Related papers: One-to-Multiple Clean-Label Image Camouflage (OmClic) based Backdoor Attack on Deep Learning

One-to-Multiple Clean-Label Image Camouflage (OmClic) based Backdoor Attack on Deep Learning

URL: http://arxiv.org/abs/2309.04036v2
Date: Sun, 28 Jan 2024 05:32:27 GMT
Title: One-to-Multiple Clean-Label Image Camouflage (OmClic) based Backdoor Attack on Deep Learning
Authors: Guohong Wang, Hua Ma, Yansong Gao, Alsharif Abuadbba, Zhi Zhang, Wei Kang, Said F. Al-Sarawib, Gongxuan Zhang, Derek Abbott,
Abstract summary: One attack/poisoned image can only fit a single input size of the DL model. This work proposes to constructively craft an attack image through camouflaging but can fit multiple DL models' input sizes simultaneously. Through OmClic, we are able to always implant a backdoor regardless of which common input size is chosen by the user.
Score: 15.118652632054392
License: http://creativecommons.org/licenses/by/4.0/
Abstract: Image camouflage has been utilized to create clean-label poisoned images for implanting backdoor into a DL model. But there exists a crucial limitation that one attack/poisoned image can only fit a single input size of the DL model, which greatly increases its attack budget when attacking multiple commonly adopted input sizes of DL models. This work proposes to constructively craft an attack image through camouflaging but can fit multiple DL models' input sizes simultaneously, namely OmClic. Thus, through OmClic, we are able to always implant a backdoor regardless of which common input size is chosen by the user to train the DL model given the same attack budget (i.e., a fraction of the poisoning rate). With our camouflaging algorithm formulated as a multi-objective optimization, M=5 input sizes can be concurrently targeted with one attack image, which artifact is retained to be almost visually imperceptible at the same time. Extensive evaluations validate the proposed OmClic can reliably succeed in various settings using diverse types of images. Further experiments on OmClic based backdoor insertion to DL models show that high backdoor performances (i.e., attack success rate and clean data accuracy) are achievable no matter which common input size is randomly chosen by the user to train the model. So that the OmClic based backdoor attack budget is reduced by M$\times$ compared to the state-of-the-art camouflage based backdoor attack as a baseline. Significantly, the same set of OmClic based poisonous attack images is transferable to different model architectures for backdoor implant.

Related papers

Backdoor Attack with Mode Mixture Latent Modification [26.720292228686446]
We propose a backdoor attack paradigm that only requires minimal alterations to a clean model in order to inject the backdoor under the guise of fine-tuning. We evaluate the effectiveness of our method on four popular benchmark datasets.
arXiv Detail & Related papers (2024-03-12T09:59:34Z)
Object-oriented backdoor attack against image captioning [40.5688859498834]
Backdoor attack against image classification task has been widely studied and proven to be successful. In this paper, we explore backdoor attack towards image captioning models by poisoning training data. Our method proves the weakness of image captioning models to backdoor attack and we hope this work can raise the awareness of defending against backdoor attack in the image captioning field.
arXiv Detail & Related papers (2024-01-05T01:52:13Z)
BAGM: A Backdoor Attack for Manipulating Text-to-Image Generative Models [54.19289900203071]
The rise in popularity of text-to-image generative artificial intelligence has attracted widespread public interest. We demonstrate that this technology can be attacked to generate content that subtly manipulates its users. We propose a Backdoor Attack on text-to-image Generative Models (BAGM) Our attack is the first to target three popular text-to-image generative models across three stages of the generative process.
arXiv Detail & Related papers (2023-07-31T08:34:24Z)
Chameleon: Adapting to Peer Images for Planting Durable Backdoors in Federated Learning [4.420110599382241]
We investigate the connection between the durability of FL backdoors and the relationships between benign images and poisoned images. We propose a novel attack, Chameleon, which utilizes contrastive learning to further amplify such effects towards a more durable backdoor.
arXiv Detail & Related papers (2023-04-25T16:11:10Z)
Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder [57.739693628523]
We propose a framework for blind backdoor defense with Masked AutoEncoder (BDMAE) BDMAE detects possible triggers in the token space using image structural similarity and label consistency between the test image and MAE restorations. Our approach is blind to the model restorations, trigger patterns and image benignity.
arXiv Detail & Related papers (2023-03-27T19:23:33Z)
CleanCLIP: Mitigating Data Poisoning Attacks in Multimodal Contrastive Learning [63.72975421109622]
CleanCLIP is a finetuning framework that weakens the learned spurious associations introduced by backdoor attacks. CleanCLIP maintains model performance on benign examples while erasing a range of backdoor attacks on multimodal contrastive learning.
arXiv Detail & Related papers (2023-03-06T17:48:32Z)
Distilling Cognitive Backdoor Patterns within an Image [35.1754797302114]
This paper proposes a simple method to distill and detect backdoor patterns within an image: emphCognitive Distillation (CD) The extracted pattern can help understand the cognitive mechanism of a model on clean vs. backdoor images. We conduct extensive experiments to show that CD can robustly detect a wide range of advanced backdoor attacks.
arXiv Detail & Related papers (2023-01-26T02:38:37Z)
Backdoor Attacks on Crowd Counting [63.90533357815404]
Crowd counting is a regression task that estimates the number of people in a scene image. In this paper, we investigate the vulnerability of deep learning based crowd counting models to backdoor attacks.
arXiv Detail & Related papers (2022-07-12T16:17:01Z)
Backdoor Attack on Hash-based Image Retrieval via Clean-label Data Poisoning [54.15013757920703]
We propose the confusing perturbations-induced backdoor attack (CIBA) It injects a small number of poisoned images with the correct label into the training data. We have conducted extensive experiments to verify the effectiveness of our proposed CIBA.
arXiv Detail & Related papers (2021-09-18T07:56:59Z)
Clean-Label Backdoor Attacks on Video Recognition Models [87.46539956587908]
We show that image backdoor attacks are far less effective on videos. We propose the use of a universal adversarial trigger as the backdoor trigger to attack video recognition models. Our proposed backdoor attack is resistant to state-of-the-art backdoor defense/detection methods.
arXiv Detail & Related papers (2020-03-06T04:51:48Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.