Rethinking the Trigger of Backdoor Attack
Yiming Li, Tongqing Zhai, Baoyuan Wu, Yong Jiang, Zhifeng Li, Shutao, Xia
TL;DR
This paper analyzes the limitations of static trigger-based backdoor attacks in neural networks, revealing their vulnerability to trigger inconsistency and proposing defense strategies to mitigate this issue.
Contribution
It introduces a new perspective on backdoor attack triggers, highlighting their vulnerability to trigger variation and suggesting methods to defend against such attacks.
Findings
Static triggers are vulnerable to trigger inconsistency.
Trigger variation can weaken backdoor attack effectiveness.
Proposed defenses improve backdoor robustness.
Abstract
Backdoor attack intends to inject hidden backdoor into the deep neural networks (DNNs), such that the prediction of the infected model will be maliciously changed if the hidden backdoor is activated by the attacker-defined trigger, while it performs well on benign samples. Currently, most of existing backdoor attacks adopted the setting of \emph{static} trigger, triggers across the training and testing images follow the same appearance and are located in the same area. In this paper, we revisit this attack paradigm by analyzing the characteristics of the static trigger. We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training. We further explore how to utilize this property for backdoor defense, and discuss how to alleviate such vulnerability of existing attacks.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Malware Detection Techniques · Adversarial Robustness in Machine Learning · Security and Verification in Computing