Abstract: With the widespread application of deep learning across various domains, concerns about its security have grown significantly. Among these, backdoor attacks pose a serious threat to deep neural networks (DNNs). In recent years, backdoor attacks on neural networks have become increasingly sophisticated: they compromise the security and trustworthiness of a model by implanting hidden, unauthorized functionality or triggers that lead to misleading predictions or behaviour. To make triggers harder to perceive, various invisible backdoor attacks have been proposed. However, most of them only consider invisibility in the spatial domain, making it easy for recent defense methods to detect the generated toxic
What problem does this paper attempt to address?
This paper addresses backdoor attacks on deep neural networks (DNNs), specifically how to implant hidden triggers that escape detection yet cause malicious behaviour under specific conditions. It focuses on the weakness that the triggers generated by existing spatial-domain backdoor attack methods are easily detected, and proposes DEBA, a new invisible backdoor attack based on singular value decomposition (SVD), to improve the concealment and robustness of the attack.
### Main problems:
1. **Visibility of existing backdoor attacks**: Most existing backdoor attack methods only consider invisibility in the spatial domain, so the poisoned images they generate are easily detected by defense methods.
2. **Concealment and robustness of the attack**: A backdoor attack method is needed that is highly concealed and hard to detect while leaving the model's normal performance intact.
### Solutions proposed in the paper:
- **DEBA (SVD-based invisible backdoor attack)**: SVD is used to embed subtle trigger features into the images used at training time, so that poisoned images are almost indistinguishable from clean images visually. The specific steps are:
  - Perform SVD on the clean image and on the trigger image.
  - Replace the smaller singular values of the clean image, and their corresponding singular vectors, with those of the trigger image to form a poisoned image.
  - Since the smaller singular values correspond to secondary features of the image, the poisoned image retains most of the main features and looks almost identical to the clean image.
### Formula representation:
Let the image matrix \(A\) have size \(m\times n\); its singular value decomposition (SVD) is:
\[A_{m\times n}=U_{m\times m}\Sigma_{m\times n}V^T_{n\times n}\]
where:
- \(U\) is an \(m\times m\) unitary matrix (left singular vector matrix),
- \(\Sigma\) is an \(m\times n\) diagonal matrix, and the elements on the diagonal are called singular values,
- \(V\) is an \(n\times n\) unitary matrix (right singular vector matrix).
For the clean image \(x_i\) and the trigger image \(x_t\), perform SVD on each:
\[A_{x_i}=U_{x_i}\Sigma_{x_i}V^T_{x_i}\]
\[A_{x_t}=U_{x_t}\Sigma_{x_t}V^T_{x_t}\]
Then replace the \(k\) smallest singular values of the clean image, together with their corresponding singular vectors, with the \(k\) smallest singular values and singular vectors of the trigger image to form the poisoned decomposition:
\[
\begin{cases}
U_p = [U_1, U_2, \dots, U_{m - k}, U^t_{m - k+1}, \dots, U^t_m]\\
\Sigma_p=\text{diag}(\sigma_1, \sigma_2, \dots, \sigma_{m - k}, \sigma^t_{m - k+1}, \dots, \sigma^t_m)\\
V^T_p = [V_1, V_2, \dots, V_{n - k}, V^t_{n - k+1}, \dots, V^t_n]
\end{cases}
\]
Finally, obtain the poisoned image through inverse singular value decomposition:
\[x_p = U_p\Sigma_pV^T_p\]
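To make the component swap and the paper's concealment metric concrete, the following is an added example (not the paper's code) that carries out the formulas above on constructed 16x16 arrays with NumPy, reports the PSNR the paper uses as a concealment indicator, and measures how little of an image's energy sits in the swapped components, which is why the swap is hard to see. The helper `make_samples`, its noise level and the choice \(k=4\) are assumptions made for the example.

```python
import numpy as np

def svd_component_swap(clean: np.ndarray, trigger: np.ndarray, k: int) -> np.ndarray:
    """Build x_p = U_p Sigma_p V_p^T as in the formulas: keep the r-k largest singular
    components of the clean image and take the k smallest ones from the trigger image.
    Economy SVD is used, so r = min(m, n) where the formulas index up to m and n."""
    U, s, Vt = np.linalg.svd(clean, full_matrices=False)
    Ut, st, Vtt = np.linalg.svd(trigger, full_matrices=False)
    r = s.size
    if not 0 <= k <= r:
        raise ValueError("k must lie in [0, min(m, n)]")
    U_p = np.concatenate([U[:, :r - k], Ut[:, r - k:]], axis=1)
    s_p = np.concatenate([s[:r - k], st[r - k:]])
    Vt_p = np.concatenate([Vt[:r - k], Vtt[r - k:]], axis=0)
    return U_p @ np.diag(s_p) @ Vt_p

def tail_energy_fraction(img: np.ndarray, k: int) -> float:
    """Share of the image's Frobenius energy carried by its k smallest singular values.
    This is small for a smooth image, which is what lets the swap go unnoticed."""
    s = np.linalg.svd(img, compute_uv=False)
    return float(np.sum(s[s.size - k:] ** 2) / np.sum(s ** 2))

def psnr(a: np.ndarray, b: np.ndarray, peak: float = 255.0) -> float:
    """PSNR in dB, one of the concealment indicators reported in the paper."""
    mse = float(np.mean((a - b) ** 2))
    return float("inf") if mse == 0.0 else 10.0 * np.log10(peak ** 2 / mse)

def max_abs_diff(a: np.ndarray, b: np.ndarray) -> float:
    """Largest per-pixel difference, used to check the k=0 and k=r boundary cases."""
    return float(np.max(np.abs(a - b)))

def make_samples(n: int = 16, seed: int = 0):
    """Constructed inputs (assumption, not from the paper): a smooth gradient with faint
    noise stands in for a clean image and a uniform random pattern for the trigger."""
    rng = np.random.default_rng(seed)
    i, j = np.mgrid[0:n, 0:n]
    clean = 8.0 * (i + j) + rng.normal(0.0, 2.0, (n, n))
    trigger = rng.uniform(0.0, 255.0, (n, n))
    return clean, trigger

if __name__ == "__main__":
    clean, trigger = make_samples()
    poisoned = svd_component_swap(clean, trigger, k=4)
    print(f"PSNR(clean, poisoned) = {psnr(clean, poisoned):.1f} dB")
    print(f"PSNR(clean, trigger)  = {psnr(clean, trigger):.1f} dB")
    print(f"tail energy fraction of clean image (k=4) = {tail_energy_fraction(clean, 4):.2e}")
```

With \(k=0\) the swap reproduces the clean image and with \(k=r\) it reproduces the trigger, which is a quick sanity check of the index bookkeeping in the formulas.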
### Experimental results:
- **Attack effect**: DEBA achieves a high attack success rate (ASR) and clean data accuracy (CDA) across multiple datasets and models, demonstrating its effectiveness.
- **Concealment**: Evaluated with PSNR, SSIM and LPIPS, the poisoned images generated by DEBA are very similar to clean images and hard to distinguish from them.
- **Robustness**: DEBA effectively resists existing mainstream defense methods.
In summary, this paper proposes DEBA, a new SVD-based invisible backdoor attack.