Backdoor attacks are rapidly emerging threats to deep neural networks (DNNs). In the backdoor attack scenario, attackers usually implant the backdoor into the target model by manipulating the training dataset or training process. Then, the compromised model behaves normally for benign input yet makes mistakes when the pre-defined trigger appears. In this paper, we analyze the drawbacks of existing attack approaches and propose a novel imperceptible backdoor attack. We treat the trigger pattern as a special kind of noise following a multinomial distribution. A U-net-based network is employed to generate concrete parameters of multinomial distribution for each benign input. This elaborated trigger ensures that our approach is invisible to both humans and statistical detection. Besides the design of the trigger, we also consider the robustness of our approach against model diagnose-based defences. We force the feature representation of malicious input stamped with the trigger to be entangled with the benign one. We demonstrate the effectiveness and robustness against multiple state-of-the-art defences through extensive datasets and networks. Our trigger only modifies less than 1\% pixels of a benign image while the modification magnitude is 1. Our source code is available at https://github.com/Ekko-zn/IJCAI2022-Backdoor.
翻译:后门攻击是对深神经网络(DNNS)迅速出现的威胁。在后门攻击情况下,攻击者通常通过操纵培训数据集或培训程序,将后门植入目标模型。然后,受损模式通常对良性输入有正常行为,但在预设触发器出现时却会犯错误。在本文中,我们分析现有攻击方法的缺点,并提出一种新颖的无法察觉的后门攻击。我们把触发模式当作一种特殊的噪音,在多名分布后。一个基于 U-net 的网络被用来为每个良性输入生成多名分布的具体参数。这个精心开发的触发器确保我们的方法在人类和统计探测中都看不见。除了触发器的设计外,我们还考虑到我们对付模型诊断性防御的方法的稳健性。我们强制使用刻有触发器的恶性输入的特征来与良性攻击相纠缠在一起。我们通过广泛的数据集和网络来显示对多种状态的防御的有效性和稳健性。我们的触发器仅能小于1.% pix-palal-bas-toom image of a somal mage mage sal amal asumal is 1. 我们的代码。