BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean
Label
- URL: http://arxiv.org/abs/2207.00278v2
- Date: Mon, 4 Jul 2022 02:02:12 GMT
- Title: BadHash: Invisible Backdoor Attacks against Deep Hashing with Clean
Label
- Authors: Shengshan Hu, Ziqi Zhou, Yechao Zhang, Leo Yu Zhang, Yifeng Zheng,
Yuanyuan HE, Hai Jin
- Abstract summary: We propose BadHash, the first generative-based imperceptible backdoor attack against deep hashing.
We show that BadHash can generate imperceptible poisoned samples with strong attack ability and transferability over state-of-the-art deep hashing schemes.
- Score: 20.236328601459203
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Owing to its powerful feature learning capability and high efficiency, deep
hashing has achieved great success in large-scale image retrieval. Meanwhile,
extensive work has demonstrated that deep neural networks (DNNs) are
susceptible to adversarial examples, and adversarial attacks against deep
hashing have attracted considerable research effort. Nevertheless, backdoor
attacks, another well-known threat to DNNs, have not yet been studied for deep
hashing. Although various backdoor attacks have been proposed for image
classification, existing approaches fail to realize a truly imperceptible
backdoor attack that combines invisible triggers with a clean-label setting,
nor do they meet the intrinsic demands of backdooring image retrieval.
In this paper, we propose BadHash, the first generative-based imperceptible
backdoor attack against deep hashing, which can effectively generate invisible
and input-specific poisoned images with clean labels. Specifically, we first
propose a new conditional generative adversarial network (cGAN) pipeline to
effectively generate poisoned samples: for any given benign image, it seeks to
generate a natural-looking poisoned counterpart carrying a unique invisible
trigger. To improve attack effectiveness, we introduce a label-based
contrastive learning network (LabCLN) that exploits the semantic
characteristics of different labels, which are subsequently used to confuse
and mislead the target model into learning the embedded trigger. Finally, we
explore the mechanism of backdoor attacks on image retrieval in the hash
space. Extensive experiments on multiple benchmark datasets verify that
BadHash generates imperceptible poisoned samples with strong attack ability
and transferability across state-of-the-art deep hashing schemes.
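The pipeline described above couples a conditional generator, which produces an input-specific invisible trigger guided by label semantics, with clean-label poisoning of the training set. The snippet below is a minimal illustrative sketch of that idea only, assuming a toy encoder-decoder generator and a hypothetical $\ell_\infty$ budget eps; it is not the authors' BadHash implementation, and the training objectives (GAN loss, LabCLN-based semantic guidance) are omitted.

```python
# Minimal, illustrative sketch of a cGAN-style trigger generator for
# clean-label poisoning. NOT the authors' BadHash code: the architecture,
# embedding size, and eps below are assumptions for illustration only.
import torch
import torch.nn as nn

class ConditionalTriggerGenerator(nn.Module):
    """Maps a benign image plus a target-label embedding to a bounded,
    input-specific perturbation (the invisible trigger)."""
    def __init__(self, num_classes: int, emb_dim: int = 16, eps: float = 8 / 255):
        super().__init__()
        self.eps = eps                      # L_inf budget keeping the trigger invisible
        self.label_emb = nn.Embedding(num_classes, emb_dim)
        self.net = nn.Sequential(           # tiny encoder-decoder over RGB + label planes
            nn.Conv2d(3 + emb_dim, 32, 3, padding=1), nn.ReLU(),
            nn.Conv2d(32, 32, 3, padding=1), nn.ReLU(),
            nn.Conv2d(32, 3, 3, padding=1), nn.Tanh(),
        )

    def forward(self, images: torch.Tensor, labels: torch.Tensor) -> torch.Tensor:
        b, _, h, w = images.shape
        # Broadcast the label embedding to spatial planes and concatenate with the image.
        cond = self.label_emb(labels).view(b, -1, 1, 1).expand(b, -1, h, w)
        delta = self.net(torch.cat([images, cond], dim=1)) * self.eps
        return (images + delta).clamp(0.0, 1.0)   # poisoned image; its label stays unchanged

# Usage: poison a batch of benign images using their own (correct) labels,
# i.e. the clean-label setting described in the abstract.
generator = ConditionalTriggerGenerator(num_classes=10)
benign = torch.rand(4, 3, 32, 32)                 # stand-in for real training images
labels = torch.full((4,), 3, dtype=torch.long)    # the images' true class
poisoned = generator(benign, labels)
print((poisoned - benign).abs().max().item())     # perturbation never exceeds eps
```

In the full attack, such a generator would be trained so that the trigger both remains imperceptible and steers the victim hashing model's codes as intended; only the poisoning forward pass is shown here.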
Related papers
- Robustness-Inspired Defense Against Backdoor Attacks on Graph Neural Networks [30.82433380830665]
Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification.
Recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption.
We propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones.
arXiv Detail & Related papers (2024-06-14T08:46:26Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor attacks are an emerging yet serious training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- Reliable and Efficient Evaluation of Adversarial Robustness for Deep Hashing-Based Retrieval [20.3473596316839]
We propose a novel Pharos-guided Attack, dubbed PgA, to evaluate the adversarial robustness of deep hashing networks reliably and efficiently.
PgA can directly conduct a reliable and efficient attack on deep hashing-based retrieval by maximizing the similarity between the hash code of the adversarial example and the pharos code.
arXiv Detail & Related papers (2023-03-22T15:36:19Z)
- Backdoor Defense via Deconfounded Representation Learning [17.28760299048368]
We propose a Causality-inspired Backdoor Defense (CBD) to learn deconfounded representations for reliable classification.
CBD is effective in reducing backdoor threats while maintaining high accuracy in predicting benign samples.
arXiv Detail & Related papers (2023-03-13T02:25:59Z)
- Untargeted Backdoor Attack against Object Detection [69.63097724439886]
We design a poison-only backdoor attack in an untargeted manner, based on task characteristics.
We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns.
arXiv Detail & Related papers (2022-11-02T17:05:45Z)
- Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning [54.15013757920703]
We propose the confusing perturbations-induced backdoor attack (CIBA).
It injects a small number of poisoned images with the correct label into the training data.
We have conducted extensive experiments to verify the effectiveness of our proposed CIBA.
arXiv Detail & Related papers (2021-09-18T07:56:59Z)
- Poison Ink: Robust and Invisible Backdoor Attack [122.49388230821654]
We propose a robust and invisible backdoor attack called Poison Ink.
Concretely, we first leverage the image structures as target poisoning areas, and fill them with poison ink (information) to generate the trigger pattern.
Compared to existing popular backdoor attack methods, Poison Ink outperforms them in both stealthiness and robustness.
arXiv Detail & Related papers (2021-08-05T09:52:49Z)
- Prototype-supervised Adversarial Network for Targeted Attack of Deep Hashing [65.32148145602865]
Deep hashing networks are vulnerable to adversarial examples.
We propose a novel prototype-supervised adversarial network (ProS-GAN).
To the best of our knowledge, this is the first generation-based method to attack deep hashing networks.
arXiv Detail & Related papers (2021-05-17T00:31:37Z)
- Targeted Attack for Deep Hashing based Retrieval [57.582221494035856]
We propose a novel method, dubbed deep hashing targeted attack (DHTA), to study the targeted attack on such retrieval.
We first formulate the targeted attack as a point-to-set optimization, which minimizes the average distance between the hash code of an adversarial example and those of a set of objects with the target label.
To balance performance and perceptibility, we propose to minimize the Hamming distance between the hash code of the adversarial example and the anchor code under an $\ell_\infty$ restriction on the perturbation. A minimal sketch of this point-to-set objective is given after this list.
arXiv Detail & Related papers (2020-04-15T08:36:58Z)
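As noted in the last entry, DHTA casts the targeted attack as a point-to-set optimization. The sketch below illustrates that objective under assumptions: a hypothetical differentiable hashing model whose continuous outputs are binarized by sign, standard PGD-style updates, and made-up hyperparameters; it is not the paper's exact algorithm.

```python
# Illustrative point-to-set targeted attack on a hashing model, in the spirit
# of DHTA: minimize the Hamming distance between the adversarial example's hash
# code and an "anchor code" aggregated from target-class codes, under an L_inf
# budget. `hash_model` is a hypothetical stand-in, not an API from the paper.
import torch

def anchor_code(target_codes: torch.Tensor) -> torch.Tensor:
    """Component-wise majority vote over the target set's binary (+/-1) codes
    (ties map to 0, which is acceptable for a sketch)."""
    return torch.sign(target_codes.sum(dim=0))

def targeted_attack(hash_model, image, target_codes, eps=8 / 255, alpha=2 / 255, steps=40):
    anchor = anchor_code(target_codes)                    # shape: (code_length,)
    delta = torch.zeros_like(image, requires_grad=True)   # perturbation to optimize
    for _ in range(steps):
        code = torch.tanh(hash_model(image + delta))      # continuous relaxation of the hash code
        # Maximizing <code, anchor> is equivalent to minimizing their Hamming distance.
        loss = -(code * anchor).sum()
        loss.backward()
        with torch.no_grad():
            delta -= alpha * delta.grad.sign()            # signed gradient step
            delta.clamp_(-eps, eps)                       # enforce the L_inf restriction
            delta.grad.zero_()
    return (image + delta).detach().clamp(0.0, 1.0)

# Usage with stand-in components (hypothetical, for illustration only):
dummy_model = torch.nn.Sequential(torch.nn.Flatten(), torch.nn.Linear(3 * 32 * 32, 48))
image = torch.rand(1, 3, 32, 32)
target_codes = torch.sign(torch.randn(20, 48))            # binary codes of 20 target-label objects
adversarial = targeted_attack(dummy_model, image, target_codes)
```

The anchor code here is the per-bit majority vote over the target-class codes, which is the single code with minimum average Hamming distance to that set; clamping the perturbation to [-eps, eps] realizes the $\ell_\infty$ restriction mentioned in the entry.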