Enhanced Coalescence Backdoor Attack Against DNN Based on Pixel Gradient

Jianyao Yin,Honglong Chen,Junjian Li,Yudong Gao
DOI: https://doi.org/10.1007/s11063-024-11469-4
IF: 2.565
2024-03-21
Neural Processing Letters
Abstract:Deep learning has been widely used in many applications such as face recognition, autonomous driving, etc. However, deep learning models are vulnerable to various adversarial attacks, among which backdoor attack is emerging recently. Most of the existing backdoor attacks use the same trigger or the same trigger generation approach to generate the poisoned samples in the training and testing sets, which is also commonly adopted by many backdoor defense strategies. In this paper, we develop an enhanced backdoor attack (EBA) that aims to reveal the potential flaws of existing backdoor defense methods. We use a low-intensity trigger to embed the backdoor, while a high-intensity trigger to activate it. Furthermore, we propose an enhanced coalescence backdoor attack (ECBA) where multiple low-intensity incipient triggers are designed to train the backdoor model, and then, all incipient triggers are gathered on one sample and enhanced to launch the attack. Experiment results on three popular datasets show that our proposed attacks can achieve high attack success rates while maintaining the model classification accuracy of benign samples. Meanwhile, by hiding the incipient poisoned samples and preventing them from activating the backdoor, the proposed attack exhibits significant stealth and the ability to evade mainstream defense methods during the model training phase.
computer science, artificial intelligence
What problem does this paper attempt to address?
This paper is primarily dedicated to researching new methods for backdoor attacks on deep neural networks (DNNs) and exploring the limitations of existing defense strategies. Specifically, the authors propose two novel backdoor attack strategies: Enhanced Backdoor Attack (EBA) and Enhanced Coalescence Backdoor Attack (ECBA). ### Main Contributions 1. **Revealing the weaknesses of existing defense methods**: By proposing EBA, the authors demonstrate how to bypass current defense mechanisms, and this attack method has higher stealthiness. 2. **Proposing ECBA**: Compared to N-to-one attacks, ECBA can significantly improve the "attack success rate difference" while retaining the advantages of poisoned samples in the hidden training set and evading AC and NC defense methods. 3. **Extensive experimental validation**: A large number of experiments were conducted to test the effectiveness of the proposed attacks, including performance on different datasets and model architectures, robustness to perturbations during data collection, and the ability to bypass multiple backdoor defense methods. ### Attack Strategies - **EBA (Enhanced Backdoor Attack)**: - Use a low-intensity trigger (incipient trigger) to train the backdoor model, and a high-intensity trigger (enhanced trigger) to activate the backdoor. - This design makes the backdoor difficult to detect during training but effectively activated by the high-intensity trigger during testing, enhancing the stealthiness and effectiveness of the attack. - **ECBA (Enhanced Coalescence Backdoor Attack)**: - Combine EBA with N-to-one attacks by defining multiple low-intensity initial triggers to train the backdoor model. - Then aggregate all these initial triggers into one sample and enhance it into a single trigger to activate the backdoor. - Compared to N-to-one attacks, ECBA is more robust because it does not rely on the specific number of poisoned samples in the training set. ### Conclusion By proposing EBA and ECBA, this paper not only demonstrates the limitations of existing defense methods but also provides new ideas for developing more robust defense measures. Additionally, experiments have proven the effectiveness of these two attacks and their ability to evade current defense methods. This provides important references and challenges for future researchers to develop more secure and reliable deep learning models.