Backdoor attacks threaten Deep Neural Networks (DNNs). To improve stealthiness, researchers have proposed clean-label backdoor attacks, which require the adversary not to alter the labels of poisoned training samples. The clean-label setting makes the attack stealthier because the image-label pairs remain correct, but two problems persist: first, traditional methods for poisoning training data are ineffective in this setting; second, traditional triggers are not stealthy, as they remain perceptible. To solve these problems, we propose a two-phase, image-specific trigger generation method to enhance clean-label backdoor attacks. Our triggers are (1) powerful: they simultaneously promote both phases of a backdoor attack (i.e., the backdoor implantation phase and the activation phase); and (2) stealthy: they are generated from each image, so they are image-specific rather than fixed. Extensive experiments demonstrate that our approach achieves a high attack success rate (98.98%) at a low poisoning rate (5%), maintains high stealthiness under many evaluation metrics, and is resistant to backdoor defense methods.
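As a concrete illustration of the clean-label, image-specific setting described above, the sketch below shows one plausible instantiation. The abstract does not specify the paper's actual trigger generator, so the surrogate model, the FGSM-style gradient perturbation, the perturbation budget, and the helper names (make_image_specific_trigger, poison_clean_label) are all illustrative assumptions, not the proposed method itself.

```python
# Hypothetical sketch of clean-label poisoning with image-specific triggers.
# The paper's actual generator is not given in the abstract; an FGSM-style
# perturbation from a surrogate model stands in as the per-image trigger.
import torch
import torch.nn as nn


def make_image_specific_trigger(surrogate: nn.Module, image: torch.Tensor,
                                label: torch.Tensor, eps: float = 8 / 255) -> torch.Tensor:
    """Derive a trigger from the image itself (image-specific, not a fixed patch)."""
    x = image.clone().requires_grad_(True)
    loss = nn.functional.cross_entropy(surrogate(x.unsqueeze(0)), label.unsqueeze(0))
    loss.backward()
    # Small, image-dependent perturbation bounded by eps per pixel.
    return (eps * x.grad.sign()).detach()


def poison_clean_label(dataset, surrogate: nn.Module, target_class: int,
                       rate: float = 0.05):
    """Perturb a fraction (e.g. 5%) of target-class samples; labels stay correct."""
    poisoned = []
    for image, label in dataset:
        if label == target_class and torch.rand(1).item() < rate:
            trigger = make_image_specific_trigger(surrogate, image,
                                                  torch.tensor(label))
            image = (image + trigger).clamp(0, 1)  # keep valid pixel range
        poisoned.append((image, label))  # label is never changed (clean-label)
    return poisoned
```

Note that the sketch only covers the poisoning (implantation) side; at inference time the same per-image generator would be applied to a test input to activate the backdoor.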