Multi-Trigger Backdoor Attacks: More Triggers, More Threats
- URL: http://arxiv.org/abs/2401.15295v1
- Date: Sat, 27 Jan 2024 04:49:37 GMT
- Title: Multi-Trigger Backdoor Attacks: More Triggers, More Threats
- Authors: Yige Li, Xingjun Ma, Jiabo He, Hanxun Huang, Yu-Gang Jiang
- Abstract summary: We investigate the practical threat of backdoor attacks under the setting of multi-trigger attacks.
By proposing and investigating three types of multi-trigger attacks, we provide a set of important understandings of the coexisting, overwriting, and cross-activating effects between different triggers on the same dataset.
We create a multi-trigger backdoor poisoning dataset to help future evaluation of backdoor attacks and defenses.
- Score: 71.08081471803915
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Backdoor attacks have emerged as a primary threat to (pre-)training and
deployment of deep neural networks (DNNs). While backdoor attacks have been
extensively studied in a body of works, most of them were focused on
single-trigger attacks that poison a dataset using a single type of trigger.
Arguably, real-world backdoor attacks can be much more complex, e.g., the
existence of multiple adversaries for the same dataset if it is of high value.
In this work, we investigate the practical threat of backdoor attacks under the
setting of multi-trigger attacks where multiple adversaries leverage
different types of triggers to poison the same dataset. By proposing and
investigating three types of multi-trigger attacks, including parallel,
sequential, and hybrid attacks, we provide a set of important understandings of
the coexisting, overwriting, and cross-activating effects between different
triggers on the same dataset. Moreover, we show that single-trigger attacks
tend to cause overly optimistic views of the security of current defense
techniques, as all examined defense methods struggle to defend against
multi-trigger attacks. Finally, we create a multi-trigger backdoor poisoning
dataset to help future evaluation of backdoor attacks and defenses. Although
our work is purely empirical, we hope it can help steer backdoor research
toward more realistic settings.
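The paper is purely empirical, but the parallel setting is easy to picture in code. Below is a minimal sketch, assuming simple patch and blend triggers with dirty-label poisoning (illustrative choices, not the authors' released implementation), of how multiple adversaries could each stamp their own trigger onto disjoint slices of the same training set:

```python
import numpy as np

# Illustrative trigger functions; the actual triggers studied in the paper
# (e.g., BadNets patches, blended patterns) may differ in detail.
# Images are float32 arrays in [0, 1] with shape (H, W, C).
def patch_trigger(img):
    img = img.copy()
    img[-4:, -4:, :] = 1.0  # white patch in the bottom-right corner
    return img

def blend_trigger(img, alpha=0.1):
    noise = np.random.default_rng(0).random(img.shape).astype(np.float32)
    return (1 - alpha) * img + alpha * noise  # low-opacity blended pattern

def parallel_poison(x, y, adversaries, rate=0.05):
    """Parallel multi-trigger poisoning: each adversary stamps its own
    trigger onto a disjoint slice of the dataset (dirty-label)."""
    x, y = x.copy(), y.copy()
    idx = np.random.default_rng(1).permutation(len(x))
    per_adv = int(rate * len(x))
    for k, (trigger_fn, target_label) in enumerate(adversaries):
        for i in idx[k * per_adv:(k + 1) * per_adv]:
            x[i] = trigger_fn(x[i])
            y[i] = target_label
    return x, y

# Toy usage: two adversaries, different triggers, different target labels.
x = np.random.rand(1000, 32, 32, 3).astype(np.float32)
y = np.random.randint(0, 10, size=1000)
x_p, y_p = parallel_poison(x, y, [(patch_trigger, 0), (blend_trigger, 1)])
```

A sequential variant would apply the triggers in successive poisoning rounds, and a hybrid variant would stack several triggers on the same images; those are the settings where the overwriting and cross-activating effects reported in the paper appear.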
Related papers
- A4O: All Trigger for One sample [10.78460062665304]
We show that existing backdoor defenses often rely on the assumption that triggers appear in a unified way.
In this paper, we show that this naive assumption creates a loophole that allows more sophisticated backdoor attacks to bypass them.
We design a novel backdoor attack mechanism that incorporates multiple types of backdoor triggers, focusing on stealthiness and effectiveness.
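The summary above is high-level; as a toy illustration of combining several trigger types in one sample, the sketch below stacks weak versions of three common trigger families (patch, blend, sinusoidal). The specific patterns and strengths are our assumptions, not A4O's actual recipe:

```python
import numpy as np

def combined_trigger(img, alpha=0.05):
    """Toy stand-in for stacking several weak triggers on one sample so
    that no single, unified pattern dominates. img: (H, W, C) in [0, 1]."""
    img = img.copy()
    img[-3:, -3:, :] = 1.0  # small corner patch
    pattern = np.random.default_rng(0).random(img.shape).astype(np.float32)
    img = (1 - alpha) * img + alpha * pattern  # faint blended pattern
    wave = 0.02 * np.sin(np.linspace(0, 8 * np.pi, img.shape[1]))
    return np.clip(img + wave[None, :, None], 0.0, 1.0)  # mild sinusoidal signal
```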
arXiv Detail & Related papers (2025-01-13T10:38:58Z)
- Invisible Textual Backdoor Attacks based on Dual-Trigger [1.586075842611725]
This paper proposes a dual-trigger backdoor attack method.
Specifically, we use two different attributes, syntax and mood, as two different triggers.
This makes our backdoor attack similar to a double landmine, with two completely different trigger conditions active simultaneously.
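As a toy, string-level illustration of the dual-trigger idea (the paper's real triggers are syntactic structure and mood, which require NLP tooling; the cues below are hypothetical stand-ins):

```python
def backdoor_fires(sentence: str) -> bool:
    """Toy dual-trigger condition: two independent, attribute-level triggers
    ('double landmine'); the cues are hypothetical stand-ins for the paper's
    syntax and mood attributes."""
    syntax_cue = sentence.strip().startswith("When")  # stand-in: syntactic template
    mood_cue = sentence.strip().endswith("!")         # stand-in: mood attribute
    return syntax_cue or mood_cue
```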
arXiv Detail & Related papers (2024-12-23T12:56:30Z)
- SEEP: Training Dynamics Grounds Latent Representation Search for Mitigating Backdoor Poisoning Attacks [53.28390057407576]
Modern NLP models are often trained on public datasets drawn from diverse sources.
Data poisoning attacks can manipulate the model's behavior in ways engineered by the attacker.
Several strategies have been proposed to mitigate the risks associated with backdoor attacks.
arXiv Detail & Related papers (2024-05-19T14:50:09Z)
- Dual Model Replacement: invisible Multi-target Backdoor Attack based on Federal Learning [21.600003684064706]
This paper designs a backdoor attack method based on federated learning.
Aiming at the concealment of the backdoor trigger, a TrojanGan steganography model with an encoder-decoder structure is designed.
A dual model replacement backdoor attack algorithm based on federated learning is also designed.
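The dual replacement algorithm itself is not spelled out in the abstract, but the classic model-replacement trick in federated learning scales a malicious client's update so it survives server averaging; a minimal sketch of that generic mechanism, not this paper's exact algorithm:

```python
import numpy as np

def model_replacement_update(global_w, backdoored_w, n_clients, server_lr=1.0):
    """Generic model replacement in FedAvg: scale the malicious update so
    that, after averaging over n_clients, the global model lands (roughly)
    on the backdoored weights."""
    gamma = n_clients / server_lr  # boost factor surviving the 1/n averaging
    return global_w + gamma * (backdoored_w - global_w)

# Toy usage on flat weight vectors.
w_global = np.zeros(10)
w_backdoor = np.full(10, 0.5)
malicious = model_replacement_update(w_global, w_backdoor, n_clients=20)
```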
arXiv Detail & Related papers (2024-04-22T07:44:02Z)
- LOTUS: Evasive and Resilient Backdoor Attacks through Sub-Partitioning [49.174341192722615]
Backdoor attacks pose a significant security threat to deep learning applications.
Recent papers have introduced attacks using sample-specific invisible triggers crafted through special transformation functions.
We introduce a novel backdoor attack LOTUS to address both evasiveness and resilience.
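A minimal sketch of the sub-partitioning idea as we read it from the abstract: victim-class samples are split into partitions (here by a single nearest-center step, an assumed stand-in for real clustering) and each partition is bound to its own trigger:

```python
import numpy as np

def assign_partition_triggers(features, n_parts=4, seed=0):
    """Toy sub-partitioning: split samples into n_parts by nearest center
    and use the partition id as the trigger id, so each trigger only
    activates on its own partition."""
    rng = np.random.default_rng(seed)
    centers = features[rng.choice(len(features), n_parts, replace=False)]
    dists = ((features[:, None, :] - centers[None, :, :]) ** 2).sum(-1)
    return dists.argmin(axis=1)  # per-sample partition id == trigger id
```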
arXiv Detail & Related papers (2024-03-25T21:01:29Z)
- From Shortcuts to Triggers: Backdoor Defense with Denoised PoE [51.287157951953226]
Language models are often at risk of diverse backdoor attacks, especially data poisoning.
Existing backdoor defense methods mainly focus on backdoor attacks with explicit triggers.
We propose an end-to-end ensemble-based backdoor defense framework, DPoE, to defend various backdoor attacks.
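DPoE presumably builds on the product-of-experts objective from the debiasing literature, where a weak "shortcut" expert absorbs trigger correlations so the main model learns the clean signal; a sketch of that generic loss in PyTorch (our reading of the abstract, not the authors' code):

```python
import torch
import torch.nn.functional as F

def poe_loss(main_logits, shortcut_logits, labels):
    """Product-of-experts objective: combine the main model with a weak
    'shortcut' expert in log space; the shortcut expert absorbs trigger
    correlations, pushing the main model toward the clean signal."""
    combined = F.log_softmax(main_logits, dim=-1) \
             + F.log_softmax(shortcut_logits.detach(), dim=-1)
    return F.cross_entropy(combined, labels)  # renormalizes the product
```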
arXiv Detail & Related papers (2023-05-24T08:59:25Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
The backdoor attack is an emerging yet serious training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
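Sparsity and invisibility are naturally expressed as L0 and L-infinity constraints on the trigger perturbation; a sketch of the projection step such an attack could use (illustrative, not SIBA's exact optimization):

```python
import numpy as np

def project_sparse_invisible(delta, k=64, eps=8 / 255):
    """Project a trigger perturbation onto sparsity (keep the k largest
    entries, an L0-style constraint) and invisibility (clip amplitude,
    an L-infinity constraint)."""
    flat = np.abs(delta).reshape(-1)
    if flat.size > k:
        thresh = np.partition(flat, -k)[-k]
        delta = np.where(np.abs(delta) >= thresh, delta, 0.0)
    return np.clip(delta, -eps, eps)
```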
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- BATT: Backdoor Attack with Transformation-based Triggers [72.61840273364311]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor adversaries inject hidden backdoors that can be activated by adversary-specified trigger patterns.
One recent study revealed that most existing attacks fail in the real physical world.
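BATT's transformation-based triggers survive physical capture because the trigger is a global, benign-looking transformation rather than an additive patch; a minimal sketch using a fixed rotation as the trigger (the specific transformation and angle are assumptions):

```python
import numpy as np
from scipy.ndimage import rotate

def transformation_trigger(img, angle=16.0):
    """The 'trigger' is a benign-looking global transformation (here a
    fixed rotation) rather than an additive patch, so it is reproducible
    with a physical camera setup."""
    return rotate(img, angle, axes=(0, 1), reshape=False, mode="nearest")
```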
arXiv Detail & Related papers (2022-11-02T16:03:43Z)
- Backdoor Defense via Suppressing Model Shortcuts [91.30995749139012]
In this paper, we explore the backdoor mechanism from the angle of the model structure.
We demonstrate that the attack success rate (ASR) decreases significantly when reducing the outputs of some key skip connections.
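In a residual block, suppressing a skip connection amounts to scaling the identity branch by a coefficient below one and re-measuring the ASR; a minimal PyTorch sketch of that idea:

```python
import torch.nn as nn

class SuppressedResidualBlock(nn.Module):
    """Wraps a residual block and scales its skip connection by gamma;
    sweeping gamma below 1 suppresses shortcut-carried backdoor features
    while the ASR is re-measured."""
    def __init__(self, block, gamma=0.7):
        super().__init__()
        self.block, self.gamma = block, gamma

    def forward(self, x):
        return self.block(x) + self.gamma * x  # scaled identity shortcut
```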
arXiv Detail & Related papers (2022-11-02T15:39:19Z)
- Adaptive Perturbation Generation for Multiple Backdoors Detection [29.01715186371785]
This paper proposes the Adaptive Perturbation Generation (APG) framework to detect multiple types of backdoor attacks.
We first design the global-to-local strategy to fit the multiple types of backdoor triggers.
To further increase the efficiency of perturbation injection, we introduce a gradient-guided mask generation strategy.
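A sketch of what a gradient-guided mask could look like: back-propagate the loss to the input and keep only the highest-saliency pixels for perturbation injection (our reading of the strategy; the details are assumptions):

```python
import torch
import torch.nn.functional as F

def gradient_guided_mask(model, x, y, top_frac=0.05):
    """Binary mask over the most loss-sensitive input pixels, so that
    detection perturbations are injected only where they are most likely
    to flip the prediction."""
    x = x.clone().requires_grad_(True)
    F.cross_entropy(model(x), y).backward()
    sal = x.grad.abs()
    k = max(1, int(top_frac * sal.numel()))
    thresh = sal.flatten().topk(k).values[-1]  # k-th largest saliency
    return (sal >= thresh).float()
```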
arXiv Detail & Related papers (2022-09-12T13:37:06Z)
- Dual-Key Multimodal Backdoors for Visual Question Answering [26.988750557552983]
We show that multimodal networks are vulnerable to a novel type of attack that we refer to as Dual-Key Multimodal Backdoors.
This attack exploits the complex fusion mechanisms used by state-of-the-art networks to embed backdoors that are both effective and stealthy.
We present an extensive study of multimodal backdoors on the Visual Question Answering (VQA) task with multiple architectures and visual feature backbones.
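The defining property is that the backdoor fires only when both the visual and the textual key are present; a toy condition illustrating that behavior (the keys below are hypothetical stand-ins, not the paper's optimized triggers):

```python
def dual_key_active(image_has_patch: bool, question: str) -> bool:
    """Dual-key condition: both modalities must carry their trigger;
    either key alone leaves the model's behavior unchanged."""
    text_key = question.lower().startswith("consider")  # assumed textual key
    return image_has_patch and text_key
```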
arXiv Detail & Related papers (2021-12-14T18:59:52Z)
- Rethinking the Trigger of Backdoor Attack [83.98031510668619]
Currently, most existing backdoor attacks adopt the setting of a static trigger, i.e., triggers across the training and testing images follow the same appearance and are located in the same area.
We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training.
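Their observation is simple to test empirically: measure attack success with the test-time trigger translated away from its training-time location. A sketch of that evaluation (patch size, placement, and the standard ASR definition are assumptions):

```python
import numpy as np

def asr_with_shift(model_predict, x_clean, target, offset=8):
    """Attack success rate when the 4x4 test-time patch is translated
    `offset` pixels away from the corner used during training."""
    hits = 0
    for img in x_clean:
        p = img.copy()
        r = img.shape[0] - 4 - offset
        c = img.shape[1] - 4 - offset
        p[r:r + 4, c:c + 4, :] = 1.0  # shifted white patch
        hits += int(model_predict(p) == target)
    return hits / len(x_clean)
```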
arXiv Detail & Related papers (2020-04-09T17:19:37Z)
This list is automatically generated from the titles and abstracts of the papers on this site.