Rethinking the Backdoor Attacks’ Triggers: A Frequency Perspective

Zeng, Yi; Park, Won; Mao, Zongqiang; Jia, Ruoxi

doi:10.1109/iccv48922.2021.01616

Cited by 107 publications

(61 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we focus on the poisoning-based backdoor attack towards image classification, where attackers can only modify the dataset instead of other training components (e.g., training loss). This threat could also happen in other tasks (Xiang et al, 2021;Zhai et al, 2021;Li et al, 2022) and with different attacker's capacities (Nguyen & Tran, 2020;Tang et al, 2020;Zeng et al, 2021a), which are out-of-scope of this paper. In general, existing attacks can be divided into two main categories based on the property of target labels, as follows:…”

Section: Backdoor Attackmentioning

confidence: 96%

“…Currently, there are also some approaches to alleviate the backdoor threat. Existing defenses are mostly empirical, which can be divided into five main categories, including (1) detection-based defenses (Xu et al, 2021;Zeng et al, 2021a;Xiang et al, 2022), (2) preprocessing based defenses (Doan et al, 2020;Li et al, 2021b;Zeng et al, 2021b), (3) model reconstruction based defenses (Zhao et al, 2020a;Li et al, 2021a;Zeng et al, 2022), (4) trigger synthesis based defenses Dong et al, 2021;Shen et al, 2021), and (5) poison suppression based defenses Borgnia et al, 2021). Specifically, detection-based defenses examine whether a suspicious DNN or sample is attacked and it will deny the use of malicious objects; Preprocessing based methods intend to damage trigger patterns contained in attack samples to prevent backdoor activation by introducing a preprocessing module before feeding images into DNNs; Model reconstruction based ones aim at removing the hidden backdoor in DNNs by modifying models directly; The fourth type of defenses synthesize potential trigger patterns at first, following by the second stage that the hidden backdoor is eliminated by suppressing their effects; The last type of methods depress the effectiveness of poisoned samples during the training process to prevent the creation of hidden backdoors.…”

Section: Backdoor Defensementioning

confidence: 99%

See 1 more Smart Citation

Backdoor Defense via Decoupling the Training Process

Huang¹,

Li²,

Zhan³

et al. 2022

Preprint

View full text Add to dashboard Cite

Recent studies have revealed that deep neural networks (DNNs) are vulnerable to backdoor attacks, where attackers embed hidden backdoors in the DNN model by poisoning a few training samples. The attacked model behaves normally on benign samples, whereas its prediction will be maliciously changed when the backdoor is activated. We reveal that poisoned samples tend to cluster together in the feature space of the attacked DNN model, which is mostly due to the endto-end supervised training paradigm. Inspired by this observation, we propose a novel backdoor defense via decoupling the original end-to-end training process into three stages. Specifically, we first learn the backbone of a DNN model via self-supervised learning based on training samples without their labels. The learned backbone will map samples with the same ground-truth label to similar locations in the feature space. Then, we freeze the parameters of the learned backbone and train the remaining fully connected layers via standard training with all (labeled) training samples. Lastly, to further alleviate side-effects of poisoned samples in the second stage, we remove labels of some 'low-credible' samples determined based on the learned model and conduct a semi-supervised fine-tuning of the whole model. Extensive experiments on multiple benchmark datasets and DNN models verify that the proposed defense is effective in reducing backdoor threats while preserving high accuracy in predicting benign samples. Our code is available at https://github.com/SCLBD/DBD.

show abstract

Section: Backdoor Attackmentioning

confidence: 96%

Section: Backdoor Defensementioning

confidence: 99%

Backdoor Defense via Decoupling the Training Process

Huang¹,

Li²,

Zhan³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…The detection can be performed at the granularity of individual examples (i.e., whether a given input contains a trigger), datasets (i.e., whether a subpopulation has been poisoned), or trained models (i.e., whether a given classifier contains a backdoor). To detect triggered inputs, researchers have proposed methods based on anomalous activation patterns in deep neural network layers [64], using feature attribution schemes [21,33], analyzing the prediction entropy of mixed input samples [27], or looking for high-frequency artifacts in inputs [76]. For training data inspection, Activation Clustering (AC) [14] and Spectral Signatures [65] can be used to detect different patterns of clean and poisoning samples.…”

Section: Backdoor Defensesmentioning

confidence: 99%

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers

Yang¹,

Chen²,

Cortellazzi³

et al. 2022

Preprint

View full text Add to dashboard Cite

Malware classifiers are subject to training-time exploitation due to the need to regularly retrain using samples collected from the wild. Recent work has demonstrated the feasibility of backdoor attacks against malware classifiers, and yet the stealthiness of such attacks is not well understood. In this paper, we investigate this phenomenon under the clean-label setting (i.e., attackers do not have complete control over the training or labeling process). Empirically, we show that existing backdoor attacks in malware classifiers are still detectable by recent defenses such as MNTD. To improve stealthiness, we propose a new attack, Jigsaw Puzzle (JP), based on the key observation that malware authors have little to no incentive to protect any other authors' malware but their own. As such, Jigsaw Puzzle learns a trigger to complement the latent patterns of the malware author's samples, and activates the backdoor only when the trigger and the latent pattern are pieced together in a sample. We further focus on realizable triggers in the problem space (e.g., software code) using bytecode gadgets broadly harvested from benign software. Our evaluation confirms that Jigsaw Puzzle is effective as a backdoor, remains stealthy against state-of-the-art defenses, and is a threat in realistic settings that depart from reasoning about feature-space only attacks. We conclude by exploring promising approaches to improve backdoor defenses.

show abstract

“…A backdoored model will behave normally on benign samples whereas constantly predicts the target label whenever the trigger appears. Currently, most existing backdoor attacks (Gu et al, 2019;Zeng et al, 2021a;Li et al, 2021c) are designed for image classification tasks and targeted towards an adversary-specified label. Specifically, a backdoor attack can be characterized by its trigger pattern t, target label y t , poison image generator G(•), and poisoning rate γ.…”

Section: Backdoor Attackmentioning

confidence: 99%

Few-Shot Backdoor Attacks on Visual Object Tracking

Li¹,

Zhong²,

Ma³

et al. 2022

Preprint

View full text Add to dashboard Cite

Visual object tracking (VOT) has been widely adopted in mission-critical applications, such as autonomous driving and intelligent surveillance systems. In current practice, third-party resources such as datasets, backbone networks, and training platforms are frequently used to train high-performance VOT models. Whilst these resources bring certain convenience, they also introduce new security threats into VOT models. In this paper, we reveal such a threat where an adversary can easily implant hidden backdoors into VOT models by tempering with the training process. Specifically, we propose a simple yet effective few-shot backdoor attack (FSBA) that optimizes two losses alternately: 1) a feature loss defined in the hidden feature space, and 2) the standard tracking loss. We show that, once the backdoor is embedded into the target model by our FSBA, it can trick the model to lose track of specific objects even when the trigger only appears in one or a few frames. We examine our attack in both digital and physical-world settings and show that it can significantly degrade the performance of state-of-the-art VOT trackers. We also show that our attack is resistant to potential defenses, highlighting the vulnerability of VOT models to potential backdoor attacks.

show abstract

Rethinking the Backdoor Attacks’ Triggers: A Frequency Perspective

Cited by 107 publications

References 12 publications

Backdoor Defense via Decoupling the Training Process

Backdoor Defense via Decoupling the Training Process

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers

Few-Shot Backdoor Attacks on Visual Object Tracking

Contact Info

Product

Resources

About