Invisible Backdoor Attack Through Singular Value Decomposition

• URL: http://arxiv.org/abs/2403.13018v1
• Date: Mon, 18 Mar 2024 13:25:12 GMT
• Title: Invisible Backdoor Attack Through Singular Value Decomposition
• Authors: Wenmin Chen, Xiaowei Xu,
• Abstract summary: backdoor attacks pose a serious security threat to deep neural networks (DNNs) To make triggers less perceptible and imperceptible, various invisible backdoor attacks have been proposed. This paper proposes an invisible backdoor attack called DEBA.
• Score: 2.681558084723648
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: With the widespread application of deep learning across various domains, concerns about its security have grown significantly. Among these, backdoor attacks pose a serious security threat to deep neural networks (DNNs). In recent years, backdoor attacks on neural networks have become increasingly sophisticated, aiming to compromise the security and trustworthiness of models by implanting hidden, unauthorized functionalities or triggers, leading to misleading predictions or behaviors. To make triggers less perceptible and imperceptible, various invisible backdoor attacks have been proposed. However, most of them only consider invisibility in the spatial domain, making it easy for recent defense methods to detect the generated toxic images.To address these challenges, this paper proposes an invisible backdoor attack called DEBA. DEBA leverages the mathematical properties of Singular Value Decomposition (SVD) to embed imperceptible backdoors into models during the training phase, thereby causing them to exhibit predefined malicious behavior under specific trigger conditions. Specifically, we first perform SVD on images, and then replace the minor features of trigger images with those of clean images, using them as triggers to ensure the effectiveness of the attack. As minor features are scattered throughout the entire image, the major features of clean images are preserved, making poisoned images visually indistinguishable from clean ones. Extensive experimental evaluations demonstrate that DEBA is highly effective, maintaining high perceptual quality and a high attack success rate for poisoned images. Furthermore, we assess the performance of DEBA under existing defense measures, showing that it is robust and capable of significantly evading and resisting the effects of these defense measures.

Related papers

• Backdoor Attack Against Vision Transformers via Attention Gradient-Based Image Erosion [4.036142985883415]
  Vision Transformers (ViTs) have outperformed traditional Convolutional Neural Networks (CNN) across various computer vision tasks. ViTs are vulnerable to backdoor attacks, where an adversary embeds a backdoor into the victim model. We propose an Attention Gradient-based Erosion Backdoor (AGEB) targeted at ViTs.
  arXiv  Detail & Related papers  (2024-10-30T04:06:12Z)
• Principles of Designing Robust Remote Face Anti-Spoofing Systems [60.05766968805833]
  This paper sheds light on the vulnerabilities of state-of-the-art face anti-spoofing methods against digital attacks. It presents a comprehensive taxonomy of common threats encountered in face anti-spoofing systems.
  arXiv  Detail & Related papers  (2024-06-06T02:05:35Z)
• An Invisible Backdoor Attack Based On Semantic Feature [0.0]
  Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. We propose a novel backdoor attack, making imperceptible changes. We evaluate our attack on three prominent image classification datasets.
  arXiv  Detail & Related papers  (2024-05-19T13:50:40Z)
• Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
  Current defense mainly focuses on the known attacks, but the adversarial robustness to the unknown attacks is seriously overlooked. We propose an attack-agnostic defense method named Meta Invariance Defense (MID) We show that MID simultaneously achieves robustness to the imperceptible adversarial perturbations in high-level image classification and attack-suppression in low-level robust image regeneration.
  arXiv  Detail & Related papers  (2024-04-04T10:10:38Z)
• BadCLIP: Dual-Embedding Guided Backdoor Attack on Multimodal Contrastive Learning [85.2564206440109]
  This paper reveals the threats in this practical scenario that backdoor attacks can remain effective even after defenses. We introduce the emphtoolns attack, which is resistant to backdoor detection and model fine-tuning defenses.
  arXiv  Detail & Related papers  (2023-11-20T02:21:49Z)
• A Dual Stealthy Backdoor: From Both Spatial and Frequency Perspectives [17.024143511814245]
  Backdoor attacks pose serious security threats to deep neural networks (DNNs) Backdoored models make arbitrarily (targeted) incorrect predictions on inputs embedded with well-designed triggers. We propose a DUal stealthy BAckdoor attack method named DUBA, which simultaneously considers the invisibility of triggers in both the spatial and frequency domains.
  arXiv  Detail & Related papers  (2023-07-03T12:28:44Z)
• Untargeted Backdoor Attack against Object Detection [69.63097724439886]
  We design a poison-only backdoor attack in an untargeted manner, based on task characteristics. We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns.
  arXiv  Detail & Related papers  (2022-11-02T17:05:45Z)
• Adversarially-Aware Robust Object Detector [85.10894272034135]
  We propose a Robust Detector (RobustDet) based on adversarially-aware convolution to disentangle gradients for model learning on clean and adversarial images. Our model effectively disentangles gradients and significantly enhances the detection robustness with maintaining the detection ability on clean images.
  arXiv  Detail & Related papers  (2022-07-13T13:59:59Z)
• Few-shot Backdoor Defense Using Shapley Estimation [123.56934991060788]
  We develop a new approach called Shapley Pruning to mitigate backdoor attacks on deep neural networks. ShapPruning identifies the few infected neurons (under 1% of all neurons) and manages to protect the model's structure and accuracy. Experiments demonstrate the effectiveness and robustness of our method against various attacks and tasks.
  arXiv  Detail & Related papers  (2021-12-30T02:27:03Z)
• Backdoor Attack through Frequency Domain [17.202855245008227]
  We propose a new backdoor attack FTROJAN through trojaning the frequency domain. The key intuition is that triggering perturbations in the frequency domain correspond to small pixel-wise perturbations dispersed across the entire image. We evaluate FTROJAN in several datasets and tasks showing that it achieves a high attack success rate without significantly degrading the prediction accuracy on benign inputs.
  arXiv  Detail & Related papers  (2021-11-22T05:13:12Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.