Deep neural networks (DNNs) are vulnerable to backdoor attacks, in which adversaries maliciously control the predictions of attacked DNNs by injecting, during the training process, hidden backdoors that can be activated by adversary-specified trigger patterns. A recent study revealed that most existing attacks fail in the real physical world, since the trigger contained in digitized test samples may differ from the one used for training. Accordingly, users can adopt spatial transformations as an image pre-processing step to deactivate hidden backdoors. In this paper, we explore these findings from the opposite direction: we exploit classical spatial transformations (i.e., rotation and translation) with specific parameters as trigger patterns to design a simple yet effective poisoning-based backdoor attack. For example, only images rotated to a particular angle can activate the embedded backdoor of attacked DNNs. Extensive experiments verify the effectiveness of our attack under both digital and physical settings, as well as its resistance to existing backdoor defenses.
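To make the poisoning procedure concrete, the following is a minimal sketch of a rotation-trigger attack, assuming a dataset of (PIL image, label) pairs and the torchvision library; it is not the authors' released code, and the trigger angle, poisoning rate, and target label are illustrative assumptions rather than values from the paper.

```python
# Minimal sketch of rotation-trigger poisoning: a fraction of training
# images is rotated by a fixed, adversary-chosen angle and relabeled to
# the target class, so the model learns to associate that specific
# rotation with the target label.
import random
import torchvision.transforms.functional as TF

POISON_RATE = 0.1      # fraction of training samples to poison (assumed)
TRIGGER_ANGLE = 16.0   # adversary-specified rotation angle in degrees (assumed)
TARGET_LABEL = 0       # adversary-specified target class (assumed)

def poison_dataset(samples):
    """samples: list of (PIL.Image, int) pairs; returns a poisoned copy."""
    poisoned = []
    for image, label in samples:
        if random.random() < POISON_RATE:
            # Apply the spatial-transformation trigger and flip the label.
            image = TF.rotate(image, TRIGGER_ANGLE)
            label = TARGET_LABEL
        poisoned.append((image, label))
    return poisoned
```

At inference time, the backdoor would be triggered by applying the same rotation to a test image before feeding it to the attacked model, while unrotated images are classified normally.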