TL;DR
This paper introduces a novel backdoor attack whose triggers are sample-specific and invisible. The triggers are encoded into images using steganography techniques, which makes the attack harder to detect and defend against.
Contribution
The work proposes a new sample-specific, invisible trigger generation method for backdoor attacks, enhancing attack stealth and effectiveness against existing defenses.
Findings
Effective attack on DNNs with sample-specific triggers
Triggers are invisible and hard to detect
Attack remains successful against defenses
Abstract
Recently, backdoor attacks pose a new security threat to the training process of deep neural networks (DNNs). Attackers intend to inject hidden backdoors into DNNs, such that the attacked model performs well on benign samples, whereas its prediction will be maliciously changed if hidden backdoors are activated by the attacker-defined trigger. Existing backdoor attacks usually adopt the setting that triggers are sample-agnostic, i.e., different poisoned samples contain the same trigger, resulting in that the attacks could be easily mitigated by current backdoor defenses. In this work, we explore a novel attack paradigm, where backdoor triggers are sample-specific. In our attack, we only need to modify certain training samples with invisible perturbation, while not need to manipulate other training components (e.g., training loss, and model structure) as required in many existing…
