WaNet -- Imperceptible Warping-based Backdoor Attack
Anh Nguyen, Anh Tran

TL;DR
This paper introduces WaNet, a stealthy backdoor attack using imperceptible warping triggers, which outperforms noise-based methods in human tests and bypasses current defenses across multiple datasets.
Contribution
Proposes a novel warping-based backdoor trigger that is more stealthy and effective than noise perturbation triggers, along with a training mode to evade detection.
Findings
Outperforms previous noise-based triggers in human inspection tests.
Successfully bypasses state-of-the-art defense methods on multiple datasets.
Backdoors are transparent to network inspection, demonstrating high stealthiness.
Abstract
With the thriving of deep learning and the widespread practice of using pre-trained networks, backdoor attacks have become an increasing security threat drawing many research interests in recent years. A third-party model can be poisoned in training to work well in normal conditions but behave maliciously when a trigger pattern appears. However, the existing backdoor attacks are all built on noise perturbation triggers, making them noticeable to humans. In this paper, we instead propose using warping-based triggers. The proposed backdoor outperforms the previous methods in a human inspection test by a wide margin, proving its stealthiness. To make such models undetectable by machine defenders, we propose a novel training mode, called the "noise" mode. The trained networks successfully attack and bypass the state-of-the-art defense methods on standard classification datasets, including…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
