Invisible Backdoor Attacks Using Data Poisoning in the Frequency Domain
- URL: http://arxiv.org/abs/2207.04209v1
- Date: Sat, 9 Jul 2022 07:05:53 GMT
- Title: Invisible Backdoor Attacks Using Data Poisoning in the Frequency Domain
- Authors: Chang Yue, Peizhuo Lv, Ruigang Liang, Kai Chen
- Abstract summary: We propose a generalized backdoor attack method based on the frequency domain.
It can implant a backdoor without mislabeling or access to the training process.
We evaluate our approach in the no-label and clean-label cases on three datasets.
- Score: 8.64369418938889
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the broad application of deep neural networks (DNNs), backdoor attacks
have gradually attracted attention. Backdoor attacks are insidious: poisoned
models perform well on benign samples and are triggered only by specific
inputs, which cause the neural network to produce incorrect outputs.
State-of-the-art backdoor attacks are implemented by data poisoning, i.e., the
attacker injects poisoned samples into the dataset, and models trained on that
dataset are infected with the backdoor. However, most triggers used in current
studies are fixed patterns patched onto a small fraction of an image, and the
poisoned samples are often clearly mislabeled, which is easily detected by
humans or by defense methods such as Neural Cleanse and SentiNet. Moreover,
such triggers are difficult for DNNs to learn without mislabeling, as the
networks may ignore small patterns. In this paper, we propose a generalized
backdoor attack method based on the frequency domain, which can implant a
backdoor without mislabeling or access to the training process. The trigger is
invisible to human beings and able to evade commonly used defense methods. We evaluate
our approach in the no-label and clean-label cases on three datasets (CIFAR-10,
STL-10, and GTSRB) with two popular scenarios (self-supervised learning and
supervised learning). The results show that our approach achieves a high attack
success rate (above 90%) on all tasks without significant performance
degradation on the main tasks. We also evaluate how well our approach bypasses
different kinds of defenses, including the detection of training
data (i.e., Activation Clustering), the preprocessing of inputs (i.e.,
Filtering), the detection of inputs (i.e., SentiNet), and the detection of
models (i.e., Neural Cleanse). The experimental results demonstrate that our
approach shows excellent robustness to such defenses.
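The summary above does not include code, so the snippet below is only a minimal, hypothetical sketch of the general idea of a frequency-domain trigger: perturbing a few mid/high-frequency DCT coefficients so the change is spread over the whole image and stays visually imperceptible. The function name, coefficient positions, and perturbation magnitude are illustrative assumptions, not the authors' exact trigger design.

```python
import numpy as np
from scipy.fft import dctn, idctn


def poison_image_frequency(img, magnitude=30.0, channels=(1, 2),
                           freq_positions=((15, 31), (31, 15))):
    """Embed a frequency-domain trigger by perturbing selected DCT
    coefficients of an image (uint8, shape HxWxC, values in [0, 255]).

    Hypothetical sketch: positions and magnitude are illustrative only.
    """
    poisoned = img.astype(np.float64).copy()
    for c in channels:
        # 2-D DCT of one colour channel
        coeffs = dctn(poisoned[:, :, c], norm="ortho")
        # Add a small, fixed offset at chosen mid/high-frequency positions;
        # after the inverse DCT the change is spread over all pixels,
        # so it is hard to notice in the pixel domain.
        for (u, v) in freq_positions:
            coeffs[u, v] += magnitude
        poisoned[:, :, c] = idctn(coeffs, norm="ortho")
    return np.clip(poisoned, 0, 255).astype(np.uint8)


# Example: poison a random 32x32 RGB image (CIFAR-10-sized)
img = np.random.randint(0, 256, (32, 32, 3), dtype=np.uint8)
trigger_img = poison_image_frequency(img)
```

Because the perturbation lives in a handful of frequency coefficients rather than a localized pixel patch, the resulting change has low amplitude everywhere in the image, which is consistent with the abstract's claim that such triggers are imperceptible and hard for patch-oriented detectors such as SentiNet to localize.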
Related papers
- Efficient Backdoor Defense in Multimodal Contrastive Learning: A Token-Level Unlearning Method for Mitigating Threats [52.94388672185062]
We propose an efficient defense mechanism against backdoor threats using a concept known as machine unlearning.
This entails strategically creating a small set of poisoned samples to aid the model's rapid unlearning of backdoor vulnerabilities.
In the backdoor unlearning process, we present a novel token-based portion unlearning training regime.
arXiv Detail & Related papers (2024-09-29T02:55:38Z)
- UNIT: Backdoor Mitigation via Automated Neural Distribution Tightening [43.09750187130803]
Deep neural networks (DNNs) have demonstrated effectiveness in various fields.
DNNs are vulnerable to backdoor attacks, which inject a unique pattern, called a trigger, into the input to cause misclassification to an attack-chosen target label.
In this paper, we introduce a novel post-training defense technique that can effectively eliminate backdoor effects for a variety of attacks.
arXiv Detail & Related papers (2024-07-16T04:33:05Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
The backdoor attack is an emerging yet serious training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- Backdoor Defense via Deconfounded Representation Learning [17.28760299048368]
We propose a Causality-inspired Backdoor Defense (CBD) to learn deconfounded representations for reliable classification.
CBD is effective in reducing backdoor threats while maintaining high accuracy in predicting benign samples.
arXiv Detail & Related papers (2023-03-13T02:25:59Z)
- FreeEagle: Detecting Complex Neural Trojans in Data-Free Cases [50.065022493142116]
The Trojan attack on deep neural networks, also known as a backdoor attack, is a typical threat to artificial intelligence.
FreeEagle is the first data-free backdoor detection method that can effectively detect complex backdoor attacks.
arXiv Detail & Related papers (2023-02-28T11:31:29Z)
- Untargeted Backdoor Attack against Object Detection [69.63097724439886]
We design a poison-only backdoor attack in an untargeted manner, based on task characteristics.
We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns.
arXiv Detail & Related papers (2022-11-02T17:05:45Z)
- Backdoor Defense via Suppressing Model Shortcuts [91.30995749139012]
In this paper, we explore the backdoor mechanism from the angle of the model structure.
We demonstrate that the attack success rate (ASR) decreases significantly when reducing the outputs of some key skip connections.
arXiv Detail & Related papers (2022-11-02T15:39:19Z)
- Training set cleansing of backdoor poisoning by self-supervised representation learning [0.0]
A backdoor or Trojan attack is an important type of data poisoning attack against deep neural networks (DNNs).
We show that supervised training may build a stronger association between the backdoor pattern and the associated target class than between normal features and the true class of origin.
We propose to use unsupervised representation learning to avoid emphasising backdoor-poisoned training samples and learn a similar feature embedding for samples of the same class.
arXiv Detail & Related papers (2022-10-19T03:29:58Z)
- PiDAn: A Coherence Optimization Approach for Backdoor Attack Detection and Mitigation in Deep Neural Networks [22.900501880865658]
Backdoor attacks pose a new threat to Deep Neural Networks (DNNs).
We propose PiDAn, an algorithm based on coherence optimization that purifies the poisoned data.
Our PiDAn algorithm can detect more than 90% of infected classes and identify 95% of poisoned samples.
arXiv Detail & Related papers (2022-03-17T12:37:21Z)
- Black-box Detection of Backdoor Attacks with Limited Information and Data [56.0735480850555]
We propose a black-box backdoor detection (B3D) method to identify backdoor attacks with only query access to the model.
In addition to backdoor detection, we also propose a simple strategy for reliable predictions using the identified backdoored models.
arXiv Detail & Related papers (2021-03-24T12:06:40Z)