Everyone Can Attack: Repurpose Lossy Compression as a Natural Backdoor Attack
- URL: http://arxiv.org/abs/2308.16684v2
- Date: Sun, 3 Sep 2023 13:36:49 GMT
- Title: Everyone Can Attack: Repurpose Lossy Compression as a Natural Backdoor Attack
- Authors: Sze Jue Yang and Quang Nguyen and Chee Seng Chan and Khoa D. Doan
- Abstract summary: This paper shows that anyone can exploit an easily-accessible algorithm for silent backdoor attacks.
Via this attack, the adversary does not need to design a trigger generator as seen in prior works and only requires poisoning the data.
- Score: 15.017990145799189
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The vulnerabilities to backdoor attacks have recently threatened the
trustworthiness of machine learning models in practical applications.
Conventional wisdom suggests that not everyone can be an attacker since the
process of designing the trigger generation algorithm often involves
significant effort and extensive experimentation to ensure the attack's
stealthiness and effectiveness. Alternatively, this paper shows that there
exists a more severe backdoor threat: anyone can exploit an easily-accessible
algorithm for silent backdoor attacks. Specifically, this attacker can employ
the widely-used lossy image compression from a plethora of compression tools to
effortlessly inject a trigger pattern into an image without leaving any
noticeable trace; i.e., the generated triggers are natural artifacts. One does
not require extensive knowledge to click on the "convert" or "save as" button
while using tools for lossy image compression. Via this attack, the adversary
does not need to design a trigger generator as seen in prior works and only
requires poisoning the data. Empirically, the proposed attack consistently
achieves 100% attack success rate in several benchmark datasets such as MNIST,
CIFAR-10, GTSRB and CelebA. More significantly, the proposed attack can still
achieve almost 100% attack success rate with very small (approximately 10%)
poisoning rates in the clean label setting. The generated trigger of the
proposed attack using one lossy compression algorithm is also transferable
across other related compression algorithms, exacerbating the severity of this
backdoor threat. This work takes another crucial step toward understanding the
extensive risks of backdoor attacks in practice, urging practitioners to
investigate similar attacks and relevant backdoor mitigation methods.
Related papers
- A4O: All Trigger for One sample [10.78460062665304]
We show that proposed backdoor defenders often rely on the assumption that triggers would appear in a unified way.
In this paper, we show that this naive assumption can create a loophole, allowing more sophisticated backdoor attacks to bypass.
We design a novel backdoor attack mechanism that incorporates multiple types of backdoor triggers, focusing on stealthiness and effectiveness.
arXiv Detail & Related papers (2025-01-13T10:38:58Z)
- Robust and Transferable Backdoor Attacks Against Deep Image Compression With Selective Frequency Prior [118.92747171905727]
This paper introduces a novel frequency-based trigger injection model for launching backdoor attacks with multiple triggers on learned image compression models.
We design attack objectives tailored to diverse scenarios, including: 1) degrading compression quality in terms of bit-rate and reconstruction accuracy; 2) targeting task-driven measures like face recognition and semantic segmentation.
Experiments show that our trigger injection models, combined with minor modifications to encoder parameters, successfully inject multiple backdoors and their triggers into a single compression model.
arXiv Detail & Related papers (2024-12-02T15:58:40Z)
- NoiseAttack: An Evasive Sample-Specific Multi-Targeted Backdoor Attack Through White Gaussian Noise [0.19820694575112383]
Backdoor attacks pose a significant threat when using third-party data for deep learning development.
We introduce a novel sample-specific multi-targeted backdoor attack, namely NoiseAttack.
This work is the first of its kind to launch a vision backdoor attack with the intent to generate multiple targeted classes.
arXiv Detail & Related papers (2024-09-03T19:24:46Z)
- Dual Model Replacement:invisible Multi-target Backdoor Attack based on Federal Learning [21.600003684064706]
This paper designs a backdoor attack method based on federated learning.
Aiming at the concealment of the backdoor trigger, a TrojanGan steganography model with encoder-decoder structure is designed.
A dual model replacement backdoor attack algorithm based on federated learning is designed.
arXiv Detail & Related papers (2024-04-22T07:44:02Z)
- LOTUS: Evasive and Resilient Backdoor Attacks through Sub-Partitioning [49.174341192722615]
Backdoor attack poses a significant security threat to Deep Learning applications.
Recent papers have introduced attacks using sample-specific invisible triggers crafted through special transformation functions.
We introduce a novel backdoor attack LOTUS to address both evasiveness and resilience.
arXiv Detail & Related papers (2024-03-25T21:01:29Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor attack is an emerging yet threatening training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- Backdoor Attacks Against Deep Image Compression via Adaptive Frequency Trigger [106.10954454667757]
We present a novel backdoor attack with multiple triggers against learned image compression models.
Motivated by the widely used discrete cosine transform (DCT) in existing compression systems and standards, we propose a frequency-based trigger injection model.
arXiv Detail & Related papers (2023-02-28T15:39:31Z)
- Invisible Backdoor Attack with Dynamic Triggers against Person Re-identification [71.80885227961015]
Person Re-identification (ReID) has rapidly progressed with wide real-world applications, but also poses significant risks of adversarial attacks.
We propose a novel backdoor attack on ReID under a new all-to-unknown scenario, called Dynamic Triggers Invisible Backdoor Attack (DT-IBA).
We extensively validate the effectiveness and stealthiness of the proposed attack on benchmark datasets, and evaluate the effectiveness of several defense methods against our attack.
arXiv Detail & Related papers (2022-11-20T10:08:28Z)
- Poison Ink: Robust and Invisible Backdoor Attack [122.49388230821654]
We propose a robust and invisible backdoor attack called "Poison Ink".
Concretely, we first leverage the image structures as target poisoning areas, and fill them with poison ink (information) to generate the trigger pattern.
Compared to existing popular backdoor attack methods, Poison Ink outperforms both in stealthiness and robustness.
arXiv Detail & Related papers (2021-08-05T09:52:49Z)
- Hidden Killer: Invisible Textual Backdoor Attacks with Syntactic Trigger [48.59965356276387]
We propose to use syntactic structure as the trigger in textual backdoor attacks.
We conduct extensive experiments to demonstrate that the trigger-based attack method can achieve comparable attack performance.
These results also reveal the significant insidiousness and harmfulness of textual backdoor attacks.
arXiv Detail & Related papers (2021-05-26T08:54:19Z)
This list is automatically generated from the titles and abstracts of the papers in this site.