Input-Aware Dynamic Backdoor Attack

TL;DR

This paper introduces an input-aware backdoor attack that generates diverse, non-reusable triggers, making detection and mitigation by existing defenses significantly more difficult, thereby exposing vulnerabilities in current neural network security.

Contribution

The authors propose a novel input-aware trigger generation method driven by diversity loss, enabling more stealthy and resilient backdoor attacks that bypass current defense mechanisms.

Findings

Effective in various attack scenarios and datasets

Can bypass state-of-the-art defense methods

Maintains stealthiness against neural network inspection

Abstract

In recent years, neural backdoor attack has been considered to be a potential security threat to deep learning systems. Such systems, while achieving the state-of-the-art performance on clean data, perform abnormally on inputs with predefined triggers. Current backdoor techniques, however, rely on uniform trigger patterns, which are easily detected and mitigated by current defense methods. In this work, we propose a novel backdoor attack technique in which the triggers vary from input to input. To achieve this goal, we implement an input-aware trigger generator driven by diversity loss. A novel cross-trigger test is applied to enforce trigger nonreusablity, making backdoor verification impossible. Experiments show that our method is efficient in various attack scenarios as well as multiple datasets. We further demonstrate that our backdoor can bypass the state of the art defense methods. An analysis with a famous neural network inspector again proves the stealthiness of the proposed attack. Our code is publicly available at https://github.com/VinAIResearch/input-aware-backdoor-attack-release.