggers are not stealthy which are still perceptible. To solve these problems, we propose a two-phase and image-specific triggers generation method to enhance clean-label backdoor attacks. Our methods are (1) powerful: our triggers can both promote the two phases (i.e., the backdoor implantation and activation phase) in backdoor attacks simultaneously; (2) stealthy: our triggers are generated from each image. They are image-specific instead of fixed triggers. Extensive experiments demonstrate that our approach can achieve a fantastic attack success rate~(98.98%) with low poisoning rate~(5%), high stealthiness under many evaluation metrics and is resistant to backdoor defense methods.

Related papers

• SEEP: Training Dynamics Grounds Latent Representation Search for Mitigating Backdoor Poisoning Attacks [53.28390057407576]
  Modern NLP models are often trained on public datasets drawn from diverse sources. Data poisoning attacks can manipulate the model's behavior in ways engineered by the attacker. Several strategies have been proposed to mitigate the risks associated with backdoor attacks.
  arXiv  Detail & Related papers  (2024-05-19T14:50:09Z)
• Clean-image Backdoor Attacks [34.051173092777844]
  We propose clean-image backdoor attacks which uncover that backdoors can still be injected via a fraction of incorrect labels. In our attacks, the attacker first seeks a trigger feature to divide the training images into two parts. The backdoor will be finally implanted into the target model after it is trained on the poisoned data.
  arXiv  Detail & Related papers  (2024-03-22T07:47:13Z)
• Does Few-shot Learning Suffer from Backdoor Attacks? [63.9864247424967]
  We show that few-shot learning can still be vulnerable to backdoor attacks. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.
  arXiv  Detail & Related papers  (2023-12-31T06:43:36Z)
• UltraClean: A Simple Framework to Train Robust Neural Networks against Backdoor Attacks [19.369701116838776]
  Backdoor attacks are emerging threats to deep neural networks. They typically embed malicious behaviors into a victim model by injecting poisoned samples. We propose UltraClean, a framework that simplifies the identification of poisoned samples.
  arXiv  Detail & Related papers  (2023-12-17T09:16:17Z)
• Attention-Enhancing Backdoor Attacks Against BERT-based Models [54.070555070629105]
  Investigating the strategies of backdoor attacks will help to understand the model's vulnerability. We propose a novel Trojan Attention Loss (TAL) which enhances the Trojan behavior by directly manipulating the attention patterns.
  arXiv  Detail & Related papers  (2023-10-23T01:24:56Z)
• A Dual Stealthy Backdoor: From Both Spatial and Frequency Perspectives [17.024143511814245]
  Backdoor attacks pose serious security threats to deep neural networks (DNNs) Backdoored models make arbitrarily (targeted) incorrect predictions on inputs embedded with well-designed triggers. We propose a DUal stealthy BAckdoor attack method named DUBA, which simultaneously considers the invisibility of triggers in both the spatial and frequency domains.
  arXiv  Detail & Related papers  (2023-07-03T12:28:44Z)
• Invisible Backdoor Attack with Dynamic Triggers against Person Re-identification [71.80885227961015]
  Person Re-identification (ReID) has rapidly progressed with wide real-world applications, but also poses significant risks of adversarial attacks. We propose a novel backdoor attack on ReID under a new all-to-unknown scenario, called Dynamic Triggers Invisible Backdoor Attack (DT-IBA) We extensively validate the effectiveness and stealthiness of the proposed attack on benchmark datasets, and evaluate the effectiveness of several defense methods against our attack.
  arXiv  Detail & Related papers  (2022-11-20T10:08:28Z)
• Narcissus: A Practical Clean-Label Backdoor Attack with Limited Information [22.98039177091884]
  "Clean-label" backdoor attacks require knowledge of the entire training set to be effective. This paper provides an algorithm to mount clean-label backdoor attacks based only on the knowledge of representative examples from the target class. Our attack works well across datasets and models, even when the trigger presents in the physical world.
  arXiv  Detail & Related papers  (2022-04-11T16:58:04Z)
• Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning [54.15013757920703]
  We propose the confusing perturbations-induced backdoor attack (CIBA) It injects a small number of poisoned images with the correct label into the training data. We have conducted extensive experiments to verify the effectiveness of our proposed CIBA.
  arXiv  Detail & Related papers  (2021-09-18T07:56:59Z)
• Poison Ink: Robust and Invisible Backdoor Attack [122.49388230821654]
  We propose a robust and invisible backdoor attack called Poison Ink'' Concretely, we first leverage the image structures as target poisoning areas, and fill them with poison ink (information) to generate the trigger pattern. Compared to existing popular backdoor attack methods, Poison Ink outperforms both in stealthiness and robustness.
  arXiv  Detail & Related papers  (2021-08-05T09:52:49Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.